#3: Caroline Wong

September 16, 2015

Welcome to Episode 3 of the Building a Life and Career in Security Podcast.

Today’s guest is Caroline Wong. Caroline is currently the Security Initiative Director at Cigital. Caroline wrote the awesome security metrics book I often quote called Security Metrics: A Beginner’s Guide.

Caroline and I talk about writing books, finding a good mentor and about her (relatively) new baby.


[content_toggle style=”1" label=”Show%20Episode%20Transcript” hide_label=”Hide”] Caroline Wong: The book was awesome for my career. I have an opportunity to kind of talk to a lot of people in the industry that might not be interested in having a conversation with me if not for the book, but now, I’ve got this sort of credibility that I didn’t in the past. Speaker 2: From the jayschulman.com studio, this is the Building a Life and Career in Security podcast. Now, your host, Jay Schulman. Jay Schulman: Thanks. Hey, it’s Jay. Welcome to another episode of Building a Life and Career in Security podcast. It’s the podcast that lets you see how others grew their information security careers. Today’s guest is Caroline Wong. Caroline touches on a lot of really interesting topics today, how writing a book really helped her grow her career, what it’s like to be a working mom in information security and how to encourage more women to enter the security field. Here is Caroline’s career journey in her own words. Caroline Wong: It really started for me in college when my Chinese father insisted that I study engineering and so, I ended up studying electrical engineering and computer science at UC Berkeley. At the end of my junior year, I thought to myself, “Okay. It’s time to get an internship.” I literally applied to every job that I was qualified for and it ended up being about forty or fifty different jobs. The one that worked out was for eBay and it was an IT project management position, and I didn’t know what that meant, but it turns out that for the summer, they wanted me to come in and create their internet website for BCPDR, business continuity planning and disaster recovery. I worked the summer at eBay, in IT. When I graduated, I got in contact with my manger from that internship and I said, “You know, I really enjoyed my summer. I’d really like to work for you at eBay full-time.” He said, “There’s a hiring freeze in the IT department, so I can’t hire you, but I happen to know that there are a couple of entry-level positions in information security, so you should go check those out.” I thought to myself, “I don’t know anything about information security. I’ve never heard the term before. I don’t know what it means.” He said, “That’s okay because they’re really just looking for someone, like a fresh college grad to train up.” The night before my interview for this information security policy job, I was on Wikipedia and I pretty much memorized the website. I went in for a series of, I think it was four interviews and I found out pretty quickly that everyone is asking me the same questions and after they asked me the questions, they told me the answer. The hiring manager was last. He asked me pretty much the same questions everyone else had in the hiring process and I ended up with my first full-time job working in information security policy at eBay, which is interesting because I didn’t know what I was doing. Maybe like a lot of new college grads and I was really sort of learning it as I went. eBay had established a security program well enough to have a set of policy and my job was that if somebody in the business had a question about our policy or wanted to request an exception about our policy, then they would talk to me. What I would do is I would chat with them. I would sort of write down their request. I would go speak with more senior members of the team, ask them what they thought and then go back and tell the business owner. As this went on, sort of the same used cases would come up again and again. I kind of grew into a role where I was not only answering questions about policy, but actually making revisions to policy. Then I sort of got my big break when eBay hired Dave Cullinane to be their CISO. This was for eBay the first time they had hired someone that was at a VP level to run the security program. In the past, it had always been a director or below and at eBay at that time, you really needed to have a vice president title in order to make any real change. Dave goes in and he says, “We’ve got a team of twenty five. I really need it to be sixty four. We’ve got a budget of X. I really need to be Y.” They gave it to him. He really taught me above all things how to justify budget for a program. He went in and said, “Look, we’re running a business that allows strangers to transact with each other over the internet. We really need to have some good security.” He made a great pitch and they gave him everything that he asked for and he asked me at that point in time if I wanted to be his chief of staff, which mostly involved to sort of helping Dave as his right hand. I actually said to him at that