Yael: You know, I have observed, as I get to dance, I often describe with interesting people doing interesting things, that one differentiator is very true. And it doesn't mean that you're stuck with it, but at a certain part of your life, you want to build, you want to fix, or you want to let it run. And I feel like you're...not that you get to be that, it turns out you like to build. And you have had all the experiences now, and so you don't see yourself as the boss. You get to see yourself as a builder. Is that fair?
Caroline: That's absolutely right. I get to build. And that is important to me because, for so much of my career, I was learning. And that's not to say that I'm not learning. I'm gonna keep learning. Learning, for me, is part of the joy. But I know enough...I've experienced enough at this point that I do get to build, and it's fun to start at the beginning.
From "Cobalt at Home," this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry.
This is gonna be a weird, different episode. Yael, I don't even know how to say her name correctly. Will you tell folks how to say your name correctly, please?
Yael: My name is Ya-el. It is hyphenated on the second syllable, Ya-el.
Caroline: It's okay.
Yael: I used to say that it was like "Ya" as in "Yahoo!" and "EL" as in "Ellen," and then Yahoo! became a company that, like, stopped being relevant. And when I lived in Atlanta for five years, I didn't realize how close Yael is to "Ya-el," because I had grown up very much in a community of Jewish people. I went to a Jewish day school, and I lived in New York, and I lived on the coast of travelers. But in Atlanta, Ya-el is a lot like Yael.
Caroline: So good.
Yael: And so, it's like a two-week learning curve but it's...I will correct you, but you do a great job.
Caroline: I love it. Yael and I are here, and usually, I interview our guests. And today, Yael is here to interview me. I don't know what's gonna happen. I do know it's gonna be fun.
Yael: I am curious to also dig into your journey story, if you will.
Caroline: Yeah.
Yael: But it changes the energy to do that, doesn't it?
Caroline: It does. It absolutely does.
Yael: It does [crosstalk 00:02:39] that.
Caroline: And I love that, that is the way in which you care about this conversation. Yes, we totally became friends during COVID. I have no idea how tall you are. Like, as far as I know, you could be 4'10. You could be like 6 feet tall. I have no idea.
Yael: So this is a funny story, but I am 5'3 maybe. I was at my tallest 5'3. My kids are confident that I'm like 5'2, but they think that I'm tall still because they're that size. But my friends from college laugh all the time because I'm always surprised whenever I take a picture with them, and we look at the picture, and I'm like, "God, am I that short?" Because I really feel like I'm their height every time.
Caroline: That's fine.
Yael: How tall are you?
Caroline: I'm 5'6, so I'm just like...
Yael: Oh, you're tall.
Caroline: I am tall. And it's unusual to be tall and, like, Chinese, but I am, like, unusually tall.
Yael: I mean, it's not surprising at all because you're an unusually tall and Chinese person. I love that you identify as Chinese.
Caroline: Totally, yeah.
Yael: Where did you grow up, though?
Caroline: San Francisco. My parents are Chinese immigrants. You know, we can get into all of this. My parents are Chinese immigrants. I grew up in San Francisco, and I was, like, the San Francisco kid. And then they were...
Yael: Your parents moved here?
Caroline: That's correct. My mother moved to San Francisco at age 13, and my father moved at age 17. They met each other at age 19 at U.C. Berkeley on campus. And they got married fucking four months later. It was so nuts. And like...
Yael: But that's because they somehow knew. They had asked each other whatever the questions were from their parents and their hometowns, like, "Oh, perfect."
Caroline: They knew.
Yael: I love that. You are a mom?
Caroline: Yeah.
Yael: You are probably a mom first. Or I don't know, are you a mom first, a wife first, or an employee first?
Caroline: I am a mom first. There's just no question about it.
Yael: Yeah, [crosstalk 00:04:32].
Caroline: There's just no question about it.
