Zoya Schaller, Keeper Security’s Director of Cybersecurity Compliance Elaborates About FedRAMP, Zero-Trust, and Compliance Frameworks

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

The growing skill gap in security is a concern that governments and institutions are trying to reduce. Experts in the infosec industry are making a genuine effort to encourage people from all walks of life to take an interest, learn, and become a part of the workforce. 

Leading cybersecurity experts can make a huge difference and have a lot to share from their experience. This is why we asked a few critical questions to a woman leader from the industry.

Zoya Schaller, Director of Cybersecurity Compliance at Keeper Security, recounted how a new law reshaped the regulatory landscape for a client agency.

She gave a glimpse into the role mentors play in the lives of employees, into KeeperPAM, a fully cloud-native platform by Keeper Security, and into the need to avoid technical jargon that could become a barrier to effective communication with stakeholders.

We asked Zoya Schaller a few questions for our latest LeadHER in Security interview. Read on to find out what she had to say about FedRAMP, how to plan the study of cybersecurity compliance, and the need to create awareness about it.

1. Please share about yourself and what drove you toward cybersecurity compliance.

My journey into cybersecurity began more than two decades ago, when the Federal Information Security Modernization Act was enacted.

As a federal contractor supporting information systems, I saw firsthand how this new law reshaped the regulatory landscape for my client agency. Intrigued by the challenge, I volunteered to lead the implementation of the required changes.

Being in the right place at the right time played a role, but so did the incredible mentors who guided me. They shared their knowledge, encouraged my growth, and created an environment where I felt empowered to learn and take risks.

Recognizing the importance of continuous learning, I pursued cybersecurity certifications like CISSP and CGRC – not just for credentials but to deepen my understanding of core principles and evolving threats.

What drew me toward cybersecurity compliance was the realization that it's about more than rules and regulations. It's about building trust, ensuring the integrity of information, and safeguarding critical assets.

It's about creating a secure digital environment where individuals and organizations can thrive. The field’s constant evolution, intellectual challenges, and real-world impact continue to fuel my passion for cybersecurity compliance.

2. Can you shed light on Keeper Security being a zero-knowledge company? How does this approach better safeguard user data?

Keeper Security is the leading cybersecurity provider of zero-trust and zero-knowledge Privileged Access Management (PAM) software protecting passwords, passkeys, privileged accounts, secrets and remote connections. From day one, Keeper was built with zero trust and zero knowledge principles, ensuring that even in a worst-case scenario, a user’s vault remains secure with multiple layers of encryption.

Today, Keeper is trusted by millions of individuals and thousands of organizations worldwide, including Fortune 100 companies and federal agencies such as the Departments of Justice and Energy.

Recent high-profile breaches have demonstrated the devastating consequences of compromised privileged access. KeeperPAM, our fully cloud-native platform, tackles this risk head-on by validating every access request using a zero-trust framework, allowing only explicitly authorized users to access critical systems.

Keeper’s zero-knowledge architecture is a key differentiator. Unlike other solutions, Keeper ensures that only the end user has access to their data – no one else, not even Keeper. This commitment to security has guided us for more than a decade, reinforcing our transparent, best-in-class security model.

3. What are some of the key features of KeeperPAM?

As organizations expand into hybrid cloud environments, securing privileged accounts has never been more critical. KeeperPAM delivers robust security and management capabilities to protect passwords, passkeys, privileged accounts, secrets, and remote connections.

The core capabilities of KeeperPAM include: Password Vault, Secrets Management, Session Management, and Remote Browser Isolation to secure internal web-based applications, cloud apps, and devices, preventing malware and data exfiltration, and controlling browsing sessions with full auditing, session recording, and password autofill; an Admin Console that manages and deploys Keeper to users, integrates with identity providers, monitors activity, and establishes role-based enforcement policies; and a Control Plane to orchestrate and monitor the various components and activities related to privileged access, session management, policies, and workflow.

KeeperPAM is FedRAMP and StateRAMP Authorized, meeting stringent federal security standards. The platform seamlessly integrates with SSO, SIEM, SDK, MFA and CI/CD pipelines and passwordless authentication. Features like automated password rotation, secure remote access, and real-time session monitoring ensure that only trusted users can interact with sensitive systems – eliminating the risk of credential theft and maintaining a clear audit trail.

4. You have worked as a FedRAMP advisory consultant, security policy consultant (ISSO), information assurance manager, and information security analyst, among other roles. While speaking to clients, what topics did you feel needed more clarification and what could be the cause of difficulty in understanding the concepts?

Many clients found risk management and compliance frameworks difficult to grasp due to technical jargon, time constraints, and a lack of foundational understanding.

The challenge was often not just the “what” of compliance but the “why” – why these frameworks exist and how they protect their organization.

To bridge this gap, I focused on clear communication and real-world examples. Breaking down complex concepts into practical, business-aligned discussions helped clients understand security as a proactive strategy rather than a compliance checkbox.

A collaborative approach made compliance more accessible and helped organizations build stronger security postures.

5. For young professionals who are learning about cybersecurity compliance, how would you recommend they begin their study? What topics should they focus on?

For those new to cybersecurity compliance, think of it like building a house – you need a strong foundation. Start with the network and system basics, then move on to core security concepts like the CIA triad (confidentiality, integrity, availability), risk assessment, and access control.

Next, focus on compliance frameworks relevant to your industry, such as NIST, ISO 27001/27002, GDPR, HIPAA or PCI DSS. Understand not just what they require but why. Develop hands-on skills in risk assessment, policy development, audits, and data privacy, and then study their specific requirements and the underlying rationale for each control.

Stay informed about AI’s impact on compliance – it’s changing the landscape rapidly. Certifications, online courses, and industry forums will keep you up to date. Finding mentors, especially other women in the field, is invaluable.

The cybersecurity community is full of professionals eager to help newcomers. By putting in the effort, you can build a rewarding career in cybersecurity compliance and contribute to making the digital world safer. 

I even used OpenAI to create a Cybersecurity Regulatory Compliance Advisor to help answer compliance-related questions for frameworks like FedRAMP, SOC, ISO, CMMC, and DFARS – there are countless resources out there!

6. Being a woman in cybersecurity, what advice would you give to aspirants who are apprehensive about the study of Governance, Risk and Compliance (GRC)?

Governance, Risk, and Compliance (GRC) is about protecting the confidentiality, integrity, and availability of information. It may seem overwhelming at first, filled with acronyms and regulations, but at its core, it’s about managing risk.

Women bring valuable perspectives and skills to cybersecurity – skills the industry desperately needs. If you’re considering a career in compliance, seek out mentors and inclusive work environments that recognize the importance of diverse perspectives. GRC is an essential field, and you absolutely belong here.

7. Do you believe that cybersecurity compliance is studied by fewer professionals as compared to others? If yes, how could this be changed so more professionals opt to work in this industry?

Yes, cybersecurity compliance is a niche field. It requires translating regulatory language into technical and operational security measures. While it may not be as visible as Red Teaming or ethical hacking, compliance is what enables organizations to build mature, standardized security programs—helping them "play in the big leagues" and win customer trust.

Raising awareness about compliance’s critical role in cybersecurity is key. Organizations should highlight how strong compliance programs drive business success and create career opportunities.

By showcasing the real-world impact of compliance, we can attract more professionals to this essential discipline.
