Having a diverse background in our careers rewards us with diverse experiences and insights. Janet Heins brings the breadth of her career experience to her role as the Chief Information Security Officer (CISO) at iHeartMedia. In this episode, she sits down with Matthew Stephenson to tell us about her journey from the cruise line industry, manufacturing, biotech, and pharmaceutical before landing at her current position in one of the largest media streaming companies in the United States. Janet shares the key things she found in common across different industries that have helped her in the strategic direction of the company’s Information Security Program. Touching on the human component, she then talks about dealing with culture, especially as the team transitions into new leadership. Join Janet in this conversation and gain great insights from her wide experience.
Janet Heins: I Love To Build
We are excited to welcome Janet Heins to the show. This is so cool. We always say we are excited, but this one’s close to my heart. I dig this. Janet is the CISO at iHeartMedia. If you don’t know what that is, I feel sorry for you because you’ve been living somewhere without access to electricity. In previous lives, she served as the CISO at Royal Caribbean Cruises, the Global IT Operations Leader, and CISO at W. L. Gore & Associates, Director of Information Security and Governments, and CISO at Biogen, and maybe another company you’ve heard of, Merck & Company where she was Director of Records and Management and IT compliance. Let’s say Janet knows a little bit about how to keep things safe and keep things legal for everybody. Janet, welcome to the show.
Thank you. I’m happy to be here.
This is a big day because you are heading out the door. I’m not going to give up your OPSEC, but let’s say you are going to go someplace besides work for a little while. Thank you for taking the time with us. You are the CISO of one of the most important content streaming services in the world, but naturally, in the course of your career progression, you came from the cruise line industry and naturally before that, manufacturing, biotech, and then pharmaceutical. Help me out with that path. How do you do that? Why do you do that? That’s a diverse and roundabout way to go.
I enjoy learning new things for sure. That keeps me energized. I’m interested in the work I do. I love security. Taking that same theme and applying it at different companies within different industries is what jazzes me up. I feel like I have learned so much more than staying at one company in one industry than maybe others would or maybe I would have on a different path.
It’s a fascinating path. Most of us would agree. I’m not going to put words in anybody’s mouth. Going from pharmaceutical to biotech, that seems like, you’d be like, “That makes sense. I get it,” but then to hardcore manufacturing, and then from there, let’s go to the cruise line industry. As a CISO when you are picking up all of these new bits of knowledge and meeting these incredible people and adding to your Rolodex, in your opinion, is it more helpful to have that wide almost like fusion cuisine approach to being a CISO? Does it keep you on your toes better as opposed to if you tend to stay inside a narrower lane in a career progression?
I can only speak from my own experience, but I believe that having that movement and there is a little bit of a natural progression although it doesn’t come across maybe line for line, I can go through that. The thing that helps me is that I get to see what’s common across companies and industries, and what’s not common.
When I meet with my peers and CISOs from other companies that work in industries that I have not yet worked in, we do have a common baseline of things that we do similarly, fight the same way, or need to be aware of. There’s a commonality to it. The nuances of the industry, the customer base, and the culture of the company add to the challenge for me. Sometimes I’m a little bit of a challenge junkie, so I like to go after things that I don’t know a lot about and learn about them.
From a CISO perspective, and maybe not even you specifically, this is your opportunity to speak for every CISO on earth, so no pressure. The end asset, in pharmaceuticals, is the medicines that they are putting out. In biotech, there are various things. I don’t even know how to describe the things that come out of biotech. Manufacturing is the item that is at the end of the factory. The cruise line is the experience. Is that what you are protecting overall or is it the company that is creating those things? How much does the end result of what comes out of the company affect what you are doing with regard to security?
As CISO, since I’m speaking for all of us, we always need to have a line of sight to what’s the purpose of the company and what’s the end goal of the company. There are in these companies and other companies, many people in departments, processes, and technologies that get them to be able to deliver that end state whether it’s a fun experience on your vacation while you are cruising.
