Name: Caroline Wong
Title and company: Chief Security Strategist, Cobalt.io
Number of years in the information security industry: 14
RSAC: What was your first job in the infosec industry?
In college, I studied electrical engineering and computer sciences at U.C. Berkeley. The summer before my senior year, I worked at eBay in IT Project Management. When I graduated, I contacted my internship manager to see if I might be able to join the team in a full-time role. There was a hiring freeze in IT, and they couldn’t get approval to hire me. eBay did have an entry level position on the information security team. I applied, and I got the job.
It was 2005, and the first version of PCI-DSS had been released in December 2004. As a public company, eBay also needed to be SOX compliant. My job was to manage our security policies and exceptions, and provide security awareness throughout the organization. One of my first projects involved travel to our offices in Omaha (Nebraska) and Dublin (Ireland) to deliver role-specific data protection training for customer service representatives.
RSAC: If you weren’t working in the infosec world, what would you be doing?
That’s an interesting question. To be honest, I never planned to work in InfoSec - after college I was presented with an opportunity and one thing led to another. Over the years I’ve found that I really enjoy solving problems in this field, and the impact that I can have on society is satisfying. I’ve also met some really great people doing this work, and I like to surround myself with good people.
If I weren’t doing the work that I do today, I’d want to start a company that fills what I currently see as an unmet need for modern society. I don’t want to give away the idea completely, but I want to provide physical and virtual experiences to fill a gap that I see today in terms of how modern adult humans express themselves and process emotion and trauma.
We’ll see how it goes. Check in with me in a decade or so!
RSAC: What does the RSA Conference 2019 theme of “Better” mean to you?
I’m a big fan of this theme.
In particular, I appreciate that it’s different from a theme like “Our Very Best,” or something silly like that. To try and achieve “the best” can seem impossible, so impossible that one might be discouraged from trying in the first place. But it’s always possible to do better.
Are we going to solve all the world’s security problems at this year’s conference? Probably not. Will the industry take a collective step forward by sharing what we know with each other and helping each other to learn and grow? Definitely.
RSAC: What is the biggest challenge facing the infosec industry right now?
We’re at a point in time where more and more organizations are recognizing the need for information security. Almost every InfoSec manager I know has open headcount for their team. Almost every InfoSec manager I know has a lot of difficulty filling these positions.
At the same time, when I look around I see that the people in our industry do not reflect the diversity of the human population.
I’m very hopeful that somehow these problems can come together and solve each other over time.
Automation, some security vendors will tell you, is the solution. I know that it’s not enough. The industry faces a challenge when it comes to achieving on-demand, high-quality manual security testing in a way that’s accessible not only to well established enterprises with significant security budgets, but to all organizations.
RSAC: Complete this sentence: 2025 will be the year of __.
cybersecurity insurance for the individual family and consumer. Just as it is a normal part of “adulting” in 2019 to purchase auto and home insurance, in 2025 it will be normal to buy cybersecurity insurance for yourself as an individual and for your family.
RSAC: You’ve noted that the security world lacks the skillset needed to translate complex topics to language understandable to a wide audience. How do we begin to develop that skillset? Who is responsible for translation?
The first thing to do is to get a better understanding of the different audiences that matter. Who are these people and what do they care about?
The second is to harness the skills of a broader and more diverse population in order to communicate effectively to these audiences. For example, if we want students and children to understand complex information security topics, we should start by engaging with parents and teachers.
I believe that industry veterans with long-standing expertise have a responsibility to share their knowledge and teach others who can continue to carry the message. Technology and social media have network effects that spread information. Let’s use them for good.