Heather Ceylan, the deputy CISO at Zoom, arrived at the company in January of 2021. Before coming to Zoom, she spent nine years as the director of cybersecurity, privacy, and risk at PwC, later moving to Collective Health to manage security, privacy, and compliance. With the influx of users and enterprises using Zoom during the pandemic, Ceylan saw the move to Zoom as an opportunity to grow.
At the time, part of her job was to oversee security certifications and attestations. Zoom—a company with a market cap of $19.61 billion—had about two certifications at the time. Now, they have more than 20.
“We had to scale to meet that pace,” Ceylan told IT Brew. “Our security program grew unlike any other security program I’ve ever seen.”
IT Brew caught up with Ceylan, and other leads at the company, to chat security measures, cyber threats, and being a woman in a male-dominated industry.
On strategy and goals
“Our goals for our security program, number one—first and foremost—we have to protect the platform and protect our customers,” Ceylan said. “If we’re not doing that, we’re not doing our jobs.” Next comes product and revenue, and securing and supporting talent. “There’s such a shortage of good cybersecurity talent out there, and you’re only as strong as your people.”
One way they’ve attracted top talent is via the company’s Bug Bounty program, Sandra McLeod, the head of security assurance at Zoom, said.
“It’s our goal to find everything we can and prevent anything from going out the door,” McLeod said. “We know that we can’t catch everything.”
At their last hacking event, over 60 researchers submitted reports, representing 30 countries. “We don’t set limits on what we want them specifically to look for. We’re really looking for breadth there,” McLeod said.
On the global landscape
“I think one of the things we’re closely monitoring is the geopolitical landscape right now,” Ceylan said. “You have lots of stuff happening in the world. You’ve got Russia, Ukraine—you’ve got tensions with China…When that stuff happens, there’s going to be increased cyberattacks, increased cyber warfare from nation states, criminal groups.”
Michelle d’Amico, the head of global intelligence and insider risk at Zoom, said their strategy doesn’t necessarily shift based on these geopolitical events because “we always exist in an evolving threat landscape.”
“The biggest challenge is not actually the shifting global geopolitical landscape and the threats from nation-state, criminal, intentional, and even unintentional threat actors, but rather, it is sifting through all the data and noise to surface what’s meaningful from a threat perspective,” she said in an email via PR rep Allie Attarian.
Other threats include domestic extremism, “the democratization of offensive cyber capabilities,” and tech that can be used to spread disinformation, d’Amico said.
On adapting and AI
“What we set out to do in a year, it changes every single quarter, because we’re adapting as the market changes,” Ceylan said, adding that the “generative AI push” last year also brought about new strategies.
“People may not know this, but AI has been core to Zoom’s product DNA over many years,” Lynn Haaland, Zoom’s chief privacy officer, said in an email via PR rep Clarissa Marzán.
In developing gen AI features, Haaland says the team relies on two core privacy principles—transparency and choice.
Teams at Zoom also use AI to make sure they’re staying abreast of potential cyber threats. “One area we’re investing in is our phishing simulation platform—an AI-driven simulation platform that does targeted behavioral-based phishing simulations for folks and provides that real-time training,” Ceylan said.
In the past couple of years, threat actors have utilized AI to their advantage for social engineering schemes, cyber-kidnapping, and more. In light of this, Haaland encourages users to remain vigilant.
“If a user suspects another participant is using a deepfake, we encourage them to report that to our trust and safety team and law enforcement authorities so appropriate action can be taken,” she said.
On being a woman in the IT industry
In her early career, Ceylan—who says she’s never had a female boss—saw the value in meeting other women in cybersecurity. “I would encourage women to seek out that mentorship where you don’t have it,” she said. “It’s sharing those success stories, and that builds the confidence that [women] need to say like, ‘Oh, yeah—I could take on a CISO role.’”
McLeod encourages women in the security field to also establish connections outside their organization. “Those connections are going to become your network that you’re going to learn from,” she said. “It’s really important to grow that network and make sure it’s a 360-degree network.”
“A lot of times, as women, we tend to think of all the reasons we’re not good enough for something instead of all the reasons that we are,” Ceylan said.