Conversations #71: Donna Hart, Chief Information Security Officer at Ally
Deepali Chouhan, Product Owner at Ping and Women Who Code Vancouver Director, sits down to speak with Donna Hart, Chief Information Security Officer at Ally. They discuss Donna’s work in cybersecurity, the mindset she’s used to navigating her career, her philosophy on leadership, and some of her work experiences at Ally.
Can you tell us about your career journey?
Out of college, I was fortunate enough to join one of the first associate programs for technology at First Union Corporation. It was a great introduction to the corporation and technology itself. I got to meet a lot of people who were straight out of college and built some lifetime friendships.
I joined the project management organization, got a position in desktop services, and then moved to network services. I ran the IP, DNS, and proxy group there, which was challenging. Then I went to network performance engineering, where we looked at the network's capacity and how we grew our network to be smart.
As we entered the merger with Wells Fargo, I was an individual contributor doing a project integration role for the networks. I took a production operations management role from there, like a division lead for a CIO role. I was assigned a special project on the DDoS challenges of 2012 - 2014.
The security division asked me to take over network security, where we did firewall and intrusion detection systems. At that point, I started loving everything about security. It was challenging and grew fast. We had so much work to do, and it was a lot of fun. Then I joined Ally as the Chief Information Security Officer, which is where I am today.
What made you try all these different career opportunities?
Each one was for a different reason or theme. I love a good challenge. Once I became competent at something, I was ready for a new challenge. I like the idea of learning. I like the idea of taking on new things.
As women, we face interesting challenges and obstacles. When I faced someone in leadership that didn’t believe in me, rather than going against the system, I said, “I’m ready for a new challenge.”
One of my first big challenges was the DNS IP job. One of the most critical functions of in-network services is to make the network move. I didn't know much about the space and had a very short time to learn. I focused on the skills I brought to the table, like relationship management, leadership, and command. Then slowly, I learned the underlying technology to be proficient.
Sometimes as women, we have multiple things in our lives that make it harder for us to focus and be an A student in one area. We can have a family. We can have aging parents. We can have siblings or friends or some situation absorbing our personal life. With our jobs, we focus on competence. Competence is great because you can do your job with less challenge, brainpower, and hours on the job.
The problem is that if we spend too much time there because we love being good at it, we don't grow and build the skill set we need to grow into leadership. You've got to have more than one technology under your belt. You've got to have more than one skill set under your belt. And so it's imperative to move from group to group and constantly challenge yourself to learn something new and do something different.
Sometimes you're going to succeed, and sometimes you won't. That's something that I've been really lucky with. It hasn’t been an upward climb. Sometimes it’s been downward. My career hasn’t been a ladder. It's been a river. Sometimes I didn't succeed, but I've learned every time I didn't succeed.
What specific skill sets are required to move from independent contributor to leadership? Can those skills be learned, or are some just natural?
Individual contributor and leadership roles have a lot in common. In both roles, you’re going to work hard. You're not always going to make your boss and peers happy but satisfied with your work. You have to perform consistently, and you have to think about the entirety of the work consistently. You can't just look heads down all the time and type as an individual contributor.
As a leader, you add a layer of people you must satisfy. You have to satisfy your boss and the people you work for, and then you have to satisfy those who work by your side because it's a partnership, especially in technology. Nothing's done in a vacuum. There's a relationship management role that is so critical to leadership, and if that's something you struggle with, then you've got to address it.
Another thing with leadership is that you have to work hard. No one wants to work for a leader who isn't pulling enormous weight. You're not going to create a command if you're not working harder than everyone else.
Can you share your roles and responsibilities as a Chief Information Security Officer?
The first thing I did when I came on as the Chief Information Security Officer was decide the framework I wanted to use to manage cybersecurity. You want a strong vulnerability management program, asset program, insider threat program, and cyber defense and response program. You need an automation function. You want to make sure your perimeter controls, your firewalls, your intrusion detection systems, and your email protection systems are top-level and consistently deployed within your organization.
I created a list of 17 functions and assessed those with my team and a consulting company. Then I had outside parties tell me where they felt our organization stood. From there, we created a baseline and tried to figure out where we could deliver improvements to those functions across the organization.
I reorganized my staff to ensure I had the right people in the right place. Then I looked at the technology to see if we were best in class and to find out where improvements could be made. I thought about investing in technology and creating a risk-based approach to use the available funds.
I started from the outside with the firewalls, the detection systems, the routers, and the switches, and then went inside all the way down to the data. I had to think about how to protect the data. Then I thought about processes and looked into things that were making us less strong because our processes weren’t built in the most efficient ways.
Once the delivery section was done, I started the assessment stage over again to try and deliver at the next level while focussing on efficiency. Overall it was about better processes, less overhead, and looking at ways to use technology differently.
How is security evolving with all these new technologies and concepts?
Cloud, Web3, and Metaverse are all your attack surface area expansions. As you expand those service areas, you must apply the same framework, although you might use different technologies. There may be reputational threats versus technology threats. If you're doing the efficiency part of your job, as those surface areas increase, you must constantly assess.
It is imperative to get tech debt out of your corporation so that as you expand your surface area, you reduce the amount you have to cover from a landscape perspective. Assess, deliver, and efficiently.
How does Ally support you in your role, including policy and management?
It's great to be part of an up-and-coming company like Ally. We are a 100% digital bank and the largest auto lender in the United States. We're growing into the investment and the credit card space.
The leadership is phenomenal here. They have been so supportive of cyber and protecting the customer. Our motto is, do it right. It's really simple, but it does mean a lot. They invest heavily in cyber technology because we're a digital bank, and they want to ensure that we're thinking about our customers and protecting them down to that data layer. It’s impressive that we have support from our executive board on this effort.
Security is constant. You have to be good a hundred percent of the time, and the threat actors only have to be good once. You have to be aware constantly, and they know that, and they're very supportive of ensuring that we're getting what we need.
What are you passionate about outside of work?
My kids. I've been a working mom for 20 years. When I'm not working, I'm focused on family. I spend a lot of time at my kids' soccer games. My son's in college, so we go see him. My parents are still very much in my life, as well as my husband's parents.
We love to travel. I’m passionate about getting out into the world and seeing new things. Sometimes we can get a little too hyper-focused, and travel opens your eyes to what other things look like and what the rest of the world feels like.
What is your best pro tip for women in tech?
You can't control other people. You can only control your reaction to them. That is imperative to constantly have in your head as you're thinking about your career. Sometimes you'll be in a situation where too many obstacles are in front of you to do what you need to do. It’s okay to leave, but sometimes running around those obstacles is great. Much of my career has been a balance between running around obstacles and deciding that it's time for a new challenge. Own your career. It isn’t anyone else's.