A deputy global CISO who came up through information governance and law school makes the case that the strongest security leaders lead with risk, relationships, and storytelling, not with technology. It is a conversation about non-traditional paths into cyber, building people-centric teams, and why the talent pipeline depends on inviting in people who never planned to take a computer apart.
⬥EPISODE NOTES⬥
What does it take to lead a 200-person security organization without coming up through the technical ranks? Tera Ladner, Deputy Global Chief Information Security Officer at Aflac, answers that question by describing a path that runs through information management, e-discovery, and a law degree before it ever reaches the security org chart. The result is a leader who looks at a program through the lens of controls, evidence, and defensibility, and who treats security as a people problem before a technology one.
Host Sean Martin and Tera Ladner dig into what that orientation changes in practice. Rather than opening a stakeholder conversation with controls or threats, Tera Ladner starts by listening: what are the business goals, and how does security enable them? Working inside an insurance company helps, because risk is already the shared language of every leader in the building. The job, as she frames it, is translation, turning a technical event into a business and resiliency impact that the people who own the decisions can actually act on.
The conversation turns to hiring and team building, where Tera Ladner names curiosity as the first trait she screens for, the instinct to ask the second, third, and fourth question until the real problem surfaces. From there she argues for a broader "tool belt": storytelling, relationship building, influence without authority, and the ability to navigate ambiguity, a skill she sees tested daily as boards and technology leaders press for answers on frontier AI. Technical skills alone, she suggests, were enough years ago and are not enough now.
Culture sits at the center of how she leads. "Your team lives in the house that you build," she tells her people leaders, and she describes the team norms, transparency, integrity, and care, that hold a security organization together in the hard moments. That same relationship-first instinct extends outward, to a seat at the executive table that has to be earned by giving stakeholders a seat at yours, and downward into the talent pipeline through Aflac's Cyber Inspire and Empower Girls programs, which grew from 200 girls in their first local year to 815 in the second.
For security and risk leaders, the throughline is hard to miss: the future of the field depends less on finding more technologists and more on building leaders who can listen, translate, and bring people who never saw themselves in cyber to the table.
⬥GUEST⬥
Tera Ladner, Deputy Global Chief Information Security Officer at Aflac
On LinkedIn: https://www.linkedin.com/in/teraladner/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/
⬥RESOURCES⬥
Aflac: https://www.aflac.com/
Cyber Inspire and Empower Girls (Aflac community programs introducing students and seniors to cybersecurity): https://www.linkedin.com/company/cyberinspire
The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
More Redefining CyberSecurity Podcast episodes: https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
⬥ADDITIONAL INFORMATION⬥
🎙️ Redefining CyberSecurity Podcast: https://www.seanmartin.com/redefining-cybersecurity-podcast
📺 ITSPmagazine on YouTube: https://www.youtube.com/@itspmagazine
📰 The Future of Cybersecurity Newsletter: https://itspm.ag/future-of-cybersecurity
🌐 Connect with Sean Martin: https://www.seanmartin.com/
⬥KEYWORDS⬥
tera ladner, aflac, sean martin, cybersecurity leadership, security culture, risk management, ciso leadership, women in cybersecurity, cybersecurity careers, non-traditional cybersecurity paths, building security teams, security as business enabler, cybersecurity talent pipeline, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
Cybersecurity Leadership Is a People Problem, Not a Technology Problem | A Redefining CyberSecurity Podcast Conversation with Tera Ladner, Deputy Global Chief Information Security Officer of Aflac
[00:00:00] Sean: Hello, everybody. You're very welcome to a new episode of Redefining CyberSecurity. This is Sean Martin, your host, where, if you listen to the show, you know I get to talk to cool people in cyber doing cool things in cyber. And that's exactly the case today. I'm thrilled to have Tera Ladner on from Aflac. How are you, Tera?
[00:00:18] Tera Ladner: I'm good. How about you?
[00:00:19] Sean: I'm fabulous. It's a good day in cyber. I get to talk about all kinds of cool things, and we're going to talk about leadership in cybersecurity and finding that path into this career. We'll take a look at the work you've done and the role you have. I'm excited to hear your story and to share it with our folks listening, CISOs and practitioners up and down the chain of cyber. So let's start with an overview of your current role, and then we'll take a look back into how you arrived there.
[00:00:58] Tera Ladner: Sure. So currently I'm the Deputy Chief Global Information Security Officer at Aflac. That's a little bit of a different deputy role than some deputies. Some deputies in programs just own certain portions of the program. In my role, everyone in security reports up through me, and then I report to our global CISO.
