Tarah Wheeler is CISO at TPO Group. TPO is an acronym for technology, policy and operations, and the firm provides cybersecurity consultancy for high-stakes organizations such as critical industries and federal agencies. But despite this elevated position, her journey was far from typical.
“I absolutely did not choose this career on purpose,” she said. “No, I fell backwards into it. I feel like this career dragged me into an alley, coshed me over the head, and said, ‘You’re one of us now. kid’.”
For Americans unfamiliar with British slang, the ‘cosh’ phrase would be better understood as ‘hit me over the head with a baseball bat’ – and it may be worth noting that although born in Washington, Wheeler is currently studying at Oxford in the UK.
“At heart, I think of myself as a social scientist and writer. There is no better place than cybersecurity to see how people behave when they think they’re not being observed, and then getting data on it.” It’s like she saw cybersecurity as an arena for interpersonal relations (friend versus foe, collaboration, international relations, leadership, etcetera), and having once entered the arena, she either didn’t or couldn’t leave it.
In that arena, she received a thorough grounding in cybersecurity. “I’ve been red team, I’ve been purple team, I’ve been SecOps, and I’ve been in physical, digital, and social cybersecurity. Now I find myself moving more and more into risk and compliance, because it describes the impact of people’s actions at scale and my ability to change them. I think that’s fun. I like seeing collective behavior, and compliance policy is how you make 50,000 people behave slightly better when it comes to security.”
The influence her love of social science has had on her journey into cybersecurity and her career within it is clear. Her second love, combining social science with writing, cannot be ignored. She mentioned her pride in authoring a Foreign Policy feature in 2018: In Cyberwar, There are No Rules. But there is much more. She wrote the book, Women in Tech: Take Your Career to the Next Level with Practical Advice and Inspiring Stories, and has written numerous policy papers for institutions including the Council on Foreign Relations and Harvard’s Belfer Center.
Her increasing knowledge of cybersecurity (including stints with Microsoft, Silent Circle, Symantec and Splunk) gravitated her toward leadership. She became and remains CISO at Red Queen Technologies and is now also CISO (technically CSO) at TPO Group founded last year. Her proudest moment, she said, was when she gave testimony to the US Senate Committee on Homeland Security & Governmental Affairs during a hearing on The Cyber Safety Review Board in 2024.
She feels that the depth and range of hands-on practical experience in so many different security functions is fundamental to reaching her current level. “In security, your knowledge from every single thing you’ve done before builds over time. You don’t lose the perspective and information and skills that you get as a red teamer when you move into compliance. Instead, you start thinking about how people can crack and break and abuse compliance policy, and that makes you really, really good at compliance.”

In all her time in cybersecurity, she has never lost her earlier focus on social science, finding that the two subjects overlap and benefit each other. “The first case studies I ever did when I was in college were histories of conflict with China, Russia, and North Korea. And now I’m back again, dealing with conflict with China, Russia, and North Korea.”
She never lost her interest in foreign relations but now adds a cybersecurity lens. She was a security fellow at New America, “focused on South Asia and the Middle East, extremist groups such as ISIS, al Qaeda and allied groups, the proliferation of drones, homeland security, and the activities of US Special Forces and the CIA.”
She was a senior fellow for global cyber policy, and is a life member, at the Council on Foreign Relations. She is a member of the board of directors at EFF.
To social science and writing we should add another characteristic – a love of having fun. An example can be seen in the title of one of her policy papers, while at CFR, describing the role of a CISO: ‘Walk and chew gum…”. Another can be seen in her time at EFF. She founded and hosts the annual EFF Benefit Poker Tournament at DEF CON. “It’s a blast,” she said. “It’s been growing every year.”
What she didn’t mention is that she is a very competent poker player herself, with earnings from professional tournaments quoted on the Hendon Mob Poker Database.
She talked more about her time with EFF. “I remember Eva Galperin once saying the EFF is the closest thing that hackers have to a religion. And I don’t think she was wrong. This is the oldest digital rights organization in the world. It is a joy and a privilege.”
