
CISO to CISO Webcast with Lisa Hall, Head of Information Security at PagerDuty

Webcast and Podcast | Altitude Networks, March 10th, 2021

We are excited to welcome Lisa Hall, Director of Information Security at PagerDuty, on our next episode of the CISO-to-CISO webcast (podcast version is available here). Lisa Hall heads the Information Security and Compliance programs at PagerDuty. With over 14 years of experience in the information security field, she is focused on building security programs from the ground up, strategic planning, risk management, and driving process adoption company-wide. She believes security should make it easy to do the right thing. Lisa has previously held Information Security roles at Twilio, Glassdoor, and EY.


Lisa Hall-audio only.m4a: this m4a audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Michael Coates:
All right, welcome, everyone. This is another edition of CISO to CISO, so you're watching this on the webcast, maybe the podcast, but super excited to bring this to you. I'm your host, Michael Coates, and I'm super excited to be with Lisa Hall today, the Head of Security at PagerDuty. Thanks for joining us, Lisa.

Lisa Hall:
Thanks for having me.

Michael Coates:
So I can't wait to dive into all sorts of great discussions for those of you who are watching or listening, as you've seen from our other talks, we've had a wonderful set of guests over the last several months and we'll continue that moving forward. So go to AlterNet.to/CISO, to find more episodes. And this series is brought to you by Altitude Networks, very quickly. We are protecting data and cloud collaboration. So if you are using GSuite or Office365 or similar, you may have wondered how you protect that data, how you prevent it from leaving with your employees, being shared to the world by mistake, et cetera, et cetera. That is our focus. So check us out at AltitudeNetworks.com. With that, let's jump in. Lisa, super excited to have you here. Tell us, how did you get into your role in security? How did you end up at PagerDuty leading security for the whole company?

Lisa Hall:
Yeah, thanks. Thanks for having me. It's really great to see you, as always. So I think my journey probably started like most Gen Xers, I was luckily lucky enough to be born in Generation X, and my family had an IBM in the 80s. So I initially started my journey, I guess there where I was into gaming. And then that kind of turned into interest in like how websites work. And then the mid-90s rolled around and Dreamweaver came to be around that time, if anyone remembers that. And I was like, oh, this is cool. I want to learn how to do this. So I started getting into HTML and figuring all of that out. And I was mostly interested in the design aspects. So I was going towards more graphic design, started diving in there. And at that time, if you were doing graphic design or music, you were like in the Mac shop and there weren't tons like that was why you use Mac. Like not every company had Macs like we do now back in my day. So I started learning about Macs. And so part of learning HTML and just how Macintosh worked for Apple. And the more I learned, the more I liked it. And I actually ended up working one of my first non-retail jobs. I was working as Tier One Help Desk in Apple in Sacramento.

Lisa Hall:
I remember I was there when we had those colorful iMacs and I beta tested 10. That's good to myself there. I remember when OS10 came out, we were like, oh, this is totally different. This is cool. Anyways, I was going to school toward a business degree, actually. I was working various jobs, reception jobs, administrative assistant jobs, and I applied for an executive assistant to a CISO role at a company called First American in Dallas. And I met the CISO and her information security officer and got the job. And I was doing executive assistant things for a CISO and I loved it. And they're like, oh, you know, about computers and you like it. And yeah, pretty much just went from there. I told her and myself, I really want to do this. I want to learn more. So I studied and started networking and ended up being a security analyst and then moved over into security management. And after that I moved back to the Bay Area, did some consulting with E&Y for some time, and then joined my very first startup, which was Twilio in 2013. And I've been startup being ever since. And now I head up product security, infrastructure security and compliance. So basically what the security world here at PagerDuty.

Michael Coates:
Wow. Well, you know, every journey is different, but it's amazing. Some of those parallels that you see. I think there's a whole group of us that. Yeah, that early computer and me even the same like how do you get the computer to play the games you want to play with? Like, very limited memory. That was the beginning of tinkering with the motivation of I want to play video games and then the tinkering never stopped. And it's funny you mentioned Dreamweaver. I remember that I used Dreamweaver as well. So there must be we need to go seek out these people who tried to get games to work in the 80s and 90s, who ended up coding and working with these ridiculous programs that were fun at the time. Like we've got a future and security for you.