[00:01:21] Sean: And is that a fairly sizable group? I don't know how many departments you're looking after.
[00:01:30] Tera Ladner: Yeah, we have about 200 people in our US program.
[00:01:33] Sean: That's fantastic. All right, so you don't wake up one day and start managing 200 cyber professionals. How did you get started? What was your role initially?
[00:01:46] Tera Ladner: So my initial start into this world was really about information management: understanding information, understanding the value of information, understanding the risks and the costs behind information. This was about 27 years ago. Sarbanes-Oxley was happening, the advent of the iPod, when the information explosion was just happening. Companies were really grappling with how to manage that much information. So I moved into that career path, which led me into an e-discovery path. I went to law school during that journey, and then I moved into more of the information security focus, really understanding information and how to protect it properly.
[00:02:36] Sean: And I'm going to start here with the connection to legal and the legal space.
[00:02:44] Tera Ladner: Mm-hmm.
[00:02:45] Sean: I often think there are a number of parallels where the legal team, be it inside or outside counsel, are really there to guide the organization along a safe path, right? To achieve an outcome, whether it's a contract or onboarding a new team member or a dispute of a case, getting from A to Z in the most safe way possible. I feel cybersecurity has a similar role. What's your take on that, and how much of what you learned and did in the legal realm carries over to what you're working on now?
[00:03:30] Tera Ladner: Honestly, what they teach you in law school is a different way of thinking. No one can walk out of law school understanding every law and regulation that exists. So it's that different way of thinking. When I look at a security program, I think about the controls. What controls should be in place? Can I evidence those controls? Can I support what we're doing as a program? Can I defend what we're doing, either from a litigation or a regulatory perspective? When I look at a security program, I look at it from the perspective of controls, and I look at it from the perspective of risk. It really becomes a people-centric conversation and an action-centric conversation as opposed to a technology-centric conversation. So when you take the different experiences I've had in my career, and you layer that with an understanding of law and how you have to look at things from a legal and regulatory perspective, I really think that balances out my ability to see the program, to align it to business perspectives, and to make sure that I can defend the program and the actions that we're taking within it.
[00:04:46] Sean: So many things in my mind here. Entering this space, and even just technology in the broader sense, but certainly in cybersecurity, it's easy to get wrapped around the axle on "this is cyber," right? You mentioned the business, and it's easy to forget that we're doing this for the business and get wrapped up in what is the risk. Even risk is hopefully for the business. But looking at it from a risk perspective, or down to the controls, down to the threats, how are we going to build the program? It gets really complicated really quickly, and one can lose sight of that. Especially entering this field, where a lot of the online tools are how to hack and how to find vulnerabilities, and it's all tech and cyber-oriented. How did you navigate that world to keep the business focus you have while understanding the technical and cyber aspects that are required?
[00:05:59] Tera Ladner: Yeah, I think that's one of the interesting perspectives that I bring, coming from a non-traditional technical background. I didn't grow up through that area, so I had to have an understanding of risk and people and communication and business strategy. When I go to my business leaders, I really start with listening. I don't start right away talking about controls or threats. I start by asking them, "What are your business goals? What are you trying to accomplish?" Because what's important, whether it's growth in a new market or delivering a better customer experience or even strengthening operational resiliency, is that I have to be able to speak to them in a way that shows security as an enabler of that. Ultimately, we're not in the business of cybersecurity. While we take cybersecurity very seriously at Aflac, that's not our business model. Our business model is to serve our policyholders. So I have to align what I'm doing to those business enablers to make sure that my leaders understand that I'm here to support them and enable them to do what they do so well.
[00:07:07] Sean: And doing that so well is another area that has a lot of connection to the world of cyber, certainly with policies. Insurance is in the business of looking at risk and how to mitigate it, and avoiding having an incident, hopefully, and having to pay out a claim because one occurred. So how does that world shape what you do, and are you able to leverage and benefit? Do you have an advantage working for an insurance company to help you run your programs?
[00:07:48] Tera Ladner: Well, when you work for an insurance company, people naturally understand the conversation of risk. It really is about risk and decision-making and being able to influence decisions. Risk is an underlying principle that all of my business leaders, all of my stakeholders, all of my partners understand. So when I'm able to talk about risk, and sometimes that's accepting the risk or mitigating the risk, it's not always completely getting rid of the risk, it resonates well with them. Again, having that non-traditional technical background, but bringing those skill sets forward that allow me to translate: okay, this thing is happening over here from a technology perspective. I understand it, but I don't expect my business leaders to understand that. I think my unique skill set is to be able to translate that thing that's happening into how it impacts us. What could that look like from a security perspective? What could that look like from a resiliency perspective? All of that matters when we need to keep our operations running and make sure we can service our policyholders.
