Julie Chatman never planned to get into cybersecurity. In fact, she believes most don’t but are mentored into it, as she was.
Chatman started her professional career as a Navy Hospital Corpsman, specializing in medical laboratory science and technology — a core part of medical diagnostics. “I analyzed blood work, monitoring quality control, ensuring accuracy in life-or-death results. That precision and systems thinking translates directly to how I approach cybersecurity today,” she tells CSO.
After three US Navy enlistments, Chatman joined the FBI as a budget analyst for the Office of the CIO. “Budget analysis wasn’t my end goal, but it taught me how technology investments get made in large organizations,” she says. “I learned the language of ROI, risk, and resource allocation — all critical for cybersecurity leadership.”
That foundation proved valuable when a senior leader tapped her for a high-stakes project: digitizing the FBI’s paper-based classified informant files.
“The FBI ran on paper with more than 50 field offices, more than 20 legal attaché offices, and multiple covert sites worldwide,” Chatman explains. “We had to implement the agency’s first role-based access controls, PKI infrastructure, and digital signatures while managing change across thousands of personnel who’d never worked this way before.”
The project combined enterprise cybersecurity, organizational change management, and operational security on a massive scale. Its success opened doors to progressively senior roles, ultimately leading to her position as a cybersecurity and risk leader within the FBI.
From the FBI, Chatman moved into strategic advisory roles with Deloitte, GSK, and McKinsey, where she led cybersecurity transformations for Fortune 100 companies, advised on multi-billion-dollar corporate demergers, and authored foundational crisis management frameworks. She has since served as CISO for healthcare and federal contractors, and now runs ResilientTech Advisors, a cybersecurity consulting firm. Throughout her career, she has prioritized mentoring emerging cybersecurity professionals.
CSO spoke to Julie Chatman about how the CISO role is changing and how security leaders can navigate challenges specific to the role. Following is that conversation, edited for length and clarity.
What are some of the challenges CISOs or cybersecurity leaders are facing today?
Chatman: There are a couple of challenges — some old, some new.
The old challenge is getting people to understand that security matters. And when I say people, I mean colleagues, C-level leaders, everyone in your environment. Security often feels like friction; it gets in the way of getting work done. People will work around things that slow them down, including security controls. That’s the fundamental tension.
The second challenge is funding. Because of that first challenge, leaders often don’t see cybersecurity budget requests as necessary until something goes wrong.
The third challenge is modern: AI-enabled adaptive attacks. We’ve always had emerging technology, but AI is different because it can mimic human intelligence to some extent. Now we’re dealing with attacks that change their behavior based on who they’re targeting. No one planned for that.
And then there’s personal liability. In a few high-profile cases, security leaders have faced criminal charges for how they handled breach disclosures, and civil enforcement for how they reported risks to investors and regulators. The trend is toward holding CISOs personally accountable for governance and disclosure decisions. But here’s the problem: CISOs often don’t have the authority to match that accountability. You tell leadership, ‘We need this control,’ and you’re told to stop asking. Then something happens. Guess who gets blamed? CISO can also mean chief scapegoat.
It’s getting harder to convince younger people to sign up for this job.
Are you seeing that happen? Have you noticed people avoiding the job or just being afraid because of these recent cases?
Chatman: Yes, absolutely. There are other ways to make money without this level of stress and exposure.
Think about the typical setup: You’re a C-level executive, but you report to another C-level who controls your budget. They have D&O [directors and officers] insurance coverage. You might not. They cut your cybersecurity budget. Then when there’s a breach, they blame you and you’re personally exposed while they’re protected.
Who would sign up for that?
The role is becoming less attractive. You’re seeing the rise of fractional CISOs, virtual CISOs, heads of IT security instead of full CISO titles. It’s a lot harder to hold a fractional CISO personally liable. This is relatively new. The liability conversation really intensified after some high-profile enforcement actions, and now we’re seeing the market respond.
What can the cybersecurity industry do to fight the liability trend we’re seeing?
Chatman: There are advocacy groups pushing back, but realistically, if regulators want to hold people liable, they will. So maybe it’s less about fighting the trend and more about navigating it as an individual — at least for now.
First, negotiate protection upfront. When you’re thinking about accepting a CISO role, explicitly ask about D&O insurance coverage. If the CISO is not considered a director or an officer of the company and can’t be given D&O coverage, will the company subsidize individual coverage? There are companies now selling CISO-specific policies. Make this part of your compensation negotiation.
Second, do your job well but understand the paradox. Sometimes when you do your job properly, you’re labeled ‘the office of no,’ you’re seen as ‘difficult,’ and you last 18 months. It’s a catch-22.
Real liability protection is changing how your organization thinks about risk ownership. Most organizations don’t have a unified view of risk or the vocabulary to discuss it properly. If you can advance that as a CISO, you can help the business understand that risk is theirs to accept, not yours.
Here’s what that looks like in practice: Someone says, ‘I don’t want to implement this control; it’s too expensive.’ That’s fine, but someone has to formally accept that risk. And it’s not you. It’s the business owner, the data owner, the product owner. Document it in your GRC tool, create a process, get sign-off.
I see CISOs get in trouble when they take on risk that doesn’t belong to them. They act like they have veto power. They say, ‘I’m blocking this’ or ‘You can’t do that.’ That puts them in the position of accepting risk that isn’t theirs to accept.
Instead, say: ‘We have a risk appetite and risk tolerance. This decision falls outside those parameters. I need you to formally accept this risk.’ That’s a conversation. You’re not telling them no; you’re asking them to own their choice.