Lisa Hall:
Yes. Like if you wanted to figure this out, like I just remember, like, run like, what is this called? Right. Like what is the game called? How can I figure out how to even run this thing you could have done.

Michael Coates:
And I guess, you know, if we step back those fundamental skills, like how does this work? How can I make things do what I want, how can I get around stuff like that's the fundamentals of the security mindset, really. So. Now, for those of you that have watched before, we always kind of try and get around the world, so to speak, where are we today? So what location have we so graciously flown us both to virtually?

Lisa Hall:
Well, unfortunately, one day maybe again we will be here. I noticed a few of your attendees had been in Spain and I had did have a Spain location, but I changed it. So we are in Tel Aviv. We are you know me. We're definitely at a bar. We are at a bar in Tel Aviv. It's called Imperial. It's a really amazing bar. They kind of go a little extra with their cocktails. Very, very showmanshippy. They have some cool actually, for whomever is actually watching. I can even pull up a background real quick of one of their menu is this little booklet that you open up. And the drinks are really interesting. If you could see it. They have a name. Yeah. And they just come. Yeah, it's really it's an experience to go there. So that is you were in Tel Aviv, sir.

Michael Coates:
I think we're going to make a tours of the world from the CISO to CISO webcast because we have all these great locations now picked out a bunch of amazing bars. We've got some tropical locations. Someone took us to a mountain somewhere. So I think it's going to be a little tour of the world.

Lisa Hall:
Yes. I like it.

Michael Coates:
All right, so let's see, so you've been at PagerDuty, also you know, not a bad choice starting at Twilio, it seems like you have found your way into some amazing environments. But PagerDuty must be intense because in addition to doing security and having a number of customers trust, you have very sensitive information. You have to do that on a system that is essentially known for being fast all the time, like downtime is downtime is reported through PagerDuty to be not happening at PagerDuty. How do you balance those things? Like how does it impact your philosophy on security or how you do things?

Lisa Hall:
Yeah, no, that's a great question. I think definitely very true at PagerDuty specifically. And I also think we're seeing it more often in our industry in general, which is where security we are more enablers and not blockers. And I know several other people have this philosophy in our industry, which I think is great. We're moving in the right direction. For us, it definitely affects the decisions I make. When you think about like tooling or anything that's going to bring latency, like we cannot have that. Our whole our whole gem is being available. So we let's say we're looking at like AWS shield or something or something we want to implement. We can't block events we want to enforce DMARC maybe we can't block email notifications like people need to get their alerts. So we have to be really mindful what we do if we install agencies that's gonna bring like just the tiniest bit of latency to our notifications. And I think it's really brought us to a point where we we are learning what the business needs are and then how security can can work with the business to make it secure and really fast. And all of these things that a lot of the we're moving towards in security. So we're pushing code a lot more than once a week. Right. Many times a day. So we can't have things that slow us down. And yet we have again, like we have internal and external customers. Do you think about building for our developers or partnering with our developers? And then we have our external customers who are relying on us for for the same kinds of things. It's been it's definitely been interesting to have that that point of view and to be able to to work with our teams to really to really say, hey, we can actually make this go quicker. We're not we're not going to be a blocker. We're going to we're going to help you build things.

Michael Coates:
Yeah, that reminds me of my time at Twitter, and I have to imagine your PagerDuty time is similar to your Twilio time, again being essentially a real time system. And in all of these places, this whole notion of gates or blocks, even to workflows like it just sort of goes out the window because things are happening all the time from the way the system processes that you think about security, they're like, you know, this needs to happen within a few milliseconds or it's too late to the way development happens. Like to your point, code is being shipped more often than weekly and even daily all over the place. And I guess if I'm pulling the pieces together, you used to be at E&Y, as you said and I was at a consulting firm for a while, too, that was such a different world. When you're one of those big companies, like, here's our quarterly release of this and that, like. All right. Well, welcome to the debate. Silicon Valley where things are happening all the time, such night and day. It's something to wrap your head around for sure.

Lisa Hall:
Oh, yeah. Like think about, like waterfall method of development or like just code check. Like, I'm not taking my code and sending it somewhere, you know, waiting for a day for it to get reviewed. It's definitely not going to happen. So, yeah, it's a little different.

