Conversation with Yabing Wang
Good day, and welcome to another edition of our Digital Industry Leadership Podcast. Today I’m pleased to host Yabing Wang, the Deputy Chief Information Security Officer of Carrier Corporation. Yabing is a strategic-risk-management-oriented, results-driven professional with 20+ years of experience in technology and cybersecurity. She has a proven capability to set security strategies and directions, as well as create road maps and reference architectures, with a demonstrated ability to focus on delivering security capabilities and solutions that support business strategies. She’s proud to be a passionate, collaborative and influential senior leader who works across boundaries and enables others to be successful. Yabing, welcome to our Digital Industry Leadership Podcast today.
Thank you, Ken, for having me, and thank you for the introduction. I’m honored to share my journey and perspectives with the group. Thank you.
Great, and we’re honored to have you on the program. This is such an interesting area of cybersecurity at this point, and you, along with several others that we know of in the space, are very influential in it, so we’re looking forward to the discussion. Let’s start with your professional journey. Tell us a bit about your background and how it has informed your views of Digital Industry.
Sure. I grew up in China and came to the United States after I finished my undergraduate degree and my first graduate degree, in philosophy actually. I went to the University of Illinois, Urbana-Champaign, for my master’s degree in Computer Science. After that I joined Netscape Communications in 1998. Netscape was the pioneer of the internet in the 90s. Not only did they have the first browser, the Netscape browser, but Netscape was also the pioneer of the whole eCommerce movement in the late 90s. They offered a lot of the technologies to support eCommerce, including web servers, directory servers, application servers, portal servers, the whole ecosystem to support eCommerce at that time. So, what I spent the first five years doing was helping their customers push their services onto the internet, which gave me the opportunity to be at the forefront of digitalization 20 years ago.
I joined Allstate after Netscape, and that was the start of my security profession. After 15 years at Allstate, I joined Alight Solutions. Alight offers benefits management for a lot of Fortune 500 companies and mid-size companies. After being there for two years I joined Carrier Corporation early this year. Carrier is a manufacturing company that just spun off from its parent company, and it has HVAC residential and commercial, refrigeration, and fire and security systems as part of our core business. So, each of the companies that I worked for is from a different industry, and they are all doing digital transformation in their own ways. So, if you look at how 20 years ago we called bringing services online “dotcom, or eCommerce”, 20 years later this has become more prevalent and we call it “cloud and digitalization”. So, my whole career has been about entering the digital industry from different angles.
How did these roles and responsibilities, really leadership positions across these companies, prepare you for today’s role?
At Netscape, I started as an individual contributor. I played more of an influencing role, leading projects and managing people virtually. At Allstate, over 15 years, I went from Security Engineer to Chief Security Architect, and I led multiple teams including our security team, the infrastructure architecture team, and the enterprise architecture governance team. At Alight I was the VP of global security, responsible for security architecture and engineering. Here at Carrier, I’m the Deputy CISO. I have all of security strategy, architecture, engineering, and operations, including all the technologies supporting the cyber organization, and also all the strategy for the cybersecurity portfolio.
So, if I talk about my career leadership development in a nutshell, I started as a developer and engineer, became an architect, evolved from individual contributor to management, and have grown my responsibilities along the way. Here is how I look at leadership. Leadership is not only about how many people are on your team, or how much responsibility you have; it is really about how much positive change you make to the company and the business, and how much you influence the people around you. You’ve just asked me how I grew into this role, and when I look back I think two things really helped me.
ONE is realizing how important the salesman’s skill is for any role. Even though I was an engineer or architect, I needed to sell the idea of why this solution is the best among all the options. As a leader, I need to sell the idea of why this direction is the right decision, or why we need to spend money on these particular services and not on other projects. So, I think the salesman skillset is one big thing along my journey, and that is how I learned it.
The second one is how important it is to respect and collaborate with others and build a virtual alliance with your teams, with your peers, with the stakeholders, and with management. I think that made my job easier. Things are done through people, not just through individual technology; yes, things are done through people and relationships. I think those two things really helped me get into today’s role.
And today’s role is absolutely critical, given the larger attack surfaces that corporations represent these days. You’ve been at the forefront of information security for quite a while. Tell us about some of your insights over that time, and more importantly on cloud computing security.
As I mentioned, if 20 years ago we knew eCommerce would be the future, and that’s how it grew over the past 20 years, today we’d say the same thing: cloud is the future. Moving to the cloud is not a question of why, it’s a question of when, because everybody has their own pace and maturity. So, in the cloud world, the whole concept is that there’s no datacenter; you don’t have a network perimeter anymore. One of the bigger things here for security is really looking at how identity becomes the new network perimeter. So, the whole of identity and access management becomes the key to securing cloud, and that includes how we do identity provisioning and de-provisioning, how we do roles and groups, how access is given, how we manage privileged accounts, and how we do lifecycle management and governance for the whole identity. Of course, how we do authentication, how we manage the keys and tokens, the whole nine yards of Identity and Access Management, becomes more and more critical in this cloud world.