[00:09:02] Sean: I presume every CISO I talk to is part of some community where they get to talk to each other and compare notes on where things are headed, where we're struggling, what technologies we use, how we keep our team active and healthy. How much of those conversations come back to finding the right people for your team and growing the right team to allow you to move up and fill your shoes?
[00:09:47] Tera Ladner: Yeah, we talk a lot about that. I'm lucky enough to have some really strong connections in the industry. I belong to a lot of groups based in Atlanta. The Atlanta CISO community is so supportive and always willing to reach out and help with whatever topic you may be grappling with that day. It's also a small community, so there are lots of people who will call around and say, "Hey, do you know somebody looking in this space or that space?" Building a team is one of the most important jobs for a leader in cybersecurity. You've got to have the right people. You've got to have the right culture. They've got to come in with the right attitude, because in those moments when something does happen, or when you have a problem in security, you've got to be able to look to the people left and right and know you can trust them and depend on them. Building a very strong team is probably my highest priority day in and day out. As we look across, there are lots of conversations about how we build the pipeline of talent. How do we make sure we're bringing the right diverse perspectives to the table? What are the different areas we can pull from where we're getting good talent? We share a lot of that in those different communities I'm in.
[00:11:08] Sean: When you're looking for talent, we talked about your unique experiences and perspectives and training, and your career leading you to this point has shaped who you are and what you're able to do. Somebody just starting out doesn't have that experience yet.
[00:11:32] Tera Ladner: Right.
[00:11:33] Sean: And one of the first things you mentioned was shaping how you think, right? In the legal sense. You don't know everything that's coming your way. The real training comes in how you tackle something when it comes up that you don't know. So, two ways of looking at this. How do you look for people who have that? Are there experiences they have, things on their resume, things they answer in an interview? And how would you suggest people get that experience of thinking differently if it's not naturally there for them?
[00:12:19] Tera Ladner: Yeah, I think the first answer is easier. I always say that the first skill set I look for in anyone I ever interview is curiosity. Do you have that curious and analytical mind? Do you ask a question, and then you ask the second question, and then you ask the third question? Because that's really where the information comes from, that third and fourth and fifth question, where you're starting to put pieces together and really understand, okay, this is bigger than the technology we're talking about. This is what's happening to our end-user experience. This is how it's impacting that other system. We have to be willing to dig deep and understand what's really happening before we can solve a problem. The second piece is, and I tell my technology teams this all the time, if you're looking to grow, you've got to get those basic skill sets. You've got to figure out how to build them. You've got to be a storyteller if you want to be a leader in security. You've got to be able to connect those technical conversations to business pieces, as we talked about earlier. You've got to be willing to build relationships. I could not be successful in my role if I didn't have very strong relationships across my stakeholders, my friends in legal, my friends in compliance, my friends in the business. You have to be able to influence, because I don't always have authority over the decisions that need to be made. They're owned by our technology division, or they're owned by the division. I have to go and influence their decisions. I don't own them. You've got to navigate ambiguity, especially with frontier AI models right now. We're all navigating ambiguity. There's the media hype, there are conversations coming from our technology leaders, the boards asking questions. You've got to be able to navigate and say, "Here's what we think. We don't know yet, but here's what we're doing to prepare for it." So you've got to build those various skill sets along the way while keeping your technical skills honed in. I think you have to have those skill sets to be successful in a leadership position in security where we are here and now. Those technical skills were enough years ago. I just don't know that they're enough anymore.
[00:14:41] Sean: I'm smiling because you've said two things in particular that really resonate with me. The first is the curiosity and asking the next question. A very good friend, Laz, a former CISO, would always say, "Well, what's your question, Sean?" And then I'd ask a question, and he'd say, "Why?" And then again, "Why?" And again, "Why?" You'd think, "Well, how many whys?" And until he didn't feel another why was necessary, he would keep asking. It was a phenomenal thing. The other is the ambiguity thing, and I'll go back to my manager when I was at Symantec. She said to me, "Sean, you'll be successful if you can identify and manage ambiguity for your team." Because, similar to you as a product and program manager, you manage through influence. You have no direct control, right? So you have to guide people, and you have to look for those potholes and work through the unknowns and help make the decisions that take you down a good path or keep you off a bad one. So, all of that said, you also talked about storytelling, which is near and dear to my heart, hence the podcast. I think those things together touch on the other point you made around culture. So my question is, how do you create a culture that supports your team, ensures you can run a program that's successful, and does it in a way that meets the expectations of the executive leadership team and the board? All three very different things, right?
