From Containment to Oversight, How Women Executives Lead With Facts in Cybersecurity Crises
Published
Key Takeaways
- Strong allies create space, credit contributions, and intervene when dynamics drift.
- Organizations should treat device security as a lifecycle responsibility, rather than a manufacturing milestone.
- Johnson notes that boards have become more receptive to women with deep operational or technical cybersecurity expertise.
- Clarity is power, and being grounded in facts matters more than adapting to board culture.
- Johnson treats adaptability as the ability to shift from crisis execution to long-term risk oversight
Dr. Jeanine Johnson, CEO, Co-Founder, and Board Member at Immutaverse joins TechNadu’s ongoing International Women’s Day (March 8) campaign to reflect on how leadership, responsibility, and behavior intersect in cybersecurity and the boardroom.
Her career includes building security foundations at Apple and Microsoft, where decisions touched products and systems used by millions.
This interview explains what changes when the same executive is responsible for both incident response and board oversight. Johnson describes how security crises require rapid switches between hands-on decisions, and board-level work.Â
We address board dynamics, including navigating scrutiny, peer influence during crisis, and what allies in leadership should do differently.Â
While boards have become more receptive to women with deep operational or technical expertise in cybersecurity and risk, women are still expected to conform more closely to company culture than male peers.
Johnson walks through the device-level controls that matter most in IoT and OT environments, and explains how advance preparation, and clear communication determine whether an incident stays contained or spreads.
Vishwa: How does adaptability come into play when you carry responsibility as both CEO and board member during a security crisis?
Jeanine: Adaptability is the difference between reacting and leading. As a CEO of an AI cybersecurity company providing services to medium to large IoT and OT device manufacturers, I’m accountable for immediate execution: containment, communication, and technical decisions.Â
As a board member, I’m simultaneously responsible for oversight, risk framing, and long-term consequences. During a crisis, adaptability means switching lenses quickly: moving from operational detail to strategic clarity without losing either.Â
It also means being willing to revise assumptions as new evidence emerges; and not anchoring to early narratives just because they’re familiar or comfortable.
Vishwa: What questions should boards be asking security leaders to help security operations better?
Jeanine: Boards often ask whether controls exist, but the more valuable questions probe how they hold up under stress.Â
For example:
- Which failures would materially harm us if they occurred tomorrow?
- Where are we accepting risk because fixing it is operationally hard or politically inconvenient?
- What signals would tell us we’re wrong about our current threat model?
- How quickly can we patch or revoke trust at the device, identity, or firmware level?
Since security risks can never be fully eliminated, boards should regularly review risks and exposures with company security leaders.
Vishwa: In securing IoT and IIoT systems, which measures are consistently helpful for organizations in addressing device-level risk?
Jeanine: The most consistently effective measures are what I consider fundamental, albeit sometimes challenging to implement depending on a company’s available resources:Â
- establishing strong device identity,Â
- implementing secure boot with enforceable trust anchors,Â
- cryptographically signed updates, andÂ
- the ability to revoke or rotate credentials at scale.Â
Equally important is operational visibility, such as:
- knowing what devices exist,Â
- what firmware they’re running, andÂ
- whether they can be updated in the field.Â
Organizations that treat device security as a lifecycle responsibility, rather than a manufacturing milestone, are far better positioned.
Vishwa: From your experience, what aspects of board culture have become more welcoming to women leaders, and where does resistance still remain?
Jeanine: Over the past 10 years, I’ve noticed that boards are increasingly receptive to women who bring deep operational or technical expertise, especially in cybersecurity and risk.Â
There’s more appreciation for clarity, preparedness, and evidence-based decision-making. However, resistance still appears in subtle forms:Â
- women are expected to soften language,Â
- over-justify conclusions, orÂ
- conform to company cultural norms to a greater extent than male peers.Â
Progress is happening, but there’s still more work to do.
Vishwa: How can women leaders maintain their stand without conforming to expectations? What advice would you give women preparing for board-level responsibility?
