We are excited to welcome Lisa Hall, Director of Information Security at PagerDuty on our next episode of the CISO-to-CISO webcast (podcast version is available here). Lisa Hall heads the Information Security and Compliance programs at PagerDuty. With over 14 years of experience in the information security field, she is focused on building security programs from the ground up, strategic planning, risk management, and driving process adoption company-wide. She believes security should make it easy to do the right thing. Lisa has previously held Information Security roles at Twilio, Glassdoor, and EY.
Lisa Hall-audio only.m4a: this m4a audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Michael Coates:
All right,
welcome, everyone. This is another edition of CISO to
CISO, so you're watching this on the webcast, maybe
the podcast, but super excited to bring this to you.
I'm your host, Michael Coates, and I'm super
excited to be with Lisa Hall today, the Head of Security
at PagerDuty. Thanks for joining us, Lisa.
Lisa Hall:
Thanks for having me.
Michael Coates:
So I can't
wait to dive into all sorts of great discussions for
those of you who are watching or listening, as
you've seen from our other talks, we've had a
wonderful set of guests over the last several months and
we'll continue that moving forward. So go to
AlterNet.to/CISO, to find more episodes. And this series
is brought to you by Altitude Networks, very quickly. We
are protecting data and cloud collaboration. So if you
are using GSuite or Office365 or similar, you may have
wondered how you protect that data, how you prevent it
from leaving with your employees, being shared to the
world by mistake, et cetera, et cetera. That is our
focus. So check us out at AltitudeNetworks.com. With
that, let's jump in. Lisa, super excited to have you
here. Tell us, how did you get into your role in
security? How did you end up at PagerDuty leading
security for the whole company?
Lisa Hall:
Yeah, thanks. Thanks
for having me. It's really great to see you, as
always. So I think my journey probably started like most
Gen Xers, I was luckily lucky enough to be born in
Generation X, and my family had an IBM in the 80s. So I
initially started my journey, I guess there where I was
into gaming. And then that kind of turned into interest
in like how websites work. And then the mid 90s rolled
around and Dreamweaver came to be around that time, if
anyone remembers that. And I was like, oh, this is cool.
I want to learn how to do this. So I started getting
into HTML and figuring all of that out. And I was mostly
interested in the design aspects. So I was going towards
more graphic design, started diving in there.
And at that time, if you were doing graphic design or
music, you were like in the Mac shop and there
weren't tons like that was why you use Mac. Like not
every company had Macs like we do now back in my day. So
I started learning about Macs. And so part of learning
HTML and just how Macintosh worked for Apple. And the
more I learned, the more I liked it. And I actually
ended up working one of my first non retail jobs. I was
working as Tier One Help Desk in Apple in Sacramento.
Lisa Hall:
I remember I was there
when we had those the colorful iMacs and I beta tested
10. That's good to myself there. I remember when
OS10 came out, we were like, oh, this is totally
different. This is cool. Anyways, I was going to school
toward a business degree, actually. I was working
various jobs, reception jobs, administrative assistant
jobs, and I applied for an executive assistant to a CISO
role at a company called First American in Dallas. And I
met the CISO and her information security officer and
got the job. And I was doing an executive assistant
things for a CISO and I loved it. And they're like,
oh, you know, about computers and you like it. And yeah,
pretty much just went from there. I told her and myself,
I really want to do this. I want to learn more. So I
studied and started networking and ended up being a
security analyst and then moved over into security
management. And after that I moved back to the Bay Area,
did some consulting with E&Y for some time, and then
joined my very first startup, which was Twilio in 2013.
And I've been startup being ever since. And now I
head up product security, infrastructure security and
compliance. So basically what the security world here at
PagerDuty.
Michael Coates:
Wow. Well, you
know, every journey is different, but it's amazing.
Some of those parallels that you see. I think
there's a whole group of us that. Yeah, that early
computer and me even the same like how do you get the
computer to play the games you want to play with? Like,
very limited memory. That was the beginning of tinkering
with the motivation of I want to play video games and
then the tinkering never stopped. And it's funny you
mentioned Dreamweaver. I remember that I used
Dreamweaver as well. So there must be we need to go seek
out these people who tried to get games to work in the
80s and 90s, who ended up coding and working with these
ridiculous programs that were fun at the time. Like
we've got a future and security for you.
Lisa Hall:
Yes. Like if you
wanted to figure this out, like I just remember, like,
run like, what is this called? Right. Like what is the
game called? How can I figure out how to even run this
thing you could have done.