Michael Coates:
Yes. Now when you are building your security team, I mean, we have people that are in these different worlds of security. And then, you know, people say there's a security talent shortage, which. I sometimes push back and say, I think people did bad at hiring, it's not a shortage, but nonetheless it's challenging to hire and it's challenging to find maybe the right people or to convince them to join your team versus another company out there. How are you tackling that beast? Any tips and secrets that. Well, I guess you want to tell people that can use it, too.

Lisa Hall:
Yeah, no, I mean, I'm in your camp of like, I totally disagree. There is not a there's not a pipeline problem or security hiring issue. But I also believe that people they work for people. And so part of the process is really building like that security culture and having people on your team who other people want to work with makes a big, big difference. I also think I said this before. I think security is a creative industry and I think looking at hiring creatively is can be very beneficial to us. And everyone comes from different backgrounds. And how we got here, you know, like for example, like when I was going to college, you could major in computer science like that is about as close as you could get to doing security. And now there's you know, thankfully it's just broadened so much. You can specialize in so many different things on a different background really lends us to success in security. We I'm a big fan of promoting from within. We have someone on our team. We've brought in through customer support who is really close to the product and know how to talk to customers. And that was a great move over. They had an interest in security. We brought her over, have Christine on my team is our technical program manager. She has an education background and she took some classes and and decided, hey, I want to move towards security. But all of the things that each of these individuals learned before have really helped them out in security. And it's not just the technical parts of it. It really is just being creative learners and knowing, just recognizing problems, thinking about things differently and being able to communicate with different teams. All all of these things helps. I think we just again, we have to, like, dismiss the stereotype of what a security person should be and look at what people are bringing to the table. I've definitely been told more than once that I don't have executive presence like all these things. 
Like I don't I'm not what you're thinking you're going to be. But I'm also big on, like, not having having more fluid interviews. So, like, tell me how you think. Like, how can you describe a problem? Like, I don't really need you to code in Python specifically. Like we know our industry changes so fast. If you're just stuck in one thing, like it's you're not going to last long. You've got to be able to adapt, move fast.

Michael Coates:
Yeah, yeah, yeah. You know, whoever told you didn't have executive presence. That's that's somebody who's not going to be at a company that's going to do well because that's that's ridiculous to to take amazing people out of the running for whatever weird stereotype they're trying to fit. Yeah. Those are the companies that fail. But I totally know what you're saying. And I you know, the way that security has evolved, like maybe originally when it was a very narrow niche field, it was like, all right, you're the best, most technical person about operating systems. And that's what we think. Security is cool now. It's so many things. And you do you need to coordinate programs across the company to be successful. You need a TPM. You need to win the minds of people. You need somebody that can actually, you know, talk, talk, business, talk, people. You need to be able to present to the board and leadership that have business skills. I totally agree that it's just like so many different skills now. And it's also it's fascinating what you say about how do they think? You know, I've always held on to this notion. And I guess from my own experience, I think it's true. And people I've worked with, I've found that people that figure out how to be successful in strange situations continue to do that. Some of the best people I've worked with have really wild stories when they're younger. Yeah, I managed a farm like at first, like, well, why would you think Farm Managing Farm is anything related to security? And it's not none of the skills transfer like security directly, but problem solving does. And I've seen it. It's really interesting to go back and talk to the people like who you think are like the best you've worked with. Ask them their jobs and stuff and you may find out that they've done some really wild things, solved crazy problems or taken these adventures they like. 
That seems really hard and it's just something about it, like people that can overcome challenges, keep doing it. And I wish more of us in the security industry would look for that and give those people a chance because. You know, you need some foundation, but just so much can be learned and so much can be taught.

Lisa Hall:
I totally agree, like I know we know plenty of people mutually that probably didn't even go to college or maybe didn't finish high school, like, it's nice you can learn things from taking classes and you could be great with that as well. But it doesn't it's not the only thing. It's not the only path like. We always have said, like, oh, we are very thankful for our retail experience because it really taught us how to work with people, different people. You know, you're complaining about talking to developers. Like what? They are friends, wait till you have like an angry customer, you know.

