“And the good girls go to heaven, but the bad girls go everywhere...” – This is what I read when I was trying to get to know Lisa better through her Twitter account. Controversial, courageous, and ambitious, this woman has a lot to share with us about her experience and how she climbed the corporate ladder in security.
I chatted with Lisa for hours about life, politics, and technology, as well as about how to tackle the challenges in a male-dominated industry. I believe that, through her experience and career, she is part of the positive change that we are all aiming for.
Lisa impressed me with her knowledge and her passion for cyber security. She is an exceptionally talented professional who has learned over the years how to gain and keep respect and credibility within a male-dominated industry. For over 24 years, Lisa Lorenzin has been shaping her career in the industry, influencing the environment for women in technology and cyber security, and passionately advocating for the power of female technical knowledge and leadership skills.
Through my meetings and interviews, I met fabulous women, and Lisa is definitely one of them. She inspired me not only with her stories but also through her authenticity and humanity. We agreed that we still have a long way to go to combat the key challenges we saw women facing in cyber security.
Lisa is the Director, Emerging Technology Solutions, Americas at Zscaler, specializing in secure access. Lisa is also a co-chair of Trusted Network Communications (TNC), a work group of the Trusted Computing Group (TCG) that defines an open architecture and standards for endpoint integrity and network security, as well as a contributing member of the Security Automation and Continuous Monitoring work group in the IETF.
Lisa has worked actively in information security since 1994. She has built a strong career, and she is giving back and encouraging other women to follow her path.
According to her colleague’s feedback, Lisa can not only make technology work but also help get it into a reasonable format for training customers.
She has terrific technical knowledge, an amazing personality, and she is a fan of Agents of S.H.I.E.L.D.! Here is what we asked Lisa to share.
I've been working in IT for almost 24 years, and focused on cybersecurity for over two decades of that. I started out in Internet services / web services at several small start-ups in my first few years, had a stint as a security analyst in the government and healthcare spaces, then joined NetScreen in early 2003 to work on their next-gen firewalls. We got bought by Juniper in 2004, and I spent the next decade there as a principal solution architect focusing on secure access - NAC and VPN technologies. Juniper spun off that business as Pulse Secure in late 2014, and I continued as a principal solution architect there for a couple more years before joining Zscaler as Director of Emerging Technologies in late 2016.
For the last eight years or so while I was at Juniper and Pulse Secure, I also worked in cybersecurity standards with the Trusted Computing Group and IETF - focusing on open standards for trusted communications enabling network visibility, endpoint compliance, access enforcement, and security automation. 2017 saw the culmination of my work there, with publication of two standards to which I contributed - a major refresh of the TCG's TNC Architecture, which I edited, and an IETF RFC on requirements for security automation and continuous monitoring, on which I was an author.
At Zscaler, we're building a software-defined access solution, Zscaler Private Access, that brings together my previous work in NAC and VPN with my interest in visibility, control, and orchestration. We're tackling use cases such as remote-access VPN replacement, app migration due to cloud initiatives and/or datacenter consolidation, mergers & acquisitions and/or divestitures & spinoffs (MADS), and targeted third-party access for partners, contractors, etc. ZPA solves problems people are facing today, while laying the groundwork for further transformation to true zero-trust networks - where endpoints are treated the same whether on or off the corporate network. Zero-trust enables administrators to pull in their perimeter and focus on protecting their critical resources and supporting infrastructure, and users to get a seamless experience regardless of their physical location or the location of the applications they're accessing. That's the future I'm helping to build!
After starting out in tech support both in & after college, I got hired by one of our customers, a web services startup, to do web design - this was back in the early 90s when web design meant HTML and CGI scripts. We only had one sysadmin, so I ended up pitching in on the sysadmin work for the web servers I supported. The first time one of our servers got hacked, I got interested in web security / system security, then realized that I really needed to learn about network security. I went through several phases as a firewall/VPN administrator - SOC monkey at a local ISP/colo host, then subcontractor to the EPA, then security analyst for a health insurance company - before joining NetScreen as a systems engineer. Having a range of experience on the customer side of the table really shaped my approach to my role at a security vendor…
It's funny - I had absolutely no intention of leaving Pulse Secure when I started talking with my friends at Zscaler! I'd been with NetScreen / Juniper / Pulse Secure for almost 14 years and was leading a global initiative to grow NAC revenue which was very demanding but equally rewarding, and making tangible progress. Two of my colleagues who I respect very much from my Juniper days, Manoj Apte & Denzil Wessels, had been reaching out to me for months about this new technology they were working on that they really wanted me to see... When they finally could share details, after it launched, I was initially dubious about the premise - remote access without an inbound connection?? - then I was amazed that they could actually do that, and then I met the extended team, and that's really what pulled me over the edge. So I guess it was the technology that caught my interest, but the people that made the difference, and the opportunity to shape an emerging area of cybersecurity!
