Secret CSO: Stan Lowe, Zscaler

Name: Stan Lowe

Company: Zscaler

Job title: Global Chief Information Security Officer

Time in current role: <6 months

Location: Washington D.C.

Stan Lowe, a cybersecurity and technology executive, has successfully led transformational change in large, complex environments, as well as in small and mid-size cybersecurity and IT organizations. As Zscaler Global Chief Information Security Officer, Lowe oversees the security of the Zscaler enterprise and works with the product and operations groups to ensure that Zscaler products and services are secure. Part of his focus is working with customers to help them fully utilize Zscaler services and realize the maximum return on their investment. Stan's public service record extends to the U.S. Department of the Interior in the Bureau, the U.S. Postal Service Inspector General, and the U.S. Navy.

What was your first job? Hoeing peanuts. I was 10 years old, growing up in Southern OK, and paid 25 cents a row. It was hot and horrible.

How did you get involved in cybersecurity? After I finished my Navy career, I started working at the DARPA Technology Integration Center and got involved in the Total Information Awareness (TIA) program.

What was your education? Do you hold any certifications? I have an undergraduate degree from Strayer University and a Masters Certification in PM from GW. I don't currently hold any certifications. I am, however, a recovering CCIE, MCSE and CCNP.

Explain your career path. Did you take any detours? If so, discuss. I started out as a network guy, then when I was exposed to cyber through the TIA program, I thought this was the coolest thing ever and switched over to cybersecurity, concentrating on network and endpoint security and later on security operations centre (SOC) operations. In the mid-2000s, I got burned out and decided I needed a break from cybersecurity, so I applied for a job as the DCIO for budget, staffing and logistics at the Federal Trade Commission before serving as CIO for several years.

I moved to the VA in 2013 to go back to cyber, but ended up helping develop the Post-9/11 GI Bill program as Deputy Director, which was the first successful agile development project ever in the federal government. I also helped set up the DoD/VA Interagency Program Office that was to develop the Joint Electronic Health Record for DoD and VA. I finally got back into cyber when I became the Deputy Assistant Secretary and CISO for the VA. I served in the role for a few years. Now I'm working in the private sector.

Was there anyone who has inspired or mentored you in your career? I've been so lucky to have had many people see some little spark in me and help me along the way. Seeing the leadership of mentors like John Poindexter, Roger Baker and Scott Dexter has taught me that leadership is how you talk to and treat people, and the biggest test of that is how you lead an organization in times of crisis. The best way to lead during a crisis is to be calm, cool and collected. Don't place blame or make any rash mistakes. Take a step back to assess the problem and quickly find a solution. Worry about the root cause of how you got there later on.

What do you feel is the most important aspect of your job? Transformational Security. For years, we have been trying to overlay security on an inherently insecure protocol. Every time there's a new security problem, the current process is buying a tool to fix it. But now the Internet is increasing the boundary of the network and creating different holes. In short, the network is now completely insecure. Instead of approaching security as a castle-and-moat problem, we should assess four different criteria: the identity of the individual trying to gain access, what device they are using to try and gain access, where the individual is located, and what they are trying to access. Using these criteria, we can develop an architecture best suited to connecting authorized users to their designated applications, and restricting access for unauthorized users.

What metrics or KPIs do you use to measure security effectiveness? My KPIs are business based. I compare two key metrics: Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to identify how and where future investments should be made, and to validate the efficiency of existing investments. I create Business Impact Assessments (BIAs) with the company to understand business objectives and prioritize precisely what the company cares about protecting. From there, I'm able to measure what we've done to enable the business to drive revenue securely and reduce risk.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Absolutely, especially engineers, architects and threat analysts. There is a known shortage of qualified cybersecurity employees and it's only getting worse. That is one of the promises of cloud-based security combined with AI and machine learning. It has the potential to allow certain parts of security to be automated, freeing up IT teams to focus on activities that will enable secure business growth.

Cybersecurity is constantly changing - how do you keep learning? Read and talk with peers and business leaders. Back in the mid-90s, there were only 300 to 400 people who did this work. Now, the network has grown and there are more resources - LinkedIn, blog posts, events like DefCon, etc. I personally have a list of various websites and blogs I constantly review and update to keep up to date on what's cool, forward-thinking and thought-provoking.

What conferences are on your must-attend list? I personally prefer smaller more intimate conferences over larger ones where you can get lost in the shuffle or experience the "squirrel" problem (look at this, look at this!). I've been going to DefCon for the past twenty years, and I'm required to go to RSA. Conferences are always a good time to connect with old friends.

What is the best current trend in cybersecurity? The worst? The best is Zero Trust. By implementing a model that does not inherently trust any user or network and requires verification on any attempt to access a system or application, enterprises are enhancing their application security and improving the remote-access user experience.

The worst is trying to overlay traditional cyber architectures for modern cloud applications. It's expensive and ineffective.

What's the best career advice you ever received? Put yourself in your end user's shoes. Think about the impact what you want to do will have on them and what they are doing. Will it make the end user's job easier or harder?

What advice would you give to aspiring security leaders? This is similar to the advice above, which I was given in one of my first CISO roles. Become invested in and an expert on your business and what you can do to help your business achieve its goals. As I matured in the cybersecurity space, I started discovering we often approach things from a tech perspective. Technologists get too concentrated on making sure the tech works rather than thinking of how technology can support business problems and drive shareholder value. You don't need to secure the network - what you need to do is help organizations achieve business missions, and what you do affects that.

What has been your greatest career achievement? Ensuring Veteran Students were able to get paid their Post-9/11 GI Bill benefits on time, and helping Tony Scott create the Federal CISO position.

When the post-9/11 GI Bill was passed, it was planned for implementation 6 months later - programs like this usually take 3 years to implement. We scrapped our typical IT approach and adopted an agile business approach to the problem, focusing on development over procurement. We put the system up in 9 months with incremental delivery every 3 months, ensuring veterans would receive a fully paid college education with board.

I was involved in the creation of the Federal CISO position in 2015. We formed a council, mapped the requirements for the position, and installed the first Federal CISO, Greg Touhill. The position is still continuing today with Grant Schneider.

Looking back with 20:20 hindsight, what would you have done differently? I wish I had finished school sooner. I quit high school in the 11th grade and joined the Navy. I wish I had the ability to stay in school instead. Luckily I was able to go back and finish my undergraduate while working full-time, but the benefit and leverage of an education would have helped me much earlier in my career.

What is your favourite quote? "That's mighty bold talk for a one-eyed fat man!"

What are you reading now? The Surgeon's Mate and re-reading the "Old Man's War" series.

In my spare time, I like to… Play guitar and spend as much time as I can with my 14-year-old before he doesn't want to hang out any more…

Most people don't know that I… am a HUGE video gamer! PlayerUnknown's Battlegrounds and Destiny 2 are some of my current favourites. I'm also a fan of VR gaming (Oculus Rift).

Ask me to do anything but… Eat anything I used to have to pick growing up…