Yael: So let's pick up. We got your origin story. And now, tell me your career story. So I know that you're at Cobalt because, to me, you're the face of Cobalt also, but I also know of Cobalt as a Pentest company. And I don't know really your professional, how you got to Cobalt, and then your role at Cobalt, but I would love to.
Caroline: Cool. So, I was born in San Francisco to Chinese immigrants. That becomes relevant for my career story because at 16, my father asked me what I wanted to study in college and I said, "I would like to study dance or psychology." And I don't even know why he asked me. This was similar to, years and years later, he and my mom were going to change the color of their house, and he asked me what color I thought they should do it. And it was like, "Why did you even ask, because you're not taking it into consideration?" So when I said to him, "I would like to study dance or psychology," he said right back to me, "You're going to study engineering, and you're going to do it at the best school you can get accepted to."
And so, I went to U.C. Berkeley, and I studied electrical engineering and computer science. My junior year, I got an internship at eBay. When I graduated, I asked my internship manager if I could have a full-time role, and he said in IT, which is the department I was working in, they had a hiring freeze. But there was an entry-level position on the information security team, and that I should apply to it. And the rest is sort of history.
I did not know at the time that eBay was an extraordinary place to be working in information security. I did not know that I would get to work for Dave Cullinane, our CISO. I did not know that he would ask me to be the chief of staff to the team, that we would grow the team from 20 to 60 people, from $2 million to $30 million annually, that I would write a book on "Security Metrics." Loved that job, loved that team, learned so much. Dedicated the book that I wrote to Dave.
Yael: How did you know it was time to leave?
Caroline: It was time to leave because it had been five years. And for folks who are familiar with the San Francisco Bay Area commute, I drove from San Francisco to San Jose every day for five years, and it was just too much. It was my first job out of college, and I didn't know how good I had it.
Yael: So where did you go next?
Caroline: I went to Zynga. There was a shiny, flashy thing called Zynga, and...
Yael: Into the industry, though, right, at the right time.
Caroline: Super interesting. FarmVille was blowing up, and Zynga was an early adopter of AWS cloud, very interesting technology things going on at that organization, very interesting data things.
Yael: Like the gaming industry, right? When you think about protecting computers, this is interesting, right?
Caroline: Absolutely.
Yael: And what was your role there?
Caroline: I was a manager on the information security team reporting to the CISO. I did policy and program. I wrote the acceptable use policy, and all the information security and IT policies to take Zynga public.
Yael: Can I just say, to anyone who's looking for someone to fill their board seat, that experience is it. Because I bet you, that was foundational for every other role you've had since.
Caroline: It was. And it was a fun, challenging stakeholder thing.
Yael: Did you get promoted while you were there?
Caroline: I think so. I don't remember. That was a long time ago, Yael.
Yael: So where did you go from there?
Caroline: So then I went to Symantec.
Yael: Okay. How did you get to Symantec? Who brought you? Did you apply? How did you switch jobs? I always [crosstalk 00:08:25] question.
Caroline: So, I got recruited by Kurt Van Etten. Kurt is currently leading product over at RedSeal. And Kurt said, "Come on, let's do this thing. Let's do something new, and different, and awesome when it comes to governance, risk, and compliance." And it was such a fun...
Yael: Okay, amazing. And so you went there to do what?
Caroline: Global product management.
Yael: Wow.
Caroline: Yeah, it was fun.
Yael: You switched sides. You start from being back office, and now you're dealing with customers.
Caroline: That is right. I went from...
Yael: That's a huge shift.
Caroline: Yeah, it was a big shift.
Yael: Who taught you how to do that, make that change?
Caroline: Kurt Van Etten taught me how to do that. He is an extraordinary product [inaudible 00:09:15].
Yael: And he knew how to talk to you because you knew where you were coming from. And so, tell me what your role was?
Caroline: Global Product Management for Control Compliance Suite, just for a year, because Symantec at the time had something like four CEOs in four years, and the CEO in place when I started had a similar vision as I for our product line. And the new guy had a different vision, which was totally fine. It just wasn't my vision.