Another thing is how we can automate security in the cloud world. Not everything is serverless yet, therefore we still need to be able to do the workloads. So we need to embed security into the workload build, embed security into application development, not only provide the guardrails but try to turn all the policies into policy-as-code in that process. We really don’t want to go back to the waterfall methodology, where a lot of manual approvals sit in the phase gating. That takes time. Right now, everything is about quicker delivery; that’s why cloud is there too. So, in other words, automating those approvals into your process becomes another key for security. A couple more things I can touch on. Data protection. Because data is no longer in the house, in the datacenter where you have a “wall” around it, now everything is in the cloud and people access it from anywhere, anytime, so the way you look at the data and at data protection also becomes critical. I’m not talking about just encryption. It used to be that people could choose whether to do encryption or not; now everything has to be encrypted.
Maybe you have a different way to do tokenization or another way to do data loss prevention, but figuring out the right way to protect the data is another key. So, another one for cloud security is how monitoring and incident response become more critical. Because it doesn’t matter how good you are at protection and prevention, there are always holes or vulnerabilities somewhere. Hackers are smart, they can find ways to exploit, so monitoring becomes more important so we can respond quicker, and we can figure out a way even to predict what could happen. So those are some of the things I think are the keys to helping move to the cloud, and security becomes much, much more of a partnership with the technology group to make that happen.
There’s a general philosophy we discussed in prior podcasts about the role of the CIO, Chief Digital Officer, or in this case the CISO. Generally, we cluster IT leaders into two categories: those keeping the lights on, keeping the infrastructure running, protecting from risk, etc., and those that are really enabling new business lines, creating new P&Ls, what I’ll call digital strategies. CISOs, maybe unfairly, are often clustered into that first category, providing critical resiliency for enterprise systems and connected products. I was interested in our earlier discussion before the podcast that you see the role as more toward the latter, and so I’m curious about this. Can you give us a bit more perspective on that?
Sure. You’re right that the traditional CISO role only adopts a cyber defense approach. They are the ones behind the scenes doing their work, and they are the ones trying to help the corporation assess the risk, to make a judgment call when something happens about what kind of risks the company can tolerate. A lot of the time the traditional CISO roles are trying to protect the CEOs, the board, and the company. So, from the traditional security angle, nobody really remembers the security team unless something is broken or some projects are stopped by the security team. That makes security more about trying not to break anything, or keeping the lights on. It is necessary but not enough, in my opinion. So, I don’t like the CISO role as a reactive or survival role; I think the CISO role should be more business-oriented and strategy-focused, because, as I mentioned, eCommerce and cloud services have become the direction for everybody, and security has to be part of that. Not only part of the technology direction but part of the business, because the technology in the end is driving the business model and growth.
So, today's CISO role should act as a business enabler, in my view, and they should be more closely aligned with the company's objectives and digital strategy to provide the business with more options, more options to arrive at a solution. It’s not about “no, you cannot do it,” it’s about “let’s figure out what options will be best for the business and for security, for the business growth, and for risk management”. So, the more the business sees the value from the cyber team, the better support the CISO will get from everybody. Building trust with others can help enable the business. I think that is the direction CISOs should go.
We’ve also noted in prior podcasts that cybersecurity has become probably the greatest catalyst for enterprise harmonization since ERP. I was talking with a Chief Digital Officer just a couple of days ago, and he was commenting on the fact that the organizational design, what sits in the center and what sits in the BUs, is also being driven largely by attack surfaces, which is an interesting model when you think about it. So, where do you see the key opportunities for cybersecurity features and services to provide not just risk management but revenue enhancement for industrial companies?
I think different industries may have different opportunities when looking at how the security organization can help with revenue generation or enhancement. One example I can give is how it depends on the services that each company offers. If the security controls can be embedded into that service offering, that is a great opportunity. That could be, for example, how you include identity and access management, different levels of IAM, into your service, or different levels of monitoring and alerting into your services, and even sometimes different levels of anti-fraud capabilities. So the example could be that when we run a business and try to define the level of offerings, let’s say you define gold, silver and bronze levels of your service offering, and define gold with greater support and hyper care from the business level, you could also say that this service includes the strongest security controls, which means you invest more in the security controls. There are also things bundled together as a gold service that the company could pay more for to get better services. Think about how security is part of quality; it becomes how security is part of the services. So, the bronze level invests in basic support, and that includes the minimum or must-have security. So, I witnessed how each of the companies tried to embed that into their services, and I think that is a success story for cybersecurity enabling the business.