Biotech produces the same medicine as pharmaceuticals. It’s more like vaccines like living organisms that you shoot into yourself to be better, but they saw other diseases as well. It’s similar to other areas. People, processes, and technology all go into making the end product for the consumer, customer, and purpose of the company. Those three topics all need to be covered in any security program: people, process, and technology.
You had mentioned that a colleague of yours had mentioned to you that you were “brave” for moving among the industries. Is that bravery? Is it that you get bored easily? You said that you are always seeking a challenge. Is it brave? Let’s open with that as the question.
That’s probably up to individual people to determine. Changing companies a few years ago usually meant moving. That’s always a big thing too, having to pick up a family, your home, and whatever and move. As far as the company, brave to move to different industries. There are people that are comfortable staying in a company, working there, knowing it well, and making it better. Contributing to it is what gets them jazzed up. It’s a difference in style. I don’t necessarily get bored. I wouldn’t want to say that. In security, you can almost never get bored.
Having the opportunity to move around from industry to industry as I have, going to your point from manufacturing to a cruise line industry was vastly different for me because if you think about it, they had 50 to 60-some-odd ships floating around the ocean somewhere in the world needing protection in a way to be sure that their passengers and crew weren’t in harm’s way. There’s a lot of technology on cruise ships and therefore, there’s a lot of opportunity.
Skyscrapers leaned over on their side, but for the added degree of difficulty, let’s float them in the middle of the Pacific Ocean for two weeks and fine. It will be great. As a CISO, your hands are all over all types of security. Is physical security a part of your purview?
It’s not and it hasn’t been in any of my roles. I know some companies that do that. I have always partnered closely with them. We have a lot of things in common. We are always protecting and keeping bad things out. It’s always good to be closely partnered with that group if they are not together.
It’s always good when news breaks in between the time that we agreed to do the show, had the conversation about doing what we are going to talk about, then the show happens, and then there’s when news breaks overnight the night before that we are supposed to do it. A massive incursion at one of the larger ridesharing companies in the world was announced. I’m not asking you to speak to this specifically, but you are the CISO at one of the largest media streaming companies in the United States.
When news breaks of something of this magnitude when you have been beaten at all levels, what is the reaction? I’m not asking you to lay out the game plan. This is what we do when this happens, but you get that call at 11:47 at night. You have gotten into bed counting on that quality four hours of sleep before you get up and start your day tomorrow to protect the world from everything. Where does your brain go first, say, “I need to do this in order for the next few things to happen?”
Having been in that situation before or maybe not an equivalent situation, but similar as far as just something suspicious or malicious happening, it’s a huge reliance on your team and your extended team. I don’t mean just the security team. That is by nature because you need all the different thought processes and perspectives.
I always think of it like you are looking at it from a different angle than other people are. You need those people that are looking at this from a different angle to make sure that you’ve got all of the thought processes and different perspectives together, so they don’t miss anything. That’s the key. All of us in information security and cyber security know that having an incident response plan, and practicing and exercising that plan so that you do get to build the muscle for what you need to do in this heat of the moment is important.
That’s what gets you to this point of being able to pull it all together quickly and assess, “Do I need outside help? Do I need to make any public statement?” What are all those? There is a whole checklist and response plans that many of us are familiar with, but that’s what gets you practiced and ready. Having the right roles on the team, especially on the initial team, is super important.
That’s the tough thing. Your job as a CISO is you hope you don’t have any practice at this. You would like to retire without being the least prepared to deal with this. You are totally prepared but with the least experience in dealing with this because you’ve never had to. Not to keep beating on this, but we are going to segue out of this.
This is a date stamp. We are recording this on Friday, 16th, September 2022. This is going to be published a little bit after that. It was social manipulation, which means it is an unwitting insider threat. This was not malicious activity from someone inside. Segue into the larger theme of what we talk about on the show. For your approach to making sure your people, your teams from the most seasoned veteran to the most recent intern even.