time, I said, “You know, Dave, I’m twenty three years old and I don’t know anything. Are you sure you want me to be in this role working for you?” He said, “Yeah. I’ve watched you work and I know that you’re very organized and I know that you know how to get things done.” He said, “Between the two of us, I’ve got the experience and you’ve got the get it done. Between the two of us, we’re going to make a really good team.” I worked for Dave for several years, really listening to his ideas and helping him carry them out and in that way, began to sort of develop my security knowledge of the industry and the various vendors, worked with a lot of vendors during that time. I put a lot of programs into place, including a metrics program. At one point, Dave said to me, “Well, now we’ve got the budget and we’ve got the people and we’ve got the projects and we’ve got the technology, now we need some security metrics to measure the value of the program and ensure its ongoing investment.” At that time, I did what I always do when I don’t know what to do which is, I read a lot of books. I do a lot of research and I try to meet and talk to people who are subject matter experts. I was lucky because Dave had and has a very strong network in the information security field and so he was able to introduce me to folks like Dan Gear that had an opportunity to speak to firsthand about this kind of thing. What I’ve learned at that point, this was kind of 2006, 2007 timeframe, was that a lot of people were thinking about security metrics, but not very many people were doing security metrics. A lot of the literature that was out there, Andy [inaudible 00 = 06 = 51] book for example, had a lot of great ideas, but I had yet to meet people who would actually put them into practice. For our practical purposes, we sort of made it up. At the time Archer Technology which is now owned by RSA EMC, but at that time was just Archer. They had just come out with their data feed service. I thought to myself, we’ve got all of these different technologies that we’ve got to deployed, how cool would it be if we could pull data from all of these different feeds and kind of put them in one place and create a CISO dashboard? So that instead of Dave having to speak individually to his direct reports in order to find out what was going on, the vision was that he could just kind of log on first thing in the morning, look at all these data and then have sort of a targeted way of being able to ask questions about what’s going in his program. We built that out and the same time, Dave was being asked to do a lot of public speaking engagements and one of those was at RSA and one of them was to speak on a panel about security metrics. He said to me, “I actually have so many obligations at this conference, why don’t you take this panel? Why don’t you do it on my behalf especially since you’re the one putting the program together anyway?” I thought, what a very cool opportunity and I spoke on the panel and following that panel, I was approached by an author, rather a publisher, an editor from McGraw-Hill and she said to me, “I’m working with a guy named Lance Hayden and he is running a book on IT security metrics. Would you be willing to contribute a case study for one of the chapters in Lance’s book?” I thought, “Yeah, definitely. That’s super cool.” As I began to work with Lance and write my chapter, he also asked me to be a technical reviewer, so I ended up having an opportunity to read Lance’s book really before anyone else did. As I was reading Lance’s book, I thought to myself, the ideas in this book are really excellent, but because I’m sort of on the ground for this stuff, I also happen to know that it’s a little bit advanced for where the industry is today. These are things that people are not near ready to actually do. One night, probably after a couple of glasses of wine, I e-mailed the editor and I said, “Hey, Jane. I’ve got an idea. I think that Lance’s book is very excellent and I also think it’s ahead of his time.” I said, “But I have an idea for a book that I think would be very well-received because people are really just beginning to do this kind of thing.” I said, “What if we wrote a security metrics book for beginners?” She said, “Write me a formal proposal and we’ll see where it goes.” I was very surprised actually that they thought it was a good idea and so they asked me to write a sample chapter. That was the hardest chapter I’ve ever written. It turns out, for me, it was very difficult to write the book. Two years of working nights and weekends later, we ended up publishing it in 2011. That was totally cool. Eventually, after five years, I did transition out of working for eBay. I was living in San Francisco and commuting to San Jose, which at that time was about an hour each way. Today, it’s probably two hours each way during commute hour. This company called Zynga was looking for a security team in San Francisco. I ended up working for Zynga for a while, really putting together their very first security policies and playing role in developing their