EDITOR’S NOTE: Auth0 CISO Joan Pepin spoke at the Women Who Code Connect 2018 conference in San Francisco, Calif. on April 28th. You’ll find video excerpts of her lengthy QA session throughout this transcript. (Due to sound quality, questions were paraphrased for clarity.)
"Auth0 CISO Joan Pepin showed that leadership is a skill that can be learned — and shared tips on how to be a stronger leader at #WWCode. Here’s the full transcript, with video outtakes from the QA. @CloudCISO_Joan @auth0 @womenwhocode"
Leadership can be learned… and other tips from my talk at Women Who Code Connect 2018
I'm here to talk about leadership, and another confession is, I believe the title of this talk in the program is "Five Things That Every Leader Could Use to be a Better Leader." We will hit five things, and generally speaking, some of that advice will be pretty gender neutral for anybody, but as I've prepared for this talk, it evolved a little bit. So "Five Things Every Leader Should Know" might not be the best description anymore for this talk.
I'm also going to talk a little bit more about myself personally than, A, I normally do, and B, that I'm normally comfortable with, because I've been asked the question a lot in the last few years how I got where I am. And people ask me all the time, "How did you do it?" I was raised in a New England Catholic family, and talking about myself and my accomplishments is not necessarily super comfortable with. But we're going to give it a try because I am asked that question very often. So who am I and how do those perspectives conform to what we're going to talk about today?
Well, there are lots of facets to who I am. There are lots of different identities that I can claim. Some of the ones that are most relevant to my career journey, though, might be, I am a queer transwoman. I did not ever attain a college degree, but I do hold a patent. I've invented several things for which I do not hold a patent. I've been twice the CISO of very successful companies, two of the highest-funded security companies in the information security industry. I was also the Business Information Security Officer, which is a very similar but somewhat different role for a Fortune 100 company.
I self-identify as a leader. I mentor formally a number of people, mostly women, but not exclusively, and I'm a change agent in the companies I work for. So that sort of maybe puts a little more relevance in the question of, how did a college dropout queer transwoman wind up being as successful as I've been, both in terms of just my pure career and my financial success, but also in terms of, uncomfortably, apparently being someone who other people admire and look up to, where I have the tremendous privilege of being able to now mentor people? How did I do that? What are my tips and tricks and what have the challenges been?
So I'll talk for a couple minutes about the actual nuts and bolts of my career progression, because career progression is itself a skill, just like riding a bike, playing an instrument. You can learn how to climb the ladder, if climbing the ladder is in fact a thing that you want to do. There are skills that you can master that will help you do that.
So in college I hung out with a lot of hackers, I was very interested in hacking culture. Back then that didn't just mean malicious activity on computer systems. There was a broader sort of sense of the word. Although it did include that definition, it was more expansive than that. I was so into that, I didn't go to class much. I mostly availed myself of the large Unix and, I'll date myself here, VMS, VAX VMS systems that were available to me at my state university. So I tend to be a self-educator. So I spent a lot of time in college hacking and not a whole lot of time going to class. This, in addition to being in a really unhealthy relationship at that point in my life, caused me to drop out.
Well, then I needed to make a living. I was out on my own. I moved out of home when I was 18, and what am I going to do with no college degree? Well, for a couple of years I had a string of jobs in small companies, a nonprofit healthcare center, where I was, my basic position was always described as The IT Guy. "We'll have our IT guy come look at that." It involved everything from wiring up networks, crawling around under desks with CAT 5 cables in my teeth, running the PBX, running the SCO UNIX servers, again, dating myself.
And that got boring, especially given how I sort of self-identify as, really, a hacker. I wanted to get into information security, but there was absolutely nothing in my background, nothing I could put on my resume, no degree that I had or classes that I had taken and passed anyway, that would give anybody the confidence of giving me a position in information security. So what I had to do was talk my way into that kind of position. I had to convince somebody to give me a chance at doing something I had not ever done before, at least not professionally. And that right there, that was key skill number one that I had to develop in my career progression, because you're not ever going to progress, by definition, if you keep only doing the things you've done before.