Michael Coates:
Yeah, I remember that. You know that saying everyone should be a waiter, waitress at some point in their life to have to deal with that. Now, have you found any interesting channels for your recruiting efforts? You know, one thing I found at Twitter and Mozilla was the Year Up program, not Europe, the continent, but Year Up. And I really enjoyed that. That program. It was kind of a technical training track that brought in folks that were newer to the industry but just had such passion and drive. We found like this great channel of training them up as interns and then eventually kind of entry level roles that worked really well for us. So I'm always curious, like, have you found any other interesting channels that work for you, maybe they are universities, organizations, other things like that?

Lisa Hall:
Yeah, no, I love it. Year up, totally on my list. I think a great organization. Hackbright, we've worked with before. I feel like there's so much out there. I found just broadening my network has helped. I'm getting involved and even podcasts out or anything like that now like like feel free to reach out to me if you have a question. Right. Like just making those connections. You know, I met Christine, who I mentioned before through, you know, just people I know in industry. And, hey, this person's looking to get involved. And I've found that our industry that we do have our issues is an amazing group of people. I wouldn't be where I am without the people that I met when I first started. And I think we can work together to lift others up and be those mentors and sponsors that we all need. And yeah, for me, that person come from anywhere. We partner with certain schools and actually lots of different areas at PagerDuty. And yeah, I think the biggest thing there is just look at your network, see where people are coming from, try to be diverse in that, not just be like, oh, I'm only looking at this one school because I think they're the best.

Michael Coates:
So much agree. I've been really enthused with the spirit of the infosec community. I agree. We certainly have issues and pockets of things to address. But, you know, the vast majority of people are ready to help those that reach out. And I think that's fascinating. It feels really odd as someone doing a cold outreach to someone who may have been established in history and you're just trying to get started. But a lot of times they'll help. And if they're kind of a jerk about it, well, they're just a jerky person. You should avoid them anyways.

Lisa Hall:
Totally, like now it's even better. I think it's gotten better because before I felt like we were so stuck in our area, like where we lived, like I remember doing a OOS kickoff in Dallas and there was like five people there. I was like, yeah we've got people, but now like I was just at a OSS thing in Toronto. We've got offices in Toronto. I joined in virtually. Right. Like, I feel like it's we're all better connected now, forcefully. So even friends. I think I think it's really great. Like conferences that were never online are now virtual. You can network with people so much easier and people are open to it, I guess, getting used to it. So I think it's a great time to get involved in security and reach out to networks and groups and participate as much as you're comfortable.

Michael Coates:
Yeah, that's good. There's some silver linings to us being cooped up at home for all this time.

Lisa Hall:
Yes. What, you're in Tel Aviv. I want to know what you're talking about.

Michael Coates:
That's true. That's true. So, you know, kind of speaking along those lines, what is your advice for folks that are in security and say, all right, I'm just getting started. But one day I do. I want to become the head of security, I want to lead that for a company, I want to be a CISO. What's your advice? Any recommendations on paths to take, skills to learn? Or maybe the advice is don't do it.

Lisa Hall:
No, no. It's a lot of work, but I think most people who land in this field probably enjoy hard problems. I'm guessing most people I know like or we're problem solvers. We like it. We like a challenge. Like we're just trying to figure out ClubHouse earlier, right?

Michael Coates:
That's true. We tried to simulcast on ClubHouse and we were defeated by Audio Echo.

Lisa Hall:
But we like these things. Right? Like, that's, almost, it's it's not even frustrating. It's like, oh, cool problems to solve. I think for people starting and my daughter is in high school and learning python right now. I don't think she's she hasn't loved it yet. But one thing I have found and for me as well, is if you want to get into security or anything, really find something, find a problem to solve, find something you love. Because if you're just typing Hello World, you're like, yeah, I did it. I don't really know what that what that is. But if you're like I have this cool idea and I wish this thing would just do this and I want to build it, what do you like and security like. It's so broad now. Do you like do you have do you see something missing? Is there something you can just dive into? I think once you find where your your your joy is and your heart's attached to it, you really you really get into it and then everything else comes. You're like, oh, and there's all these other things I have to do because it's my job. But it'll really it'll hook you that way. And then as far as leadership. Yeah, very, very similar. I mean, some people for me, I like the people part of things. And so I enjoy managing people and and I love my humans that I work with.

