Secret CSO: Vanessa Pegueros, OneLogin

How did you get involved in cybersecurity? “I didn’t choose security, security chose me.”


Name: Vanessa Pegueros

Organisation: OneLogin

Job title: Chief Trust and Security Officer

Date started current role: October 2019

Location: Duvall, Washington

With over two decades of technology experience, Vanessa Pegueros joined OneLogin in 2019 as chief trust and security officer charged with reinforcing standards, strengthening trust with partners, and leading internal initiatives across the entire security-first led company. She oversees a range of strategic and operational elements across OneLogin's global offices. Before working at DocuSign, Expedia, and US Bank, Pegueros held senior-level security roles with Washington Mutual, Cingular, and AT&T Wireless. She is a former board member at Carbon Black, sits on the board of Boeing Employee Credit Union, and is a venture partner with Flying Fish Partners in Seattle.

What was your first job? My first job out of college was as a Network Traffic Engineer for Pacific Bell in California. The job basically entailed forecasting network traffic and growing the telecommunication switches to meet the forecasted demand. 

How did you get involved in cybersecurity? I didn’t choose security, security chose me. I ran a next-generation technology architecture team at a wireless company and the CISO of the company did a red team exercise and the results turned out to be not very good for the company. The executive VP in charge of the wireless network told one of his VPs to dedicate a Director to fix security issues. I got called into the office and my VP told me, “You’re gonna go fix security”. I thought about it for a few seconds and said, “ok”.

What was your education? Do you hold any certifications? What are they? I have a BS in Mechanical Engineering from UC Berkeley, an MS in Telecommunications from the University of Colorado, and an MBA from Stanford University.  I also have the following certifications:                                                                                              

  • SANS GIAC Gold Security Essentials Certification (GSEC)
  • Certified Information Security Manager (CISM)
    Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Privacy Professional/EU (CIPP/EU)                                                                                    

Explain your career path. Did you take any detours? If so, discuss. I have always been in the technology space so that has remained fairly constant. I have worked for 12 different companies in my career so that may be considered a lot of detours. I have maintained throughout my career to only stay at a company for as long as my job is fun and challenging and where I feel I can make a positive contribution. This approach has given me a rich experience in different industry verticals as well as different company sizes. I realise that there is not a one size fits all relative to developing an effective security program.

Was there anyone who has inspired or mentored you in your career? I think the strong women in my family have been a foundational inspiration. I met my great grandmother when I was in my 20’s and I have never met such a strong person, all 4’ 8” of her :). In terms of my career, there are many people that helped me along the way including my first boss out of college. I even called him about 6 years ago and thanked him for all he had done for me.

What do you feel is the most important aspect of your job? There are several important aspects of me, I would highlight two of them. The first is the importance of my team and ensuring that everyone in my team feels included, accepted, and able to contribute to their full potential. The second is to treat all security decisions as risk management decisions and enable all levels of the organisation to make the best decisions.

What metrics or KPIs do you use to measure security effectiveness? There are various levels of metrics that are used depending on the audience. For the Board and my peer group, we talk about the top risks of the organisation and gauge progress around reducing those risks. At a more micro level and quantitative level, I utilise metrics around known inventory and maintaining the security posture of those assets. I also look at incident response metrics and measure how automation improves response times. I am a big believer in automation and building automation wherever we possibly can.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At this point, the shortage is not affecting my organisation. There are a few reasons for that: our use of automation and our team culture. Because people really enjoy working with our organisation, they recommend it to their friends and others in their network. I actually have the challenge of more people wanting to come to work with us than we have open roles.

Cybersecurity is constantly changing – how do you keep learning? I learn from my team and listen to their challenges. I learn for startups and hear the new ways they are trying to tackle challenges. I usually pick a topic that I’m interested in and then read a book about the topic, for example, machine learning.

What conferences are on your must-attend list? Right now, I’m not attending any conferences.  Pre Covid, I would try and attend local conferences that were 1-2 days. I think the bigger conferences get the harder it becomes to get real value out of them, they just become too much of a marketing event versus a learning event. I have had good experiences at some Forrester and Gartner conferences, also IAAP conferences.

What is the best current trend in cybersecurity? The worst? I think the best trend is the use of AI/ML in technology. The worst trend is Ransomware and the more people pay the ransom, the worse the problem is going to get.

What's the best career advice you ever received? Some of the best career advice I got was when I asked an executive woman about work-life balance, she told me, “there is no such thing, a job will take whatever you give it”.

What advice would you give to aspiring security leaders? Do as many different roles that you can in your career but have a thing you are really good at, whatever that thing may be. One of the best jobs I had prior to getting into security was being a System Engineer on a Sales team. I learned so much on that job, how to present technical material to customers, how to support Account Execs, how the sales process worked. I had no idea how valuable that role would be to my future at the time.

What has been your greatest career achievement? There are two. 1) Being on the team that launched the first iPhone, my security team had 1 of only 2 phones in all of AT&T Wireless 2) Going public with DocuSign.

Looking back with 20:20 hindsight, what would you have done differently? I’m not one to look back much but I guess I might have made the jump to smaller companies sooner. I really enjoy working for smaller companies.

What is your favourite quote? “There is only one thing that makes a dream impossible to achieve: the fear of failure.” - Paulo Coelho.

What are you reading now? Principles by Ray Dalio.

In my spare time, I like to… Hike, golf, go wine tasting, travel.

Most people don't know that I… love spending time by myself hiking and being in nature.

Ask me to do anything but… don’t ask me to do it over and over again, I get bored.