The Network Edge – Our Interview with Heather Gantt-Evans
Heather Gantt-Evans, the Chief Information Security Officer at SailPoint, is an advisory board member to several organizations and a member of Chief. Previously, Heather was the Senior Director of Security Operations and Cyber Resilience at The Home Depot and was also previously Senior Manager, Advisory Services, Cyber Risk Practice at EY.
Tell me about your background.
My personal and professional stories are deeply intertwined. I grew up in a small town in Texas, and joined the military to pay for school after becoming a single mother at 19. My first exposure to security was in the US Army Reserves, where I got trained in all-source threat intelligence.
After coming back from the military, I completed my undergrad in sociology – I was fascinated then (as I am now) with how social forces shape behavior. And when I reflected on the best path to support my daughter and myself, I found myself gravitating towards technology.
After doing a master's in tech management, I got picked up by Booz Allen Hamilton, initially as an IT business analyst for the Air Force Real Property Agency on a government contract and shortly after secured a position as a cyber threat intelligence analyst on a contract for Air Force Cyber Command. That was the beginning of a security career spanning the public and private sectors – with highlights including building out the cybersecurity practices at EY and leading the security operations at Home Depot.
I’m currently the CISO at SailPoint, the leading provider of identity security solutions, where I lead a team of about 30.
How does your sociology background influence your outlook on cybersecurity?
A major takeaway from sociology is the notion that we’re all a product of a specific time and place. Technology doesn’t happen in a vacuum. Technology is shaped by political, cultural, and social forces that inform our priorities and behaviors.
This is true not just in the macro-landscape, but within an organization – where culture is often the strongest influence. A saying I find true is that culture eats strategy for breakfast. When you’re thinking about driving change, you need to be thoughtful about how the culture will support or impede your efforts.
How would you describe your cyber leadership style and approach?
I’m a people-first security leader. After all, your greatest source of competitive advantage in this business is the people you bring in and the culture you create. In my experience, people excel when they have psychological safety and can bring their whole selves to work. So I lead with empathy. I want to be known as the leader who’s willing to talk about the hard personal things going on.
In terms of approach, I’m a relentless advocate for basic cyber hygiene and operational excellence. Lots of people are interested in the cool innovative stuff. On some level this makes sense: cybersecurity professionals have been in a pressure cooker, with adversaries who never sleep and who are always increasing their skills and ambitions and targets. And the pressure has only gotten more intense in the pandemic, as cyber professionals have been called upon to support the business in different ways – traversing from a perimeter- to an identity-based approach, for example.
But while it’s natural to feel a sense of urgency to embrace the latest and greatest, you have to earn the right – by executing the basics flawlessly. Few organizations do, and it’s a massive opportunity.
What are the basics?
There are four categories that I view as paramount.
- Identity: Role- and identity-based access management can be deceptively tricky for an organization to get right. A common stumbling block for an org with an identity access management program is not having a granular enough understanding of roles in the organization. This makes it impossible to meaningfully enforce privileges or identity-based segmentation. A lot of organizations want to jump into buzzy zero-trust solutions without having done this foundational work. Now, there are some ways that technology can help here – e.g., using analytics to help recommend what would be better served as least privilege (e.g., changing a privilege that hasn’t been used recently from a standing to a just-in-time access model). But ultimately, a lot of the work to be done here is table-stakes security hygiene.
- Endpoint security: Organizations need to ensure that their patch management is strong, that they’re doing their CIS benchmarking scans, and that they understand how far off they are from best practice configurations of their endpoints. This is especially true in the cloud, where there’s dual responsibility for maintaining those configurations – some things that the cloud provider is responsible for configuring properly, and other things that the purchasing company is responsible for locking down on those endpoints.
- Email security: There’s a lot of value in basic hygiene practices here. This includes an email security solution – alongside practices like having external emails marked as external, web browser isolation, phishing tests, phishing alert buttons.
- General attack surface management: Knowing what your organization looks like from the outside in is cyber 101 – that’s what your adversary is going to be looking at. So you need to know if you have databases exposed to the internet that shouldn’t be and what entry vectors are exploitable to your adversaries.
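The identity item above describes using usage analytics to recommend which standing privileges should become just-in-time. The following is an added example, not code from the interview or from SailPoint: it takes a constructed set of (identity, entitlement, last-used) records and applies two idle thresholds, recommending conversion to JIT for entitlements unused for 60 days and revocation for those unused for 180 days or never used. The identities, entitlement names, dates and thresholds are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    identity: str
    entitlement: str
    access_model: str          # "standing" (always granted) or "jit" (requested per use)
    last_used: Optional[date]  # None = never observed being exercised in the usage data


# Constructed "as-of" date for the access review (assumption, not real data).
REVIEW_DATE = date(2022, 1, 31)

# Constructed sample records; names and dates are invented for the example.
SAMPLE: List[Entitlement] = [
    Entitlement("alice", "prod-db-admin", "standing", date(2022, 1, 28)),   # used 3 days ago
    Entitlement("alice", "billing-export", "standing", date(2021, 9, 2)),   # idle ~151 days
    Entitlement("bob", "prod-db-admin", "standing", None),                  # never used
    Entitlement("bob", "ci-deploy", "jit", date(2021, 6, 1)),               # already JIT
    Entitlement("carol", "prod-db-admin", "standing", date(2021, 11, 20)),  # idle ~72 days
]


def recommend(
    entitlements: List[Entitlement],
    as_of: date = REVIEW_DATE,
    jit_after_days: int = 60,
    revoke_after_days: int = 180,
) -> Dict[Tuple[str, str], str]:
    """Map (identity, entitlement) -> recommended action for standing grants.

    Grants that are already JIT, or standing grants used recently, get no entry.
    """
    recs: Dict[Tuple[str, str], str] = {}
    for e in entitlements:
        if e.access_model != "standing":
            continue  # nothing to tighten: access is already granted per use
        key = (e.identity, e.entitlement)
        if e.last_used is None:
            recs[key] = "revoke"  # a privilege never exercised is pure standing risk
            continue
        idle_days = (as_of - e.last_used).days
        if idle_days >= revoke_after_days:
            recs[key] = "revoke"
        elif idle_days >= jit_after_days:
            recs[key] = "convert-to-jit"
    return recs


def summarize(recs: Dict[Tuple[str, str], str]) -> Dict[str, int]:
    """Count recommendations per action, for a quick review report."""
    return dict(Counter(recs.values()))


if __name__ == "__main__":
    result = recommend(SAMPLE)
    for (identity, ent), action in sorted(result.items()):
        print(f"{identity:8} {ent:16} -> {action}")
    print(summarize(result))
```

The thresholds are the policy knobs a review team would tune; the useful part is that the decision is driven by observed use of each grant rather than by the role name alone, which is the granularity the passage says most programs lack.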
Why don’t all organizations have the basics covered?
A leading factor is often a lack of cultural buy-in from the rest of the organization. Business stakeholders have their own pressures and priorities. They’re a revenue center with urgency. CISOs often struggle to articulate the “why” – how investment in better cyber hygiene will help grow the business and support the priorities of their business counterparts.
What have been the biggest changes over the course of your career?
There have been a few massive tidal shifts:
- Cloud security. In just a few years, cloud security has become a central focus for many organizations. The environment has expanded to include containers and serverless workloads that are stitched together by exploding amounts of API connections. And DevOps has become very cloud centric. This requires a complete shift in mindset, something we as an industry are still grappling with. And this is hugely exciting: we’re in a formative time of defining best practices for DevSecOps.
- Agentless approaches. These weren’t common earlier on in my career. I love seeing what we can do without agents – it makes our IT and DevOps partners happy to know that they’re avoiding agent bloat consuming performance of the workload.
- Zero-trust solutions. When I first got into security, folks weren’t talking about “zero-trust.” And when it first emerged, it was ill-defined and really more of a buzzword. It’s been gratifying to see zero-trust designs and solutions begin to mature and become more concrete in how they support the organization’s security objectives.
What major security trends do you foresee in 2022?
One trend I’m particularly energized about is increased integration of blockchain technology in how we secure enterprise technology. To be clear, blockchain is still very much in the buzzy, ill-defined state (the way “zero-trust” was a few years ago). But in my mind there are obvious security implications to what blockchain offers – an immutable record and decentralized verification, for example.
I think we’ll also see continued convergence of different cybersecurity domains, particularly identity and data protection. Identity compromise is becoming a more central feature of big cybersecurity breaches, where an adversary leverages legitimate credentials from a legitimate identity, using tools that are native to the system that they’re operating on. It’s very difficult to identify that type of compromise, where there’s no alert on a hash from a known malicious file. I think we’ll see increased evolution of analytics solutions to support identity outlier detection.
Finally, I expect that data extortion will, unfortunately, become more prominent. With ransomware as a service, we’re seeing very effective pieces of malware accessible to just about anybody – and along with it, trends like double or triple extortion and hacktivist-driven ransomware attacks.
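The answer above makes the point that a compromised legitimate identity using native tools produces no file-hash alert, so detection has to come from the identity's own behaviour. The following is an added example, not code from the interview or from any product it mentions: it builds a per-identity baseline (hosts, tools, source /24 networks, hours of day) from a constructed learning window of log lines, then scores new events by how many of those dimensions they depart from. The log format, field names, usernames, hosts and addresses are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed log format (not any real product's): one line per use of an identity.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) tool=(?P<tool>\S+) result=(?P<result>\S+)$"
)

# Constructed learning window: alice works on web-01/web-02 over ssh from the
# 10.0.1.0/24 office range during the day; bob queries db-01 with psql.
BASELINE_LINES = [
    "2022-01-10T09:12:03Z user=alice src=10.0.1.15 host=web-01 tool=ssh result=ok",
    "2022-01-10T14:40:11Z user=alice src=10.0.1.15 host=web-02 tool=ssh result=ok",
    "2022-01-11T10:02:45Z user=alice src=10.0.1.22 host=web-01 tool=ssh result=ok",
    "2022-01-12T16:55:09Z user=alice src=10.0.1.15 host=web-01 tool=ssh result=ok",
    "2022-01-10T11:00:00Z user=bob src=10.0.2.7 host=db-01 tool=psql result=ok",
    "2022-01-11T11:30:00Z user=bob src=10.0.2.7 host=db-01 tool=psql result=ok",
]

# Constructed new events: one routine, one that looks like a stolen credential
# used from outside at 03:05 against a host alice never touched, one mild change.
NEW_LINES = [
    "2022-01-20T10:15:00Z user=alice src=10.0.1.15 host=web-02 tool=ssh result=ok",
    "2022-01-20T03:05:00Z user=alice src=203.0.113.9 host=db-01 tool=psql result=ok",
    "2022-01-20T12:00:00Z user=bob src=10.0.2.7 host=db-01 tool=wmic result=ok",
]


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, adding the hour of day and source /24."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["hour"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ").hour
    ev["net"] = ".".join(str(ev["src"]).split(".")[:3])  # crude "where from" bucket
    return ev


def build_baseline(lines: List[str]) -> Dict[str, Dict[str, set]]:
    """Per identity: the hosts, tools, source /24s and hours seen in the learning window."""
    base: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"hosts": set(), "tools": set(), "nets": set(), "hours": set()}
    )
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "ok":
            continue  # only successful use teaches us what "normal" looks like
        b = base[str(ev["user"])]
        b["hosts"].add(ev["host"])
        b["tools"].add(ev["tool"])
        b["nets"].add(ev["net"])
        b["hours"].add(ev["hour"])
    return dict(base)


def score(ev: Dict[str, object], baseline: Dict[str, Dict[str, set]]) -> List[str]:
    """Reasons this event departs from the identity's own history; empty means routine."""
    b = baseline.get(str(ev["user"]))
    if b is None:
        return ["unknown-identity"]
    reasons: List[str] = []
    if ev["host"] not in b["hosts"]:
        reasons.append(f"new-host:{ev['host']}")
    if ev["tool"] not in b["tools"]:
        reasons.append(f"new-tool:{ev['tool']}")
    if ev["net"] not in b["nets"]:
        reasons.append(f"new-source:{ev['net']}")
    # Tolerate one hour either side of any hour previously seen for this identity.
    if not any(abs(int(ev["hour"]) - h) <= 1 for h in b["hours"]):
        reasons.append(f"off-hours:{int(ev['hour']):02d}")
    return reasons


def detect(lines: List[str], baseline: Dict[str, Dict[str, set]],
           threshold: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Return (user, timestamp, reasons) for events that deviate on >= threshold dimensions."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = score(ev, baseline)
        if len(reasons) >= threshold:
            alerts.append((str(ev["user"]), str(ev["ts"]), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(NEW_LINES, build_baseline(BASELINE_LINES)):
        print(user, ts, ", ".join(reasons))
```

Requiring two or more deviating dimensions before alerting is what keeps a single new tool (bob's wmic use) from paging anyone, while the night-time login from a new network to a new host with a new tool stacks up four reasons with no malware hash involved at all.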
How do you build a world-class team?
Your reputation follows you in the security industry. Word of mouth spreads. So I’ve always tried to be a leader that people want to work for. For me, this has meant avoiding the dictatorial, comeuppance style of management in favor of a more empathetic approach to get the best out of the people on my teams.
Shed the stern exterior. Be tough on standards, tender with people.
This is especially true with the younger generation, which rightly expects to be treated with respect, to balance work and life, to have meaningful relationships, to have a voice, and to work for an organization that aligns with their values.
An inspiration I continue to draw from is Doug Conant’s way of embracing being tough on standards while also being tender with people. It’s a misconception that you cannot be both.