Caroline Wong, Cobalt

Episode Transcription:

Trac Bannon: 

My first exposure to Caroline Wong was in 2021. It was the height of the pandemic lockdowns, and we were brought together virtually, to discuss mentoring in technology. I was instantly drawn to her focus on happiness and on avoiding toxicity. 

She’s wicked smart, having received a degree in electrical engineering and computer science from UC Berkeley. When you meet her, when you hear her, it’s no wonder she is currently the Chief Strategy Officer at Cobalt, a firm focused on PenTesting as a service. 

While all this sounds like a natural fit, Caroline’s journey is filled with twists, turns, courage, and fate. 

Caroline was born and raised in San Francisco, the daughter of Chinese immigrants. Her mother was a trained biologist turned stay-at-home mom.

Her parents wanted only the best for their daughter. They taught her from an early age that college was not a choice. It was a natural next step. Expectations were set including her father insisting on her taking the most difficult engineering program available. 

Caroline Wong: 

The way I understood it… I was supposed to go to college… and then study… and then get a really great job.

My parents did encourage me to pursue academics, to pursue a career… my father insisted. So in our household, it just was the way that it was.

And you kind of did what Dad said to do. And when I was 16 or 17 and thinking about what I might study in college, I said to my father… “I would really like to study dance because I love dance. Or I would really like to study psychology because I think that’s very interesting.” And he said to me, “you’re going to study engineering and you’re going to study whatever is the hardest engineering degree that you get accepted to at the best school you get accepted to.”

And in my family, that was just how it was. And so I was like, okay… So I applied and then I got in. 

Trac Bannon: 

You are listening to Real Technologists. I’m your host, Trac Bannon, coming to you from Camp Hill, Pennsylvania. Each week we choose a unique guest behind leading-edge tech innovation to explore their genuine stories, their true journeys. Technology touches nearly every aspect of our lives. It’s being driven by diverse perspectives and experiences of real humans.

You’re in the right spot to hear about the Real Technologists reshaping our world. Stay tuned for stories that will give you something to noodle on.

There she was… an undergraduate studying electrical engineering and computer science. Caroline found herself a bit of a fish out of water. She had never been in an engineering lab and had never seen an oscilloscope. She was, however, really good with math and science, something she credits to a very rich high school experience.

Caroline Wong: 

College just was kind of this blah place in my life. After actually a really rich high school experience, it was a little bit of a rude awakening… which in retrospect I can see helped me… in the way that sometimes when you go through something that’s a little bit hard or a little bit uncomfortable, then afterwards you’re like, all right, now I can do stuff. For me, college was a little bit like that, not particularly pleasant but I made it through and that helped the rest of my future.

It was kind of a rude awakening for me.

Trac Bannon: 

Caroline dug in and did very well and was able to line up an internship between her junior and senior year at Berkeley. Remember that mention of Caroline incorporating happiness into her life choices? This independent streak kick-started her accidental introduction to cybersecurity… you could even say, it was her choice in boyfriends… During her junior year, she was dating a guy who went to Stanford. 

Caroline Wong: 

For my summer internship between my junior and senior year, I wanted to live at his house with his parents in Silicon Valley and not my house with my parents in San Francisco. And so when I applied to internships that summer, and I must have applied to 50 different internships, I only applied to companies located in Silicon Valley. And I got an internship in IT at eBay.

Trac Bannon: 

Caroline loved the internship so it was a natural next step, as she neared graduation, that she reached out to her internship manager at eBay, Carl. He said I’m sorry, Caroline, there’s an IT hiring freeze. 

It was 2005 and industry was still working to implement Sarbanes-Oxley or SOX requirements. Massive accounting scandals had rocked corporate America. Names like Enron, Tyco International and Adelphia became dinnertime conversation. America was learning about the complex practices and lack of independence between auditors, oversight, and investments.

Plenty of tangential opportunity was rising from SOX implementations that require all financial reports to include an Internal Controls Report. The payment card industry was also forming the PCI Security Standards Council. Compliance, risk, audit…

While there was not a traditional IT role at eBay, there were other openings… Carl contacted Caroline… 

Caroline Wong:

He said, you know there are a couple of entry level positions on the information security team. And I applied and the rest is history.