So a rule that I have developed for myself is, I never take a job that I am qualified for, because then I'm just going to keep taking the same job. If I only took jobs I was qualified for, I would still be working at Burger King. So that is not, though, I'm very well aware, despite the fact that I was raised and socialized as a man, I'm very well aware that women are not generally raised and socialized to have that confidence, to feel that, "Hey, I only have a few of the requirements on this and I'm going to apply for it anyway." And that's not fair. The fact that we have received that message over and over again, has been pounded into our heads, is not fair.
I talk a lot to my teams about should versus is. We want to strive for the should, but we always need to deal with the is.
But it's there. I talk a lot to my teams about should versus is. We want to strive for the should, but we always need to deal with the is. So this is a thing that has been pounded into many of our heads. So if you leave this talk with one piece of advice, one thing I can tell you to answer that question, "How did you do it, Joan?" it would be, never take a job you're fully qualified for. Figure out how to talk someone into giving you that next job, to give you the opportunity to gain experience that you have not had yet. And I did that. I talked my way into a security engineering position.
Now, partly that was by demonstrating how much I had self-educated. I had built a lab in my apartment while I was still an IT guy. Servers that my employers were discarding, I would take them home and install things like SCO UNIX on them. This was long before Linux. And teach myself how to hack them and do my own penetration tests at home with the network I had built in my apartment. Then I was able to show this to a potential employer and convince them that I actually did know what I was talking about even though I had never done it professionally.
Eventually that got boring, because what really gets me going, what really turns me on, is the ability to have an impact. And pen testing is fun, which is what I did for a few years as a security engineer. But it's difficult to really feel that you're having an impact, that you're changing a team, a company, the world, when you're just running around pointing out flaws. So I then needed to convince somebody to let me step up from that. I had to demonstrate that I could design systems and controls that would prevent people like me from doing the stuff that, until then, I had been paid to do.
QA: Getting Ready to Lead
And then I was really fortunate to have a mentor, while I was a security engineer, who saw that I had potential for management and leadership. That person managed to drill into my head that, since impact was really what I wanted to have, there was only so much of it I could ever have with only my two hands. No matter how grandiose my designs were, I'm still one person working with my own two hands. And so to really have an impact on the company I was working for at the time, he convinced me that I needed to manage people.
So then manager. It was at this point in time that I began my transition finally. And it's very interesting to me and counterintuitive that my titles, my status, and frankly my salary did the hockey stick thing after transition. My career has grown tremendously faster in directions I never could have imagined since I came out as a transwoman and began living as such. That's a little interesting. Now, I think that's largely to do with unburdening myself from the tremendous weight of inauthenticity. There might be other things involved, too, but being able to bring all of these facets along with me enabled me to go much further much faster than I had ever gone before.
So from manager to director, from director to executive. Now I'm Chief Information Security Officer, sort of plus, I own more than just information security. I own compliance, IT, various other operational QA-related things. My responsibility is for our platform to be secure, compliant, and available. I report to the CEO. How did I do that?
There are skills, there are a lot of skills that one can pick up. Now, some of those are what we call soft skills. And most of them actually are. But I've also had to do a lot of fighting perceptions. I've had to fight the perceptions about women, obviously. I've had to fight perceptions about queerness and trans-ness, obviously. I've also had to fight some of the stereotypes of my own particular role. The Chief Information Security Officer in many organizations is not really an executive, despite the C at the beginning and the O at the end. They're often simply the senior most person who knows anything about security.
In a study a couple of years ago, which was extremely depressing, something like 66% of senior executives felt the CISO did not deserve a seat at the leadership table. They are seen as technical experts who have the good communication skills. They're the hacker in the back room that we can actually let out and talk to people. But they're not seen as business leaders. I want to be a business leader, not just a technologist with good communication skills.