[00:16:36] Tera Ladner: Right. But I really do think they all three come from the same place. As a leader, it's my job to build a culture among the team. I always tell my people leaders, "Your team lives in the house that you build." So it's up to me to set that stage for the team I'm trying to build. We have pretty clear team norms that we live by. We live by transparency. We say what we mean, and we mean what we say, and we don't sugarcoat or cover up anything. We are very transparent with each other. We have the very hard conversations behind closed doors. But when we come out as a leadership team, we are all aligned and supportive of the decisions made. We work with absolute integrity. We are true to what we say we can deliver, and when we realize we can't meet those expectations, we're very clear as quickly as we can be. We work respecting each other and caring about each other and holding each other up in those moments when it's hard. We work in a hard industry. You know this. It's a tough day-to-day industry to work in. If we're not supporting each other, and we're not taking care of each other, and we're not keeping that human part of doing a job at the forefront, we can't build that kind of culture. So it's important to me to have leadership days where we don't do anything but talk about how we communicate and what our team norms should be, and make sure we're all aligned and getting to know each other and building that trust we need in those hard moments. We do a lot of going back to that. We do a lot of program management in our world. We set clear expectations of what we're going to deliver, and then we measure ourselves against those, so we make sure we're holding each other accountable. We really focus on making sure we have a people-centric culture in our program and at Aflac in general. Dan Amos always says, and I'm probably not going to say it correctly, that you take care of your people, and they will take care of your company, and thus our policyholders. I really believe that. If I take care of my people, they'll take care of what they should be doing to protect our company.
[00:18:58] Sean: And in there, I'm hearing, and I'm going to presume you can confirm, that you give people a voice. Because for years the role of cyber has battled to emerge from being the department of no to being connected to the business, having a seat at the table, having exposure to the board to talk about the big things that really matter. In the context of the role of cyber in business, getting a voice has been difficult. Talk to me about how, and obviously it comes from leadership, but about presenting yourself and maybe some guidance for others looking to excel in this career, to find the right place to have their voice and how best to present that voice to establish that respect, to establish the integrity, and to have those conversations.
[00:20:14] Tera Ladner: I really honestly believe it is relationship building. I spend a lot of my time very intentionally building those key relationships and making sure I'm sustaining them. Not in a fake way, in a very real way. I want to know who my stakeholders are. I want to know what they care about, what they're grappling with on a day-to-day basis. Because then it's easier for me to help them understand what we're grappling with. So when you say find a voice with them, you also have to give them a voice with you. You have to be willing to let them speak to you, and, as I said earlier, you have to be willing to listen. You have to understand that they're coming with their own goals and their own performance issues and their own various problems they're trying to solve, and you've got to be a partner in that. You can't come in and say, "Yeah, but I'm security," bonk them on the head, and tell them they've got to do this, this, or that. You've got to meet them where they are. The more you work to build key relationships and have strong relationships with your various stakeholders, the easier all of that becomes. But you can't only ask for a place at the table, you also have to give them a place at your table.
[00:21:36] Sean: I was trying to figure out a fun way to connect it to the table analogy, but not everybody thinks they should have a place at the table. The industry is filled with imposter syndrome. Let's be honest, it's a world filled with crusty old white dudes, right? So how do you see a way for young women, or any age, to find that space at the table? Are there programs you've been involved with or groups that you can recommend?
