Cybersecurity Leadership Lessons from a CISO Who Has Worked Across Five Industries
Janet Heins has built and matured cybersecurity programs in pharma, manufacturing, cruise lines, broadcast media, and healthcare. The leadership lessons she's learned translate to any industry, and most of them have nothing to do with technology.
Janet is a CISO who has intentionally moved across industries throughout her career, not because she was chasing titles, but because she loves learning how different businesses operate and applying what she knows about cybersecurity to new environments. She's also the author of Go Ahead, Ask For It, a book about making your value visible and positioning yourself to advance.
Whether you're a practitioner trying to grow, a vendor trying to understand what CISOs actually care about, or an investor evaluating how mature a company's security function is, there's something here for you.
How AI Is Changing Cybersecurity Defense and Why Practitioners Need to Adapt Now
We started the conversation with AI because it's impossible to avoid right now. With major releases happening almost weekly, Janet's take cut through the noise.
She sees AI the same way many of us experienced the early internet. Everyone has access to it. Everyone wants to say they're using it. But most people don't fully understand what they have access to or what it can actually do. The tools being released right now can uncover vulnerabilities that humans wouldn't have the time or capacity to find on their own, and that's valuable. But if that same capability gets into the wrong hands, it exposes systems to risks that would have otherwise stayed hidden.
Her advice for cybersecurity practitioners is straightforward: be proactive. The people who are teaching themselves, staying current, and getting hands-on experience with AI tools are going to thrive. The people who sit back and wait are going to get left behind. She compared it to any other major technology shift. The fundamentals of the job don't disappear, but the tools and the speed change dramatically.
Janet also sits on an advisory committee for High Point University in North Carolina, where they're wrestling with a question that affects the entire cybersecurity talent pipeline: what should the curriculum look like for students who won't graduate for four years? The pace of change means that what's relevant today might be outdated by the time a freshman reaches their junior year. Universities aren't typically built to be that dynamic, and the entry-level cybersecurity jobs that exist today might look completely different by the time current students graduate. The institutions that figure out how to make their programs more adaptive will produce graduates who are ready for the market. The ones that don't will be sending students into an industry that's already moved on.
Why Data Governance Is the Biggest Gap in Cybersecurity Right Now
When I asked Janet what's working in cybersecurity, she said the tooling is actually doing its job. When nobody's talking about security incidents, that usually means the tools are stopping threats and doing what they're designed to do. The challenge has always been that success in cybersecurity is invisible, which makes it hard to justify continued investment.
But when I asked what's broken, she went straight to data governance.
Her point lands hard. Companies treat storage as cheap and let data sprawl happen without oversight. Data gets replicated across systems, duplicated in repositories, and nobody is tracking which version is the source of truth. Most organizations don't have a dedicated leader whose job is to steward the company's data, to understand what data exists, where it lives, how it's classified, when it should be archived, and when it should be deleted.
This creates problems on multiple levels. From a cybersecurity perspective, you can't protect data you can't find or classify. From a compliance perspective, you can't demonstrate control over information you don't govern. And from an operational perspective, if five people go to five different data sources to answer the same question, they'll get five different answers. That's an efficiency problem, a decision-making problem, and a trust problem.
The AI connection makes this even more urgent. Every organization rushing to implement AI is dependent on the quality of the data they're feeding into it. If the underlying data isn't governed, the AI outputs won't be reliable. Janet sees data governance as the unlock that makes AI actually useful. Without it, organizations are building on a foundation they can't trust.
For vendors, this is a growing market opportunity. The companies solving data classification, lifecycle management, and governance are addressing a problem that only gets more urgent as AI adoption accelerates. For investors, data governance maturity is a signal worth evaluating when assessing how ready a company is to benefit from AI. For practitioners, this is a conversation worth having with leadership before the AI initiatives outpace the data infrastructure.
Common Cybersecurity Challenges Across Industries
Janet has intentionally built her career across industries because she loves learning what makes different businesses operate. Pharma, manufacturing, cruise lines, broadcast media, healthcare. Each one feels unique from the inside, and they are. But she's also found patterns that show up everywhere.
