Zenobia: My favorite analogy is to think about it like the weather, right? We are not going to be able to control the weather. So all the things that you're going to do to sort of minimize the impact of a weather event, how do you put in place your contingency plans? How do you think about what is your backup generator? What are your umbrellas?
Caroline: From Cobalt at Home: This is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. I am so happy for my friend and colleague Zenobia to be with us today. Zenobia Godschalk is a communications executive with over 20 years of experience growing tech companies into multibillion-dollar global brands. She currently serves as SVP of comms for Hedera Hashgraph, a next-gen top 40 distributed ledger company. She joined as a founding team member in 2015, and today Hedera is valued at $10 million. Hedera is governed by a council of global enterprises, including some of the world's largest technology and financial services firms. These firms including Google, FIS, IBM, LG, Nomura, Shinhan Bank, Standard Bank, Tata Communications, and Wipro, these firms use distributed ledger technology for use cases, including supply chain micropayments, identity, and digital wallets. Super cool, interesting stuff. Zenobia is also the founder and chairwoman of ZAG Communications, a leading PR and investor relations firm with extensive experience in crisis communications, particularly as it has to do with cybersecurity and breach response. Zenobia, welcome. Thank you so much for joining me today.
Zenobia: Caroline, thank you for having me on, you are such a treasure to this community. And I'm just excited to be here.
Caroline: So cool. Let's start with your story. Tell us what your story is, and about the different things that have happened in your career up until this point where you're just, like, coaching all of us on how to talk, what to talk about, what to say, and just really at the cutting edge of all the newest tech, how did you get to this point?
Zenobia: Sure, sure, it's a little bit of a long and convoluted journey. But I suspect that that is the case for many people who work in the space but also, many people who are thinking about getting into this space. I am gonna start it very, very early, just to give some context because of what's happening in the world today. So I was 18 months old when we left Iran during that country's revolution — we're having a lot of discussions in our household today and over the past few weeks and months about what it means to be...you know, my children are reading books about refugees, about what it means to sort of leave your home to start over, to do those kinds of things. And so, my travels have taken me from Iran by way of England where my family lived for a number of years, and then to California, right, the promised land for immigrants from all over the world. I grew up there, I went to school out at Stanford, and coming out of Stanford, I took a role in finance — my background is in economics and industrial engineering. And I went to work for Intel, the family was super excited, well-known brand, super stable, very reliable.
And about six months into that job, I was bored out of my mind. Intel is an amazing company and has done such wonderful things. But they also have a program that basically at the time sort of kept you in this role. And if you were doing a great job, you got to rotate in 18 months, and I thought, okay, by 18 months, I'm going to have lost my mind. So I went from big company, Intel, and I was super excited to tell my parents that I was going to a startup and they were like, "You're crazy. This company is making no money, they are not profitable." My CFO dad was like, "You're insane. And we've now supported you through college, and you're probably gonna have to move back home." That was not the case, I went to work for a startup called beyond.com in the finance group, but supporting their marketing function and that was where I really got some great exposure to what PR and marketing did. And then from there, I was recruited to a company that at the time was called LoudCloud, which was Marc Andreessen and Ben Horowitz company, and continued with them, started off as you know, sort of low man on the totem pole and grew to run their entire PR efforts for what would become Opsware before we sold it to HP.
So a lot of trial by fire in that space. That was really kind of core internet infrastructure, early days of cloud computing, trying to tell people, "Trust us, you're going to do a bunch of stuff in the cloud," kind of before it was known as the cloud. Then my at the time boyfriend, now husband had moved out to Atlanta. When we got engaged we thought probably a good idea to live in the same city. And so I moved out here and I was looking at ... are there software companies I can join. Are there companies where I can sort of do the same thing for a different company? And at the time in Atlanta, the answer was really no. There were a few software companies, but none that were sort of at scale where they needed someone to run their communications efforts.
