Zoom CISO Sandra McLeod on Securing Innovation at Scale

Zoom CISO Sandra McLeod discusses her strategic priorities, approach to AI-driven threats, and how she’s shaping a security-first culture at scale.
Aug. 25, 2025
8 min read

As one of the most-used communications platforms in the world, Zoom must guard against new and sophisticated cyber threats while continuing to support rapid product development. That responsibility falls to Sandra McLeod, who was named Chief Information Security Officer in May after leading the company’s security assurance efforts.

In this SecurityInfoWatch Executive Q&A, McLeod outlines her top priorities for the year ahead, shares how Zoom is embedding security across its engineering culture, and offers perspective on AI-driven threat detection. She also reflects on lessons from her time at Cisco and how they shape her leadership today.

McLeod joined Zoom in 2021 and brings nearly 15 years of cybersecurity experience to the role. Before stepping into the CISO position, she served as Head of Security Assurance, responsible for evaluating the effectiveness of Zoom’s security controls and practices. Earlier in her career, she spent more than a decade at Cisco leading offensive security, forensics, and advanced research initiatives, following 12 years as a developer in the financial and healthcare sectors, an experience that cemented her security-first mindset.

Ahead, McLeod offers a detailed look at what it takes to protect a global platform while enabling innovation to thrive.

Strategic priorities and risk management

What are your top strategic priorities as CISO at Zoom over the next 12 to 18 months? 

As Chief Information Security Officer, my top priorities focus on two main areas: reducing risk in critical areas and advancing the maturity of Zoom’s security program.

We continuously assess our program against leading frameworks, like NIST, across multiple crucial domains. This includes strengthening detection and response capabilities, embedding security into our development cycle (SDLC) and hardening our infrastructure security. This approach ensures that we’re steadily raising our defenses against evolving threats.

What is the most significant challenge you face in securing a global communications platform like Zoom? 

The most significant challenge is the relentless pace of change in both threats and technology. We have to constantly analyze and expand our security capabilities in order to keep pace.

Another key priority is protecting against emerging AI-related threats like AI supply chain compromises and model abuse, while also defending against the use of AI in attacks targeting Zoom or our customers. Securing a global platform also requires the right leadership and teams who are willing to ask hard questions, challenge assumptions and drive continuous improvement.

How do you approach building and maintaining trust in Zoom’s security posture among users and stakeholders? 

Trust is built through consistent transparency and strong, layered defenses. We work to prevent vulnerabilities by training engineers in secure coding principles. Our Secure Development Lifecycle includes security reviews at every stage, from design through testing and deployment.

After deployment, our Offensive Security team performs attack-focused testing to proactively identify weaknesses. And, on top of all of our internal teams working to ensure the security of our products, our Bug Bounty program with HackerOne incentivizes researchers to test for and responsibly report any potential vulnerabilities, which helps us remediate quickly and keep users safe.

What key lesson from your time at Cisco has shaped your leadership approach at Zoom?

At Cisco, I learned the importance of scaling security without slowing innovation. That balance between enabling the business and protecting it has shaped how I lead at Zoom. I encourage my teams to think like attackers but act like partners to the business, ensuring that security accelerates rather than obstructs growth. The key to doing this successfully is by inserting security early into the development lifecycle to ensure that security is part of the design, not something that has to be added later down the line.

AI, emerging threats and detection

How is Zoom using artificial intelligence to enhance threat detection and response capabilities? 

AI is deeply embedded across Zoom’s operations and products. From a security standpoint, we use AI to analyze vast volumes of data in real time, detect anomalies faster and respond more efficiently to threats.

Just as importantly, we’re prioritizing secure-by-design AI development to help ensure that any AI capability we bring to customers is built with security and privacy at the core. This dual focus of using AI to strengthen defenses while securing AI itself is a top priority for my team.

What specific threat trends are most concerning to you in today’s communications and collaboration landscape? 

AI-related threats remain top of mind. As I mentioned earlier, these include attacks on AI supply chains, abuse of models, and the malicious use of AI to launch attacks against platforms like Zoom and our customers. The speed at which these threats evolve makes adaptability and layered defenses critical.

How does your team evaluate security risk across Zoom’s diverse customer base? 

Evaluating risk starts with a strong understanding of the threat landscape and mapping it across all physical and virtual assets we need to protect.

Security is not just a feature at Zoom; it’s foundational to everything we build. Our team relies on frameworks like NIST, leverages third-party assessments for independent validation, and embeds security directly into the early stages of product design and development. This ensures our security posture benefits all users, regardless of size or use case.

What does an effective security assurance program look like in your view? 

An effective program is continuous, independent and aligned to industry frameworks. At Zoom, that means we assess against widely recognized standards like NIST, conduct ongoing risk evaluations, and bring in third-party assessors to provide an objective perspective. That outside lens helps us avoid blind spots and ensures we’re always raising the bar on security.

Building a security-first culture

What’s your approach to fostering a security-minded culture across different departments within Zoom? 

At Zoom, security is treated as fundamental, not optional. We practice a ‘shift left’ strategy, integrating security into the earliest stages of product and feature design, and we’ve developed an AI/ML security strategy alongside our Secure Development Lifecycle.

Beyond technical measures, we build culture through phishing simulations, a ‘security champions’ program for engineers, and advanced training tracks like our ‘champions plus’ program. By combining foundational principles, early integration, and continuous education, we ensure security is a shared responsibility across the company.

About the Author

Rodney Bosch

Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].
