The role has definitely evolved, but to me it means that I am the executive stakeholder in charge of protecting the company from security risk, building the brand around trust that helps Zenefits shape the conversation with customers, creating a lasting culture of security within the organization, and helping Zenefits to create market-leading capabilities around security and privacy for our customers.
Which projects are you most excited to work on at Zenefits? Is there a certain area of our business that takes priority right now for your team?
Tough question! I am really excited to learn our business end-to-end; I firmly believe that in order to keep something safe and make the best possible decisions, it has to be from a place of understanding. That is also the place where I can learn the conversation we need to have with customers, understand their pain points, and look for opportunities they don’t even know exist.
I found it fascinating back in high school, and in college I took some of the first-offered network security classes at a university level. That said, the passion emerged after I transitioned from being a software engineer to a security consultant. The love of security definitely emerged there. I like to say I stay in security because my mom shouldn’t have to call me worried about her online accounts.
The trend I would focus on is that we are seeing the continued commoditization of technology for bad guys. As an example, there are criminal organizations selling Ransomware as a Service. One level of criminal creates a capability to attack businesses, and other criminals pay to use the service and then collect the ransoms. That is terrifying because it means that more advanced capabilities are being distributed to attackers who do not have the resources to develop them on their own. That really raises the bar for all defenders faster than many can adapt.
I think it varies by the company, but the theme I have seen work to create lasting understanding is getting to the heart of the ‘why’ and the ‘how’ security matters to people. Education about security has to be relevant for people to retain it, so I like making it highly applicable to the team, or even the individual at times. You don’t force the finance team to learn about secure software development, and you don’t ask the software engineers to think about finance processes and how people could commit fraud within the company.
We actually participate right now! Zenefits uses HackerOne to manage our bug-bounty program.
I have a ton of thoughts on this! Let’s focus on one thing that I think goes without saying, but bears repeating. Security tools and products are never as much of a silver bullet as they claim to be. Many people across companies get caught up in the idea that they can just buy the right tools and then security is “solved”; but security is, and will always be, a process of managing risk more than a problem to solve. Our goal is to make our people and systems expensive enough to attack that the adversaries go elsewhere.
I am excited because ever since I became a manager I became hyper-aware of, and interested in, the relationship work has in people’s lives. Zenefits is the kind of company that can help really shape that conversation and promote practices that enable us to measure the right things and make work and life a more healthy integrated whole.
I am intensely passionate about wilderness preservation and climate change. I spend a lot of the time I take away from work photographing wild places and donate all the money I make from selling prints to causes like the Southern Environmental Law Center, The Rainforest Trust, and Wild Earth Allies.