If they can log into a company machine, by definition, they are an opening for a bad actor to come after. What inspiration can you take from these events, from your history, from other people’s histories and implement that for your people to put them in a position to not be susceptible to this thing, to be the hero as opposed to being the one who through no intent happened to get beat this one time?
It’s similar to what we talked about with the specific incident response plan, but it’s exercising and testing all of your employees to make sure that they know what to look for and know what to do in case they see something or they think they did something wrong that they know whom to notify. Security awareness for employees, contractors, partners, customers, and the list goes on, is huge.
We do a good job of it as companies. For the most part, I can’t speak for all companies but if you have a mature security program, you have a good employee awareness program. I’m not so sure we reach the scope of our company, but there are individuals out there, mothers, grandparents, cousins, or siblings who aren’t as aware and aren’t given that same opportunity to be made aware. Certainly, inside the enterprise of companies, the best protection is to have a strong awareness program.
It used to be seen more as you are trying to catch me doing something wrong. You are trying to trick me and catch me doing something wrong. More and more, as these recent news stories break and the details about them being that some unwitting employee was socially engineered, I believe people are starting to recognize the value in them. There are different ways you can go about the approach. You can make it a little more lighthearted. It doesn’t have to be punitive by any nature. You can get your employees what we call the click rate. Email phishing will remain the number one, at least initial entryway.
I always love getting those texts like, “It’s your CEO. I’m at a conference right now. I need some Apple gift cards. Can you get those for me?” It’s like, “Sure. Thanks for texting me directly. I’m so glad you have my phone number.”
You raise a good point. The bad actors are much less sophisticated, and the reason is that the tools are out there for them. They don’t have to develop them. It’s a service. Some of them even have support. It’s a business. You don’t have to be a rocket scientist to figure this all out. If you have a credit card, maybe not even your credit card. You can purchase it and purchase some of this right off the Dark Web.
Was it the Satan ransomware as a service that had this beautiful tech support? They even had forums where the individual bad guys were talking to each other about the best way to do this. Not only are you battling the actual crime syndicates, but then all of the little nerds that are in there saying, “If you’ll only tweak this a little bit, it’ll get that much better.” We need to crowdsource crime.
At iHeartMedia, we talked a little bit earlier about the end output of the company and that you need to secure that at all costs in addition to the company inside. That is a different animal than what you had been doing previously. On the cruise line, it is the experience, but at the end of that experience is the people. Manufacturing is a hard physical item. Biotech and pharmaceuticals are healthcare-related things. Is there a radical noticeable difference when what you are doing is a digital item as opposed to the other things that you’ve done before that you have to secure and protect?
The difference that I have discovered in this role is that the protection extends all the way right to the listeners’ hands debating whether to say ears, because they are listeners versus the other companies where there’s the product. To your point, it is not digital. It’s the experience on a vacation or a product that gets delivered. W. L. Gore, they were one of those companies that put their products inside of a lot of products that we use.
iHeart hits 9 out of 10 Americans. The other stuff you were doing while it has a great impact, it ain’t 90%. I can’t even imagine the responsibility and the weight that your team carries with that.
I like to look at each as they weigh the same to me. I’m a good compartmentalist. I’m not ignoring anything. I’m able to stay focused on what-if scenarios and more on the how-to-protect scenarios. I can give you an analogy. A little bit about me, my husband is a retired law enforcement officer, and when he was active or working, people would be like, “You are married to a cop, and how is that? It must be so stressful.” I’m like, “No. I can compartmentalize it a little bit. The worry is out there, but it doesn’t consume me.” That’s how I am with my role here. It doesn’t consume me. It’s important and it’s forefront.
He’s married to a CISO. I would think that there’s an equal amount of stress. You are less likely to get shot at but, come on.