Yael: Great. So then you got recruited or went looking?
Caroline: Then? Gosh, I guess I went looking. I'm not really sure how the Cigital thing happened.
Yael: Oh, Cigital.
Caroline: Yeah, management consulting, pre-synopsis. I did BSM assessments. I led more than three dozen BSM assessments. And this was the stage in my life when I was like, "Stop assessment..."
Yael: I understand that Cigital did it differently.
Caroline: They did.
Yael: Tell me how they did it differently.
Caroline: So they did it differently because there are many people and frameworks in the security that say, "This is how to do it. This is what you should do." It's very prescriptive. Cigital took a different approach and said, "We want to observe what people are actually doing." It is a descriptive model. Because there's a difference between saying, "I've a good idea. You should do this thing..."
Yael: Square peg, round hole.
Caroline: Right, right. And actually, having a good enough idea, and getting enough buy-in and resources to actually make it operationally occur. That's a difference.
Yael: It requires smart people and trust.
Caroline: And execution, and implementation. You've got to make stuff happen, and making stuff happen involves working with other people.
Yael: Which you do very well, by the way.
Caroline: I do love people. I love people.
Yael: You connect with people very well. You are able to see somebody where they are, and see their sparkle, as I described it, and then connect that to a different person's language. And you are like that receptor.
Caroline: I have decided to surround myself with people that sparkle. That increases my sparkle, and the sparkle just multiplies when I have an opportunity to introduce one sparkle to another. And if somebody makes me feel like I don't sparkle, then I just don't hang out with them. And life has gotten better since I decided to do that.
Yael: It's so amazing. And you don't have to change it in every part of your life, but if you can commit to doing it in one part of your life, like work, where it's more of a choice, and then you can see how it works, you will find...people who don't know their sparkle yet, find their sparkle in being cleared of heavy clouds.
Caroline: Totally. It's about self-awareness. And in my case, it applied not only professionally, but also personally. I ended my first marriage because of a level of self-awareness that was not always there, that developed where I got to say, "Oh, like, this is not me sparkling, and I want to sparkle, and so I need to end this and try something new."
Yael: I get that. Totally, I get that. Similarly, I had a decision point somewhere in the probably same years of our decision points, where I decided professionally, I only wanted to work with people who I like and only doing things that I like.
Caroline: Yes.
Yael: And that was what I had to do to find my sparkle. And sometimes it changes. Like for a while, it's been executive calms. For a while, the sparkle has to be geared towards metrics, right? Like, there are different parts of the interest areas that I'm convinced all come together for wherever you're going.
Caroline: Yes.
Yael: You know, I have observed, as I get to dance, I often describe with interesting people doing interesting things, that one differentiator is very true. And it doesn't mean that you're stuck with it, but at a certain part of your life, you want to build, you want to fix, or you want to let it run. And I feel like you're...it's not that you get to be that, it turns out you like to build. And you have had all the experiences now, and so you don't see yourself as the boss. You get to see yourself as a builder. Is that fair?
Caroline: That's absolutely right. I get to build. And that is important to me because, for so much of my career, I was learning, and that's not to say that I'm not learning. I'm gonna keep learning. Learning, for me, is part of the joy. But I know enough...I've experienced enough at this point, that I do get to build. And it's fun to start at the beginning. It's fun to have that kind of impact.
Yael: You have a career path of writing policies and standards. You know which one to do first before the other.
Caroline: That's right.
Yael: You know how to do it organizationally.
Caroline: Yes, yes.
Yael: Dude, that's awesome. And it sounds like...
Caroline: It's fun.
Yael: ...it's not just you there.
Caroline: We have extraordinary people at this company. And I get to work with them, and it is fun. And then they pay me for it, which is just awesome. And they pay me really well, which is also awesome.
Yael: So, let me ask you a question. This company is gonna soar. You're doing great, they value you, but you just learned that you like to build?