security program from the ground up under [inaudible 00 = 10 = 35] [Spoolman 00 = 10 = 35] and then sort of after that, ended up working for Symantec. I like to describe that as my transition “to the dark side,” to the vendor community, but that was really fun. I liked very much working for Symantec and having a product that we could help our customers with, but over time, I kind of got frustrated with the products. The reason is because the problems that a lot of our customers at Symantec were trying to solve, they weren’t really problems that could be solved with the product. Part of my role as product manager was to deal with our strategic customer escalation, so customers who were dissatisfied with the product, very important customers who are paying us a lot of money. Part of my job was to fly in and talk with them and kind of talk them down and convince them to not get rid of our product and in having conversations like this with those folks, I realized what these people need is consulting. They need to talk to experts about how to solve some of these problems and the problem is not really with the product. The problems to solve that these people are trying to solve, these are people brain kind of problems. These are not product problems. Working at Cigital, which is where I am currently and have been for about two years, Cigital two-year anniversary will be this July 22nd. I really have had the cool opportunity to talk with folks about the problems they’re trying to solve in the security space and help them solve them. It’s very satisfying to be in this consulting role because very different from being in a product kind of role, there’s a lot of flexibility. That’s how I got to be where I am today in my career. At Cigital, I’m working on the BSIMM which is a measuring stick for software security programs. I’m also working on sort of doing software security metrics for our clients and developing that as a formal offering. Jay Schulman: It sounds like Dave was really influential in building out your career. I don’t know if you’d call him a mentor, but kind of how you described it definitely has that mentor-like capability. How did you know that he was a guy to emulate or when did you figure out that you should be really listening to him. Caroline Wong: Great question. I would absolutely call Dave a mentor, probably the most important mentor that I’ve had throughout my career. In fact, the book that I published with McGraw-Hill is dedicated to Dave because without his influence and his leadership, I certainly would not have the career that I do today. I think that when I met Dave, he came in the door. He had kind of the courage to say things that I had not heard other people say at eBay. I think that it’s not so uncommon for any organization to have sort of a way of talking about itself, a way that people are satisfied with, like perhaps a security team will think, “Oh, the business never listens to us. We’ll never be able to get the money we need. We’ll never be able to convince our business partners to do the right thing from a security perspective.” Dave really came in and he changed the conversation. I thought that was cool. The way that I am naturally, I’m a little bit of an optimist. He was a very optimistic guy. He asked the questions that were different from questions that were being asked in the past and I really admire that about him. Jay Schulman: A lot of people think that writing a book is glamorous and certainly, you talked about how you’d spent two years, nights and weekends putting this book together. What effect do you think the book had on your career? If you had it all to do over again, would you write the book again? Caroline Wong: The book was awesome for my career. What it’s done for me, I have an opportunity really to kind of talk to a lot of the people in the industry that might not be interested in having a conversation with me if not for the book, but now, I’ve got this sort of credibility that I didn’t in the past. There are some really amazing minds in security and a lot of those folks have many more years of experience than I do. I’ve really only been in the security business for about ten years and at the time when I published the book, had only been in the security business for six years and compared to somebody who’s got twenty, maybe thirty years of experience. It was kind of like, “Why would you even talk to this person?” It gives me this credibility where people are willing to have a conversation with me and I really appreciate that. If I had to do it again, I absolutely would. Again, for that same reason, I think people talk to me that wouldn’t have otherwise if not for sort of this stamp on my resume. Jay Schulman: Do you think that given the success you’ve had with the first book, is there a sequel or a second book that you’re thinking about? Caroline Wong: I have thought a lot about it and I always said and I will continue to say that I would really like to write a second book when I have something more to say and I’m developing that. At Cigital, I’ve really become much more