QA: Conflict & Consensus
So I've had to fight that perception every step of the way. I've had to convince people that I am not just a technologist, that while yes, I have a deep understanding of systems, I can talk kernels, I can talk APIs, I can talk programing languages and compilers, we can have all those discussions, but really let's talk about the value that I can bring to the business. Let's talk about the value that I can bring to our brand. Let's talk about the value that I can bring to the organization as an inspiring leader, and let's focus on those things. And let those technical skills fade a little bit, let's let those kind of sit in the back pocket to be taken out as an impressive magician's trick sometimes when I need to, particularly if it involves a very aggressive, snooty person in a meeting who thinks they know better. Every now and then it might be good to pull that out, that yes, I actually do understand how kernels work. But day by day that's not my job and that's not where I should be focused.
“What a bind it is to know that the best way to get a promotion is to promote yourself and yet know that self-promotion is seen completely differently when it's coming from a woman than when it's coming from a man.”
So what are the skills I've had to acquire? Well, what a bind it is to know that the best way to get a promotion is to promote yourself and yet know that self-promotion is seen completely differently when it's coming from a woman than when it's coming from a man. That sucks. Take a moment, right? That sucks. That is like one of the major definitions of a Catch-22. And I'm sure many of us or all of us have heard about that competence and likability horror show, right? The more competent a woman is, the less likeable she is, right?
So having to actually carefully place your feet to walk that line right down the middle. "Oh, I don't want to appear too competent in this meeting," is a really horrible thing to have to think about. But again, should and is. So consistently what I have tried to do is elevate what I'm talking about. If I appear competent but in a different flavor, if I can be competent about talking about leadership, if I can be competent talking about the value that I bring, the way that I've transformed a team, the way that I've changed things, that can take on a different flavor. We can reframe some of these things. I'm going to talk about a lot of reframing in another slide or two.
So these are all skills. Leadership is a skill. If you want to be a leader, you can learn how to do that. I don't believe any of these things are innate talents. I'm a musician. I wasn't born musical. I practiced a lot and studied hard and listened to lots of music and read books about it. I was not born a leader. I've had to learn how to be a leader, I've had to read books, I've had to get a coach, I've had to listen to other leaders, have mentors, seek them out, and learn that skill. We should not think, "I don't know how to do that, I'm not good at that, I wasn't born with that." We can learn how to do anything.
Now, I said before I'm a self-educator. I teach myself. That's not everybody's learning style. I read the book, I watch the YouTube video, I observe. That might not be how you learn. You might want to go and take a leadership class. However it is that you learn, you can learn these skills. And here's another trick. I'm trying to count the five things I'm supposed to do.
It can be hard to think, if you are an entry-level engineer and you have an aspiration in the back of your head someday to be the CTO, it can be hard to look from where you are to the CTO and imagine how you're going to get there. That can be daunting, that can be dispiriting. But what if you just look at your boss? What if you just look at your boss and say, "Could I do that job? Do I want to do that job? If I feel like I can do that job, then what's my path to get there? How do I get that job? If I don't feel like I'm ready for that job, what am I missing, what are the skills that I need, and can I ask my boss, 'Hey, boss, if I were to have your job, what do I need to know, what do I need to learn, what don't I know right now that you do?'" If you can't build that relationship with your boss, find someone else with a similar role that you can build that relationship with, and ask those questions.
Do your own personal gap analysis and fill those gaps. And again, that leads to the career progression. That's the skill. So since I mentioned before, since Burger King in my teens, I have always looked at my boss and said, "I could do that." Honestly, it wasn't until I think I was reporting directly to a CEO that I looked at my boss and said, "Oh, I don't even know if I want to do that." So making that a little more of a bite sized chunk, one step at a time. How can I get that next position?
So I didn't quite know where to put this slide in the flow here. One of the key perceptions that we have to fight is that we're too emotional. There's a lot of talk about vulnerability in the literature these days, about bringing your vulnerability. And then some people are starting to say, "Maybe that's not such a good idea."
I think it is a great idea, but I think we need to reframe it, because you know, information security, I'll say, even more male-dominated than the rest of IT, 11% of information security practitioners are women, 11%. So in that really hypermasculinized environment, vulnerability is weakness. But it can be reframed as transparency. I was once asked by a senior leader in the middle of a heated discussion if I could drain the emotion from the conversation. I stopped for a full beat and I took a deep breath and I told him that I could go make money not caring lots of places, but that in fact I did care. I cared a lot about the company, I cared a lot about us winning the deal, I cared a lot about the impact on my team and the organization, and that in fact I was here because I cared. And I questioned him, "Don't you? Do you not have emotions about this situation?"