Caroline: Yep.
Yael: And that's gonna...that's an interesting drug at some point because at some point you get to the size, and it could be once you're like 40,000 people, once you get acquired 4 times, like, who knows? Like, I'm not saying it's fast, but that you like to build. And the building, you don't feel it as much when you're so big. You like to feel the feeling, like the texture under your toes.
Caroline: I do. I like the change. You know, I've been there. I've been here for nearly six years, and it has definitely been six companies between now and then. To be consistent and have long tenure at a growth company is to demonstrate agility. And that is the case for myself, as well as for my colleagues who started in the, "early days." You know, the great companies of the world, the Amazons and the Netflixs of the world, these are 20-year plus companies. We are just getting started. It's gonna be another five companies in the next five years, and I cannot wait to meet each and every single one of them.
Yael: And how will you flex and adapt the way in which you interact with every new joiner?
Caroline: So it is different, you know. We're going to...
Yael: I hear you got sad.
Caroline: Yeah. We're going to...
Yael: Because you like really getting to know every new joiner.
Caroline: I do. I loved the company when we were 10. I loved the company when we were 50. I loved the company when we were 100. And it's different now, and I can mourn the loss and the passing of a phase, while at the same time embracing the new one. The last time I got to see everyone in the company was January 2020. The next time I'm gonna see folks is gonna be in Mexico in July, and I will not know, like, maybe half of the people. And that is gonna be weird, and it's also gonna be great. I met a new director at our company yesterday, and I was like, "You are very awesome."
Yael: You know what's awesome? Is that your last 100 people that you...you know, when you saw them last, you all shared the same culture, energy, desire, and that's when you left and went off into the COVID.
Caroline: Yeah.
Yael: But somehow you managed to keep that torch burning, and some probably will have shifted along the way, only to be more appropriate or exactly what we need. And it'll be really interesting to see how that comes together. I won't be surprised if somebody walks away and says, "We need to start to document more of how we do onboarding, or engagement, or what [crosstalk 00:18:27]."
Caroline: Oh, absolutely, absolutely. You know, I interviewed candidates for roles this week. And as I'm filling out our scorecards in Green House, we actually have codified in the scorecard process, rating people according to the four Cobalt values. We have had to put structure in, where things just happened magically before via one-to-one relationships. At scale, things are different.
Yael: Yeah. But the good news is most people have some experience with that, or you get to teach them, although that's an interesting challenge.
Caroline: It is interesting. And it's like...
Yael: You're a natural teacher, though. You teach the LinkedIn Learning, you speak at all of the cons, the risk cons, and...I forgot all the names for all the cons. They're probably like a secret con or like hidden con, whatever. There are all these cons now.
Caroline: All the cons.
Yael: You're a teacher.
Caroline: I am a teacher. I always wanted to be a teacher. And I said to my Chinese immigrant parents, "I want to be a teacher." And they said, "You should want to do something that makes more money." And it turns out...
Yael: I'll just say, as a mom, however, who came out of COVID, I agree that we don't pay our teachers nearly enough for their roles.
Caroline: Definitely.
Yael: They're shaping how people get launched into everything.
Caroline: My daughter's coding and math teacher, who lives on the other side of the planet, has become one of my very best friends. I appreciate the gift that she has given to my daughter and to our family so much. It is extraordinary. And I love that I get to teach in this role. I love that I get to say, "Here's what I've observed, here's what I think," because it is this ongoing experiment. It's like when you plant a seed and watch a tree grow. It's like when you have a kid, and you watch that kid grow. Like, my six-year-old is not the same person that she was when she was five, or four, or three. And I miss my three-year-old daughter, and I love my seven-year-old daughter. And it's kind of like that in a weird way.
Yael: But also more complicated because, like, I asked my mom for help with my 10-year-old daughter problems and she's like, "These are problems that we didn't...I don't know, because, you know, the world is so different." And I feel the same in cyber also, right?