Lisa Hall:
But I think especially when it comes to leadership and actually any any role in security in general, I really appreciate and I think it's really important to know your business, know your product like security. You can take it so many different ways and you really know what works for your company. Going back to Twilio real quick, I appreciated what they I don't know if they do it anymore. Someone ping me and let me know, before, so 2013 quite some time ago, but before you got your little track jacket and a Kindle, which at that time, you know, those are cool track jacket, you had to write a Twilio app like it was your rite of passage. You couldn't not know Twilio and how it worked. And I loved it because you are in H.R., you are in facilities. Doesn't matter. You are writing a Twilio app and it really got everyone close to the product. So like you would never have anyone who didn't know how to worked working for you. And so that just facilitated conversations better because then you can think like a user, think like a developer, think like everyone else you work with for a common goal. So I know I've worked at companies where people probably had never used barely use the product. They're just like, I'm just here to support this thing.

Lisa Hall:
And I think you can get so much by knowing I'm not a data scientist, but I definitely want to know as much as I can about data science so I can work with our data science team. I definitely will not be an expert in that at any point. But I just I really appreciate that. And I think that is just a good way to approach leadership, is just learn your thing as much as you can, learn what you're dealing with so you can offer good advice and have input and not just be like, oh, just because security says, you know.

Michael Coates:
Yeah, I mean, it really, really gets back to as a as a security leader, like you're you're a business leader. And how can you lead the business if you don't have such an appreciation for the product or even the other teams? You know, one of the things that I've I did myself and I found it really helpful. And I recommend to others, like when you come into a security leadership role, like go just sit down with all the other department heads and just find out, like, what is their world, what matters to them, because sometimes we just come charging in as security people like this is not secure. You must do this. And they're like, hey, I'm over here. Like trying to keep the business alive and making money. I want to help you. But like, you're asking me to to stop all this stuff and that that people element is huge. It's such an interesting transition to, you know, as you go from like an individual security person into like security leadership. You know, I don't know how you thought about I'm curious. It was kind of a moment for me and I think others had it too. Am I going to be like doing less security and only doing, like, people management? And I was really surprised, like you're doing more security in a different way by empowering all of these activities and unblocking huge projects across the company. I found it that to be really fulfilling. What did you see as you kind of made the transition yourself?

Lisa Hall:
Oh, me too. I love it. I think, you know, if you really if you really, really enjoy just like I like, I just want to code by myself all day, you know, it would be probably be a difficult transition. Doesn't mean you can't though. Doesn't mean you can't participate. But I think it does for me, it really gave me a it kind of flipped my view on security. So instead of like instead of trying to sell security so much. Right. Like, oh, we should do this, you know, kind of pushing it. It turned more just into embedding it into every part of the business, goes closer to different parts of the business. And as we're doing an annual planning. Right. Like naturally, a lot of the things that are coming out of that now are security related. And that's how I know, oh, this is this is embedded now, this isn't an afterthought, like this is something every single team is thinking about. And so I don't think of myself as the person just doing security like we're all now doing security, like I'm driving the direction of it, but we're all kind of doing it more together. And that's that's something something I learned by by moving up at least into more leadership roles for sure. And that partnership. Yeah, it's been it's been good.

Michael Coates:
Yeah, it sure is exciting. The way the field has changed and the role has changed. It's continues to be elevated I think is a good thing. I mean, sadly, there's so many situations where security is going afoul and awry that there's only more need for us, more need for everyone wants to be in the field.

Lisa Hall:
Yes, we will turn everyone into a security person.

Michael Coates:
There you go.

Lisa Hall:
Think about it.

Michael Coates:
Well, this is this is great. Thank you so much for the time. Any parting thoughts or closing items that we may have missed that you wanted to send out to the world?

Lisa Hall:
No, not really. Just thank you for having me. Anyone can feel free to reach out to me. I really do appreciate our community. And I think it's great you're doing this. So thanks again.

Michael Coates:
Awesome. Well, thanks, everyone, for joining. Again, you can check out these recordings both on the podcast format or the webcast itself on the Altitude Networks' website. And again, thank you so much Lisa for joining us. This is awesome.

Lisa Hall:
Thanks.