I was very confused. They handed me a 50 page pile of paper and they said here is our information security policy… you are in charge of responding to questions about it… you are in charge of handling and documenting exceptions to this policy.

So what would happen is tech leaders, business leaders would say, “I want to request an exception to the information security policy”,  and I would go and meet with them and try and understand why they refused to separate development from production, or whatever it was that they were requesting.

I didn’t understand a hundred percent of what they were saying, but I could write it all down. And then I could take it back to my manager who actually knew what was going on… and then come back with an answer. So that’s how I learned information security was on the job by responding to questions and exception requests having to do with our information security policy.

Trac Bannon: 

Talk about on the job training. She was thrown in the deep end and she learned to swim. Along the way, she worked with Dave Colony, CISO at eBay and former CISO at Washington Mutual. Dave was one of those mentors, one of those sponsors who could see her potential. 

Her relationship with Dave sparked her first RSA conference speaking panel. It was right at the end of her tenure at eBay. Dave Colony was supposed to speak on a panel about security metrics. 

Caroline Wong: 

And he said to me, Caroline, you are the person on our team who’s running this initiative. You should be the person speaking at the conference. And so I said, okay.

It was the first time I ever had an opportunity to do something like that. And after that panel, there was a person who approached me who had been in the audience. And that conversation started me down the path to publishing a textbook with McGraw Hill. 

Trac Bannon: 

It was 2011. She published her first book with McGraw Hill titled “Security Metrics, A Beginner’s Guide” and that book is dedicated to her mentor, Dave Colony.

She was at eBay for five years climbing to the rank of Global Information Security Chief of Staff before leaving to join Zynga. Caroline will always be grateful for her time at eBay. It was her first job out of college… and in retrospect, she didn’t realize how good life was at eBay. Hindsight is, after all, 20/20. Zynga was a growing phenomenon in online gaming.

Caroline Wong: 

I really didn’t know how good I had it. I was commuting. I was living in San Francisco. I was driving an hour, hour and a half each way to San Jose every day. And there was this hot new company at the time called Zynga, and they were located in San Francisco. I was going to have a much shorter commute and there were these rumors that the company was gonna go public. They were known for a very silly game called Farmville.

It’s an addiction of sorts… these types of online video games. Farmville was the super duper popular one. My role on the security team was actually to write the set of information security policies that took Zynga through the IPO. I wrote Zynga’s first ever acceptable use policy.

Trac Bannon: 

Caroline applied her smarts to the Zynga policy and found herself in a debate that has continued to shape the Cybersecurity domain: Should she write the policy such that it’s easy for folks to comply in practice, or should she write it such that it’s aspirational?

They landed on a mixed approach writing the first release closer to practice. The idea was that they would update it on a yearly basis and keep things moving forward. She was there for only two years. The work was exciting. The workplace culture was not a fit. 

Caroline Wong: 

Yeah, It was kind of a wild place. I would say that Zynga was a place where I experienced not my favorite workplace culture. And that turned out to be an enormous lesson for me because since that time in my career, I really learned the value of working with people that I like and respect, who like and respect me.

And I refuse to take a role where I can’t have a workplace environment like that.

Trac Bannon: 

You see this pattern with Caroline again and again. Take on a new experience, work hard, and learn. Her pattern also includes being true to herself. Her internal sense of what brings her happiness and joy and what doesn’t. Whether career or personal life, she is not afraid to stop, to reevaluate, to pivot, and to change. 

Caroline is also an open book; she is fiercely proud of her choices and her changes. This is especially true when she discusses her first husband. They had met during her tenure with Zynga at an adult kickball league. 

Caroline Wong: 

I really wanted to start a family, and I actually wanted it more than I wanted my own happiness… my first marriage taught me was that I was very, very unhappy and that I could actually make choices in favor of my happiness. So it’s really interesting for me because I met my first husband when I was in a mindset that said… well, I really want to start a family, and this is kind of… the way that I thought about it, kind of a prerequisite. And when I met my second and current husband, I actually was just going for joy.

Trac Bannon: 

Caroline’s ability to step back and to really look at her situation, at her choices, and to take action is her hallmark. She has a willingness to make the hard decisions, choosing happiness over societal norms. 

It was 2012 and her next move was to join Symantec, a global leader with tools for comprehensive cyber defense. The timing was off. Caroline dove in then realized it was not a fit. She stayed there for only one year.