Michael Coates:
And I guess, you
know, if we step back those fundamental skills, like how
does this work? How can I make things do what I want,
how can I get around stuff like that's the
fundamentals of the security mindset, really. So. Now,
for those of you that have watched before, we always
kind of try and get around the world, so to speak, where
are we today? So what location have we so graciously
flown us both to virtually?
Lisa Hall:
Well, unfortunately,
one day maybe again we will be here. I noticed a few of
your attendees had been in Spain and I had did have a
Spain location, but I changed it. So we are in Tel Aviv.
We are you know me. We're definitely at a bar. We
are at a bar in Tel Aviv. It's called Imperial.
It's a really amazing bar. They kind of go a little
extra with their cocktails. Very, very showmanshippy.
They have some cool actually, for whomever is actually
watching. I can even pull up a background real quick of
one of their menu is this little booklet that you open
up. And the drinks are really interesting. If you could
see it. They have a name. Yeah. And they just come.
Yeah, it's really it's an experience to go
there. So that is you were in Tel Aviv, sir.
Michael Coates:
I think we're
going to make a tours of the world from the CISO to CISO
webcast because we have all these great locations now
picked out a bunch of amazing bars. We've got some
tropical locations. Someone took us to a mountain
somewhere. So I think it's going to be a little tour
of the world.
Lisa Hall:
Yes. I like it.
Michael Coates:
All right, so
let's see, so you've been at PagerDuty, also you
know, not a bad choice starting at Twilio, it seems like
you have found your way into some amazing environments.
But PagerDuty must be intense because in addition to
doing security and having a number of customers trust,
you have very sensitive information. You have to do that
on a system that is essentially known for being fast all
the time, like downtime is downtime is reported through
PagerDuty to be not happening at PagerDuty. How do you
balance those things? Like how does it impact your
philosophy on security or how you do things?
Lisa Hall:
Yeah, no, that's a
great question. I think definitely very true at
PagerDuty specifically. And I also think we're
seeing it more often in our industry in general, which
is where security we are more enablers and not blockers.
And I know several other people have this philosophy in
our industry, which I think is great. We're moving
in the right direction. For us, it definitely affects
the decisions I make. When you think about like tooling
or anything that's going to bring latency, like we
cannot have that. Our whole our whole gem is being
available. So we let's say we're looking at like
AWS Shield or something or something we want to
implement. We can't block events we want to enforce
DMARC maybe we can't block email notifications like
people need to get their alerts. So we have to be really
mindful what we do if we install agencies that's
gonna bring like just the tiniest bit of latency to our
notifications. And I think it's really brought us to
a point where we we are learning what the business needs
are and then how security can can work with the business
to make it secure and really fast. And all of these
things that a lot of the we're moving towards in
security. So we're pushing code a lot more than once
a week. Right. Many times a day. So we can't have
things that slow us down. And yet we have again, like we
have internal and external customers. Do you think about
building for our developers or partnering with our
developers? And then we have our external customers who
are relying on us for for the same kinds of things.
It's been it's definitely been interesting to
have that that point of view and to be able to to work
with our teams to really to really say, hey, we can
actually make this go quicker. We're not we're
not going to be a blocker. We're going to we're
going to help you build things.
Michael Coates:
Yeah, that that
reminds me of my time at Twitter, and I have to imagine
your PagerDuty time is similar to your Twilio time,
again being essentially a real time system. And in all
of these places, this whole notion of gates or blocks,
even to workflows like it just sort of goes out the
window because things are happening all the time from
the way the system processes that you think about
security, they're like, you know, this needs to
happen within a few milliseconds or it's too late to
the way development happens. Like to your point, code is
being shipped more often than weekly and even daily all
over the place. And I guess if I'm pulling the
pieces together, you used to be at E&Y, as you said
and I was at a consulting firm for a while, too, that
was such a different world. When you're one of those
big companies, like, here's our quarterly release of
this and that, like. All right. Well, welcome to the
debate. Silicon Valley where things are happening all
the time, such night and day. It's something to wrap
your head around for sure.
Lisa Hall:
Oh, yeah. Like think
about, like waterfall method of development or like just
code check. Like, I'm not taking my code and sending
it somewhere, you know, waiting for a day for it to get
reviewed. It's definitely not going to happen. So,
yeah, it's a little different.