interested in and learned more about the software security area. Historically, I had thought about security metrics in a broader sense, but I do think that there’s an opportunity for a more specific sort of software security metrics book, which if he would go for it, I’d love to coauthor with Sammy [Mica 00 = 16 = 16]. That’s something that we talk about sometimes, but we’ll see if hopefully that ends up happening. Jay Schulman: The first part of your answer very much seemed like the presidential candidates. I’ll let you know when I can kind of answer. Caroline Wong: Yeah. People are like, “Oh, you should do an update.” I honestly think to myself, there’s no point in doing an update unless I have something new or different to say. I’ve been kind of waiting for that to happen and I think that that may be happening soon because I think that the software security thing is very interesting and very specific and pretty different really from your typical IT security metrics. Your software security, your application security metrics are going to be different. I think there’s an opportunity to really put some fresh new content in there. I would hate to do a new book simply for the sake of doing a new book. I don’t think that’s really worth doing unless there’s something new or different to contribute. Jay Schulman: Absolutely great, very cool. We ask two questions to every one of our guests. Firs, is there a point in time where you had a big decision, two different ways you could have gone and you really struggled with it, but ultimately, you feel like you made the right decision? Caroline Wong: Yeah, absolutely. In fact, for me, that has to do with writing a book. As I mentioned, it really was two years of nights and weekends and there were a lot of times when I thought to myself, “Gosh. This is just too much work. It’s just too much work. I really just don’t have the time. I don’t have the energy.” I had situations where my editor was like, “Caroline, you are two weeks behind the deadline.” I was like, “I’m trying.” There is this situation that I found myself in some nights where I would just sit in my laptop with an open Word document and just struggle to get words on the page. In nights like that and you do get words on the page, but there times when I thought, “Maybe I’ll just give up. Maybe this is not worth it.” But I really got how to stick with it for the reasons that I mentioned which is that it’s been a really door-opening for me. For me, it was kind of the right time in my life. At that point in my life, I could give my nights and weekends to this project which these days, Jay, as you know, I’ve got a beautiful fourteen-week old daughter, so she takes up a lot of my nights and weekends, but at that particular time in my life, it was definitely the right place to spend the energy. Jay Schulman: Well, let’s talk about that for a second. What is it like to be a working mom in the information security field? Caroline Wong: It is totally cool and it is totally weird. When my daughter was born, I found myself for three months doing things that I had never done in my life before, some of the hardest things I’ve ever done in my life. I was like, “Wow. I am a new person. This is my new identity.” I am doing these things I’ve never done and then when I came back to work just a couple of weeks ago, I found myself at SFO Airport traveling to Dallas to be at our headquarters. I cried on my way out the door because I was so upset about the first time really in her life being away from my daughter and then I arrived at SFO Airport and I sort of breathed a sigh of relief and I was like, “Okay. I am this new person. I’m a new mom, but I’m also still Caroline.” This is a part of my identity that’s not lost. It’s been good. One of the things that I really like about working in consulting and in particular, my role here at Cigital is that I have the opportunity to work from home part of the time, so that makes things a lot easier. Jay Schulman: It’s interesting because you didn’t kind of set out to be an information security professional and it sounds like your dad was pretty influential in giving you at least the baseline skill set into the technology field. One thing I’ve noticed and certainly, I want to ask you about is, I don’t want to say it’s the lack, but there aren’t enough women in information security. Do you have advice for people like myself with my two daughters or just women who are maybe right at that point in time trying to figure out their career as to whether an information security career is right for them? Caroline Wong: Yeah. I think that it’s really a problem of exposure. Growing up as girl, I didn’t know any information security professionals and so, I couldn’t aspire to be one. Even if I knew someone who was working in software, I didn’t really know what their life is like. Today, I can say confidently that my life is awesome. In the same week, I can be at home breastfeeding my fourteen-week daughter, but I can also be getting dressed up and going to a really fancy restaurant and entertaining clients. I can be