Few security leaders have seen cybersecurity from as many angles as Kristin Lowery. Across more than three decades, she has helped protect global financial institutions, critical infrastructure, and, most recently, organizations navigating today’s rapidly evolving threat landscape as Field CISO at Optiv. Having previously led cyber and physical security for one of the largest electric transmission systems in the United States and held executive security roles in financial services, Lowery understands that resilience is no longer confined to a single organization; it extends across suppliers, cloud platforms, operational technology, and increasingly, AI-driven ecosystems.
That breadth of experience makes her an ideal guest for CISO Diaries, our interview series exploring how today’s top security leaders think beyond frameworks and technology. Rather than focusing solely on tactics, the series examines the judgment, habits, and leadership philosophies that shape security decisions every day. In this conversation, Lowery explains why trust is one of the most important controls a CISO can build, why understanding the business is just as important as understanding cyber threats, and why the next decade of security will be defined by resilience across deeply interconnected digital ecosystems rather than defending a traditional network perimeter.
How do you usually explain what you do to someone outside of cybersecurity?
I usually explain my role in terms of resilience. My job is to help organizations protect the things that matter most—their customers, employees, data, operations, and reputation—so they can keep serving their communities even when something unexpected happens. Cybersecurity can sound very technical, but at the executive level it is really about risk, trust, and business continuity. I help leaders understand where they are exposed, what risks matter most, and how to prioritize investments that make the business stronger.
What does a “routine” workday look like for you, if such a thing exists?
There really is no standard routine, which is part of what keeps the work interesting. A typical day may include conversations with CISOs, CIOs, boards, client teams, and partner teams across different industries. One meeting may focus on cloud modernization or identity risk, while the next is about operational technology, data protection, third-party exposure, or how to use AI more effectively for defense. Much of my time is spent helping translate complex security issues into practical business decisions and helping teams align on the roadmap, priorities, and timing needed to reduce risk.
What part of your role takes the most mental energy right now?
The most mentally demanding part is helping leaders prioritize in an environment where everything feels urgent. Organizations are modernizing quickly, but often unevenly. Cloud, SaaS, connected production systems, APIs, third parties, and AI-enabled workflows are expanding faster than legacy platforms are being retired. That creates hybrid environments with fragmented visibility and inconsistent controls. The challenge is helping leaders focus on the exposures that could truly disrupt operations or erode trust, while still making progress on longer-term transformation.
What’s one security habit or routine you personally never skip?
I do not skip multifactor authentication, and I am very intentional about identity protection. Identity has become the control plane for resilience. Whether it is a workforce user, administrator, supplier, service account, or machine identity, weak authentication and over-privileged access remain some of the most common paths to compromise. On a personal level, I treat identity as the front door and try to make sure that door is never left open.
What does your own personal security setup look like?
At a high level, I keep it simple but disciplined. I use strong, unique passwords supported by a password manager, multifactor authentication wherever it is available, regular device updates, and secure backups for important information. I also pay close attention to what applications and services have access to my data. The basics still matter. Many incidents begin with preventable gaps, so I try to practice the same fundamentals I encourage organizations to reinforce: protect identity, reduce unnecessary access, keep systems current, and have a recovery plan.
What book, podcast, or resource has influenced how you think about leadership or security?
The resources that have influenced me most are not always purely technical. I value conversations with other CISOs, board members, industry peers, and leaders who have had to make hard decisions under pressure. Security leadership is about judgment, communication, and trust as much as technology. I’m also drawn to resources that connect risk to business outcomes, because strong security leaders help the organization move forward safely rather than simply say no. I regularly read The Wall Street Journal and The Economist, along with technical publications such as Dark Reading. My favorite podcast is The Tim Ferriss Show because he explores how accomplished leaders think, the habits that shape their success, and how they approach complex problems and leadership.
What’s a lesson you learned the hard way in your career?
One lesson I learned is that being right is not the same as being effective. Early in my career, like many technical leaders, I believed that if the risk was clear and the solution was sound, people would naturally align. In reality, sustainable progress requires listening, understanding business constraints, building relationships, and communicating in language that matters to each stakeholder. Security leaders have to influence without always owning every decision. That means trust is one of the most important controls we build.
What keeps you up at night right now, from a security perspective?
I worry most about interconnected risk. Organizations are no longer protecting only their own four walls. They rely on suppliers, logistics providers, payment platforms, cloud services, SaaS providers, plant vendors, and partners. At the same time, operational technology environments and connected production systems are becoming more integrated with enterprise technology. That interconnectedness creates enormous value, but it also means a weakness in one part of the ecosystem can quickly affect many others. Visibility, segmentation, identity governance, and recovery planning are critical.
How do you measure whether your security program is actually working?
A working security program should be measured by more than activity or tool count. I look for evidence that the organization understands its most important risks, can detect and respond effectively, can recover critical operations, and is improving over time. Useful measures include reduction of high-risk exposures, time to remediate critical vulnerabilities, identity hygiene, third-party risk visibility, incident response readiness, recovery test results, and how well security priorities are aligned to business objectives. The real test is whether the program helps the organization make better decisions and withstand disruption.
What advice would you give to someone stepping into their first CISO role today?
Spend as much time learning the business as you do understanding the security environment. Know how the organization creates value, serves customers, operates, manages risk, and makes decisions. Build strong relationships across finance, legal, operations, technology, audit, HR, communications, and the board. Do not try to solve everything at once. Focus on the risks that could materially affect the business, create a clear roadmap, and communicate progress in business terms. Just as important, take time to understand your peers’ challenges and work well across disciplines. Most large-scale problems require a broader team to solve, and that collaboration builds trust and strengthens culture.
What do you think will matter less in security five to ten years from now?
I think the traditional emphasis on protecting fixed perimeters will matter less. The environment is already too distributed for that model to be enough. Workloads, data, identities, suppliers, and devices move across cloud, SaaS, operational environments, and partner ecosystems. Security teams will still need strong network controls, but the center of gravity will continue shifting toward identity, data, resilience, continuous monitoring, and secure-by-design practices embedded into how technology is built and operated.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Security teams will spend much more time governing autonomous and AI-enabled activity across the enterprise. That includes how AI systems access data, make recommendations, trigger actions, interact with customers, and connect with third-party services. I also think teams will spend more time validating resilience across ecosystems rather than only within their own company. The question will not just be, “Are we secure?” It will be, “Can our business continue to operate safely when our data, suppliers, platforms, and intelligent systems are all deeply connected?”