The most universal one is what she calls "the thing you can't shut off."
In biotech, it's the manufacturing line for biologics. You're growing living organisms to make medicine. If you shut down the line to patch a system or install an endpoint tool, you lose the entire batch. In cruise lines, it's the ship. In broadcast media, it's the live feed. In healthcare, it's patient care systems. Every industry has some version of this: a system or process so critical to operations that it can't be interrupted, even when cybersecurity requires it.
That forces security teams to get creative. They have to find ways to protect systems that can't be taken offline and work around constraints that don't exist in a textbook or a framework. For practitioners, this is a reminder that cybersecurity in the real world is never as clean as the certifications suggest. For vendors, understanding these operational constraints is essential if you want to build products that work in production environments, not just in controlled demos. For anyone entering the industry, knowing that this dynamic exists in every sector will make you more effective from day one.
The other constant Janet identified is the challenge of legacy systems. Across every industry she's worked in, there are always systems that are out of support, too old to protect with modern tools, and too embedded in operations to replace quickly. She sees this as a business prioritization problem more than a technology problem. In companies where technology isn't the primary business, upgrading legacy infrastructure competes with revenue-generating priorities and often loses.
How CISOs Get Board Buy-In for Cybersecurity Initiatives
Janet has a framework for getting executive and board-level buy-in for cybersecurity investments that she's used across every industry she's worked in.
She frames every cybersecurity initiative around four categories that leadership already cares about:
Operational: Does this keep the company running? Whether it's broadcasting radio shows, cruise ships leaving port, or providing healthcare to patients, leadership wants to know that operations won't be disrupted.
Financial: Does this protect the company's ability to generate revenue? Any cybersecurity risk that threatens the bottom line gets attention.
Reputational: Does this maintain customer and consumer trust? Companies need their customers to trust them in order to keep doing business. A security failure that erodes that trust has measurable consequences.
Regulatory: Does this keep the company in compliance? Regulators have the power to shut operations down. Framing cybersecurity initiatives around regulatory requirements makes the stakes clear.
If a cybersecurity initiative can be tied to one or more of those four categories, it gets traction. If it can't, it probably shouldn't be a priority in the first place. Janet said she doesn't typically rely on heavy risk quantification in these conversations. It's more conversational and rooted in common sense. The key is speaking the language of the business, not the language of cybersecurity. When you tell a board that a particular risk threatens the company's ability to operate, they listen. When you describe a vulnerability without connecting it to a business outcome, they don't.
For vendors, this is direct insight into how CISOs sell cybersecurity internally. If your marketing and sales materials don't map to these four categories, you're making your champion's job harder. For investors evaluating a company's security posture, asking whether the CISO has board access and a framework for communicating risk is a strong signal of organizational maturity.
How to Align Cybersecurity with Business Strategy
A theme that ran through the entire conversation was the importance of aligning cybersecurity with the company's mission. Janet made a distinction that many security leaders miss. It's not enough to be good at cybersecurity. You have to connect what you do to what the company exists to do.
When she worked at a cruise line, the mission was making vacations fun. In healthcare, it's keeping patients safe. In biotech, it's producing life-saving medicine. Each company has its own language, its own priorities, and its own way of talking about what matters. Security leaders who learn that language and align their work to the company's purpose get included in conversations early. They get resources. They get buy-in. And they shift the perception from "security is the department that says no" to "security is the team that enables us to do what we do safely."
Janet's advice for making this happen is to build relationships with the people in the rooms you're not in. Understand what your boss's peers care about. Understand what keeps them up at night. Connect your work to their goals, and make that connection visible. That's how cybersecurity goes from being a back-office function to being a strategic partner.
For vendors, this is a reminder that CISOs are not just evaluating your product on technical merit. They're evaluating whether they can tell a story about your product that resonates with their leadership. Make that story easy to tell.