And so I was talking to a connection, who was in the Ambit investment banking space, and he needed someone to be an analyst on his team covering internet security and infrastructure on the sell side. And the sell side is the people who write the reports that highlight, hey, is this company stock, a good investment, right? Is, at the time, is Symantec a good investment? Is McAfee a good investment? Is ISS a good investment and why? And so that was really my...I jumped in there, and that was sort of, hey, you've got to learn about now the entire internet security industry very, very quickly.
And I remember taking the role. And I remember talking to Marc Andreessen and saying, "Is this crazy? Like, if I really like PR and marketing, should I go do this?" And he said, "Of course, you should, because very few people who are in PR and marketing have that financial analyst perspective and have that perspective of what the investors want and how they think so even if you hate it, you will come out of that having so much more of a robust background for, for going back to PR." And that is exactly what happened. I did a stint on the sell side for about two years. Very quickly, I remembered why I didn't go into investment banking right out of the gate. That is a very... it's a grind, you're on all of the time. And you also for me, personally, I felt like, well, gosh, I'm giving people investment advice, and I'm doing all of this analysis, but I'm not building anything. And I missed that. I missed being part of a team that was helping to build and grow things.
So I started ZAG Communications, really, just as a consulting business, I reached out to some of my contacts on the West Coast. I said, "I'm thinking about consulting in PR and IR investor relations, what do you think?" My first two calls, they said, "Great, like, sign us up." And I would love to say, I had this big strategic plan for growing a big competitive agency, but it was very much organic. And I think as I started to think about how do I want my life to look, how do I want to design my life, I want to have children, I want to have a family, what kind of agency do I want to put together. And so ZAG was started and still has sort of this core belief that there are a ton of smart people, in particular women, who go into these jobs, PR can be a brutal job. I think it has, you know, it's been ranked as similar to InfoSec, it's been ranked as one of the most stressful jobs in America, every year that they do those rankings. And part of that is because agencies stretch people too thin. So you end up being assigned to a huge number of clients and working 60 to 80 hours a week, and then you see a big group of those people then start to have families and just completely drop out. So we designed ZAG so that it would purposely be different.
So not overtaxing people, hiring a senior level team, who knows how to do all of the things, right, the communications with the client, the relationships with the media, the analyst strategy, the messaging, all of those things that are super important to our end clients, and where they say, okay, that's the value you're gonna bring. And we can say, we're going to make a good living doing this for a controlled set of clients. We're not gonna do growth at any cost. We're going to maintain those relationships. So we've had clients who have been with us since ZAG started in 2007. And I think that's pretty rare among PR agencies. And then, in 2015, we started working with a set of entrepreneurs, Dr. Leeman Baird and Mance Harmon, who were working on distributed ledger technology, blockchain technology, as the category is more broadly known. And at the time, it felt like, gosh, this is something special. These two are a remarkable duo of founders. Over the years, I had been asked to join some of our clients to go in-house, and I'd always say no, and this just felt like, gosh, this is so new and so different. And it feels like the web at its beginning and it feels like cloud computing at its beginning. And so maybe I should give this a try.
And so we launched Hedera, which is a public ledger, publicly in 2018. We launched it globally in 2019 across APAC and EMEA. And then we all know what happened in 2020. But the interesting thing that happened during that time was a lot of use cases that we would not have imagined for distributed ledger technology started bubbling up. So areas where you need computational trust between parties that may not wholly trust one another or may need to share only certain parts of their data, but not everything that they have are great use cases for blockchain and distributed ledger technology. For example, all of the different providers in a vaccine, cold chain storage, right, getting your vaccine from the manufacture through the distributor all the way into... for shots in arms, there needs to be accountability of that to make sure that the vaccine is stored at the right temperature all the way along the way, being able to have each of those parties contribute that data, being able to have everybody have full visibility and access into that, but not relying on a single party to manage that data, I think, is a great example of something we wouldn't have expected but has been an area where distributed ledger technology has really started to shine.
And so that's where we are today. Yes, so I wear a few hats, but all of them keep me on my toes. And I think in our world, you're almost forced to stay on the cutting edge of these technologies. And you have to certainly take some of them with a grain of salt. But you know, when the wave starts, you sort of start to know, okay, this is happening. I'm either gonna hop on, or my children are gonna have to educate me on these technologies soon.