having really deep thoughts about creating a security metrics program for a client. I really feel that it’s like the best of all worlds, but if I hadn’t stumbled upon it, I would never know that. To the extent that I can, I’d like to share my story with young women and with girls to say, “Hey, this is my life and I love it.” You should consider it as you’re growing and deciding how you want to live your future life. I think a lot of it is really about exposure and sharing stories about what it’s really like and allowing girls to consider it in their options and even know that it is an option. Jay Schulman: Thank you. Great advice and it’s great that you reflect on your current career in life. That’s awesome. The last question that we ask everybody, is there something that maybe wasn’t awesome that you’d want to do over again in your career? Caroline Wong: There is. If I could do it over again, honestly, I would have paid it more attention in school. I have a technical degree from an excellent university, but I have not done technical work in my career and I wish that I did and I wish that I had that understanding and it’s something that I actively work on today in order to kind of develop my technical chops, but working in software security space, I wish I were more technical. That would make me I think even more valuable to my clients that would allow me to convey an even deeper sense of meaning to my clients. That’s what I would really work on if I could do it over again. Jay Schulman: Is there a particular class that you kind of blew off that you wouldn’t have blown off in retrospect? Caroline Wong: I think it’s really the difference between wanting to get a degree for the paper versus wanting to get a degree for the knowledge. At that point in my life, ten years ago, I was like, I find engineering to be very challenging and I just want to get out of here. I just want to finish. Instead of like, “Hey, this is a really incredible opportunity to learn and really understand things at a very deep level.” Maybe if it even takes me longer, like I could have stayed in college a couple of years to really understand things, now I realize that for being in my early twenties, an extra year or two probably wouldn’t have made a big difference in a lot of ways, but it would have allowed me to really get that deep technical understanding when I had a great opportunity to. That would be my advice perhaps for anyone who’s in college and thinking about trying to finish quickly, trying to just get out of there with your piece of paper. For me, being in university was a tremendous opportunity to really gain some deep technical knowledge and I didn’t take it as much advantage as I wish I had. Jay Schulman: It’s interesting that you bring that up because you see the growth of something like Coursera which isn’t about the paper. It’s solely about the knowledge and how fast they’ve grown. I’m curious kind of in the future whether that route where you just get very specialized, deep understanding in a particular area might be in favor of the piece of paper. Caroline Wong: Yeah. In fact, on my maternity leave, I was actually watching a lot of videos through edX. In fact, from my alma mater, UC Berkeley, they’ve got software as a service computer science class and so I spent a lot of time watching some pretty trashy television, but also watching some of these recorded lectures from UC Berkeley. I couldn’t agree more. I think a lot of people are choosing to be self-educated and really go for the value of the knowledge itself rather than the paper. Jay Schulman: Thank you for adding the trashy TV because I’m sure everywhere where it’s going, “Oh my God. She didn’t even watch trashy TV.” Well, thanks for doing this today, Caroline. Do you want to talk a little bit about … Let everybody know once again the title of the book and where they can find you. Caroline Wong: Yes. Security Metrics, A Beginner’s Guide. It’s available on Amazon.com. People can reach me on LinkedIn. I’m always excited to have conversations with folks about the book or about the topic of security metrics in general. Jay Schulman: Thank you. Caroline Wong: You’re welcome. Jay Schulman: Thanks to Caroline for joining us today. Her book is fantastic. Now that you’ve heard her speak, when you read the book, it actually feels like she’s reading it to you. At least, it did for me. There’s a link to the book in the show notes as well as a link to her LinkedIn profile and make sure she knows you heard her from our podcast. If you have any comments or questions about today’s podcast or want to join me to talk about your career journey, shoot me an e-mail at podcast@jayschulman.com. If you found this podcast valuable, let me know by leaving a comment in iTunes. Thank you for listening to this episode of Building a Life and Career in Security podcast. Please subscribe to the podcast on iTunes or at jayschulman.com/podcast. Speaker 2: Thank you for listening to the Building a Life and Career in Security podcast with Jay Schulman. For more information and to subscribe, go to jayschulman.com.