What Security Incidents Teach You About Cybersecurity Leadership
I asked Janet about a moment that shaped her career, and she went straight to security incidents. She's been through several major ones and was candid about what they're actually like. They almost always start on a weekend. They flip everything upside down. They run around the clock for days, sometimes weeks. The incident doesn't pause because you need sleep.
What she said next is worth sitting with. Those incidents are the best team-building experiences she's ever had. Being in the trenches with people through something that intense, in a compressed timeframe, creates bonds that last. She wouldn't wish it on anyone, but the people who go through it together come out the other side closer than they were before.
For Janet, those experiences didn't push her out of the industry. They made her want to stay. Because in those moments, you're doing exactly what the role is for. You're protecting the company, and you're making things better on the other side.
For practitioners, the moments that test you the most are often the ones that define your career. For vendors, understanding what CISOs have lived through during incidents shapes how you should approach them. They don't need fear-based marketing. They need partners who understand the reality.
Cybersecurity Career Advice: Make Your Value Visible
Janet is the author of Go Ahead, Ask For It, a book about a system she developed for advancing in her career. The core idea is that most people don't make their value visible. They do good work, but they don't connect that work to the company's goals in a way that decision-makers can see. And then they wonder why they're passed over.
Her approach is to align your personal purpose with the company's purpose, make the value of your work visible to the people who matter, and then ask for what you want with that backing. Not "may I please," but "here's what I've contributed, here's how it ties to what we're trying to accomplish, and here's what I'd like to do next."
She's honest in the book about times it worked and times it didn't. But even a "no" gives you data you can learn from. For anyone in cybersecurity who feels like their work goes unnoticed or their career has plateaued, this is worth reading. The principles apply well beyond security.
Why This Conversation Matters for the Cybersecurity Ecosystem
Janet's perspective is valuable precisely because she's seen so many different environments. The patterns she's identified apply across the industry. Her framework for board communication is something any CISO can adopt immediately. Her take on data governance speaks directly to a gap that's only growing as AI accelerates. And her approach to career growth is relevant for practitioners at every level.
That's the kind of cross-cutting conversation The Cybersecurity Ecosystem Show is built for. Not just how to do cybersecurity, but how to lead it, communicate it, and build a career around it.
Watch the full conversation with Janet through the link below.
Frequently Asked Questions
How do CISOs get board buy-in for cybersecurity? Frame every initiative around four categories boards already care about: operational continuity, financial protection, customer trust and reputation, and regulatory compliance. Connect cybersecurity risks to business outcomes using the language of the business, not technical jargon.
What are the most common cybersecurity challenges across industries? Every industry has systems that can't be shut off for patching or maintenance, legacy infrastructure that's too old for modern security tools, and the ongoing challenge of making security success visible when the best outcome is that nothing happens.
Why is data governance important for cybersecurity? You can't protect data you can't find or classify. Without data governance, organizations have duplicate data across multiple repositories with no clear source of truth. This creates security gaps, compliance risks, and unreliable AI outputs as organizations adopt AI tools that depend on data quality.
How is AI changing cybersecurity defense? AI tools can uncover vulnerabilities faster than humans and at a scale that wasn't previously possible. But the same capabilities can expose systems to new risks if accessed by threat actors. Cybersecurity practitioners who proactively learn and adopt AI tools will be better positioned than those who wait.
What cybersecurity career advice do experienced CISOs give? Align your work to the company's mission, make your contributions visible to leadership, and build relationships with stakeholders outside of your immediate team. Career advancement in cybersecurity depends on demonstrating business value, not just technical skill.
Connect with Janet Heins on LinkedIn: https://www.linkedin.com/in/janetheins/
Get Go Ahead, Ask For It on Amazon: https://www.amazon.com/Go-Ahead-Ask-Value-Undeniable-ebook/dp/B0GLR2W4D5
The Cybersecurity Ecosystem Show connects practitioners, investors, vendors, regulators, and everyone in between. New episodes drop weekly. Subscribe so you don't miss one.