It’s important to keep your eye on the ball for sure. Your board and your senior executive team, that’s where their eyes are and you need to be able to connect to that, but on the day-to-day, we got to stay focused on what we can protect. Early detection and fast response, that’s the name of the game.
We have been ping-ponging around a little bit because your career is so interesting. I keep looking up at my notes and it’s like, “Manufacturing question. Digital question.” It’s all these different things. You had mentioned earlier that when you make these career moves, it also involves physical moves and philosophical moves.
When you come into not just a new position as a CISO, you are not transitioning from leading this healthcare firm to this healthcare firm. You are moving from industry to industry. Cultures are different. Homogenous is always terrible, but we want the Venn diagram to be the big part in the middle to be pretty similar. Have you found it to be that? When you come in, is there a lot of heavy lifting that you need to do to gain the trust of the teams and then also to implement your vision for what can improve what you hope is already good?
Culture is huge and it’s been different at the different companies I have worked for. Some companies are focused on the customer. Some companies are more focused internally on the employees. Those are all good things. That’s the way the company is for a good reason. Being able to adapt or having that ability to adapt takes some time to understand what the culture is.
It’s like pushing a little bit to see where you get to push back and you can understand where the boundaries are, and what they’re tolerant of versus what they are not tolerant of. It also has to do a lot with what they have been through. Have they had a security incident? How severe was it? How long ago was it? What data do they have? What’s of interest to whom, nation states versus the teenagers in the basement?
It is attributed to when you are first getting to know someone in a relationship. You have to slowly understand where they come from and what they have been through. Based on that, I build a strategy around what they can get buy into, tolerate, and what their concerns are. I may not fully understand why a specific concern is theirs, but they voice it and I respect that.
As I learn more about the industry in the company that I’m working for, I gain an understanding of where or why those concerns are there. Getting into the company and then finding out what concerns them. It’s not specifically about security, just to be clear about that, but in general. At the cruise line, it was passenger and cruise safety, that’s number one. Make sure that everyone on those ships is safe. Find out what drives the company and what concerns the execs around the company.
Do you find that having moved among these industries wouldn’t even matter if you move from company to company if that organization has a personality? If you come into a place that has had an incident compared to one that hasn’t, which means they haven’t had one yet because statistics show they will. Is anyone more or less likely to be willing to accept a new direction? Do people want to keep things going because we have been pretty good so far, everybody’s happy, we get paid, and stock options? Have you come into situations where they’re like, “Thank God she’s here. Let’s go?”
It’s a mix and it depends. Companies that have had incidents and have been through the trenches containing mediating an incident recognize the reality that can happen. It’s much more difficult in companies that feel more secure. Let me put it that way.
Let me ask this question. Does that lead to a sense of complacency when you come in? We feel safe because we are safe. We are good at our job. Trust us. Steer the ship.
Fortunately, through the interview process, none of the jobs that I have had so far have resulted in that situation. We talked about this before. I love to build. In my career, I have been brought in to build something up that doesn’t exist. There’s already that momentum in the company for it. It doesn’t make it easy, but it certainly makes more of a pathway for me and that’s important.
As with anyone in my role, no senior management needs to buy into information security investments in people, processes, and technology in order to get anywhere. Things become more mainstream or well-known or publicized as incidents happen. It’s a new norm. It’s not an aftermarket add-on anymore. It’s something we have got to build in.
As you’ve said, you love to build. When you come into a new organization, what are the things that you like to build? Not saying, “I want to find these problems and fix them.” It’s to build on what is already there. The foundation has been laid. You’ve got a neat town in place and think, “Let’s add this thing.” What’s your favorite thing to either add on to improve or to build something new coming into a new position?
Other than that we found a foundationally need to have this because we are lacking this. Whatever this is, pick a thing in the suite of all the capabilities of a security program. I typically like to gravitate toward the things that are challenging and that haven’t been successful before. We already tried that. We can’t possibly identify all of our assets and keep them in a database like not possible. We can’t scan these machines because they have to be on all the time, so we can’t risk bringing them down. Finding creative ways and other ways to accomplish that that people haven’t found before. Thinking outside the box is how I’d probably turn that.