Michael Coates:
Yes. Now when you
are building your security team, I mean, we have people
that are in these different worlds of security. And
then, you know, people say there's a security talent
shortage, which. I sometimes push back and say, I think
people did bad at hiring, it's not a shortage, but
nonetheless it's challenging to hire and it's
challenging to find maybe the right people or to
convince them to join your team versus another company
out there. How are you tackling that beast? Any tips and
secrets that. Well, I guess you want to tell people that
can use it, too.
Lisa Hall:
Yeah, no, I mean,
I'm in your camp of like, I totally disagree. There
is not a there's not a pipeline problem or security
hiring issue. But I also believe that people they work
for people. And so part of the process is really
building like that security culture and having people on
your team who other people want to work with makes a
big, big difference. I also think I said this before. I
think security is a creative industry and I think
looking at hiring creatively is can be very beneficial
to us. And everyone comes from different backgrounds.
And how we got here, you know, like for example, like
when I was going to college, you could major in computer
science like that is about as close as you could get to
doing security. And now there's you know, thankfully
it's just broadened so much. You can specialize in
so many different things on a different background
really lends us to success in security. We I'm a big
fan of promoting from within. We have someone on our
team. We've brought in through customer support who
is really close to the product and know how to talk to
customers. And that was a great move over. They had an
interest in security. We brought her over, have
Christine on my team is our technical program manager.
She has an education background and she took some
classes and and decided, hey, I want to move towards
security. But all of the things that each of these
individuals learned before have really helped them out
in security. And it's not just the technical parts
of it. It really is just being creative learners and
knowing, just recognizing problems, thinking about
things differently and being able to communicate with
different teams. All all of these things helps. I think
we just again, we have to, like, dismiss the stereotype
of what a security person should be and look at what
people are bringing to the table. I've definitely
been told more than once that I don't have executive
presence like all these things. Like I don't I'm
not what you're thinking you're going to be. But
I'm also big on, like, not having having more fluid
interviews. So, like, tell me how you think. Like, how
can you describe a problem? Like, I don't really
need you to code in Python specifically. Like we know
our industry changes so fast. If you're just stuck
in one thing, like it's you're not going to last
long. You've got to be able to adapt, move fast.
Michael Coates:
Yeah, yeah, yeah.
You know, whoever told you didn't have executive
presence. That's that's somebody who's not
going to be at a company that's going to do well
because that's that's ridiculous to to take
amazing people out of the running for whatever weird
stereotype they're trying to fit. Yeah. Those are
the companies that fail. But I totally know what
you're saying. And I you know, the way that security
has evolved, like maybe originally when it was a very
narrow niche field, it was like, all right, you're
the best, most technical person about operating systems.
And that's what we think. Security is cool now.
It's so many things. And you do you need to
coordinate programs across the company to be successful.
You need a TPM. You need to win the minds of people. You
need somebody that can actually, you know, talk, talk,
business, talk, people. You need to be able to present
to the board and leadership that have business skills. I
totally agree that it's just like so many different
skills now. And it's also it's fascinating what
you say about how do they think? You know, I've
always held on to this notion. And I guess from my own
experience, I think it's true. And people I've
worked with, I've found that people that figure out
how to be successful in strange situations continue to
do that. Some of the best people I've worked with
have really wild stories when they're younger. Yeah,
I managed a farm like at first, like, well, why would
you think Farm Managing Farm is anything related to
security? And it's not none of the skills transfer
like security directly, but problem solving does. And
I've seen it. It's really interesting to go back
and talk to the people like who you think are like the
best you've worked with. Ask them their jobs and
stuff and you may find out that they've done some
really wild things, solved crazy problems or taken these
adventures they like. That seems really hard and
it's just something about it, like people that can
overcome challenges, keep doing it. And I wish more of
us in the security industry would look for that and give
those people a chance because. You know, you need some
foundation, but just so much can be learned and so much
can be taught.
Lisa Hall:
I totally agree, like
I know we know plenty of people mutually that probably
didn't even go to college or maybe didn't finish
high school, like, it's nice you can learn things
from taking classes and you could be great with that as
well. But it doesn't it's not the only thing.
It's not the only path like. We always have said,
like, oh, we are very thankful for our retail experience
because it really taught us how to work with people,
different people. You know, you're complaining about
talking to developers. Like what? They are friends, wait
till you have like an angry customer, you know.
