Inside the episode: What I learned from speaking with Michelle Tolmay
I often talk about how cyber security is fundamentally about communication, but my recent conversation with Michelle Tolmay, CISO at Tracsis, reminded me that it is also fundamentally about people.
Michelle’s career path is anything but typical, and that is exactly what makes her perspective so valuable. She didn’t start out with a burning desire to configure firewalls; she started in veterinary science. In fact, she funded her degree by running a fibre optic networking company in South Africa, literally digging trenches and pulling cables.
While she eventually traded the veterinary path for IT support (and thankfully, digging trenches for a desk job), she pointed out a fascinating parallel between the two. Whether you are looking at the respiratory system of an animal or the network architecture of a business, it is about understanding how things tick.
But more importantly, she told me that her time in IT support taught her the value of service. She loved being able to “give a little and make people’s lives a bit easier”. That ethos has stuck with her as she moved from fixing printers to breaking into systems as a penetration tester, and finally into leadership. As she put it, “If you’re doing cyber security right, people don’t notice it”.
Finding a voice in the room
We couldn’t ignore the reality that Michelle is still one of a relatively small number of female CISOs. While the industry is changing, we discussed the challenges that still exist.
She shared a story that made me wince, though she recounts it with good humour now. She once walked into a meeting with a new vendor, accompanied by a junior male colleague. The vendor immediately looked at her and asked, “Can we have a couple of coffees, please, love?”
It is a staggering assumption to make, but it highlights the biases that still linger. Beyond the overt moments like that, Michelle spoke about the frustration of the “Am I on mute?” phenomenon in meetings—where you voice an idea, get no reaction, and then hear someone else say the exact same thing thirty seconds later to a round of applause.
Her advice here was practical and powerful: we need allies. She calls them “corporate cheerleaders”. It is about having someone in the room who is prepared to say, “Actually, Michelle said that first. Can we go back to her idea?” As leaders, ensuring we amplify those voices is a small action that makes a massive difference to the culture of our teams.
Why security leaders must be optimists
One of my favourite moments in our chat was when we dug into the mindset required for this job. There is a stereotype that security professionals are pessimists—always looking for the holes, the flaws, and the risks.
Michelle completely flipped that narrative. “I don’t think we are,” she said. “I think, actually at the heart of it, we’re all optimists because we’re trying to find things that could go wrong before they go wrong, so that we can fix them”.
It is such a refreshing way to frame what we do. We aren’t here to say “no”; we are striving for that “happy place where everything’s secure, runs well, and doesn’t cost the earth”. We have to believe that state is possible; otherwise, why would we turn up every day?
Answering the “so what?”
Of course, optimism alone doesn’t secure a budget or convince a board. Michelle was very open about her learning curve when it came to speaking the language of the business.
She recalled her first board presentation where she went in highlighting risks that would cost a few hundred thousand pounds to mitigate. The company secretary simply turned around and said, “We’ve got a five million cyber liability insurance. Why should we care about something that’s only going to cost us a few hundred thousand pounds?”
It was a tough lesson, but it taught her that you have to understand the risk appetite of the business before you even open your mouth.
Her advice for anyone aspiring to a CISO role is to find a mentor who will challenge you. She had a boss who would look at her slides and simply ask, “So what?” If you can’t explain why your technical finding matters to the business outcome, you aren’t ready to present it.
Creativity in “security poverty”
We also touched on the unique energy of startups and scale-ups. Michelle loves that environment, even though it often comes with what we called “security poverty”. You can’t just go out and buy the silver bullet tool that costs twenty grand a year.
But rather than seeing this as a deficit, Michelle sees it as a driver for creativity. It forces you to adopt a “Blu Tack and Sellotape approach”. You have to be resourceful. And often, showing that you can be creative and solve problems without spending a fortune actually builds your credibility with the board when you eventually do need to ask for investment.
Fixing the talent pipeline
We wrapped up with a bit of a soapbox moment, and I’m glad we did. Michelle is passionate about the fact that we cannot fix the diversity problem in cyber security by just poaching talent from each other. “We just move the problem around. We don’t actually fix it,” she said.
Her call to action is for us to get involved at the entry point—schools, guides, colleges. We need to show people that you don’t have to be a “super genius coder” to work in this industry. Whether you are into policy, people, training, or engineering, there is a place for you.
If you have a moment, I’d highly recommend listening to the full episode. Michelle’s journey is a great reminder that while technology changes, the most effective security always comes back to understanding and helping people.