But this requires a culture shift in the cybersecurity community. A lot of us aren’t used to being heard, so we just talk louder. That’s not business leadership.
Every CISO needs to remember they’re a business leader first. That means thinking about ROI, operational friction, and production impact. No more ‘we need to do this because it’s the right thing to do.’ That’s great in a movie, but you’re running a business function. Businesses run on tradeoffs.
How do you balance the organization’s investment in cyber with the need to protect the business?
Chatman: It depends on how much voice you have as the CISO. In some organizations, the CISO has no seat at the table. The CIO and other C-levels make budget decisions behind closed doors, then the CIO tells you what you’re getting. But regardless of your organization structure, the best practice is to articulate value in a way stakeholders can receive. And before you even get to budget conversations, establish yourself as a partner, not just a cost center.
One thing I do when joining an organization is audit the existing tools. Are we paying for things we don’t use? Are we double-paying for overlapping capabilities? I can usually find a couple hundred thousand dollars in savings pretty quickly. That makes you friends in the CFO’s office fast.
When it comes to the budget, be honest about what you need and transparent about what happens if you don’t get it. I also recommend building three versions of your budget:
- First, the hopes-and-dreams budget: What would it take to close all the known gaps and operate proactively?
- Second, the could-live-with-this budget: What’s realistic and gets you to acceptable risk levels?
- Third, the I-think-I’m-going-to-resign budget: Because you can see a breach coming and you don’t want your name attached to it.
You probably won’t end up at that last one, but all your stakeholders need to understand what’s at stake at each level. And you need to show them how past investments translated into outcomes — what you achieved, what you prevented.
That’s critical because people say the cybersecurity budget is a black hole. Cybersecurity works best when nothing happens. Your performance indicator is literally zero incidents. That’s a tough sell, but it’s reality.
How do you deal with AI-enabled attacks?
Chatman: Every cybersecurity professional, up to and including CISOs, needs to understand how AI works. Some people thought AI was hype and delayed learning about it. Now everyone realizes it’s not going away, and if you don’t understand the technology, you can’t defend against it.
You also need to update your security awareness training to reflect AI threats. That means covering deepfakes, AI-enhanced business email compromise, adaptive attacks that change based on the target. Your training programs need to evolve with the threat landscape.
And here’s something that often gets overlooked: CISOs need to be more accessible right now. AI makes attacks more convincing and harder to spot. Your employees need to feel comfortable reporting suspicious activity without fear of looking stupid. If someone thinks they might have fallen for a deepfake or an AI-generated phishing attempt, you want them to come to you immediately, not hide it because they’re embarrassed.
My message to cyber professionals here is: Remember, you weren’t always a cybersecurity expert. You learned this over time. So, meet people where they are. Skip the jargon. Explain things in plain language. If people can’t understand you, they can’t help you defend the organization.
Tell me about your mentoring experience.
Chatman: I’ve mentored and coached a lot of people, both one-on-one and in groups.
For example, in 2021, I created a free five-part series called Cyber Career Differentiators, basically business acumen and soft skills for technologists. There are boot camps everywhere teaching people how to configure firewalls, but nobody’s teaching technologists how to make eye contact with businesspeople and have actual conversations. So, I built that curriculum and put it out there, and 516 people took the class.
Beyond that, I do ongoing one-on-one mentoring, and I run a coaching firm now focused on developing cybersecurity leaders.
What are you most proud of in your career?
Chatman: Earlier I said that cyber professionals are shying away from the CISO role. It’s getting harder to convince people to sign up for this job. But here’s what I’m most proud of: People tell me I inspire them to join cybersecurity. The feedback I get is that I’m relatable, practical, and human.
I think people can see that I care about the human beings behind the technology. That’s why I’ve never run an ‘office of no.’ ‘No’ is the first word most babies learn, and it’s a favorite word in cybersecurity. But it doesn’t come naturally to me. That’s not to say I’m permissive — I ask hard questions, I dig into the details, I challenge assumptions. However, I always start by listening.
What I’m most proud of is being an example for people who feel intimidated by this field. I started in medical diagnostics. If I can become a CISO, then anyone with the right blend of curiosity and commitment can build a successful career in cybersecurity.
That matters more to me than any technical accomplishment, any FBI project, anything else I’ve done. Inspiring others to see this as possible for them — that’s what I’m proud of.
Is there a quote that you are inspired by?
Chatman: ‘Strength is not found in systems that never fail. But in those built to recover smarter, faster, and stronger.’
Are there any books you’ve learned from that you would like to suggest to others?
Chatman: World War Z by Max Brooks. It’s a collection of short stories set during a zombie apocalypse, but the zombie part is just a placeholder. What makes it valuable is how it examines different facets of society under stress — government, military, finance, global supply chains and logistics, medicine — including organ donation and transplantation, pharmaceuticals, and more.
The book isn’t really about zombies. It’s about how systems break down when infrastructure fails. What happens when we lose basic services — grocery stores, pharmacies, hospitals, law enforcement — all the things we take for granted?
Every time I read it, I see something new about how to think as a technologist. For example, the logistics chapters: How do supply chains collapse? How do people get stranded when transportation systems fail? I need to understand these dependencies because all of them are enabled by technology. The book is an interesting look into how things work when they’re functioning and what breaks first when they’re not.
I’m fascinated by this genre because it shows what happens when technology fails at scale. We had a taste of that with the CrowdStrike incident. People couldn’t access their bank accounts, couldn’t fly home. That’s a glimpse of what systemic failure looks like.