Caroline Wong: 

The year that I was there was one of these years where the company had four CEOs, so there was really quite a lot of change going on at the executive level. For me, here’s the other thing about the breakup… sometimes, and you’re in a bad relationship, the breakup is actually a really good thing.

So you could say that I was in this relationship, it was not the right fit… and then when it ended, that life got way better.

Trac Bannon: 

Cigital was Caroline’s next landing pad and she thrived for three years as the director of security initiatives, a title she admits was a little wonky. Her role was to conduct BSIMM assessments. BSIMM stands for Building Security In Maturity Model. It was a research effort to observe and report on real software security initiatives.

She and a teammate were to travel around the world leading BSIMM assessments. As a self-professed metrics and data nerd, she was so delighted to get involved with this, to use data to tell the industry what everyone else was actually doing, instead of prescriptive approaches based on personal information or limited experiences.

She loved the work though she had a demon to contend with: alcohol. From her first days in tech, Caroline had been exposed to the pervasive culture of alcohol: from beer taps in the break room, to constant happy hours, to corporate gifts that included whiskey and wine. The combination of the constant availability of alcohol and Caroline’s own need for a coping mechanism was a nasty combination. Like others in tech, she felt the stress of being in a fast paced and high pressure role. 

Caroline Wong: 

It was just really a big surprise to me… Oh, you want to meet up after drinks for work? Oh, we’re having dinner. Oh, have a glass of wine at lunch. I mean, when I was at Zynga we literally were given champagne mimosas on a Friday morning. We literally were offered Bailey’s Irish cream with our coffee. We would go to a company all hands at the Warfield Theater in San Francisco with an open bar. I remember being at parties where executives of that company walked around with literal trays of shots in their hand.

Working in tech some days are stressful, and at that point in time I knew, well, I didn’t know at the time… I know now that I was using alcohol as a coping mechanism. I’d have an uncomfortable conversation at work, and if I had a glass of wine or a cocktail or five… pretty soon, I forgot about that completely. I did not then have the opportunity to acknowledge my feelings, process my feelings, coach myself, and maybe get to a different place with it.

But alcohol was definitely my strategy of choice when it came to dealing with anything uncomfortable. And there was a lot that was uncomfortable. 

Trac Bannon: 

Caroline knew that change was needed. In 2015, life handed her a set of new challenges to navigate that kick-started the change cycle; she was pregnant and that new life inspired her sobriety. Five months into her pregnancy, she headed on a weekend trip to Vegas with her partner and another couple. Sober and hell-bent on investing in her happiness, Caroline and her partner decided on an ad hoc Vegas wedding. That weekend was a whirlwind of fun and of love. 

Caroline Wong:

Yeah. He met me when I was a raging alcoholic, and I talked to him about that sometimes. I think that it was really obvious to him, and it was really obvious to me that when I was with him, I was just outrageously happy.

While I think that as an active alcoholic, I was rude and inconsiderate, a poor listener. He characterized it as I just was always seeking a lot of fun. But I feel extremely fortunate that he chose to stick around with me. And even that he has supported me in my journey to, and through sobriety.

I am today about eight or so years sober, having overcome severe alcohol addiction. For me that’s really been a game changing part of my recent life. And that little baby girl who was in my body in Las Vegas when I was getting married to the love of my life… she is really who inspired my sobriety. 

Trac Bannon: 

Damn, that’s what I call moxie… Knowing change is needed, digging deep, and doing it. Caroline is a strange cross between cheerleader and pragmatist. She shoots straight but is genuinely kind. You see this in the way that she uses her voice to mentor others and to boost the number of females in Cybersecurity.

Caroline Wong: 

At any given time, I might be actively working with 5 to 10 different mentees. It is very meaningful work to me. I really enjoy getting to know people and providing them with a perspective based on my past experiences that I think might help them to tackle a problem they’re trying to solve or try and create a pathway to the next step that they want to get to in their career. 