Jeanine: Clarity is power. I’ve found that I don’t need to mirror someone else’s style nor to any board culture that may exist to be effective. Precision, consistency, and being rigourously grounded in facts have served me well over the years in my board roles.Â
My advice is to invest early in governance fluency: understand fiduciary duty, risk oversight, and how decisions are actually made in the room. Confidence grows when you know exactly where your responsibility begins and ends; and when you’re willing to be uncomfortable rather than invisible.
Vishwa: What would you like to share about peers who challenged you, rather than supported you?
Jeanine: Being challenged by peers can feel supportive, depending on the delivery and the situation. However, when a peer challenges without a clear, constructive purpose – such as withholding information or context, delaying decisions, or reframing issues to shift accountability – I know there is some sort of misalignment that may require relationship-building. I’ve also adopted the practice of documenting decisions, asking clarifying questions publicly, and not assuming shared understanding.Â
Vishwa: Did leading a team feel different as a woman in cybersecurity? What advice would you share with aspiring leaders?
Jeanine: Yes, particularly early on. Women leaders are often scrutinized more closely for tone than outcomes. Over time, I learned to focus relentlessly on results and clarity, and to let consistency do the talking.Â
For aspiring leaders: build credibility through follow-through, not perfection. And remember that leadership isn’t about having all the answers - it’s about creating conditions where the right answers can surface quickly.
Vishwa: From your experience leading incident response, which combination of capabilities matters most when responding to threats?
Jeanine: Speed, authority, and trust. Speed without authority creates chaos. Authority without trust slows everything down. The strongest responses come from teams that have rehearsed decisions in advance via tabletop exercises and recurring updates to operating procedures and incident response plans.Â
Know who can act without permission delays, and communicate honestly, even when the news isn’t good. Technical excellence matters, but governance and communication often determine the outcome.
Vishwa: Without naming organizations, can you describe a real security incident or near-miss where early action prevented a wider impact?
Jeanine: In one case, anomalous device behavior suggested a supply-chain issue rather than a traditional intrusion. Because the organization had strong device identity and update controls, we were able to halt deployments, revoke trust for a specific firmware lineage, and validate integrity before the impact spread.Â
The key wasn’t detecting the issue - it was having the authority and mechanisms to act immediately.Â
Vishwa: What should men in leadership stop doing if they want to be effective allies?
Jeanine: Stop assuming that intent overshadows or explains adverse impacts. Good intentions don’t negate exclusion, interruptions, or unequal scrutiny. Men in leadership should also stop over-mentoring and under-sponsoring.Â
Although advice is helpful, advocacy changes outcomes. The most effective allies create space, accurately credit contributions, and intervene when dynamics drift off course instead of waiting for women to self-correct the room.
Vishwa: What are the top cybersecurity regulatory changes boards should be aware of now?
Jeanine: Boards of device manufacturing companies should be aware of increasing cybersecurity regulations taking effect in their markets. Specifically, the EU Cyber Resilience Act (CRA) has vulnerability reporting requirements due this September with a full compliance deadline next year.Â
Similarly, the U.S. Cyber Trust Mark label will be required for all IoT/wireless-connected products to continue being listed with Federal Procurement effective EOY for January 2027 onward.Â
And all Boards should be aware that over the next few years, likely by 2030 if not earlier, quantum computing will become an increasingly serious threat to the security of wireless-connected devices as quantum computers begin to break widely used encryption methods like RSA and ECC, so companies today should have categorized their data to more securely encrypt their most sensitive data at rest and in transit and create migration plans to post-quantum cryptographic ciphers anticipated by NIST this April.Â
Those devices with hardware that can’t be updated to the new ciphers will have to be replaced with quantum-ready models or at least isolated via network segmentation and other layers. Overall, we’re in an active period of cybersecurity capabilities and campaign advancement and leaders top to bottom need to be prepared.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular