Chief Trust & Security Officer at DocuSign
Jan 26, 2021
Emily Heath shares how digital transformation over the past 10 years has impacted security and how global companies are leading with trust.
Daniel Barber 0:17
Today, we’re thrilled to welcome another industry leader in trust and security. Emily Heath, Chief trust and security officer at DocuSign. Welcome, Emily.
Emily Heath 0:26
Thank you for having me, Daniel.
Daniel Barber 0:28
Yeah, well, great to have him on the show. Like I said, I was I was super impressed by your background, and you know, all the different roles, you’ve sort of led teams and in aviation, and now in, you know, focusing on the system of agreement, would love to just learn a little bit about your background, and for our listeners, learn about how we got to here.
Emily Heath 0:46
Sure thing I’ve had a quite the past year in my career. So obviously, as you can tell by my not so California accent, I’m from England originally. And so I actually started my career as a detective in England.
For many years, I used to investigate what we called high yield investment frauds, which was people like Bernie Madoff, who stole hundreds of 1000s of millions of millions. So I started my security career back probably when cyber was not really that much of a thing back then. And I found my way into technology and actually ended up doing many different technology functions, including infrastructure and development teams, e RP, supply chain systems and those kinds of things. And then this thing called PCI compliance came along, though, you know, with it with some form of law enforcement slash legal background, I was anointed to be the person to, to figure out what all of this PCI meant. And I ended up kind of taking more of a path actually into the GRC. World first, before I went into the pure security world.
One thing I’m really grateful for is the experience I’ve had in other parts of technology that were not security because it’s made me much more well rounded leader, understanding the different areas of applications and infrastructure and those kinds of things. So So yeah, my career into the seaso world and into the information security world. kind of happened by default, I think I grew into it. I was the chief security officer of a company called eecom.
A few years ago, there 20 billion architecture engineering construction company. From there, I moved to United Airlines where I ran security for United Airlines for a number of years. And then came back to the Bay Area, because I was in Chicago for a while with United and came back to the Bay Area and joined DocuSign a little over a year ago. So what’s in the in the tech space? And I run the trust and security GRC physical security, safety and those kinds of things for DocuSign. Awesome. Yeah, quite
Daniel Barber 2:57
the journey. So you know, kind of along those lines, right. I mean, I, you know, when we talked a couple of weeks ago, we’ve definitely seen this sort of like digital transformation, just accelerated, right, where, you know, probably what we expected to see, in 10 years we’ve seen in 10 months. How do you see this impacting information security, and just like your sector in general?
Emily Heath 3:19
Yeah. So I think it’s been so interesting to be a part of this journey at DocuSign. And see how our customers have evolved because of the COVID world. And, you know, obviously, digital signatures have been a big part of their journey. And it’s been really neat to be a part of that when you see that businesses needed to transform really quickly.
from a security perspective, you know, as companies like DocuSign, and zoom and others become mainstay. We become part of any organizations ecosystem. And you know, every organization has an ecosystem these days. You know, many companies have 1000s of suppliers. And so understanding your technical footprint, as digital transformations happens across many organizations, is always a security concern.
Because everywhere you’ve got any connected anything, doesn’t matter what it is any connected anything is a potential attack vector. So so for me that the the transformation that’s happened, it’s been really neat to be a part of that success for customers. But as we’ve transformed ourselves internally, as well, within our own company, it’s constantly keeping track on on who your third parties are, what they do for you where data flows go. And the more you leverage technology and resources for that, the more we have to pay attention to it. Right.
Daniel Barber 4:37
Yeah, I mean, so along those lines, you know, definitely some big changes, I imagine for DocuSign the customers to your point, what what do you think has been a surprise over the last coming up a year, I guess?
Emily Heath 4:48
Yeah, I’m not sure if there’s been any surprise other than obviously through this through the COVID times, we all had to pivot and balance really quickly. We were very fortunate at DocuSign that we already had some of the toolings like slack and zoom and the things that we already used day to day we have a relatively remote workforce anyway.
So internally, we were able to pivot fairly quickly. What was really pleasant surprise, so I ran the COVID-19 task force with my partner in crime, who was our head of people are head of HR Joburg. Yeah, the two of us lead the lead the task force, what was really incredible was to see how the organization came together, we had a task force from all different facets of the business, we came together, sometimes we met multiple times a day in the beginning, we daily for a long time, that weekly, we still we meet monthly, but to see how people working together can really truly make a difference in times that are just difficult.
I’d say that was a really pleasant surprise. I think on the technology front, again, I mentioned for our customers, I mean, we had situations where our customer support and product teams, were helping governments move people around, you know, we were helping organizations move critical equipment to get mobilized for schools and implementing a solution like DocuSign, to enable them to do that. Otherwise, people still need signatures and days of COVID, you know, yeah, there’s no other options. So it was, it was pretty heartwarming to be a part of seeing how we could truly be a part of the digital journey that made a major difference in people’s lives.
And kudos to the to the business teams who spent hours and hours in the trenches with our customers, whether they be federal, state or private sector, to just help keep business moving. So I don’t know, it’s not necessarily a surprise, but again, on both sides of the equation for me, it’s all about people, you know, people, people, people working together to make things happen, no matter how dire the circumstances, it’s game changing. It really is.
Daniel Barber 7:05
That’s cool. I think your role and even just the title specifically is very interesting, right? I think we’ve seen this trend towards trust, obviously, you know, security, here, your background all the way back to, you know, working in working in the police force is is is is evident as a foundation. But how do you see like global brands, global leading sort of companies, leading with trust? Because I think that’s where we’re going, right? There’s definitely a path there. How do you see that happening?
Emily Heath 7:37
Yeah, so it’s, it’s always an interest where we’ve kind of pivoted in the industry to this trust. It’s always interesting, because whenever I see organizations use that, so what does that mean to you? Trust, what does that mean to you, because it encompasses a whole bunch of different things. But when you think about trust it, what we’re trying to do is inspire a feeling. And it’s that kind of non tangible that we’re trying to create. It’s a two way street.
And it’s something that is a relationship that you’re building. And there’s an organization and the way you build trust is through transparency, no surprises, transparency, I completely understand that our customers want to know how I run security at DocuSign. And we’re an open book. That’s the way that I’m going to inspire trust.
And it’s that relationship between people. And again, I know keep coming back to that, because it’s really what makes the world go around. But if you choose between security, and trust me as the relationship is, and as I mentioned earlier, every company is an ecosystem now, and for our customers for organizations that trust us, they’re trusting us with documents with sensitive information with signatures on things, they need to trust us. And so us being very, very transparent and upfront with our customers is what’s going to inspire that trust for the long term, which is hopefully a longer and meaningful relationship.
Daniel Barber 9:03
Yeah, that’s awesome. So switching gears a little bit, so I ask every person that comes on the show, you know, as a as a security Pro, I’m always curious about, you know, new sources or things that you go to read on a daily or weekly or monthly basis. Where do you go to sort of inform yourself about security or privacy or just the field you’re in in general?
Emily Heath 9:26
Yeah. So there’s a few things. I’m an avid reader, I read an awful lot. So I start my day reading the Wall Street Journal. Yeah, no, no, not in paper format anymore. But, you know, I think security has so many facets and privacy has so many facets, the consumer or enterprise that keeping tabs on day to day activities that are happening in the world is just a part of our job. For me. It’s really important. So there’s the obvious things like that. There’s a couple of online resources like cybersecurity ventures is a really good source.
We got Another CSO magazine, they’ve been around for a long time, the security equivalent of CIO magazine, they have a bunch of great stuff. So they’re kind of the the ongoing things like, I have a Twitter feed with, you know, again, monitor social media constantly to see what’s going on anyway. And then I would say, you know, the annual report or other things that I tend to refer to quite a lot. So, you know, Monday and fireeye, come out with a report every year as do the ponemon Institute, outdo CrowdStrike, and IBM, you know, having different five different views into that. It’s interesting to see because, you know, a lot of these security organizations spend a ton of time and money and effort on r&d. And they show that in their annual reports.
And so they’re always a go to, for me, every, every year, when all these come out, we and my team, we put them in a central folder, we give everybody access to them. And to me, that you see some trending and things like that, which are really important. And then it says probably the third category for me as my favorite topic, people, you know, we have a strong network insecurity. It’s one of the wonderful, magnificent things about this industry. We’re all trying to fight crime at the end of the day, let’s not get there’s criminals coming out. And the way for us to solve those problems is to work together.
And it’s a it’s a really neat part of being in the security community is we share, we share things with each other because nobody wants to see anyone else in the headlines. So the reaching into the network, if I’ve got a question or a problem, or something I’m trying to solve, I want to see how other people have done it. I don’t hesitate to ask for help. And And likewise, when other people ask for help, we don’t have we don’t hesitate to help them out, either.
Daniel Barber 11:44
That’s great. So obviously, you’ve had a very successful career. I love to hear this question. Because it’s just, you know, for folks that are aspiring to be in your shoes, right, and thinking about their career insecurity and interests and thinking about that path. What would be your one piece of advice you would offer someone who’s perhaps, you know, just embarking on that journey? This is maybe they’re, they’re graduating or thinking making a shift in their career, and they’re thinking about a career similar to yourself, what would you advise that person today,
Emily Heath 12:16
there are so many facets to security. Don’t believe for a second that you’ve got to be a hacker in order to work? Right? Yeah, I mean, we’ve got people on my team who are former lawyers for paralegals, people from audit, people from finance, you know, lots and lots of different analytical backgrounds.
There are so many the true diverse element of what security is, don’t be put off by thinking that you have to be able to hack or deal with threat intelligence, and all those things. There’s so many different facets. So find ways to talk to people about the different different types of elements of security and compliance and risk and all those things. Because no matter what your background is, you might be surprised that so many inroads that there are because it truly is a very diverse nature by by virtue of what we do.
And then if you find yourself in a security team, you know, pay attention, pop your head up every now and then realize how what you do really transpires into an effort that leads to the greatest strategy of how you’re securing a company. Because again, get to know the different departments and get to know the different areas don’t don’t be worried about moving around and learning more within the team, you know, you know, you don’t have to stick to one thing and say, Okay, I’m in vulnerability management, that’s all I’m gonna do. I’m gonna focus Yeah, open your eyes and pop your head up a little bit, because you might be surprised that you might get drawn to other things. And, you know, don’t be afraid to lock up and hold your hand up and ask for help. Because again, wonderful thing about security community is people love to help each other out. And there’s a robbery in a spirit that people want to help each other genuinely so. So try things out. Try some try. Don’t make your mind up too soon.
On thinking that you want to be an ethical hacker or you only want to do intelligence, try a few other things because it will make you a much more well rounded professional.
Daniel Barber 14:13
That’s awesome. Some great advice. Well, Emily really enjoyed the show. Like I said, your focus on trust is inspirational your points on transparency Island and learn something there too. And your sources were fantastic. I wrote down a couple of myself. So again, thank you. And yet, enjoy the conversation. Look forward to chatting again soon. And for those that want to tune in, you can find the GrailCast on iTunes, Spotify, SoundCloud, and all the major channels. Thanks again.
Emily Heath 14:41
My pleasure, Daniel. Thank you for having me.