Trac Bannon: 

Women helping women… Caroline is such a strong role model. She uses her position, her platform, and her voice to enable others. As a member of the advisory board for the influential RSA Conference, there is a focus on highlighting technologists and strategists driving cybersecurity forward. Between her volunteering, her role with Cobalt, and this degree of visibility into the Cybersecurity industry, Caroline is quick to call out that there is tremendous work to do to educate this generation and the next on secure design, secure coding, and secure operations. For me as well, this is a core focus. For example, the well known OWASP top 10 security vulnerabilities? If we are learning and improving, logic would dictate that the top 10 would change! There would be new types of vulnerabilities… alas… there really are not… 

Caroline Wong: 

I do have a mission and my mission is I really want us to have a new OWASP top 10. And I don’t want us to have a new OWASP top 10 just for kicks. I want us to have a new OWASP top 10 because I actually want us to make some headway on being able to find and fix and prevent security vulnerabilities in web applications at scale.

It is so annoying to me that if I put the 2021 version of the OWASP top 10 right next to the 2003 version, they are just so alarmingly similar. So my mission is to change it. 

Trac Bannon: 

I’m ready to jump in with two feet to help Caroline move the needle on this. Consider that the first ransomware attack happened in 1989. Caroline was only six years old. We’ve had decades to address this; however, in 2022, IBM researchers reported that the average cost of ransomware breaches was $4.54 million; a figure that does not include the cost of the actual ransom itself. 

The looming question is how? 

Caroline Wong: 

We have to do things that are boring and hard. 

If we just track our inventory properly, keep it up to date, find and fix vulnerabilities, back up our data and test those backups to make sure they’re working, we actually can avoid being victims of ransomware. But we don’t do those simple things. We, as an industry, have an opportunity to focus on the basics and do them really well.

I think we totally can. We just have to decide that it’s important. 

We’ve got our work cut out for us. I really want the world that my children and my grandchildren… I want their computers to be safe. I want their internet to be safe. I want them to be able to use these technologies to connect safely.

Trac Bannon: 

Her passion for people and the future is what caused this life long San Francisco native to uproot her growing family and move to the Pacific Northwest… to Portland. She lives on a six acre property that is half meadow and half forest. She is absolutely sold that she made the right, the choice for happiness. 

Caroline Wong: 

I thought to myself, okay, having kids is pretty crazy, and then the work that I do is pretty crazy,  and then living in San Francisco is pretty crazy. So if I could just like take one of those factors and make it really chill, that might be easier. And so I’ve still got kids, they’re still pretty wild. My work is still extremely dynamic and fast paced, and I just live in this nature paradise. I literally will go outside and I will shove my hands in the dirt. I literally will hug trees. It’s a completely different lifestyle and I’m loving it.

Trac Bannon: 

Caroline’s journey has been filled with twists and turns, with anxiety and with joy. What will the future hold for this Cybersecurity guru? Oh, we’ll have to wait and see. One thing for sure, her decisions will be based on happiness… 

And that’s a wrap for today’s episode of Real Technologists. I want to thank my guest, Caroline Wong, for sharing her story. Your insights and experiences are truly inspiring. I’m grateful for the opportunity to share them with the audience. This podcast is a Sourced Network production and updates are available weekly on your favorite audio streaming platform. Just search for Real Technologists and consider subscribing. Special thanks to our executive producer, Mark Miller, for making this show possible. Our editor and sound engineer, Pokie Huang, has done an amazing job bringing this story to life. Thank you both. The music for today’s episode was provided by Blue Dot Sessions, and we use Descript for spoken text editing and Audacity for the soundscaping. The show distribution platform is provided by CaptivateFM, making it easy for our listeners to find and enjoy the show.

That’s all for today, folks. This is Trac Bannon. Don’t forget to tune in next week for another intriguing episode of Real Technologists and something new to noodle on.

Episode Guest:

Caroline Wong is the Chief Strategy Officer at Cobalt. She has 15+ years of cybersecurity leadership, including practitioner, product, and consulting roles. Caroline authored the popular textbook, Security Metrics: A Beginner’s Guide. She teaches cybersecurity courses on LinkedIn Learning and hosts the Humans of InfoSec podcast.

Episode Transcription:

[00:00:00] Trac Bannon:

In our world today, technology plays an increasingly significant role in shaping our lives. The way we communicate, work, and even entertain ourselves is being revolutionized by tech. Behind every innovation, there’s a person, a human being with unique experiences, perspectives and challenges. Understanding what shaped their perspective is a real goal.

From The Sourced Network remote offices in Camp Hill, Pennsylvania, welcome to Real Technologists. Each week we explore the genuine stories and true journeys of folks shaping our digital future. How did they navigate this complex world of ours? What challenges did they face? What are the innovative ideas that continue to propel them forward?

