    CISO Julie Chatman Shares Key Insights for Security Leadership

    By Samuel Alejandro, February 17, 2026

    Chatman, who grew her career from medical diagnostics to a cybersecurity and risk leader at the FBI, has been a mentor to many in the industry. She also has a clear vision of how CISOs can navigate the challenges unique to the role today.

    Julie Chatman never planned to get into cybersecurity. In fact, she believes most do not, but rather are mentored into it, as she was.

    Chatman started her professional career as a Navy Hospital Corpsman, specializing in medical laboratory science and technology — a core part of medical diagnostics. “I analyzed blood work, monitoring quality control, ensuring accuracy in life-or-death results. That precision and systems thinking translates directly to how I approach cybersecurity today,” she tells CSO.

    After three US Navy enlistments, Chatman joined the FBI as a budget analyst for the Office of the CIO. “Budget analysis wasn’t my end goal, but it taught me how technology investments get made in large organizations,” she says. “I learned the language of ROI, risk, and resource allocation — all critical for cybersecurity leadership.”

    That foundation proved valuable when a senior leader tapped her for a high-stakes project: digitizing the FBI’s paper-based classified informant files.

    “The FBI ran on paper with more than 50 field offices, more than 20 legal attaché offices, and multiple covert sites worldwide,” Chatman explains. “We had to implement the agency’s first role-based access controls, PKI infrastructure, and digital signatures while managing change across thousands of personnel who’d never worked this way before.”

    The project combined enterprise cybersecurity, organizational change management, and operational security on a massive scale. Its success opened doors to progressively senior roles, ultimately leading to her position as a cybersecurity and risk leader within the FBI.

    From the FBI, Chatman moved into strategic advisory roles with Deloitte, GSK, and McKinsey, where she led cybersecurity transformations for Fortune 100 companies, advised on multi-billion-dollar corporate demergers, and authored foundational crisis management frameworks. She has since served as CISO for healthcare and federal contractors, and now runs ResilientTech Advisors, a cybersecurity consulting firm. Throughout her career, she has prioritized mentoring emerging cybersecurity professionals.

    CSO spoke to Julie Chatman about how the CISO role is changing and how security leaders can navigate challenges specific to the role. Following is that conversation, edited for length and clarity.

    What are some of the challenges CISOs or cybersecurity leaders are facing today?

    Chatman: There are a couple of challenges — some old, some new.

    The old challenge is getting people to understand that security matters. And when I say people, I mean colleagues, C-level leaders, everyone in your environment. Security often feels like friction, it gets in the way of getting work done. People will work around things that slow them down, including security controls. That’s the fundamental tension.

    The second challenge is funding. Because of that first challenge, leaders often don’t see cybersecurity budget requests as necessary until something goes wrong.

    The third challenge is modern: AI-enabled adaptive attacks. There has always been emerging technology, but AI is different because it can mimic human intelligence to some extent. Now organizations are dealing with attacks that change their behavior based on who they’re targeting. No one planned for that.

    And then there’s personal liability. In a few high-profile cases, security leaders have faced criminal charges for how they handled breach disclosures, and civil enforcement for how they reported risks to investors and regulators. The trend is toward holding CISOs personally accountable for governance and disclosure decisions. But here’s the problem: CISOs often don’t have the authority to match that accountability. Leadership might be told, ‘We need this control’ and then told to stop asking. Then something happens. Guess who gets blamed? CISO can also mean chief scapegoat.

    It’s getting harder to convince younger people to sign up for this job.

    Are you seeing that happen? Have you noticed people avoiding the job or just being afraid because of these recent cases?

    Chatman: Yes, absolutely. There are other ways to make money without this level of stress and exposure.

    Think about the typical setup: A C-level executive reports to another C-level who controls their budget. They have D&O [directors and officers] insurance coverage. A CISO might not. The cybersecurity budget is cut. Then when there’s a breach, the CISO is blamed and personally exposed while others are protected.

    Who would sign up for that?

    The role is becoming less attractive. The rise of fractional CISOs, virtual CISOs, and heads of IT security instead of full CISO titles is being observed. It’s a lot harder to hold a fractional CISO personally liable. This is relatively new. The liability conversation really intensified after some high-profile enforcement actions, and now the market is responding.

    What can the cybersecurity industry do to fight the liability trend we’re seeing?

    Chatman: There are advocacy groups pushing back, but realistically, if regulators want to hold people liable, they will. So maybe it’s less about fighting the trend and more about navigating it as an individual — at least for now.

    First, negotiate protection upfront. When considering a CISO role, explicitly ask about D&O insurance coverage. If the CISO is not considered a director or an officer of the company and can’t be given D&O coverage, will the company subsidize individual coverage? There are companies now selling CISO-specific policies. This should be part of compensation negotiation.

    Second, perform the job well but understand the paradox. Sometimes when the job is done properly, one is labeled ‘the office of no,’ seen as ‘difficult,’ and lasts 18 months. It’s a catch-22.

    Real liability protection involves changing how an organization thinks about risk ownership. Most organizations don’t have a unified view of risk or the vocabulary to discuss it properly. If a CISO can advance that, they can help the business understand that risk is theirs to accept, not the CISO’s.

    Here’s what that looks like in practice: Someone says, ‘I don’t want to implement this control; it’s too expensive.’ That’s fine but someone has to formally accept that risk. And it’s not the CISO. It’s the business owner, the data owner, the product owner. Document it in the GRC tool, create a process, get sign-off.

    CISOs get in trouble when they take on risk that doesn’t belong to them. They act like they have veto power. They say, ‘I’m blocking this’ or ‘You can’t do that.’ That puts them in the position of accepting risk that isn’t theirs to accept.