Are the teams willing to do that? Are they hopeful when the new boss comes in because everybody likes momentum when it’s happening? Any time new leadership comes in, it’s human nature to be like, “What’s going to change?”
“Is my job going to be here? What’s she going to do differently that’s going to impact me?” That’s natural. Anybody who gets a new boss is looking up going, “Is it going to work? Let them do what they want or need to be doing. How do I make sure you know what I’m doing?” The team is huge. Building a team and having, in thought, a diverse and experienced team is huge. Diversity comes in a lot of different ways.
For me, having people who worked in other industries or worked in different kinds of organizations and cultures and getting them together as a team helps with the ability to accomplish difficult things. You get all that input about, “Maybe we should try this, or maybe we should do this before we do that because it might work better.” The team is able to contribute to what the roadmap looks like and why.
When a company like iHeartMedia, given that you are in music, podcast, or concerts, it’s everything that people look to for inspiration, but across the American diaspora, it’s every culture in the world. There has to be dynamism in your approach to that. When you wake up in the morning, how do you feel about knowing, “I get to deal with everything in the world now?”
That’s my compartmentalism. I focus on what I have to focus on. It’s there. It’s a matter of when I let it get to me.
It’s why we say at the end of this call, it’s going away for a little while to not have to work. I’m not saying where or for how long. It might even be for fifteen minutes, but, trust me, iHeartMedia is going to be well protected in her absence because she’s built the team to do that thing. Hard shift to something else. In your experience, you could see all kinds of cool technologies, some that have made great promises and not delivered, and some that sounded ridiculous and then have delivered amazing things. Is there any technology that has caught your eye? Not necessarily a company or a product or anything. It’s something you are seeing out of your peripheral vision, but you think is going to be in primary focus in the relatively near future because it’s pretty cool.
There are a couple of things. Some of the newer things that we heard about a few years ago were all about behavior and being able to understand what’s normal behavior. Behavior analytics to be able to understand whether the computer itself is behaving normally or whether the human beings are behaving normally, and then see if there are anomalies there and identify those. That was probably the new interesting thing a couple of years ago.
Now I’m hearing in the industry that companies are coming out that are looking at the behavior of the browser and the behavior of the device, which is interesting to me. The ability to recognize anomalies because browser A never does X or device B doesn’t deliver content to the device holder this way. It’s being able to figure out that things aren’t what they seem in a deeper way in this browser analysis and device analysis.
I’m going to collect all of these because that’s a question I have asked every guest. We are going to collect all of these into the greatest hits. At the end of the year, I look back and say, “Who called which for which things?” We’ll have these little clusters because you are not the first one who has mentioned behavioral analytics which is interesting. It’s not the Big Brother watching. It’s already done, so we can go back and examine history in order to learn from it and provide a better future. How about you say that so people don’t point and laugh at me? They can point and laugh at you.
I don’t think I would say that.
Leadership corner. This is always my favorite part of this show because we have had such a great and diverse cast of characters across multiple industries in parts of the country. We have had men and women and all kinds of different races. We even had some English people on this show. Don’t tell anybody. What’s on your playlist? What are you reading? Are you cooking? Are you out in the garden? Do you ride motorcycles? What’s happening when you are not doing this?
I moved to Texas to work for iHeart and we bought a 20-acre ranch. I have learned how to care for lots of different livestock that I never thought I would do. That’s fun. We have a little herd of goats led by a donkey. She is their protector.
That is officially the first answer we have had that involves goats and a donkey.
Everybody who talked to me in 2021 knows I have been through it. We have baby goats and all sorts of things that my husband and I never thought we’d have the opportunity to experience. As you can see, I have diversity in the industries I have worked for but I also have diversity in the places I have lived and the types of homes that I have lived in. This was another way to say, “We are going to move to Texas. Let’s do the ranch thing and check it out.”