I like that. In some sense, it’s protection, managed security, you could say managed uptime; all of those things go hand in hand in terms of continuous uptime and protection.
Ultimately the trend moves to product as a service, so people buying Carrier's chillers will basically buy the chilling effect in the end. So, in our executive search work we’ve placed quite a few cybersecurity leaders, including some at Carrier, and we’ve noticed the predominance of women in these leadership roles compared to peer IT roles. Have you seen the same, and what do you think makes this such an attractive field?
[Laughs] I’m not sure about predominance across the industry, but I do see those numbers growing. I remember some statistics that in Fortune 500 companies 13% of the CISOs are women, and I think there’s other research showing that 19% of CIOs are women and 12% of CFOs are women. I think the lowest number is CEOs; I think it was 5% and has now grown to 8%. So, it is kind of saying a similar thing. I am not saying cyber has a bigger number, but we do see from the CISO perspective that the recent new CISOs who are women are a bigger number than the traditional ones. So, while looking at it, I’m thinking about why women get more attracted to the CISO role or play more of a key role here, and I’m thinking about two possibilities, two reasons [laughs].
One is that the CISO role requires a lot of collaboration and relationship building. As I said, it’s not about the CISO trying to stop something. If security is trying to enable the business, collaboration and relationship building with the stakeholders, not only internal but even external with peers in the community and in the industry, is very key. So, particularly I would say that even though leadership overall requires that collaboration, I think the CISO and the security profession face a unique challenge. Because, as I mentioned, it doesn’t matter how good you are, there are tons of smart people out there who can find ways to exploit things in your organization. We’re in the dark, we don’t see them; they see us. So, if the good ones re-align, build an alliance, and do this together, there’s a much better chance for us to win the battle. My point is that a successful CISO should be a really good collaborator. The funny thing here is that there are studies showing that in a collaborative work culture, women can carry more of the weight. So, I do think women have more of a tendency to include others, to collaborate more with others and support each other, and that’s kind of one view.
Another reason I can think of is that women have more of a sense of balance [laughs]. As we balance work and life, we’re the masters of handling things at work, at home, and in playing multiple roles, as moms, wives, daughters, engineers and others. We are good at that naturally, or you can say we’ve been trained well to play that role. So, when we walk into the crazy cyber world, we’re not shocked but still calm, able to juggle things around as we juggle daily between work and life. I do believe men are pretty strong at handling stress, but women, in a different way, are pretty strong at balancing that. Just my two cents.
I like that. We had a webinar a year ago called ‘Connect and Protect’ where we featured a number of prominent CISOs, several women among them, and we asked a similar question. I think your latter answer hit squarely on that, because they said it really was the ability to multi-task, as you say, to balance work and life. But because everything is so event-driven, you’ve got threats coming in, you’ve got to coordinate, if you will, across all of the divisions you’re responsible for to manage a fabric of protection. So it is interesting and is something that we continue to see, at least in our exec search arm, so I’ve always found it quite fascinating.
We’ve been through some extraordinary times over the last 10 or 11 months now with COVID-19, and we’ve kind of characterized it internally as a bit of a digital accelerator, in that it really equipped newly remote workers, and newly remotely managed assets in many cases. What are some of the changes you’ve seen in client requirements since the start of the pandemic, and what do you think will be the long-term implications for information security?
Yeah, 2020 is a tough year from many different angles, and this pandemic, as you said, definitely became a digital accelerator. The noticeable changes, I have to say, are three parts. One is the whole remote working style and how that brings effectiveness to working in different places. Every company is at a different stage in allowing remote working. In certain situations, you do need people to come to a factory or into the office to do research. But that remote working style right now more and more shows that when people are not in the office they can do the work right and make the work effective. I think that’s one big change.
And the second big change is communication. It’s not only how you communicate within your teams, how you communicate with different teams in your company, and how you communicate with others. It is tough in the sense that there are no conferences you can go to, and there are not many opportunities to directly interact with others. That triggers people to think of other ways of communicating.
So, the last thing I would say is socializing. This one is challenging, as it is the best way to build relationships. We’re relying on Teams and Zoom, we rely on watching people on video, but we cannot go out for a drink together anymore, we cannot do anything together anymore. That is another change, and I want to say that it not only impacts the work but impacts my lifestyle too. I used to play a lot of sports with others, and now we have less opportunity to do that, so I have to run by myself. Those changes, personally and professionally, have impacted my lifestyle. Not everything is good from the beginning, so people are looking to improve these things.
