The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Caroline McCaffery.
Caroline is the CEO and Co-Founder of ClearOPS, a privacy and cybersecurity tech company innovating in third party risk due diligence using advanced technologies like deep learning and NLP. Caroline has over 20 years of experience in law, privacy, cybersecurity and is a frequent speaker on topics covering privacy, information security, ethics in A.I. and women in business. Caroline earned her J.D. from NYU School of Law and her B.A. from the University of Pennsylvania and is a certified privacy professional through the IAPP.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
My grandfather passed away when I was in middle school. I distinctly remember my father telling me that my grandfather had been disappointed that none of his 3 sons became lawyers because our family had always been lawyers. I declared right then and there that I would pick the tradition back up and become a lawyer. I followed through on this promise and eventually worked for a prominent law firm in California representing tech startups. For years, my goal was to find an in-house counsel job at one of the startups I represented. I realized that goal in 2011 and joined Sailthru, a marketing automation company. Because of the data that Sailthru collected, I decided to study for and obtain a certification in privacy. Coupled with my increasing security responsibilities at Sailthru, I found myself quickly becoming an avid student of cybersecurity. I was, and remain, fascinated with the complexity of translating cybersecurity into plain English.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
I cannot think of a specific podcast, book or film that resonated.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Yes, and it is a personal story. Basically, in 2015, I was the victim of tax fraud. I was a victim again in 2016. Being the victim of tax fraud is quite frightening and confusing. Plus, it follows you for some time. The most memorable part was when I sat in front of a real IRS agent and after hours of him typing on his computer, he turned to me and told me that my former employer’s payroll vendor was the original source of the data leak. I was impressed and also really mad at the same time (impressed by the IRS agent’s sleuthing, and mad that the payroll company had never alerted me).
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
I cannot think of one good story, which is disappointing because I like to try to be funny whenever possible.
Are you working on any exciting new projects now? How do you think that will help people?
I am currently focused full-time on building ClearOPS. The mission of ClearOPS is to bring back to every individual the right to experience the online world according to their own personal privacy preferences. It is a lofty goal and it starts one brick at a time. The reason I find it so exciting is because we are using NLP and deep learning, which means I am an integral part of working with that advanced type of technology. I cannot wait until we can get to the use of blockchain.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
I am excited about the awareness that is happening among the general population about how important great cybersecurity is. For example, the SolarWinds hack has brought cybersecurity into the national spotlight and even the Biden administration has promised to make cybersecurity a priority.
I am also really excited about cryptocurrency and blockchain because it is the first time that new technology is in itself valuable because of the security.
For the last one, the industry is experiencing rapid growth which gives me hope in the fight against cyber crime.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
I am still very concerned about the communication gap between cybersecurity and the rest of a business. What I mean is that the language that the cybersecurity and information security professionals use is not understood by the rest of the business, which creates confusion and risk. I am also concerned about the perception of cybersecurity as being a blocker to business rather than the enabler it is. Finally, I am concerned about the rapidly increasing number of attacks on business. I strongly believe that bridging the communication gap is the key to fixing all these problems I have identified.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
It depends on the size of the business. Small and medium businesses are increasingly seeing phishing, ransomware and other seemingly small-scale threats that are incredibly damaging to their livelihood. Enterprise businesses are facing state threat actors and very sophisticated attacks that have the ability to create harm and disruption for years.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I have helped businesses through several breaches or incidents and I can tell you the main takeaway is simply, be prepared. My best advice is to prepare that incident response plan, have your forensics investigator chosen, your lawyers, your crisis PR firm, your local and federal law enforcement contacts all identified and written down. Have your marketing department prepare possible notifications to customers. Being prepared will mitigate the most amount of damage.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
At ClearOPS, we use our own tool daily for third party risk due diligence. Other than that shameless plug, I want to focus on the one tool every single person should be using, a secure password system. Having strong passwords, changing passwords when logical and keeping your passwords in a safe location should be top priority.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
