Lessons - Dedicated CISO Teams & Sophisticated Security Threats | John Downey, CISO at GoFundMe

➡️ Like The Podcast? Leave A Rating: https://ratethispodcast.com/successstory
In this episode of "Success Story: Lessons," we delve into the dynamic world of cybersecurity with John Downey, Chief Information Security Officer at GoFundMe. John shares his extensive experience in managing digital security threats, the evolving role of cybersecurity in organizations, and the unique challenges faced in the nonprofit sector.
Emergence of Sophisticated Security Threats: John talks about the increasing prevalence and complexity of security threats, highlighting how this trend has evolved, especially since 2013.
The Role of CISOs in Modern Organizations: Exploring the necessity of having dedicated security professionals like CISOs in organizations, particularly in the wake of escalating cyber threats.
Impact of Remote Work on Cybersecurity: An analysis of how the shift to remote work during the COVID-19 pandemic has altered the security landscape and the challenges it presents.
Nonprofits and Cybersecurity Challenges: John shares his perspective on the unique cybersecurity hurdles faced by nonprofits and his decision to join the nonprofit sector, emphasizing the talent deficit and resource constraints in these organizations.
➡️ Show Links
https://successstorypodcast.com
YouTube: https://youtu.be/Rv6oHZno4Ik
Apple: https://podcasts.apple.com/us/podcast/success-story-with-scott-d-clary/id1484783544
Spotify: https://open.spotify.com/episode/3knf32b2M5sLIwLPETZQaP
https://www.linkedin.com/in/jtdowney/
➡️ Watch the Podcast On Youtube
https://www.youtube.com/c/scottdclary
Welcome to Lessons episodes of Success Story, part of the HubSpot podcast network. These Lessons episodes will be shorter conversations with past guests, valued members of the Success Story community, and myself. They'll be focused on teaching you actionable, insightful takeaways that you can use to upskill your personal and professional life.

You start to see more and more prevalent security threats and more complicated security threats. And there's always been threats, right? But do you notice that more companies are creating dedicated teams? Is this more of a, like, a 2023 thing? Is this like you have to have a CISO in your organization as soon as you can get one because there's just so many bad actors and they're so sophisticated? Is this like the norm now?

I think it's been kind of developing as the norm for a number of years. And so in my career, I kind of see a few milestones. So there's 2013. There's a couple of major retail breaches, so you saw Target and a few others. And that was kind of the point at which it became clear that a security incident was not just going to affect the chief security officer. It was also going to affect other C-level executives at the company. So that was an interesting kind of development. And then, you know, fast forward a couple of years, you had 2016. You had the election interference and the hack of the DNC. That kind of, you know, was another big aspect. Fast forward to 2020, everybody went to work from home. There's the, you know, the joke of, like, which C word, major, you know, drove the technology innovation at your company: was it the CTO, the CEO, or the COVID-19? Because everybody overnight went work from home, and that, you know, radically changed the security landscape. And then, you know, kind of fast forward to today, you know, these inflection points keep hitting.

And then we have a big one, at least for public companies, with the SEC rules that, you know, are currently a proposal, most likely going to pass, that are going to require that you start to report on the cybersecurity expertise of your board, that the board has to acknowledge that they have cybersecurity oversight responsibility, kind of setting out rules and requirements for reporting of cybersecurity incidents. And then just even a couple of days ago, the Biden administration putting out the national cybersecurity strategy from CISA, the critical infrastructure security administration as part of DHS. They set out kind of like, here's how, you know, technology is critical. Security issues in technology, you know, kind of affect the entire American people. And here's what we're going to do to make sure that companies are taking responsibility for this, because there's really an underlying current of, you know, kind of, so what? Like, we have a security issue, the stock price rebounds, you know, maybe someone loses their job, but it's like not that big of a deal, except for it has, you know, started to become a big deal, and companies are starting to realize it. But I think politically the regulators are starting to say, look, we have to get involved and push companies harder and faster.

When you look at what the SEC is doing, is it enough? Does the SEC know what good looks like, or is there more that has to be done?

So I think that's a great question. I think the SEC is largely, in my opinion, catching up with where highly regulated organizations, right, so like financial services, health care, places like that, had already had a lot of these kind of requirements in place, where the SEC is kind of coming in and clarifying that this isn't just those industries, it's all industries. And also clearly, you know, clarifying why: the SEC's goal is always, we need to empower investors and protect investors.