Caroline: Oh, yeah. It's changed.
Yael: It's changed.
Caroline: None of us know, right? We don't know what's gonna happen, and that is something that I have, over years of life experience, developed a relative comfort level with. We don't know, and all we can do is our best. And I think that it involves self-awareness, and surrounding yourself with extraordinary people, and having just like a little bit of trust, and a lot of persistence.
Yael: So how would you...? I agree with that entirely, that you have to just kind of say...I say to my daughter, "I know what I need to do and I got this."
Caroline: Yes.
Yael: Right? Like, "I know what I need to do and I got this."
Caroline: Yes.
Yael: What would you say to your younger self?
Caroline: My younger self was a very anxious person. I am a little less anxious now, and part of it is because horrible things have happened to me. My beloved father passed away in 2015, and that was one of the worst things that's ever happened to me in my life. And I know now that bad stuff will happen, and I also know that I will survive, and I will emerge on the other side, and I will be a different person. And there might be so much joy that I couldn't imagine. I moved. I was born in San Francisco. I thought I was gonna live there forever. Now I live in the Pacific Northwest. That move was hard for me. And I could not have imagined how good it would be.
So, I would go back to my younger self and I would say, "Look, stuff is gonna happen, and it's gonna be very difficult, and you're gonna be very sad, and you're gonna be very angry, and it's gonna be okay. You can actually trust your future self to handle whatever comes up. You can trust your future self." And that has helped me to become a little less anxious.
Yael: Thank you for that, and for recording that message.
Caroline: Yeah. Thanks for asking.
Yael: But I want to ask forward because I cannot because, you know... When you think about the...I know for sure you don't know what your future is, so I'm not even gonna venture to ask. That's like the craziest question. I am curious to know, as an obsessive studier as you are, and teacher, and re-packager of information with situational awareness and experience, what do you think are the skills that, as a business leader or a parent, we should be talking about now, that we need for the next step? That will be where I wanna spend the last conversation with you.
Caroline: Yeah. I think a lot of it comes down to values. I think a lot of it comes down to asking yourself, what do you value? Defining those, and then coordinating your actions accordingly, coordinating your decisions accordingly. Because, like you said, we don't know what's gonna happen. We don't know what challenges are going to occur. We don't know what solutions we're gonna have to come up with. We don't know what kind of difficult decisions we're gonna have to make. But there is value in...there's something that we can do. There's something that is within our control.
Yael: I think it's really interesting at this point about that. Sorry, I'm gonna cut you off.
Caroline: No, go for it, please.
Yael: The reason you're bumbling on the word is because every person's definition of it is different, and that is a conversation that we have at home with family and at work.
Caroline: Yes, yes. And they don't have to be consistent forever. You don't have to [crosstalk 00:25:20]
Yael: No, they have to adapt to the environment. They have to adapt to the situation.
Caroline: That's right. I do not have the same values that I did when I was 17 years old. I do not have the same values that I had when I was 29 years old. And that is okay. But there is...
Yael: They're all better. I can't wait to meet your, like, 60-year-old [crosstalk 00:25:40].
Caroline: My 80-year-old Caroline is a badass lady.
Yael: Oh, no doubt about that. No doubt. She is, like, sitting on the floor with, like, the teenage...she's the only one that the teenagers thinks is cool, who's, like, not a teenager. And, like, every other person who's younger is like, "What?" And she's like, "Whatever, you'll get it." And that's it.
Caroline: It's gonna be good. There is so much goodness ahead for all of us. I believe it.
Yael: Well, I look forward to giving you an in-person hug, and making you part of our official family at your East Coast annex.
Caroline: I'm just exploding with joy. Thank you so much for this. This has been such a gift to me. And I can't wait to interview you next.
Yael: That gives me all the feels, as you might imagine.
Caroline: It's gonna be so fun. It's gonna be so, so fun. I love it.
Yael: I know it will.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @HumansofInfoSec.