Caroline: Zenobia, what an extraordinary journey you've been on, and thank you so much for your generosity in sharing it with us. I wonder... your career and your life has taken so many different twists and turns. If you could go back and speak with a younger version of yourself, I wonder what you would say to her?
Zenobia: Yes, well, so many things, you know, outside of buy Bitcoin.
Caroline: Nice.
Zenobia: I would say it is okay to have a very, pun intended, zig-zag path. I think there are certainly those among us. And I knew people in college who were absolutely, I'm going to medical school, I want to be this kind of a doctor, I have my whole life planned out for me. And I think also as an immigrant, it was the, well, you're gonna be an engineer or a lawyer or a teacher or a doctor. So sort of pick from one of those and those are your pathways to success. I think what we're seeing is, that change is accelerating faster than we expect, it's certainly accelerating faster than previous generations have expected and it's going to just continue happening. So 80% of the jobs that will be available to our children are not jobs that even exist today. So I think keeping in mind the teams that you work with, the people that you're going to learn from and, the potential of the industry are all things to consider when you choose your job. And also just knowing it's okay to not know. It's okay to not know what the end result is going to be. As long as you are excited about it, you feel like you can be passionate about it, you feel like it's something where you can really contribute and kind of dig in, it's okay to not know what that is going to look like. Because I think the ability to change and the ability to be flexible is going to continue to be more and more important as the world changes.
Caroline: I think that's definitely been demonstrated over this past couple of years. I think as we look at our friends and our colleagues and different companies and seeing who has the ability to be successful when things change, and why. I love that message. Thank you so much. Zenobia, you have done a TED talk about demystifying blockchain and internet privacy. I wonder what do you think our listeners need to know about blockchain and about the internet?
Zenobia: Yes, I mean, I think you know, your listeners probably already know the mantra of assume that everything that's out there is public, right? And it's the same thing I tell my kids that assume nothing is private. We had an Alexa device for a hot minute before we returned it both because my kids kept saying, "Alexa, set a timer for four minutes," and also because it became very clear when you started asking Alexa questions about what she was doing with your data that she was not gonna give you any answers. So I think there's that point of view. But there's also I think blockchain and DLT gives us an opportunity to, another Marc Andreessen-ism, let's make different mistakes this time, right, we made so many mistakes with the internet because we worked from the assumption that people were going to use it for good and for productivity. And we were probably a bit too idealistic. So coming at kind of the next version of whatever the internet will be, and whatever those applications will be, we have the opportunity to build them with privacy in mind. And we have the opportunity to build them with more robust controls in mind and much more granular controls in mind.
Now, we as individuals will have to take advantage of that. We'll have to choose what data we give certain people access to. And when we grant those permissions do we actually pay attention to should we revoke those permissions, so there will be more onus on the individual to actually make those decisions actively. But I think also there will be more ability to do so. And then there's also sort of this idea of in the metaverse, and in these virtual worlds identity is going to mean something very different. I can be Zenobia Godschalk to this audience. But maybe if I am pitching to an audience of VCs that I know is, say, 80% male, maybe I don't want to have this persona, right, or maybe when I engage with different communities, I want to have different personas. So I think the idea of identity is also going to change and giving people enough to sort of recognize who you are, and be able to validate who you are without giving them everything of who you are. To me, that's a really interesting and exciting but also tricky concept. So I think all of these technologies we just have to go into it with the mindset of, we may have to take it to the extreme in terms of what's the worst that people can do with it, and then build backwards from there to make sure at least don't make the same mistakes, and hopefully don't make worse ones.
Caroline: I really liked that idea about, hey, let's try not to make the same mistakes, let's try to make new mistakes. And the recognition that making mistakes is part of learning. Zenobia, I think the information security industry, it's super interesting for me to have observed how people communicate about information security over the 15 years or so that I've been in the industry. And I think that we also live in a super interesting time where there is all this information. And it's like, what do people hear? What do people believe? And so it comes down to this topic of myth versus reality. And I wonder if, from your perspective, being a communications expert, and having seen communications from all these different perspectives, if there are any observations that you'd like to share with us?
