Secret CSO: Heather Gantt-Evans, SailPoint

What metrics or KPIs do you use to measure security effectiveness? “Some of my favourites are reporting on service level agreement adherence by criticality for risks and vulnerability findings.”


Name: Heather Gantt-Evans

Organisation: SailPoint

Job title: Chief Information Security Officer (CISO)

Date started current role: February 2021

Location: Austin, Texas

Heather Gantt-Evans is responsible for designing SailPoint’s next-generation cyber strategy to decrease risk and exposure points across the business and increase collaboration between teams. She has an impressive depth of cyber transformation knowledge and security experience. Previously, she was at The Home Depot, where she acted as the company’s senior director of security operations and resilience. Starting her career in the U.S. Army Reserves as an all-source threat intelligence analyst, she also supported Air Force Cyber Command for three years, where she focused on cyber threat intelligence and integration of threat intelligence with security operations.

What was your first job? My first job was at age 13 running a YMCA concession stand. My first professional role was as a pharmacy technician - I did this for 5 years prior to entering cybersecurity.

How did you get involved in cybersecurity? I was working at Booz Allen Hamilton – an information consultancy firm – as a government contractor supporting Air Force Real Property Agency as an IT Business Analyst. Booz Allen Hamilton approached me about an opportunity to support Air Force Cyber Command as a Cyber Threat Intelligence Analyst because of my background in tech and as an all-source intelligence analyst in the US Army Reserves. Cyber threat intelligence was a great first role to have because I was able to immerse myself in cyber threat reporting and become very familiar with the cyber threat landscape and cybersecurity terminology.

What was your education? Do you hold any certifications? What are they? My undergraduate degree is in Sociology and my graduate degree is in Technology Management. I also hold certification as a Certified Information Systems Security Professional (CISSP).

Explain your career path. Did you take any detours? If so, discuss. I started in cybersecurity as a Cyber Threat Intelligence Analyst. I then went on to supporting both offensive and defensive cybersecurity operations for the US Air Force. After that, I got picked up by Ernst and Young to build out their Cyber Threat Intelligence service offerings as well as build Cyber Threat Intelligence programmes for companies. My career path then kept growing by raising my hand to take on broader challenges. For example, I raised my hand to help build out Security Operations Centres, cyber exercise programmes, cyber resilience programmes and ultimately entire cybersecurity programmes. I did not necessarily take detours, but I did take time for me and my family along the way as my family grew. 

Was there anyone who has inspired or mentored you in your career? Absolutely - and I wouldn't be here without those that have inspired me and my network of mentors and champions. I don't dare name names as I would absolutely take up way too much space with shout-outs and still inadvertently leave someone off the list. 

What do you feel is the most important aspect of your job? Setting the cybersecurity strategy and equipping the team for successful execution of the strategy.

What metrics or KPIs do you use to measure security effectiveness? Oh wow, an entire metrics catalogue worth! Some of my favourites are reporting on service level agreement adherence by criticality for risks and vulnerability findings.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Definitely Cloud Security, Product Security, and Application Security roles.

Cybersecurity is constantly changing – how do you keep learning? Surround yourself with smart people and ask the ‘stupid’ question. I also love audiobooks and talking through challenges with peers.

What conferences are on your must-attend list? SailPoint's Navigate Conference (of course), RSA and I would love to attend Executive Women's Forum, Women in Cybersecurity, Grace Hopper Celebration, and BlackHat/DefCon.

What is the best current trend in cybersecurity? The worst? I love the emergence of lower friction and agentless security solutions. The worst trend in cybersecurity is a tougher one for me since I love this industry – every industry has pros and cons, fads and staples, etc. If I had to pick one, it is the low percentages of diversity (but this is improving).

What's the best career advice you ever received? Research and role-play your audience in order to anticipate their questions and concerns.

What advice would you give to aspiring security leaders? Make sure you understand what your partner teams, customers, and other stakeholders really do and need. Reach out and understand their day-to-day. Make a strong connection. You will be able to weather the challenges of a security leadership role so much better with these relationships and a deep understanding of how to help the people around you.

What has been your greatest career achievement? Honestly, I feel like it is the sense of community I have developed with people I work/worked with and care about. 

Looking back with 20:20 hindsight, what would you have done differently? I would have liked to have learned to better manage my calendar a bit earlier. It makes such a huge difference in work-life balance.

What is your favourite quote? “It all comes down to being tough on standards and tender-hearted on people.” - Doug Conant.

What are you reading now? I am re-reading The Art of Happiness because I find that book is so centring.

In my spare time, I like to… Check out any live performance (theatre, symphony, comedy, bands, etc.)

Most people don't know that I… Have a pedal steel guitar that I really need an instructor for - anyone know anyone?!

Ask me to do anything but… Build pivot tables in Excel!