Each episode is crafted to broaden your perspective, spark innovation, and help you make better decisions by showcasing the diversity of thought and experiences within the tech industry.

Today, we’ve included some short excerpts to give you a taste of what’s to come.

Let’s start out with Jennifer Leggio, Chief Marketing Officer for Netography and cybersecurity strategist. She’s also a luminary for accountability and responsibility in security marketing. Just who helped her along the way?

[00:01:17] Jennifer Leggio:

“He would push me and say, I see more in you. I see more in you. And so because of that, Cisco wasn’t enough for me anymore, and it wasn’t Cisco. It was the role because it’s such a huge org. My role was very finite there, focusing on security strategy and communications and messaging and such. I’m like, you know what? I’m gonna quit.”

[00:01:41] Trac Bannon:

Caroline Wong, Chief Strategy Officer at Cobalt, got her start with eBay as an intern. Her experience and exposure to eBay set in motion a series of domino events transforming her into a leading voice in cybersecurity. Funny to think it all started with dating a Stanford student.

[00:02:02] Caroline Wong:

“For my summer internship between my junior and senior year, I wanted to live at his house with his parents in Silicon Valley and not my house with my parents in San Francisco. And so when I applied to internships that summer, and I must have applied to 50 different internships, I only applied to companies located in Silicon Valley. And I got an internship in IT at eBay.”

[00:02:31] Trac Bannon:

Katy Craig is a cybersecurity expert who has spent her career focused on the US Navy. She’s a retired veteran, educating the next generation of ethical hackers.

[00:02:43] Katy Craig:

“It’s very special to build a ship, to be part of the pre-com crew, to be a quote unquote plank owner is a very special privilege. I am a plank owner of Bonhomme Richard. We went through a lot on that ship. I was there on 9-11 when the planes hit the towers. We deployed early to go hunt for Osama Bin Laden.”

[00:03:06] Trac Bannon:

Lonye Ford grew up on the south side of Chicago and joined the military as a way to put a roof over her head and maybe give her an education. When she started out, she found herself believing that she could not be her authentic self.

[00:03:19] Lonye Ford:

“It was scary joining the military because I was transported to a land where no one spoke like me. No one really looked like me. And so that was a tough environment for me. And, you know, for a while I think what I started to do was conform a little, right?”

[00:03:39] Trac Bannon:

Rosalind Radcliffe is an esteemed IBM Fellow driving Big Blue to drink their own champagne, so to speak, in their adoption of modern software practices and DevSecOps. As a self-proclaimed high school dropout, she is leading the way for the DevOps-ing of IBM’s z/OS.

[00:03:58] Rosalind Radcliffe:

“So I went to school in Wisconsin for two years and then my dad was moving to Florida to teach at the University of Florida via England for a year. And so they sent me to the university and the university said, would you like to show up in August? I said, no, I’m going to England for a year. So let me go to England for a year and I’ll come back and then I’ll go to the university. And so technically I’m a high school dropout.”

[00:04:22] Trac Bannon:

That’s what Real Technologists is all about. I delve into the lives of innovators to discover their journeys, their passions, and their motivations.

This is Trac Bannon, the host and storyteller for the Real Technologists Podcast. I’ve been in the tech industry since the 1990s. Along the way, I’ve worked with scientists, researchers, consultants, educators, military and hardcore technologists driving digital innovation.

I’m an active member in many technical communities ranging from digital transformation to software architecture, to DevSecOps. With a vibrant network of professionals who are constantly monitoring what’s going on, I’ve developed a passion for uncovering unique stories and perspectives.

I believe that behind every technological innovation, there’s a unique individual with a captivating story to tell. Our goal, my goal, is to bring you face-to-face with the real technologists behind the latest tech trends, and to give you a glimpse into their lives, their passions, their motivations.

Real technologists is more than a podcast about diversity. It’s about amplifying the goodness that comes from our diverse spectrum of voices and experiences. It’s about genuine stories, true journeys, our complex world. Whether you’re a tech enthusiast, an entrepreneur, or just curious about the world of technology insights, the interviews are sure to inspire and educate. Consider joining me weekly at Real Technologists. Each episode will leave you with something to noodle on.