"11% of information security practitioners are women … in that really hypermasculinized environment, vulnerability is weakness. But it can be reframed as transparency. @CloudCISO_Joan @auth0 @womenwhocode"
That's a hard one to argue with. The vice president is certainly not going to tell me that he doesn't care that we're going to lose this deal. You care, I care, so let's talk about that. That doesn't have to be weakness. That can easily be turned into your strength. Yes, I'm passionate, yes, I care about this company, I care about this team, I care about our image, I care about our brand, I care, care, care all day long. And if you don't, then you're the jerk, not me.
So management. The first time you go from engineering, architecture, whatever, and you're first managing, it's actually in my mind now looking back with sort of a meta view, it's a lot like engineering. A great quote is that engineering is the art of making the shit you need out of the shit you have. Well, so is management, really. Only sometimes now the shit you have happens to be human resources. So how do I take this team and these tools and this budget and get what I need from it? That's management. It's an interesting challenge. It's rewarding, it's awesome.
By itself though, it's not leadership. Leadership requires a vision. If you continue to progress in your career you'll eventually become where the buck stops. My CEO, my boss is not an information security expert or professional. He's a CEO. I don't have a tech support line I can call. I am where the buck stops now. I can ask my CEO how he feels we should approach something, how he feels that our brand image would be impacted by A versus B. I can ask just how he feels about a given solution or situation, but I can't ask him for a technical answer. He doesn't know. And furthermore, that would jeopardize mine. I'm where the buck stops there. So my boss is just as much my vision as it is my CEO.
What guides me and the decisions that make on a day to day basis are based on the vision that I have for where I want to take myself and my organization. And that's where the leadership starts to come in. I was told once by a, recently actually by a very good friend of mine, that they were denied a promotion, they went through the whole interview process, they crushed it, there were like six interviews, they crushed five of them, and then in one panel interview where there were four people, one person who didn't like them canned that interview. They wound up not getting the promotion.
When he went to his boss and said, "I really don't think this is fair that this one person on one panel was able to shoot me down for this promotion," his boss was like, "Well, I really have to worry about the optics, and that person is really, they're a loudmouth and they're a big cultural influencer in the company, and if they're unhappy with it, it's really going to be a big problem for me. So I really have to consider the optics."
My response to that was, "Holy shit. That is the opposite of leadership." That is the opposite of having a vision of what you want to do and what you think is right and what the direction is that you want to go, and sticking to that and following it and figuring out how to overcome, around, over, through, under whatever obstacles stand in your way. That is being a dead fish that goes with the flow. That is not leadership. And the title of that person is very impressive. And someone with that title should be a leader and not someone who's, "I'm so worried about the optics."
If that manager felt this person should have the promotion and felt that the optics were important, then he should have taken it onto himself to change that person's mind, to convince them, to lead them along for why this was a good idea. That's leadership, and it's very different than just management. Being a leader can be very hard, because again, your boss is that vision and you have to figure out how to get there, and there are catch-22's and situations all the time that will test your ethics, test your morals, test your vision, test your skills, but there's nothing more rewarding in my opinion, in my life, than being a leader. But it really does require that extra vision, that extra step.
Also, so talk about skills, let's talk about will. Being a leader is really all about will. You need to have a lot of it, that's first and foremost. You also need to know how to harness other people's. If you've got a lot of will and you know how to harness your own, and you surround yourself with a couple of people who have a lot of their own will, and you can help harness that and guide them, lead them, that's going to get you a long, long way.
This is why you'll often see very successful people surround themselves with other A-players, and they bring them along. A new executive comes to the company and shortly thereafter a few people that they've worked with either at their last company or two companies before that come along with them. Those are the people they've worked with before who have demonstrated that they have that will and they have those skills.