What is a hacker?
This raises an interesting question. It’s very difficult to find a universally agreed definition of ‘hacker’; so, what does Wheeler mean by the epithet?
“A hacker is a person with a certain set of skills. The list of skills from A Hacker Manifesto [by McKenzie Wark] is a good way to think about it.”
But, she added, “If I was to define a hacker, I might go back to Razor and Blade in the 1995 movie Hackers. Hacking is not a crime. It’s a set of survival traits, the ability to see the world orthogonally, to see how it is fragile, to see how you could take advantage of fragile physical, human and digital systems, and to make a choice in that moment between taking advantage of them or making them safer so other people cannot be harmed by them,” she said.
“People who use these skills for good are hackers. People who use the same skills for harm, are just criminals.” That’s another feature of Wheeler’s character – a tendency to slice through the noise to find the kernel.
If those skills define a hacker, what skills are necessary to be the leader she has become?
Being a leader
“I think I’ve seen one single attitude that allows people to move from individual contributor to manager to leader: it’s the ability to subsume your own ego. To help other people do the job you used to do, but to help them do it better than you ever did – while taking no credit for it. Anybody can be a leader if they’re okay with their victories being other people’s successes.”
Wheeler clearly has many interests beyond the simple definition of cybersecurity. Do such outside interests help make a better cybersecurity leader?
“I don’t see how they cannot,” she said, “whether that’s by keeping your mind refreshed through tackling intellectual puzzles or doing something completely different. It can bring new perspectives and improve your ability to draw analogies to explain technical issues for people who aren’t in security but need to understand it.”
She stressed this point. “I think the more cross-disciplinary interests you have, the better senior practitioner of cybersecurity you become. Our job often requires explaining, using analogies, what’s going on in security to non-technical business leaders. The best way to do that is not to explain what it is, but what it is like. We must be able to explain security to business leaders in a way that helps them make good, risk-based decisions without having the quarter century of technical knowledge we have in our own head. There’s no way that outside interests don’t help you do that.”
She gave a personal example. Apart from the outside interests we have already noted, “I’m also a student pilot,” she said. It offers two advantages. “I guarantee that when you fly a plane for the first time, the last thing on your mind will be your day job.” So, it’s refreshing – and the security analogy is simple: “Do it right or die.” Incidentally, the same principle applies to another of her hobbies: motorcycling.
Burnout
It is worth wondering if having such a wide range of additional interests has any preventive effect on cybersecurity’s modern-day scourge: burnout. Probably, but only indirectly. “I think burnout is what happens when people feel trapped in their situation,” she said. “And a lot of things can make you feel trapped and powerless.”
She mentioned ‘late stage capitalism’ as a key factor. This term started life in Werner Sombart’s early‑20th‑century idea of the capitalism emerging after WW1. But as the nature of capitalism has evolved, so has the use of Sombart’s term evolved – from ‘late capitalism’ into ‘late stage capitalism’, and from scholarly into more or less derogatory. The term is now used as an almost satirical comment on the absurdities of modern market economies.
“I think earlier in my career, I would have described burnout more as a failure to manage yourself. Now, I see people being trapped in situations that are exhausting and inescapable.” Exhausting because of the absurdities in modern global business, and inescapable because of personal situations such as commitments, or debts, or even immigration status.
“In burnout,” she continued, “I see people who have become trapped. The solution is not to give them a self-care instruction, like go home and use a bath bomb – the solution is to figure out why they’re trapped and help them escape the trap. Even if you don’t see the trap, they feel it; and just because a trap is invisible to you doesn’t make it less real.”
Advice
What helped Wheeler reach her current position as both a cybersecurity and thought leader? What advice did she receive on her journey?
“At a personal level,” she replied, “The best advice came from the boss I had at that time. I was in the midst of a massive cybersecurity crisis, and he said, “In two years, this is going to be a story you tell yourself about something that once happened to you.”