    Instead, say: ‘We have a risk appetite and risk tolerance. This decision falls outside those parameters. I need you to formally accept this risk.’ That’s a conversation. It’s not telling them no; it’s asking them to own their choice.

    But this requires a culture shift in the cybersecurity community. Many are not used to being heard, so they just talk louder. That’s not business leadership.

    Every CISO needs to remember they’re a business leader first. That means thinking about ROI, operational friction, and production impact. No more ‘we need to do this because it’s the right thing to do.’ That’s great in a movie, but it’s about running a business function. Businesses run on tradeoffs.

    How do you balance the organization’s investment in cyber with the needs to protect the business?

    Chatman: It depends on how much voice the CISO has. In some organizations, the CISO has no seat at the table. The CIO and other C-levels make budget decisions behind closed doors, then the CIO communicates what will be received. But regardless of the organization structure, the best practice is to articulate value in a way stakeholders can receive it. And before even getting to budget conversations, establish oneself as a partner, not just a cost center.

    One thing I do when joining an organization is audit the existing tools. Are things being paid for that are not used? Is there double-paying for overlapping capabilities? I can usually find a couple hundred thousand dollars in savings pretty quickly. That makes friends in the CFO’s office fast.

    When it comes to the budget, be honest about what is needed and transparent about what happens if it is not received. I also recommend building three versions of the budget:

    • First, the hopes-and-dreams budget: What would it take to close all the known gaps and operate proactively?
    • Second, the could-live-with-this budget: What’s realistic and gets to acceptable risk levels?
    • Third, the I-think-I’m-going-to-resign budget: Because a breach can be seen coming and one does not want their name attached to it.

    One probably won’t end up at that last one, but all stakeholders need to understand what’s at stake at each level. And they need to be shown how past investments translated into outcomes — what was achieved, what was prevented.

    That’s critical because people say the cybersecurity budget is a black hole. Cybersecurity works best when nothing happens. The performance indicator is literally zero incidents. That’s a tough sell, but it’s reality.

    How do you deal with AI-enabled attacks?

    Chatman: Every cybersecurity professional, up to and including CISOs, needs to understand how AI works. Some people thought AI was hype and delayed learning about it. Now everyone realizes it’s not going away, and if the technology is not understood, it cannot be defended against.

    Security awareness training also needs to be updated to reflect AI threats. That means covering deepfakes, AI-enhanced business email compromise, adaptive attacks that change based on the target. Training programs need to evolve with the threat landscape.

    And here’s something that often gets overlooked: CISOs need to be more accessible right now. AI makes attacks more convincing and harder to spot. Employees need to feel comfortable reporting suspicious activity without fear of looking stupid. If someone thinks they might have fallen for a deepfake or an AI-generated phishing attempt, they should be encouraged to come forward immediately, not hide it because they’re embarrassed.

    My message to cyber professionals here is: Remember, you weren’t always a cybersecurity expert. You learned this over time. So, meet people where they are. Skip the jargon. Explain things in plain language. If people can’t understand you, they can’t help you defend the organization.

    Tell me about your mentoring experience.

    Chatman: I’ve mentored and coached a lot of people, both one-on-one and in groups.

    For example, in 2021, I created a free five-part series called https://www.youtube.com/channel/UCaFsBfsNrJR9x4RIRLxFMDw, basically business acumen and soft skills for technologists. There are boot camps everywhere teaching people how to configure firewalls, but nobody’s teaching technologists how to make eye contact with businesspeople and have actual conversations. So, I built that curriculum and put it out there and 516 people took the class.

    Beyond that, I do ongoing one-on-one mentoring, and I run a coaching firm now focused on developing cybersecurity leaders.

    What are you most proud of in your career?

    Chatman: Earlier I said that cyber professionals are shying away from the CISO role. It’s getting harder to convince people to sign up for this job. But here’s what I’m most proud of: People tell me I inspire them to join cybersecurity. The feedback I get is that I’m relatable, practical, and human.

    I think people can see that I care about the human beings behind the technology. That’s why I’ve never run an ‘office of no.’ ‘No’ is the first word most babies learn, and it’s a favorite word in cybersecurity. But it doesn’t come naturally to me. That’s not to say I’m permissive — I ask hard questions, I dig into the details, I challenge assumptions. However, I always start by listening.

    What I’m most proud of is being an example for people who feel intimidated by this field. I started in medical diagnostics. If I can become a CISO, then anyone with the right blend of curiosity and commitment can build a successful career in cybersecurity.

    That matters more to me than any technical accomplishment, any FBI project, anything else I’ve done. Inspiring others to see this as possible for them — that’s what I’m proud of.

    Is there a quote that you are inspired by?

    Chatman: ‘Strength is not found in systems that never fail. But in those built to recover smarter, faster, and stronger.’

    Are there any books you’ve learned from that you would like to suggest to others?

    Chatman: World War Z by Max Brooks. It’s a collection of short stories set during a zombie apocalypse, but the zombie part is just a placeholder. What makes it valuable is how it examines different facets of society under stress — government, military, finance, global supply chains and logistics, medicine — including organ donation and transplantation, pharmaceuticals, and more.

    The book isn’t really about zombies. It’s about how systems break down when infrastructure fails. What happens when basic services are lost — grocery stores, pharmacies, hospitals, law enforcement — all the things taken for granted?

    Every time I read it, I see something new about how to think as a technologist. For example, the logistics chapters: How do supply chains collapse? How do people get stranded when transportation systems fail? These dependencies need to be understood because all of them are enabled by technology. The book is an interesting look into how things work when they’re functioning and what breaks first when they’re not.

    I’m fascinated by this genre because it shows what happens when technology fails at scale. This was exemplified by the CrowdStrike incident. People couldn’t access their bank accounts, couldn’t fly home. That’s a glimpse of what systemic failure looks like.
