Profile: William Lidster, CISO, AAA Washington

William Lidster AAA Washington Snip


William Lidster attended the United States Military Academy at West Point, and joined the armed forces after graduation. After his tenure in the military, he moved into a technology sales role, selling computer and networking equipment across Europe and the Middle East to government organizations like the DoD, Department of State, and United Nations. He acquired some networking skills during that experience and decided to move into more leadership-focused roles, taking him back to his home state of Alaska. William’s first exposure to administering information security needs came with  an IT leadership role with a local electric utility company. It was during this time he recognized how interested he was in the information security side of the business, and his career took off from there. After a successful career building security programs across banking and healthcare organizations, William began working as the first CISO at AAA Washington. 

What attracted him to AAA Washington was the culture and importance placed on the success of the security program. He explains, “I’ve been here almost seven years now. We have a great culture, great people, and I’m afforded lots of latitude. They take security seriously and it has been wonderful to develop and grow the program here.”

In order to set himself and the security program up for success, William spent the first few months at AAA Washington connecting with business leaders, understanding their pain points, and determining how security could make a positive impact. He comments, “One of the very first things I was trying to do is get a lot of easy wins. I wanted to get to a place where security was viewed as helpful. And that we can help them quickly and efficiently, and not be a roadblock to anything other business units are trying to do. Achieving this was probably one of the best things I was able to do.”

Being a strong communicator derives from William’s formal training at West Point. As an officer, he was constantly communicating with senior-ranking officers, something that matured his ability to think and talk strategically. He realized most leaders want to know the what, not the how, and when you can confidently discuss this with them, you instantly gain their trust. 

“I’m responsible for everything that is information security. When we think about information security, we also think about physical controls, not just technical or administrative, and that’s a working partnership we have internally. We have a lot of initiatives and a lot of transformation taking place in different areas, and my responsibility is that we’re doing it within our risk appetite and risk tolerance. I have to make sure we are putting the right things in place to ensure our systems and data remain secure. I have overarching responsibility with governance, and making sure things are being done correctly, even if it’s not in my particular department, because we do distribute things people have to be able to do, not just my team,” explains William. 

One of their current larger initiatives is around cloud migration, moving systems off prem, and transforming their capabilities moving into the cloud. For the next twelve months, William is upping the security posture in response to the new perimeter. He says, “The perimeter is really going away. I’m doing basically a lift and shift, and that puts our endpoint into a different category of criticality that we didn’t have to worry about before. So that’s what I’m working on right now. We’re replacing our EDR with something that’s far more powerful, far more comprehensive. We’re implementing a SASE as soon as we’re done with EDR, to provide security before we go to our cloud resources. When I found out these business transformations were coming, I knew that we needed to lift and shift our controls in a different way.”

William and his team follow the NIST CSF framework, an approachable way to ensure they are meeting standard security requirements. His goal is to continue to mature how they align to the framework, and ensure they focus on key areas that are most applicable and impactful to their business and how it operates. For example, they might look at the CSF and map it to their GRC tool to ensure efficiency.  

To effectively communicate with executives about progress on framework alignment, among other areas, William ensures he uses clear business language. He comments, “I go into executive meetings with the intention to get across, at a high level, what we are doing and why. I use my judgement to determine what milestones to share with them, and my goal is to make sure they have a good grasp on what we are doing. I don’t go into details like percentage of NIST controls complete, it is not necessary for them to know this level of detail as long as they understand what we are trying to accomplish and why. They really want to know how our work relates to the business. The board and executives should walk away from the meeting with an understanding that we are doing the right things and headed in the right direction. We get asked smart questions by them, and it shows we are on the right track.”

Having a common vision and ensuring his team understands the value of their mission is important to William, and it is how he approaches leading towards a positive impact. He explains, “My team is engaged, they understand that they’ve got a mission and purpose, and they’re behind it. And that they’re free to grow and be engaged in our program. It is great that they stop and question what we are doing as well. We might be headed in a certain direction, and they have free will to question if it is the right decision or suggest alternatives. Everyone speaks up and shares their thoughts on what we are doing. I am always open to reassessing the direction we are going based on feedback from my team.”

He continues, “I really value making sure that everybody’s on board and knows what’s going on. I formulated a Risk Governance Committee, that didn’t exist before, so I can bring the business in formally every quarter, and say this is what we’re doing, this is why, and this is what’s next. We ask questions to make sure they understand what we are doing, and ensure we have buy-in from them. Approaching it this way is part of my leadership style.”

To continue to grow his skillset and hone his leadership skills, William strongly believes in networking, whether it is at conferences or amongst his personal relationships with peers. He values learning from others in his position about their approach to communicating with executives, and how they effectively align to the business. He also discusses how his peers approach investing in solutions – better understanding their requirements and outcomes. Another way William gives back and continues to learn is by regularly teaching cybersecurity courses at universities. It provides him opportunities to stay current on trends and encourage the next generation of security professionals to be passionate about a career in the industry. 


    Stay up to date with cyber security trends and more