And that's great, that will get you a long way, but it usually won't get you all the way there. There's going to be some percentage of people in your organization who have that will, but there's going to be most of them who don't have as much. So how do you generate that will? That's where the real leadership starts to come in, that's where my story about the promotion...Like, okay, well I have one person who wasn't going along with the flow. And rather than bowing to that, how do I generate the will in that person to do the right thing? How do I take my whole organization and get them to care at least almost as much as my couple of A-players who I know care as much as I do? How do I be an inspiration, how do I paint that vision for them, how do I let them see at least a glimpse of what I see so that they can care at least almost as much as I do? That's where the leadership comes in. So is there a story, is there a parable, is there, what can I do to generate that will and harness that will? And a big part of it is letting them see what you see.
So then there's just some tips and tricks. Science. So there's another really horribly depressing study/experiment that's been done and replicated about women dominating the conversation. In a conversation between a woman and a man, this has been reproduced many times, if the woman talks more than 25% of the time, she will be perceived as dominating the conversation. Okay. That's not right. But it's what's there, and I see it all the time. I know if I talk too much in any given meeting, no matter how respected I am, if I talk too much in any given meeting, they're going to hear, "Blah, blah, blah."
QA: Making Yourself Heard
So I know I need to be bold, I need to be brilliant, and then I need to be gone. I will go a whole board meeting without saying anything. No offense to the guys in the audience. I don't know a single guy who would go a whole board meeting without saying anything. If there's an opportunity to say, "Hey, I'm smart, I'm here," they're going to take it. Maybe I shouldn't, though, unless I've really got something impactful to say. I've built a lot of my brand around what I call ABC, always be correct. Unless I'm in a brainstorming meeting or in a trusted safe space with my direct reports and I can just spitball, I'm not going to say anything in the board meeting that's conjecture. I'm going to talk about facts that I know. I'm going to always be correct.
"I know I need to be bold, I need to be brilliant, and then I need to be gone. #WWCode transcript @CloudCISO_Joan @auth0 @womenwhocode"
And you do that meeting after meeting, time after time, you start to develop the reputation. They can't help it. Oh wow, I guess every time she opens her mouth, something that's right comes out of it. And that can take a long time, but it will eventually happen if you're disciplined about it. Also, your ideas will get stolen, people will take credit for them. There's a couple ways to deal with that. One is, you can accept that. You can just say, "You know what, someone's going to get credit for this." And that's okay because as long as we do the right thing...Now, I don't want to say trust the system. I don't want to say someone will notice. No. You're going to need to somewhere make sure that someone notices, but maybe you don't always need to take the credit.
Maybe it's more important that we did what you wanted to do than that you got credit for it. So sometimes that's a way to think about it. Other times, though, if you really do want the credit, make allies, pre-socialize. Before that meeting where you're going to drop the big idea, you talk to two or three of the men who are going to be in that meeting and you get them to agree with you and think that's a good idea before you ever go in. You don't want to have the argument at the meeting. You want as much as possible, your agenda to be agreed upon before the meeting.
Then if you've done that with enough, if you've got enough of a sample size from the people who are going to be there, that's sort of a consistency check. It's a lot harder for one person to take credit for your idea when three or four of them ahead of time knew that it was your idea, and you went to them and had that one-on-one conversation. If one or two people try, there's other people who can be like, "Hey, no, wait, she came and talked to me about that two weeks ago."
And that involves building relationships and maintaining relationships, very important for that career progression. So find out, figure out who you can trust, who you can have those pre-socializing conversations with. And then sort of finally, here's my favorite hack and thought experiment lately. This is great in conflict, this is great when you're trying to explain something. This is great to just help you sometimes be a better person in whatever situation, is, I pretend I'm the CEO. What if everyone were working for me?
I know I have a tendency to treat my team, to nurture my team, the people who work for me, I want them to succeed, I nurture them. My peers, if my peers fail in front of me I'm more likely to giggle. But that's not like...If I were their boss, I would not want them to fail. So to defeat my own tendency to be much harsher on my peers than I am on my direct reports, I sometimes pretend what if everyone really did work for me? Wouldn't I want the best for everyone in this situation? Right? Wouldn't this conflict seem stupid to me if I were the CEO looking down on this conflict? So maybe I should change my tone. So there, I hope there were five things in there. And that's what I've got.