Zenobia: Yeah, I mean, I think there's one of my old CTOs said, "Well, we're always gonna have issues as long as there's a carbon life form at the other end of anything," right? And I think when you look from the outside, it can be very black and white. Right? Well, of course, in hindsight, you should have done this, of course, in hindsight, you should have patched that, or you should have done things this way. And I think the InfoSec community has over time evolved to recognize that that's not true, right? There are more areas of sort of shades of grey. And to think about things, my favorite analogy is to think about it like the weather, right, we are not going to be able to control the weather. So how do you put in place your contingency plans? How do you know, think about what is your backup generator. What are your umbrellas? What are all the things that you're going to do to sort of minimize the impact of a weather event? I think that shift in mentality has been happening, and I think you're starting to see, I mean, you've already seen it, you've seen people sort of accept that and say, "Okay, we are not going to expect our security teams to be perfect. We want them to be prepared, and we want them to make us prepared. But we're not going to be perfect." And I think the other interesting thing that we're seeing is sort of more opening up and sharing of the postmortems.
And I think for a long time, that was something that was just taboo, people didn't want to share what happened, they wanted to they felt like that would be a big liability. But now you know, for better or for worse, with things like Twitter, you've started to see more of that exposed. And I think that actually is very, very helpful for the community, because first of all, it says, "Hey, nobody's perfect." And second of all, there are a lot of lessons that can be learned and can be shared that you just can't share if you're trying to hide certain parts of that. So I think it's interesting to me sort of watching my kids and that generation be much more open. I think some of that is filtering up into sort of how corporate America communicates, and how consumers expect corporate America to communicate. So that's actually helpful for those of us in InfoSec. Because it's no longer forbidden or taboo.
Caroline: Awesome. Zenobia, last question for you. What have you been reading lately that you've enjoyed, business-wise or otherwise?
Zenobia: Yes. So I read a fabulous book, and the title made me chuckle. So on the personal side, I will read or read just about anything, I'll try just about anything. Taylor Jenkins Reid, like all her stuff is just escapism and super fun, but sort of a combo business inspirational book I read recently, it was called "Broad Band." And the subtitle is "The Untold Story Of The Women Who Made The Internet" and I loved that tongue-in-cheek title. And I feel like every time I go read one of these books, it is a discovery of oh, wait a minute, we know these names. We know all of these male names who have done amazing things and have developed these technologies. But there are just as many, if not more, women who have been pretty content to let their accomplishments speak for themselves. And I think only now are getting recognized for those. So I really enjoyed that book. I would highly recommend it to anyone who loves sort of that historical take on what's happened in the world, but also a little bit of their personal stories.
Caroline: Fantastic. I am like literally, okay, so first of all, "Broad Band" sounds awesome. And I am googling Taylor Reid because and I shared this with you before we started recording. I am gonna be on an airplane tomorrow for the first time since March 2020. And I need a really good audiobook. And so now I'm thrilled. Thank you so much for the recommendation.
Zenobia: Yes, she's got some great ones. And then the other one, I'm blanking on the author's name, but "The Henna Artist." And then she wrote a sequel to that and those both take place in Jaipur and they have just beautiful imagery and storytelling, and I loved those as well.
Caroline: Phenomenal. Thank you so much. Zenobia, what a pleasure this has been. I appreciate so much you taking the time to spend it with me today.
Zenobia: Thank you. It was my pleasure. It is always lovely to talk to you. And thank you so much for everything that you do for the InfoSec community. I don't know that all your listeners know all of the things that you do and how tirelessly you contribute your time and your efforts behind the scenes. So kudos to you and thank you.
Caroline: Thank you, that means so much to me. "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @humansofinfosec.
.svg){kind=icon}
.svg){kind=icon}