Michael Coates:
Yeah, I remember
that. You know that saying everyone should be a waiter,
waitress at some point in their life to have to deal
with that. Now, have you found any interesting channels
for for your recruiting efforts? You know, one thing I
found at Twitter and Mozilla was the Year Up program,
not Europe, the continent, but Year Up. And I really
enjoyed that. That program. It was kind of a a technical
training track that brought in folks that were newer to
the industry but just had such passion and drive. We
found like this great channel of training them up as
interns and then eventually kind of entry level roles
that worked really well for us. So I'm always
curious, like, have you found any other interesting
channels that work for you, maybe they are universities,
organizations, other things like that?
Lisa Hall:
Yeah, no, I love it.
Year Up, totally on my list. I think a great
organization. Hackbright, we've worked with before.
I feel like there's so much out there. I found just
broadening my network has helped. I'm getting
involved and even podcasts out or anything like that now
like like feel free to reach out to me if you have a
question. Right. Like just making those connections. You
know, I met Christine, who I mentioned before through,
you know, just people I know in industry. And, hey, this
person's looking to get involved. And I've found
that our industry that we do have our issues is an
amazing group of people. I wouldn't be where I am
without the people that I met when I first started. And
I think we can work together to lift others up and be
those mentors and sponsors that we all need. And yeah,
for me, that person come from anywhere. We partner with
certain schools and actually lots of different areas at
PagerDuty. And yeah, I think the biggest thing there is
just look at your network, see where people are coming
from, try to be diverse in that, not just be like, oh,
I'm only looking at this one school because I think
they're the best.
Michael Coates:
So much agree.
I've been really enthused with the the spirit of the
infosec community. I agree. We certainly have issues and
pockets of things to address. But, you know, the vast
majority of people are ready to help those that reach
out. And I think that's fascinating. It feels it
feels really odd as someone doing a cold outreach to
someone who may have been established in history and
you're just trying to get started. But a lot of
times they'll help. And if they're kind of a jerk
about it, well, they're just a jerky person. You
should avoid them anyways.
Lisa Hall:
Totally, like now
it's even better. I think it's gotten better
because before I felt like we were so stuck in our area,
like where we lived, like I remember doing a OOS kickoff
in Dallas and there was like five people there. I was
like, yeah we've got people, but now like I was just
at a OSS thing in Toronto. We've got offices in
Toronto. I joined in virtually. Right. Like, I feel like
it's we're all better connected now, forcefully.
So even friends. I think I think it's really great.
Like conferences that were never online are now virtual.
You can network with people so much easier and people
are open to it, I guess, getting used to it. So I think
it's a great time to get involved in security and
reach out to networks and groups and participate as much
as you're comfortable.
Michael Coates:
Yeah, that's
good. There's some silver linings to us being cooped
up at home for all this time.
Lisa Hall:
Yes. What, you're
in Tel Aviv. I want to know what you're talking
about.
Michael Coates:
That's true.
That's true. So, you know, kind of speaking along
those lines, what is your advice for folks that are
in security and say, all right, I'm just getting
started. But one day I do. I want to become the head of
security, I want to lead that for a company, I want to
be a CISO. What's your advice? Any recommendations
on paths to take, skills to learn? Or maybe the advice
is don't do it.
Lisa Hall:
No, no. It's a lot
of work, but I think most people who land in this field
probably enjoy hard problems. I'm guessing most
people I know like or we're problem solvers. We like
it. We like a challenge. Like we're just trying to
figure out ClubHouse earlier, right?
Michael Coates:
That's true.
We tried to simulcast on ClubHouse and we were defeated
by Audio Echo.
Lisa Hall:
But we like these
things. Right? Like, that's, almost, it's
it's not even frustrating. It's like, oh, cool
problems to solve. I think for people starting and my
daughter is in high school and learning Python right
now. I don't think she's she hasn't loved it
yet. But one thing I have found and for me as well, is
if you want to get into security or anything, really
find something, find a problem to solve, find something
you love. Because if you're just typing Hello World,
you're like, yeah, I did it. I don't really know
what that what that is. But if you're like I have
this cool idea and I wish this thing would just do this
and I want to build it, what do you like and security
like. It's so broad now. Do you like do you have do
you see something missing? Is there something you can
just dive into? I think once you find where your your
your joy is and your heart's attached to it, you
really you really get into it and then everything else
comes. You're like, oh, and there's all these
other things I have to do because it's my job. But
it'll really it'll hook you that way. And then
as far as leadership. Yeah, very, very similar. I mean,
some people for me, I like the people part of things.
And so I enjoy managing people and and I love my humans
that I work with.