The other day, I noticed a strange new search bar on my computer’s home page. This is a computer that my kids frequently use and I know that they tend to click on random ads. Anyway, I immediately suspected this search bar and so I tried to figure out how to make it go away. Sure enough, when I clicked on the browser settings it would not let me remove it as the default so I had to find the program and uninstall it. My point is, if something seems strange or wasn’t on your computer before, immediately investigate it and remediate. Trust your instincts.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
This question is a hard one to answer because there is no magic remedy. However, I will go back to my advice on passwords. They are so critically important to keep secure. Also, if multi-factor authentication is an option, always take the time to turn it on.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
The most common mistake is not having a good employee and/or contractor offboarding process where you know every single third-party service that they had access to and removing them from it. Almost every breach has occurred due to poor offboarding, specifically removing access from systems.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
As CEO, I am responsible for hiring and I have had this responsibility at prior companies too. Hiring women in STEM has been an issue for a long time and continues to be one. For every female applicant, I receive at least 20 male applications. This is true when I search for candidates as well. If I conduct a search on LinkedIn for specific STEM skills, the search results will have a 20:1 ratio of male:female (note: it is not just a gender issue). I think there are a lot of initiatives trying to drive change here and it is happening, it is just very slow. I do believe that technology suffers without having more diversity involved in building it.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
I think the biggest myth is that you need a certification next to your name. There are a lot of cybersecurity certifications, like Security+ or CISSP. In my humble opinion, you don’t have to have a certification for me to take you very seriously about cybersecurity best practices and your competence.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- “Management is about managing yourself” — I hired a young woman several years ago who would become very nervous during review time. She was incredibly self-critical. The problem with performance reviews is that the point often feels like you have to provide critical feedback. Anyway, when I would sit down with her I would repeat this in my head over and over “you aren’t managing her, you are managing yourself.” I didn’t need to be critical of her. She needed encouragement in those reviews. I had to ignore the pressure and resist her nature of trying to get me to give her negative feedback. I had to manage myself.
- “Do stuff that scares you” — I am an introvert by nature and I identified public speaking as an opportunity to overcome my introverted tendencies. It took some time and practice but now I enjoy public speaking and I think the preparation, the experience and the feedback from public speaking makes you a better leader in business.
- “Respond with ‘I won’t make the time’” — Many years ago, I had a colleague who often seemed frazzled. I soon realized it was because her response to almost anything was, “I don’t have the time.” Once I realized this, I decided to start using the phrase, “I won’t make the time” because, in reality, that is what you are saying. It is an extremely powerful thing to say and can feel like you are being rude. However, it will also force you to realize your priorities. Aren’t you really making a conscious decision not to make the time? Try it, even if it is just in your head. It changes your response from something you cannot control to you being firmly in control of your time.
- “Keep always learning” — When I first started ClearOPS, I had to ask my co-founder a ton of questions about the inquiries on a security questionnaire that we were helping a client complete. He engaged with me in the discussion about what the inquiry could possibly be trying to ask. Oftentimes, I would also look up the subject of the inquiry. I think I learned more about cybersecurity from doing this research than anywhere else! I think having a mentality of always learning helps women in technology. Ask the “stupid” question (I don’t believe in stupid questions, actually) because knowing more, at the end of the day, is a great strength.
- “Listen” — Several years ago, over the course of one week, I had 3 people cry in front of me. All of them were crying for different reasons, one was a personal situation, another was because of what a colleague had said and the third I don’t remember anymore. The first thing someone does when they cry at the office is apologize. I now have a habit of leaning in to why the person is crying, asking them questions, getting tissues and making sure they know they don’t need to apologize. I will cancel the next meeting. Nothing gives me more honor than someone crying in front of me because it means they trust me and the least I can do in return is give them all my focus and attention. Truly listening to people is important for leadership because there would not be any leaders if it wasn’t for the people who trusted them to be there. Frankly, there is no leadership; real leadership is service.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂
I have wanted to meet Aileen Lee from Cowboy Ventures for some time. I have heard her speak and I know that she is the one responsible for the term “unicorn” in tech. She seems like a really cool person and I just have this feeling that we would have a fun conversation.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!