Secret CSO: Joan Pepin, Auth0

Discover the secrets of the modern CSO…

Name: Joan Pepin

Organisation: Auth0

Job title: CISO and VP of Operations

Date started current role: 1.5 years

Location: Portland, OR

From attending "computer camp" and hanging out with hackers to working for Nike's digital security unit, Joan Pepin has over 20 years of industry experience. As CISO & VP of Operations, she is now responsible for the holistic security, compliance and availability of Auth0.


What was your first job? Flipping burgers at Burger King when I was 14.

How did you get involved in cybersecurity? I've had a love for computers since childhood. I went to a computer summer camp when I was eight years old, and growing up, I used a Mac Plus. Around my senior year of high school, I started to get interested in the information security (InfoSec) aspect of computers, and there were some well-known experts either attending the University of Massachusetts Amherst, where I went to college, or living in that area. I hung out with a bunch of hackers in college in the early 90s - the typical 2600/Cult of the Dead Cow (cDc) sort of crowd. When financial circumstances forced me to leave school, InfoSec was a way to earn a decent salary without the degree I had been working toward.

What was your education? Do you hold any certifications? What are they? I'm a college drop-out. In terms of certifications, I was a Microsoft Certified Solutions Expert (MCSE) at one point a long time ago. I do hold a patent for developing a methodology to assess whether a communication contains an attack.

Explain your career path. Did you take any detours? If so, discuss. I've been in InfoSec for 22 years. I'm currently the CISO and VP of Operations at Auth0, where I'm responsible for the holistic security, availability, and compliance of our platform, products, and corporate environment.

Prior to Auth0, I worked at Nike as their Business Information Security Officer (BISO), responsible for the security of Nike's digital business unit and direct-to-consumer portfolio. Before Nike, I was CISO and employee number 11 at SumoLogic.

Was there anyone who has inspired or mentored you in your career? I've had a couple of good mentors throughout my career who helped a lot with my sense of perspective, and where I could set my goals. One was my boss about 10 years ago. He was the first person to promote me into management. He's also a CISO now, and we stay in touch to keep each other grounded. I acquired the other mentor very recently, and he's been fantastic at helping me think even bigger.

What do you feel is the most important aspect of your job? Helping my company be successful at achieving its business goals through skillfully managing risk. An important part of this is building and maintaining a culture of security, where employees no longer view security as an inconvenience, but see themselves as part of a team working to identify suspicious activity before it becomes headlines. Building this type of culture requires leadership, and leadership is a vital skill for modern cybersecurity practitioners.

What metrics or KPIs do you use to measure security effectiveness? It depends very much on the company, its products, and what you're trying to secure. If your intellectual property (IP) lives on 100,000 desktops, you may want to measure incidents handled in a year, or incidents per headcount, defined as viruses, for example. If your IP lives in a walled-off database, in a walled-off data centre, you may instead want to focus on behaviours. Are your developers writing secure code, and passing their automated security tests? Are your employees reporting potential phishing emails to the security department, and ensuring that non-employees don't follow them into the building?

For about 10 years I was in managed security as a service. In that field, what you measure depends on what your customers want to see, and their reporting requirements.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Finding good talent in cybersecurity is an ongoing challenge for every company. But I am incredibly lucky to have a very strong team around me, a couple of whom I have worked with at previous companies. When I find good talent, I keep it.

Cybersecurity is constantly changing - how do you keep learning? I challenge the premise that cybersecurity is constantly changing. There are new technologies to secure, but the same fundamental information security principles of availability, confidentiality, and integrity have not changed. That doesn't mean that you stop learning, but it's important to recognise and apply security best practices.

What conferences are on your must-attend list? If you are a technical security practitioner, you should absolutely go to Defcon and Black Hat. If you are a woman in security leadership, you should absolutely go to the Executive Women's Forum.

What is the best current trend in cybersecurity? The worst? The worst trend is the inclusivity problem in InfoSec. As a community, cybersecurity professionals need to be more welcoming. Generally speaking, there's a pervasive attitude in the field that if you don't already know everything, you don't belong here. It's a self-defeating behaviour, and we need to encourage and support people trying to break into the field, especially with the huge amount of jobs to fill.

What's the best career advice you ever received? To try to focus on win-win situations. Rather than focusing on being the manager, director, VP, or chief officer in charge of a department with individual goals, imagine you're the CEO or chairman. In that case, you wouldn't care about the success of an individual department, you'd want the whole company to win.

What advice would you give to aspiring security leaders? I would say, broaden your view of InfoSec. InfoSec is a wide-open pasture for aspiring leaders to come into and make their own opportunities. There is an extreme lack of people to fill a huge amount of open positions, and a wide variety of different jobs and careers just within the field. You can be in compliance, incident response, security architecture, application or network security, consulting, and more. There are hundreds of different jobs just waiting to be discovered.

While security roles have many technical qualifications, they also require a range of soft skills to educate the organisation about security, and advocate for budget and best practices. The most successful security practitioners are deeply involved with the business, and elevate themselves above a purely technical role to have a louder voice in overall decision making.

What has been your greatest career achievement? I focus a lot on developing people. I'm proud that people who've worked for me have gone on to be vice presidents, and grown in their careers tremendously from entry level to directors and senior directors.

Looking back with 20:20 hindsight, what would you have done differently? Having an executive coach has been really transformative. I would have done that sooner.

What is your favourite quote? "The arc of the moral universe is long, but it bends toward justice." Martin Luther King Jr.

What are you reading now? I've been reading and watching a good bit of history lately, particularly about generals, presidents, and heads of state, because I'm thinking a lot about leadership. Right now, I'm reading The Proud Tower: A Portrait of the World before the War, 1890-1914 by Barbara W. Tuchman, about the political, social, cultural, and economic conditions that led up to WWI. Along with the rest of our senior leadership team, I'm also reading The Advantage: Why Organizational Health Trumps Everything Else in Business by Patrick Lencioni.

In my spare time, I like to… Play guitar.

Most people don't know that I… I don't have a degree.

Ask me to do anything but… Throw my team under the bus.