The smell of your hands at the end of the day when you come inside.
There are rules about hand washing and shoes in my house now that we have livestock. I am heading out to be away from work for a little while. I downloaded a book on quantum computing because I want to learn more about it.
One wants to do it when one’s on vacation.
That sounds like fun reading, but I do. When I go on vacation, I usually read one professional-related book, and then I usually read some fun stuff that you can get through fast.
Tell me what trashy novel you are reading right now.
I haven’t started yet. I have got my Kindle. I got to start downloading. I have started to dive into cooking a little more than I used to because we are at home. When you are done at work, there’s no commute, so it’s easier to go right into the kitchen and whip up something new.
San Antonio is a pretty cool food town too. You got some opportunity for some interesting local ingredients, I would assume. Shameless plugs. Anything cool that is going on with you? There are tons of cool stuff with iHeartMedia but are you speaking anywhere? Are you publishing on social media sites or any of that stuff? I will turn my mic off. I’m all ears.
The one thing that we are doing at iHeartMedia that is cool and I touched on it a little bit earlier is because we reach so many people, we have the opportunity to inform those listeners of important issues. Cyber security is important and individuals or people who don’t necessarily work for large enterprises or for companies who do real broad awareness campaigns or deep awareness campaigns miss that.
We have partnered with National Cybersecurity Alliance, and we are inviting companies who advertise with us to join us in raising awareness about the importance of cybersecurity and especially during cybersecurity awareness month. The National Cybersecurity Alliance is focused on individuals. These companies that choose to advertise with us can also choose to help tag onto their ad awareness around the National Cybersecurity Alliance’s existence and how they can help.
When you are touching 90% of Americans, you’ve got a pretty good voice there where you can help raise awareness and get the word out. What about you? Any social? Any LinkedIn or anything like that? Are you one of those security types like, “Leave me alone?”
I have a LinkedIn profile but I’m silent. I like to read other people’s posts.
You are a lurker.
You call it stalker but lurker. I’m not sure which one’s worse. Is one worse than the other?
Stalking puts intent, whereas lurking, you are hiding in the bushes.
I will switch my language. I’m a lurker. I learned a lot by reading other people’s posts, articles, and that type of thing.
No one ever proudly declares themselves a stalker. Reminder, none of the opinions expressed reflect those of iHeartMedia or Elevate Security. We are off into a dark turn. Janet, thank you so much for coming out and joining us. Any parting shots or last things as you are on your way to a fabulous destination that we still are going to remain unknown because we are going to keep you a bit of a mystery?
I do not. I enjoyed being here and chatting with you. Thank you for having me.
That is it for now. Thank you for joining us on the show. For more information on all that’s good in the world of cyber security, make sure you check us out on LinkedIn and Facebook and the mothership, www.ElevateSecurity.com. You could find me at @PackMatt73 across all the socials. The show, anywhere you go, that’s where you are. Always on the website but all the good voices too, Apple, Audible, and iHeartRadio. I know we are out there so I had to adjust iHeartMedia for this conversation because it is so much more than radio. Go check us out at all the fun spots. All we ask is that you subscribe, rate, and review. You’ll never miss all the great folks that are coming on the show. Until then, we will see you next time.
About Janet Heins
Janet Heins is the Chief Information Security Officer (CISO) at iHeartMedia. As CISO, she is responsible for the strategic direction of the Information Security Program. This includes implementing tools that protect our technology, building a team of security professionals and educating iHeartMedia employees on how they can help protect the Company from security risks. Janet has been in the CISO role for over 10 years, most recently at Royal Caribbean and prior to that, at W. L. Gore & Assoc. and Biogen. Her tenure in IT spans industries and includes IT leadership roles in development, operations, support, communications, training and user experience.