And so what requirements are there, you know, if you have an incident, but the incident maybe doesn't reach this, you know, this kind of mythical material level? What does that even mean? Like, the SEC is kind of laying out, like, well, no, here's what that means, here's what we have to put into your 8-K, which is the form that you have to file when there's a, you know, material incident, and here's specifically how long it's been going on, kind of like the criteria of it. You know, are they going far enough? I think that's a great thing we'll kind of see over the next few years, if, you know, companies really start to increase the reporting and the visibility, if the sunlight actually kind of acts as an agent of change. But I don't know, you know, I think a lot of the regulated issues were already this way, especially if you are regulated out of states like New York, where they already had very stringent requirements for financial services companies. You know, you're seeing a lot of these things are things that you had to do already.

I've always found that on average, nonprofits do not have the expertise that the for-profit business world has, and I'm interested as to you as, like, a case study as to what made you want to move into the nonprofit world, because somebody with the information security background from PayPal, I would say there's unlimited career opportunities, potential, money out there that you could go chase after. And I think that's actually a problem that a lot of nonprofits have. I think that they do not know either how to, or cannot afford to pay, because the business model is suffering to some degree, to pay the salaries of the people that can move the organization forward, and not even just information security, like sales, marketing, everything.

But you made that conscious decision, and I think that that's remarkable. So I feel safe with GoFundMe, I feel safe with Classy, but I think a lot of nonprofits suffer from this, which is why you see trust in nonprofits start to be great, to be quite honest. But what was that thought process for you? How did you make that jump? Why were you able to do that? Why did GoFundMe look towards somebody who was highly capable to bring into the organization?

Yeah, so I spent, as you mentioned, I spent a number of years at PayPal, and I knew my next steps. I wanted to stay in financial services, so I actually went to and spent a little bit of time in insurance just to try my hat on another financial services sector. My passion is for payments, and it's weird to say, but like I kind of got really good at it. I learned a lot about how the banking system works, how messy it can be, but how functional, and in a lot of ways it isn't, how important it is. You look at a lot of the last couple of weeks here with the Fed and the banks in the U.S., and so I wanted to kind of stick to that. So GoFundMe and Classy offer a way to kind of like, for me, stay in payments, but also feel a lot better about what I was doing on a day to day. And now that, obviously, I hold no animus towards any of my prior employers, we were doing great work, but it helps day to day, I feel the impact a lot more at GoFundMe and Classy. In terms of, you know, you've raised a great point around nonprofits, and you know, the whole kind of government, NPO sector, you know, NGO sector has a real deficit of talent in a lot of cases.

There's recently been a case where, you know, the NSA and others have been like, hey, we want to do a talent swap with industry, where they want to go to, like, Google and Facebook and others and say, hey, well, we'll swap people with you, like you can kind of send your best security engineers to us and we'll train them to help us in our fight against, you know, whatever it is. And then they'll work for us for a few years and then we'll swap them back, and you know, kind of like, you know, as a way to maybe get talent. That's something they've kind of floated recently. I think this, you know, it just goes to show you that there's a real issue here, and a lot of that kind of stems back to, just, you know, nonprofits have a lot of the, in my experience, have a lot of the issues startups do. You know, they're small, they usually have very limited resources, scrappy team, everybody's, the thing I love about being at a startup is everybody did everything, right? Like my job, when I went to join Braintree, said that I may be asked to take the trash out. I thought that was awesome because it was something I was really passionate about. I think the people who work at small nonprofits, small to medium sized nonprofits, have the same passion, but you know, maybe a little bit different mission alignment, right? They're very philanthropic, like kind of looking to do, you know, do the most good. And the key thing I see is sort of the funding, right? So in a startup, you know, another dollar going towards AWS or GitHub or some developer tool, you know, it kind of makes sense. It's, you know, an investment that you're kind of making towards the future. When you're in a nonprofit, a lot of these dollars, like, you want to maximize your dollars going to programs. How can I deliver whatever help my nonprofit is trying to deliver?

I want to maximize that, which means, you know, paying less on salaries, investing less on training, investing less on, you know, other things. Until you get bigger and you hit this kind of inflection point at which, you know, you kind of have to make that risk-based decision. But smaller organizations, community organizations, they're really trying to maximize the program, how much they can put into the program, which means they have to minimize a lot of other stuff.