[00:22:15] Tera Ladner: Yeah, I can certainly talk about that. I'll start with a funny story. I always tell people that, first of all, I am a woman in cybersecurity, that that's unique. And then you add on top of that that I'm extremely extroverted. So there are many times I'll go into meetings and look around and see one or two women in the room. Of course, I'm extremely outgoing. I want to meet people. I'll walk up to a table and say, "Hey, how's it going?" And you can just see people visibly lean back, like, "Why is this woman talking to us?" So I experience that a good bit. I really wanted to think about why women don't see a path to security, and I do think it's because we come from this place where we think we have to be a technologist or someone who really wanted to grow up and take a computer apart and put it back together and understand all the things it does. But that's not true. There are so many diverse perspectives that are needed. Think about people who train, and how important making sure our users understand how their behavior can impact security is. That's a whole training and awareness piece, changing the culture of the business to be a security-focused culture. That's a whole different skill set than someone who can run technology. There are so many places. Think about our governance teams and audit backgrounds, so many ways to get into cyber and to be successful in cyber. So I'll talk a little bit about a program that we created and picked up from our Northern Ireland team. There's a program called Empower Girls that was started over in England, and it was really about building a day that brings young women together to allow them to see that they can have a path into security. After attending one of those in Belfast at our Northern Ireland team's office, I brought that concept back to the US, and we started a program called Cyber Inspire. One track is that we go into the schools, into our local schools, about once a week at the middle and high school level, and talk to all kids, all upcoming adults, about what it looks like to be part of a cybersecurity program, what their different paths are, in addition to being safe online and making sure that we're doing things the way we should when we're on a computer. The next one is Empower Girls. For the last two years here in our local area, we've brought together, the first year it was 200, and this year I'm so proud to say it was 815 girls. We brought them together for a full day, with some of our cybersecurity technology partners coming in, setting up booths, playing games, letting them understand what cybersecurity is about, showing them that you can attach cybersecurity careers to things you already love. And then just making it a fun day for them so they felt engaged with the content. I can't remember the exact percentage, but I can tell you at the beginning of the day, we didn't have that many girls interested in a career. At the end of the day, we had a very large number interested in the career. We have another track in our Cyber Inspire program where we go into our local senior communities to help teach seniors how to be safe online as well.
[00:25:41] Sean: So cool. And congratulations. That's super successful. 200 to 800. That says something. That is inspiring. I'll say now, maybe we have another chat with a couple of the girls who found something fun to do, and I'd love to hear their stories with you on with them.
[00:26:00] Sean: I want to go back to the diversity of skills and the diversity of ways of thinking, because you touched on the whole awareness training. Just before we started recording, I was on with some folks out of Oxford who are doing research on human psychology and cybersecurity, and it's such an important piece. So, not technology, but an important piece. There are a lot of different ways to find a path in, and being curious is the first step. Maybe something you've seen or heard or trained in could apply. Asking that first question, and then the why, could lead you to a path. It's good that you have programs like the ones you're working on to give people a place to have those conversations, ask those questions, get those whys out there. I want to give you a moment to wrap with some thoughts for your fellow cybersecurity executives in this world. Anything you're thinking about or working on that you think the community should come together with, or thoughts on something you did that others might need to consider?
[00:27:52] Tera Ladner: Yeah, I would love to see more organizations come together and really focus on bringing those diverse backgrounds into cybersecurity. A lot of times we spend too much time looking within our own community, because we're looking for someone who's been vetted or who has the experience we need. But we've got to be very intentional about making sure we have pipelines, because we're going to run out of our own after a while, and I'm not sure that newer generations are as excited about a cyber field as maybe earlier ones. So I think we've got to focus there and be intentional. The other thing I'd say is make sure we're talking to our teams about building their tool belt. I talk about this a lot with my team. Back in the day, remember when we were in high school and we were like, "Ugh, why will we ever need algebra?" It's easy to say, "I shouldn't learn that thing," or, "I shouldn't take that class," or, "I shouldn't be a part of that project because I'll never fit." You don't ever know what's going to fit. You don't ever know when you're going to need a huge tool belt of all these skill sets and pull one out and say, "Oh, I knew something about that," and use it. So let's make sure we're expanding our team's knowledge and focusing on leadership, on influence, on storytelling even, on the other skill sets they will need to continue to grow outside of just their technical training. We've got to, as leaders, remember that to grow into the positions we're in, you've got to have all those skill sets. If we're not influencing our teams and challenging our teams and supporting them with the resources they need to build those skill sets, then we're doing them a disservice, knowing that's really what they're going to need in the future.
[00:29:52] Sean: Tera, you're amazing. I'm so glad we had a chance to connect. It took us a couple of weeks to get this scheduled, but I'm so glad we had this chat. You're welcome back anytime, and hopefully we get to talk about the Empower Girls program at some point.
[00:30:14] Tera Ladner: I would love that.
[00:30:15] Sean: And I wish you and all the CISOs success. It's a tough role. I joke that it's a role I wouldn't want. So I admire you and honor you and cherish you for taking on that role and protecting our information in the broader society of the digital age we live in. All right. Tera, thank you so much. And everybody listening, I encourage you to connect with Tera and follow her on LinkedIn and the work she's doing. Hopefully folks will be inspired from listening to this. I certainly was. Thank you very much.
[00:30:55] Tera Ladner: Thank you so much for the opportunity.