It’s one of those simple statements with a wide range of possible interpretations and applications. Don’t fret too much about a current crisis because firstly you’ll get beyond it and it will become history, and secondly you are not defined by a single happening, good or bad. “Apprenticing to a truly great leader,” she added, “is the best way I’ve seen for learning to be a leader yourself. And that’s the best personal advice I’ve ever received.”
At a technical level, she continued, “The best advice I ever got was from Jon Callas.” Callas co-founded PGP Corporation and developed IETF standards including OpenPGP and DKIM, after Phil Zimmerman had developed the original PGP. Together, the two of them and Mike Janke founded Silent Circle, where Wheeler was a systems architect.
“I was frantically rebuilding some NVIDIA drivers for Kubuntu just 15 minutes before doing a conference presentation, because my laptop wouldn’t output the slides that I wanted it to display. Jon said, ‘Your job is to explain this technology to other people. Your job isn’t to write this driver. It’s a waste of your time to keep rebuilding your computer every six weeks when you have a talent for making people understand cybersecurity.’”
The lesson: focus on what is actually time-efficient and necessary to do the job.
And the advice she would now pass on to others?
“Fail hard and fail often,” she suggested. “I’ve probably failed seven out of every ten things I’ve tried. I accept that. I’m not ashamed of my failures, and you shouldn’t be afraid of your own failures. In fact, have more failures, because increasing the number of your attempts, and the ratio of your acceptable failures to success, is how you get awesome success. And it’s an acceptable price.”
What now?
So, what now? Having come so far and done so much in cybersecurity, what worries Tarah Wheeler most today in or about cybersecurity?
“The truth,” she answered. “I worry about the lack of ground truth in cybersecurity. I’m concerned about the inability to parse truth and facts from what we are told. The problem in cybersecurity is we don’t have industry benchmarks, and we don’t have industry statistics. I’m continually asked, what is the correct number of phishing tests to run? How should we manage our identity? How many attacks should we expect and accept each year versus paying to remove them? What is our ROI on cyber insurance?”
The cause, she continued, is, “We don’t have the relevant information because we’re bombarded by the media, by marketing from large companies with corporate data, and even from the government with white papers. None of this is actual science telling us the true impacts of international action, of user actions, of state threats, of APTs. We don’t have that because we don’t have a Bureau of Cyber Statistics in the US, because there is a lack of political will to create a source of truth.”
She clearly feels passionate about this. “Hell, NIST right now is under attack, and NIST was the last bastion of irrefutable evidence.” She refers to the major downsizing in NIST’s workforce instigated by the Department of Commerce as part of a broader federal push to downsize agencies. It started around the Spring of 2025, with the termination of more than 70, mostly ‘probationary’ staff. By the end of January 2026, CyberScoop reported, “The agency has shed more than 700 jobs since 2025, including 89 at a lab responsible for testing and validating the government’s encryption.” This is not internal restructuring, but government-enforced workforce downsizing.
“We don’t have central repositories and sources of truth, and as a result, we don’t have a firm footing upon which to make our decisions. That’s the thing that keeps me up at night. In cybersecurity, it is manifested by people in the media who substitute Gartner quadrants for facts; it is manifested in the way I can’t tell if what I’m reading on a previously respected journalistic outlet is in fact the truth, or if something is being excluded or added. Right now, it’s very difficult to tell if I am truly building my knowledge base, or if I’m just stacking hype on hype in my brain – and that is distressing.”
Related: Beyond the Hype: Questioning FUD in Cybersecurity Marketing
Related: CISO Conversations: Timothy Youngblood; 4x Fortune 500 CISO/CSO
Related: CISO Conversations: Keith McCammon, CSO and Co-founder at Red Canary
Related: CISO Conversations: John ‘Four’ Flynn, VP of Security and Privacy at Google DeepMind
https://www.securityweek.com/ciso-conversations-tarah-wheeler-cybersecurity-leader-thought-leader-and-original-thinker/