"Most significant" is really hard to call - it changes depending on my mood and what's important to me at the moment. Right now, I'd say it's helping launch our local hackerspace, Splat Space. I served as treasurer in its formative years and worked on our successful 501(c)3 application (a US government designation of charitable status, for tax purposes, which makes it much simpler to operate a cooperative organization like this). I'm still a member, despite my travel schedule being too busy for me to participate much in person these days, and I'm thrilled to see it growing and thriving five years in! We've done neat projects with local schools, Maker Faires, and other SIGs, as well as hosting meetups on everything from coding to It's a great community of really creative, smart, fun people, and a wonderful place to learn something new!
My superpower is humanizing technology - engaging people to understand their goals, their pain points, their requirements, and what they don't know, then working with them to understand how our solution can help them address requirements, reduce or eliminate obstacles, and achieve their goals. I challenge myself to truly listen to people and learn something new in every engagement - whether that's an element of business, technology, politics, etc. - so I can continually expand my understanding of our space and use that experience to help others build on it.
For several years while I was at Juniper, I worked on a set of standards for security automation - initially within the Trusted Computing Group, as the Interface for a Metadata Access Point (IF-MAP), then later also within IETF. In TCG, I edited specifications for a team of engineers developing a publish-and-subscribe interface and metadata framework for exchanging security information - initially focused on network security, then expanded to include ICS security, and designed to be flexible enough to accommodate any security orchestration project. Our hope was to enable an interoperable ecosystem where customers could leverage data from disparate vendors to create a dynamic solution…
But it didn't turn out that way. Initially, it was very promising - a handful of vendors implemented the spec, we had several exciting PlugFests with new implementations coming in for interoperability testing, and we started to see production deployments! But then we realized we needed to make a backwards-incompatible update - to expand the framework beyond our initial limited vision - and that's where it started to go downhill. One of the biggest implementers (my own employer, Juniper) never upgraded to rev 2.0, which was a real boat-anchor on the ecosystem - new vendors had to implement both 1.1 to play with us, and 2.0 to play with everyone else. And the SOAP toolchain was cumbersome - everyone wanted to be working with JSON, but there was political pressure from the vendors who'd implemented SOAP (Juniper again, sigh) not to release another binding.
The biggest lesson I learned is that "if you build it, they will come" only works in the movies. In retrospect, we should have released a binding for JSON as soon as we realized that SOAP was impeding adoption - and I wish we'd had broad enough vision early on to realize that we needed every element of the framework to be expandable, so we could have avoided the need for a 2.0 rev that fragmented the ecosystem. While IF-MAP did get by several vendors, the biggest use ended up being for coordination among a vendor's own products, rather than for interoperability between vendors. I think the work was valuable - and TCG is now working on a new binding to CBOR (the successor to JSON), so IF-MAP may yet have life left in it. But it certainly didn't achieve our goals of providing a widely-adopted interoperable orchestration framework for multi-vendor security deployments.
One of my colleagues who I strongly respect at Zscaler is a sales manager, Ashley Cupstid, in the South Central US area. She's a highly successful account executive with a very distinctive personal style - also, she can be very direct, and very aggressive at pursuing information and engagement for her prospects and customers. She's achieving her success in a part of the US that is traditionally the most male-dominated culture (Texas), on a team that to my knowledge is totally male, in a traditionally male role (sales), in our male-dominated industry.
On our first engagement together, we clashed pretty hard - she'd been handed someone else's mess to clean up, in an account where I had been building technical relationships for some time. She was understandably seeking to get control of the situation, and she tried to position herself as gatekeeper for all communications with the customer. I don't report into the sales organization, and I don't react well to being micro-managed, so we went through a bit of conflict working that out! In the end, we reached a mutual understanding - I've continued to engage with my contacts there, keeping her in the loop the entire time, and consulting with her before initiating anything new, and she's brought me into several conversations that have arisen along the way.
I admire Ashley for her clear sense and projection of who she is, the talent that enables her to thrive in her role, her effective advocacy for her customers, and her ability to identify what's needed both by her and by her customers to enable them to close deals together.
My initial reaction was: I wouldn't say I "work on" diversity. I'd say I contribute to diversity by being a fully competent and contributing member of my team who happens to have two X chromosomes, and I believe that "working on diversity" is a primary responsibility of our People and Culture team, just as "working on technology" is the primary responsibility of a technical role. I realize that some people would say this is a cop-out, but frankly I believe that "working on diversity" is not the particular responsibility of women, any more than it is of people of color, or transgender people, or any other minority.
Thinking about it further - every person inside or outside of HR has a responsibility to work on diversity by valuing people who aren't like them, regardless of the form that difference takes, and seeking to understand each other, especially the way our disparities make us stronger as a whole. Hiring managers can additionally work on diversity by actively seeking a range of characteristics as they form their teams, but I'm not a hiring manager - I've had a firm policy for many years that I don't manage anything I can't reboot.
Despite the headwinds, cybersecurity is a great field in which to be female - once you've established yourself. :-/ I believe that women bring unique soft skills that add value to the tech industry in general and to cybersecurity in particular. We can be just as technical as our male peers, but may be more inclined to collaborative thinking, empathy, and understanding the people side of technology. There are definite benefits to being a technical woman in a room full of technical men - I believe I have more leeway to admit when I don't know something, ask questions, ask for help, in ways that would be more difficult socially for a man. And there's sometimes the "talking monkey" advantage - men are sometimes surprised to see a woman in a technical role, so they tune in for the novelty value (or to see if I really know what I'm doing) and then find that they're actually interested in what I have to say!
I will caveat that I can only speak for my particular corner of cybersecurity - as a solution architect / technical specialist / subject matter expert. I have the impression that it can be a lot more difficult in some of the internal-facing roles, like product management or software development - I've heard some real horror stories from my female friends and colleagues in those areas. So I think I've been lucky to find an aspect of cybersecurity where traditionally-female strengths have value inherent to the role, and
Despite all the women-in-technology initiatives, the reality is that IT is still a hugely male-dominated profession, and it has a long way to go. The first challenge is - how much are you willing to put up with? Casually sexist language - anything from "how would you explain X to your mom?" to gendered pejoratives ("don't be such a blouse") - is still common, as is man-splaining and the usual set of double standards (a man being direct is assertive, a woman being direct is bossy, etc.) You'll have to work harder to prove your technical credentials based on your gender - at this point in my career, that doesn't happen to me as much anymore, but it certainly did when I was starting out.
The best defence, in my opinion, is to think of male/female interactions in terms of social engineering. For example: I still see the pattern where I make a suggestion in a meeting, nobody really responds, then a man makes the same suggestion a few minutes later, and everyone thinks it's a great idea - I try to not get wound up about it, because as long as it accomplishes my goal, I don't care how we get there. (Another luxury of having confidence in my standing, though!) As a naturally "bossy" woman, I try to remember to soften my approach - to say "maybe we could consider X" or "what would you think of Y?" - even when I believe I know the answer we need, so others feel consulted / included / can reach that realization on their own. And it helps me grow, too, because sometimes the response includes something I hadn't considered, that wouldn't have occurred to me if I'd just said "we should do X"!
If I find it, I'll let you know. :-/ I'm a bit of a crazy workaholic, and it can be hard to tear myself away from my email & phone - so I've had to build mechanisms to keep from making myself nuts with it. My partner and I are quite physically active - our hobbies include climbing, caving / cave exploration, rappelling, mountain biking, etc. - so most weekends I unplug and get outside. If you can't reach me on a Saturday, I'm probably doing something that involves rocks, whether it's climbing up them, crawling under them, dropping off them, or crashing a bike on them!
I do try to take care of myself physically - enough sleep, regular workouts, healthy diet - and mentally - with a good support network that lets me vent when I'm stressed. Burnout is a very real thing in our industry, and I'm high-intensity by nature, so I really need that relief valve! One thing I'd like to add is meditation, but I just haven't found an approach that sticks yet…
I've said for years that my biggest problem is always that there is at least three people's worth of work that I want to be doing, and I only have one person's worth of hours in the week! I don't believe that humans can truly multi-task, but I'm a chronic parallel task-switcher - I tend to have at least two or three things going on simultaneously so if I get stuck on any one of them, I can just swap over to another and try to make progress there.
The problem is that I chronically have more interrupts than I can service, so I'm constantly feeling that I'm underwater and desperately trying just to stay afloat. I think this is common across our industry, and I wish there was a way to better handle the firehose. It's a case of wanting to have it both ways - I always tell my colleagues, if there's something you think I can help with, ask me! And if I have the cycles to help out, I will. But that means invariably I get a lot of inquiries that I can't help on, and I always wish I could jump in and tackle them, too. I wish I was better at accepting that I can't do it all, and not fretting over things I wish I could do that just really aren't feasible.
Parisa Tabriz (whom I've never met) - because her work at Google is fascinating, and from the profiles I've read of her, I'd love to hear her thoughts on cybersecurity and the future of IT.
Wendy Nather - because of her amazing ability to synthesize information, highlight critical points, and project a path forward. In many ways, she's who I want to be when I grow up professionally.
Leigh Honeywell - because she's a talented technologist, a dedicated advocate for women in tech, and terrifically fun to hang out with, too!
This one seems like a gimme, but I'd have to say Skye / Daisy. Talented, impetuous, independent but loves her team - with the best of intentions, but doesn't always make the best decisions - works best when paired with a strong partner. (Although I've had more luck on that front than she has - my strong partnership has lasted 22 years, and it's definitely one of the things that keeps me going!)
I really enjoy working at Zscaler - we have fantastic people, innovative technology, and a great corporate culture. I'd love to see more women join the company, and my team, because I think it's a win-win - somewhere women can succeed, and in doing so, can bring the company success.
DEFAULT TO YES! I've had amazing good fortune and great opportunities in my life - in part because I've worked hard to get myself to a point that when an opportunity arises, I go for it. Whether that's single-rope rappel off El Capitan in Yosemite, or taking on an emerging-technology solution in a nascent technology space, or getting duct-taped into a giant foam pad for Crashpad Sumo Wrestling at the New River Rendezvous…
I'm inspired in this by my Mom, who recently attended Burning Man with us for her first time - she's 70, has MS, and has limited mobility and low heat tolerance. So let's go ride bicycles in the desert for a week! What could go wrong? We had many discussions of her concerns, what we could do to address them, and how to ensure that she would not only survive but enjoy herself - and it ended up being glorious. All because she was willing to say YES and trust that together we could make it work - and make it wonderful.
Which is not to say that you should blindly tackle anything that comes by - there may be good reasons not to accept certain challenges or offers. But I always start with assuming the answer is yes unless there's a clear and convincing reason not to - and while I've occasionally looked back and said "well, that didn't go the way I planned!", I've always had more regrets about things I had the chance to do and didn't, than about things I tried that didn't work out.
Lisa and I both believe that more women in our industry equals better-performing teams, and therefore companies. The research has proven those results with clear numbers and statistics. It will always be a two-way interaction between the female employee and the hiring firm. Lisa was given the opportunity to grow and progress, and she did not refuse it. She jumped on it with confidence and passion, believing in her capabilities and the support of her team. Zscaler recognized her experience and her knowledge and believed in her as a leader. She earned her respect in the industry, where women and men reach out to her for advice and answers. Over the years, she learned the best “tricks” for managing perceptions, with a great balance between results and ego. Yes, ego… Others’ ego… She has been giving back to the firms where she has been working for years, and she has contributed tremendously to the community through her speeches and articles.
Lisa also thinks that Zscaler is aligned with her values and principles. She thrives in a culture where internal collaboration is the way to the best success.
Diversity and inclusion are daily efforts that need to start with senior decision makers in an organization. Zscaler has done that not only by encouraging Lisa to share her views and bring her own touch, but also through an open approach to finding out how to make a real change.
Every year, we choose to celebrate International Women’s Day. That said, one day will not change the statistics that continuously show a significant disproportion between women and men. Women need to feel supported and included when they start a new position. The organization needs to ensure an environment where equal opportunities for expansion and promotion are provided for both genders. Zscaler is clearly communicating that the company is an inclusive organization, where opportunities are equal. The firm celebrates people’s achievements in a transparent and collaborative way across borders, and beyond genders.
Zscaler would like to move at a faster pace in making a difference and making clear progress in the space. This includes changing hiring practices, organizing more events around inclusion and diversity, and building a culture change where there is no place for stereotypes.
Franziska Bühler currently works as a Senior Systems Engineer in Switzerland.
Her main areas of responsibility are web server security and everything related to the access layer. In Switzerland, this typically includes authentication and web application firewalls.
She holds a Bachelor of Science degree in computer science with a specialization in IT security. She is also a Certified OSSTMM Professional Security Tester (OPST), accredited by ISECOM (Institute for Security and Open Methodologies).