First, the hopes-and-dreams budget: What would it take to close all the known gaps and operate proactively?

Second, the could-live-with-this budget: What’s realistic and gets you to acceptable risk levels?

Third, the I-think-I’m-going-to-resign budget: Because you can see a breach coming and you don’t want your name attached to it.

You probably won’t end up at that last one, but all your stakeholders need to understand what’s at stake at each level. And you need to show them how past investments translated into outcomes, what you achieved, what you prevented.

That’s critical because people say the cybersecurity budget is a black hole. Cybersecurity works best when nothing happens. Your performance indicator is literally zero incidents. That’s a tough sell, but it’s reality.

How do you deal with AI-enabled attacks?

Chatman: Every cybersecurity professional, up to and including CISOs, needs to understand how AI works. Some people thought AI was hype and delayed learning about it. Now everyone realizes it’s not going away, and if you don’t understand the technology, you can’t defend against it.

You also need to update your security awareness training to reflect AI threats. That means covering deepfakes, AI-enhanced business email compromise, adaptive attacks that change based on the target. Your training programs need to evolve with the threat landscape.

And here’s something that often gets overlooked: CISOs need to be more accessible right now. AI makes attacks more convincing and harder to spot. Your employees need to feel comfortable reporting suspicious activity without fear of looking stupid. If someone thinks they might have fallen for a deepfake or an AI-generated phishing attempt, you want them to come to you immediately, not hide it because they’re embarrassed.

My message to cyber professionals here is: Remember, you weren’t always a cybersecurity expert. You learned this over time. So, meet people where they are. Skip the jargon. Explain things in plain language. If people can’t understand you, they can’t help you defend the organization.

Tell me about your mentoring experience.

Chatman: I’ve mentored and coached a lot of people, both one-on-one and in groups.

For example, in 2021, I created a free five-part series called Cyber Career Differentiators, basically business acumen and soft skills for technologists. There are boot camps everywhere teaching people how to configure firewalls, but nobody’s teaching technologists how to make eye contact with businesspeople and have actual conversations. So, I built that curriculum and put it out there and 516 people took the class.

Beyond that, I do ongoing one-on-one mentoring, and I run a coaching firm now focused on developing cybersecurity leaders.

What are you most proud of in your career?

Chatman: Earlier I said that cyber professionals are shying away from the CISO role. It’s getting harder to convince people to sign up for this job. But here’s what I’m most proud of: People tell me I inspire them to join cybersecurity. The feedback I get is that I’m relatable, practical, and human.

I think people can see that I care about the human beings behind the technology. That’s why I’ve never run an ‘office of no.’ ‘No’ is the first word most babies learn, and it’s a favorite word in cybersecurity. But it doesn’t come naturally to me. That’s not to say I’m permissive, I ask hard questions, I dig into the details, I challenge assumptions. However, I always start by listening.

What I’m most proud of is being an example for people who feel intimidated by this field. I started in medical diagnostics. If I can become a CISO, then anyone with the right blend of curiosity and commitment can build a successful career in cybersecurity.

That matters more to me than any technical accomplishment, any FBI project, anything else I’ve done. Inspiring others to see this as possible for them, that’s what I’m proud of.

Is there a quote that you are inspired by?

Chatman: ‘Strength is not found in systems that never fail. But in those built to recover smarter, faster, and stronger.’

Are there any books you’ve learned from that you would like to suggest to others?

Chatman: World War Z by Max Brooks. It’s a collection of short stories set during a zombie apocalypse, but the zombie part is just a placeholder. What makes it valuable is how it examines different facets of society under stress, government, military, finance, global supply chains and logistics, medicine, including organ donation and transplantation, pharmaceuticals, and more.

The book isn’t really about zombies. It’s about how systems break down when infrastructure fails. What happens when we lose basic services, grocery stores, pharmacies, hospitals, law enforcement, all the things we take for granted?

Every time I read it, I see something new about how to think as a technologist. For example, the logistics chapters: How do supply chains collapse? How do people get stranded when transportation systems fail? I need to understand these dependencies because all of them are enabled by technology. The book is an interesting look into how things work when they’re functioning and what breaks first when they’re not.

I’m fascinated by this genre because it shows what happens when technology fails at scale. We had a taste of that with the CrowdStrike incident. People couldn’t access their bank accounts, couldn’t fly home. That’s a glimpse of what systemic failure looks like.

First seen on csoonline.com
Jump to article: https://www.csoonline.com/article/4131130/ciso-julie-chatman-wants-to-help-you-take-control-of-your-security-leadership-role.html