Lisa Hall:
But I think especially
when it comes to leadership and actually any any role in
security in general, I really appreciate and I think
it's really important to know your business, know
your product like security. You can take it so many
different ways and you really know what works for your
company. Going back to Twilio real quick, I appreciated
what they I don't know if they do it anymore.
Someone ping me and let me know, before, so 2013 quite
some time ago, but before you got your little track
jacket and a Kindle, which at that time, you know, those
are cool track jacket, you had to write a Twilio app
like it was your rite of passage. You couldn't not
know Twilio and how it worked. And I loved it because
you are in H.R., you are in facilities. Doesn't
matter. You are writing a Twilio app and it really got
everyone close to the product. So like you would never
have anyone who didn't know how to worked working
for you. And so that just facilitated conversations
better because then you can think like a user, think
like a developer, think like everyone else you work with
for a common goal. So I know I've worked at
companies where people probably had never used barely
use the product. They're just like, I'm just
here to support this thing.
Lisa Hall:
And I think you can
get so much by knowing I'm not a data scientist, but
I definitely want to know as much as I can about data
science so I can work with our data science team. I
definitely will not be an expert in that at any point.
But I just I really appreciate that. And I think that is
just a good way to approach leadership, is just learn
your thing as much as you can, learn what you're
dealing with so you can offer good advice and have input
and not just be like, oh, just because security says,
you know.
Michael Coates:
Yeah, I mean, it
really, really gets back to as a as a security leader,
like you're you're a business leader. And how
can you lead the business if you don't have such an
appreciation for the product or even the other teams?
You know, one of the things that I've I did myself
and I found it really helpful. And I recommend to
others, like when you come into a security leadership
role, like go just sit down with all the other
department heads and just find out, like, what is their
world, what matters to them, because sometimes we just
come charging in as security people like this is not
secure. You must do this. And they're like, hey,
I'm over here. Like trying to keep the business
alive and making money. I want to help you. But like,
you're asking me to to stop all this stuff and that
that people element is huge. It's such an
interesting transition to, you know, as you go from like
an individual security person into like security
leadership. You know, I don't know how you thought
about I'm curious. It was kind of a moment for me
and I think others had it too. Am I going to be like
doing less security and only doing, like, people
management? And I was really surprised, like you're
doing more security in a different way by empowering all
of these activities and unblocking huge projects across
the company. I found it that to be really fulfilling.
What did you see as you kind of made the transition
yourself?
Lisa Hall:
Oh, me too. I love it.
I think, you know, if you really if you really, really
enjoy just like I like, I just want to code by myself
all day, you know, it would be probably be a difficult
transition. Doesn't mean you can't though.
Doesn't mean you can't participate. But I think
it does for me, it really gave me a it kind of flipped
my view on security. So instead of like instead of
trying to sell security so much. Right. Like, oh, we
should do this, you know, kind of pushing it. It turned
more just into embedding it into every part of the
business, goes closer to different parts of the
business. And as we're doing an annual planning.
Right. Like naturally, a lot of the things that are
coming out of that now are security related. And
that's how I know, oh, this is this is embedded now,
this isn't an afterthought, like this is something
every single team is thinking about. And so I don't
think of myself as the person just doing security like
we're all now doing security, like I'm driving
the direction of it, but we're all kind of doing it
more together. And that's that's something
something I learned by by moving up at least into more
leadership roles for sure. And that partnership. Yeah,
it's been it's been good.
Michael Coates:
Yeah, it sure is
exciting. The way the field has changed and the role has
changed. It's continues to be elevated I think is a
good thing. I mean, sadly, there's so many
situations where security is going afoul and awry that
there's only more need for us, more need for
everyone wants to be in the field.
Lisa Hall:
Yes, we will turn
everyone into a security person.
Michael Coates:
There you go.
Lisa Hall:
Think about it.
Michael Coates:
Well, this is
this is great. Thank you so much for the time. Any
parting thoughts or closing items that we may have
missed that you wanted to send out to the world?
Lisa Hall:
No, not really. Just
thank you for having me. Anyone can feel free to reach
out to me. I really do appreciate our community. And I
think it's great you're doing this. So thanks
again.
Michael Coates:
Awesome. Well,
thanks, everyone, for joining. Again, you can check out
these recordings both on the podcast format or the
webcast itself on the Altitude Networks' website.
And again, thank you so much Lisa for joining us. This
is awesome.
Lisa Hall:
Thanks.