So, from an implication perspective for security, I would say two big things. One is the acceleration of the adoption of this philosophy called zero trust. Zero trust means that you treat people internally and externally the same, meaning that companies have to provide the capabilities to allow people to come from anywhere at any time, securely. So the way we have to look at our capabilities to support this zero-trust philosophy is a little bit different now; that means how we adopt the right way of doing remote access, how we do the right way of securing our endpoints, how we do data loss prevention, how we ensure cloud security as we discussed before, and how we do unified communication in a secure way. So, we security professionals have got to look at this differently to support this remote working style. It’s not just 2020, it could be any future year, so looking at security in a different way is the key now.
Another thing that actually becomes more interesting is that every security organization wants to manage risk, including vendor risk. This whole epidemic, this whole remote access, has started to impact how we view and how we assess vendors, because a physical visit is difficult now. Every year we used to think of the top vendors we wanted to go and visit; we’d want to see their physical security, we’d want to see how things are being run in the data center, how things are run in the field. We are no longer able to do that, so how can we trust and verify in a different way? How can we leverage an industry scoring system instead of our own scoring system to evaluate vendors? I think that is a lot of acceleration for vendor risk management in security. I would say it is actually in the right direction, because you will no longer be able to do things yourself anyway; you are relying on the industry, you are relying on the community, you are relying on this virtual alliance together. I think it’s the right direction from the security angle.
And many of these are not inter-measurable, because the new normal, especially amongst tech companies, will be working remotely per se, and the new operating pattern for a lot of assets will be to run them remotely as well, so these are great infrastructural items to have in place for this new normal. Given your own career success, what advice would you offer to those who aspire to be a CISO?
Everybody’s career path is different, and the pace of success is different too. If I look at myself, there are a couple of things I can think of. I started with a philosophy background, stayed in technology for 25 years, and picked up security 18 years ago. My journey and those of others I know share one thing in common: it doesn’t matter where you started, you could land in security and land in the CISO role one day if you have the passion for it. I think that’s the key, the passion. Here’s why I say that. If you look at the CISO role, number one, it is challenging. The security world always has something going on: threats, vulnerabilities, incidents, events, projects, operations. So ask yourself, do you enjoy that? Do you enjoy that challenging role daily? Only when you have a passion for it will you enjoy this.
Another one is that, in my view, security is not one field. Security resides in every single field, which means it’s a lifetime learning opportunity. Not only a learning opportunity for security itself, but for everything else as well. With all the new technology advancing so quickly, we get to learn that as well, outside of security. For example, learning cloud, learning data analytics, learning AI, learning IoT, even learning quantum computing. If we don’t know them, how can we know how to secure them? So, I would say ask yourself, is learning part of your style? Do you enjoy that for the rest of your life?
Another thing. I was chatting with my CISO friends about the CISO role: the CISO is not as powerful as the CEO, who shapes the business direction and strategy. It is not as impactful as the CTO or CDO, who drive innovation in a business through technology and digital transformation. So, ask yourself, do you want to change then? To my previous point, the CISO can still shape the company’s future before we can figure out ways to make security a business differentiator, a revenue generator, or at least a business enabler. If you have a passion for making positive impacts, you can challenge yourself to transform the CISO role into a business-oriented role in the company.
So, in closing, can you provide recommendations for books and/or resources that inspired you?
I’d like to provide two names, two people who inspired me [laughs]. One is RBG, Ruth Bader Ginsburg. She really inspired me with her leadership qualities; she’s truly my role model. There are many leadership styles and she embodies the kind I like, which is that to be a great leader you don’t have to be aggressive or really demanding. You lead by example. You don’t need to be talkative all the time, you don’t need to be the center of the crowd all the time. You do need to stand up for the things you care about. I like the way she said, ‘Fight for the things that you care about, but do it in a way that will lead others to join you.’ She truly is my role model.
The second person who inspires me is Elon Musk. He is not only talented but also a genius, and none of us can compare with him! But the way he inspired me is that he’s always thinking about solving problems, and the bigger strategic problems of human beings. His life, to me, is all about looking for new things, looking for innovative ways to solve problems. Most people are able to see the problems, the smarter ones know how to solve the problems, and the wise ones know what problems to solve and focus on. So, to me, Elon Musk is a smart and wise one, and I personally strive to be like that as well. So, both of them really made a big dent in my life and career.
Two great role models, Ruth Bader Ginsburg and Elon Musk. And in some sense very much the same, and very different people as well. So, Yabing, thank you for providing this insightful interview.
Oh, thanks again, Ken, for having me. I really appreciate Momenta putting together this leadership series. This is a lot about how everybody should work together in the community to support each other. Thank you.
Thank you for joining us as well, and I very much appreciate your comments around the community, because we do feel that this is very much about an ecosystem and community building.
So, this has been Yabing Wang, Deputy CISO of Carrier Corporation, and perhaps if I can throw in another title, Chief Relationship Builder there as well.
Thank you for listening and please join us next week for the next episode of our digital industry leadership podcast series.