Wisdom From The Women Leading The Cybersecurity Industry, With Marianne Bailey of Guidehouse

An Interview With Jason Remillard

Always be upbeat and positive around your workforce. Whether it is a small hello, a wave across the parking lot, a two second conversation in the cafeteria or a quick note to check on someone, the impact of being present and engaging can make someone’s day. If your workforce thinks you care, they will care too! Don’t ever underestimate how powerful this small acknowledgement can be or how detrimental the lack of it can be.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Marianne Bailey. She is a partner at Guidehouse who leads the Advanced Solutions Cybersecurity practice to provide strategies and solutions which enable Guidehouse clients to manage their cybersecurity risks. Guidehouse’s Cybersecurity offerings include Strategy and Security Architecture, Cyber Resilience, Executive Cybersecurity Support, Incident Prevention and Response, Identity and Access Management (IAM), High Value Asset Management, and Data Protection and Privacy. Marianne and her team bring the power of leveraging other Guidehouse Solutions areas of Artificial Intelligence, Open Source Solutions, Advanced Analytics, Enterprise Risk Management, and Digital & Emerging Technologies as they partner with clients to develop and sustain cyber resilience to mitigate cybersecurity risks against current and emerging threats.

Marianne brings over 35 years of experience across the Department of Defense (DoD), Intelligence community, and civil government sectors. She served as Deputy National Manager for National Security Systems (NSS) and Senior Cybersecurity Executive for the National Security Agency where she was directly responsible for systems across the government containing classified and/or sensitive information. She also served as both Principal Deputy for Cybersecurity and Deputy Chief Information Security Officer (DCISO), Department of Defense, CIO. She received the Distinguished Executive Presidential Rank Award, the highest government civilian recognition, for her contributions to national security. Marianne has led US cyber policy and technology issues internationally and is well known for her global leadership in cyber. She has received many awards recognizing her efforts to include the Office of the Secretary of Defense Medal for Exceptional Civilian Service, FedScoop’s Top Women in IT and Washington’s Top 25 Cyber Executives to Watch (2020).

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up in Maryland, the youngest of 4 siblings. My dad was a WWII veteran, a mailman and an avid learner. My mom stayed home until I was in elementary school and then went back to work. My dad was extremely pro-college. It was not really a discussion; it was given. Having grown up quite poor during the depression, he would say no one can ever take away your education. My dad was so supportive and so proud of us. He was the best cheerleader. If you fall, you get back up and try again. He always used to tell us, “I went to the I CAN DO school.” Which meant “we could do” also. Never accepting anything less than succeeding. This taught me that perseverance is the way to success. Each of my siblings studied STEM classes in high school (chemistry, calculus, physics) and I followed in their footsteps. My siblings were among the less than 10% of graduates from my high school who went to college. My oldest brother became a structural engineer.

As my luck would have it, my high school hired a new physics teacher, Bill Fagan, the year I was to take the class (11th grade). He was an electrical engineer, decided to change career paths and become a teacher to inspire the youth. Being appalled at this college bound statistic, he decided to prepare us. He did two things that lit that fire for me. First, he was the most difficult teacher, subject matter wise, that I had experienced. I had to work very hard to do well in his class and I realized how much of a reward I received from such a challenge. Second, and not related to physics in any way, he assigned us a term paper to investigate 5 career choices and associated degrees, 5 colleges for each degree, and list pros and cons. What a gift to put that much effort into my career choice at 16. Without the Internet this was quite a time-consuming task. Afterwards, I thought I wanted to be a physicist but in my research of the types of jobs I would land with a physics degree, I chose engineering as my path. I applied to University of Maryland College of Engineering and received a full scholarship. It was not an easy path as there were very few women in engineering at UofM. I dealt with some situations that would have professors fired today and this is where my Dad’s guidance helped me persevere.

I also learned a very valuable lesson on how important mentoring is for our young people and never to underestimate how providing guidance and support can impact someone’s life. Throughout my career I prided myself on coaching and mentoring anyone who was interested and I was honored to have many people ask me.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I have studied leadership for years, formally and informally. I have read many good books and listened to many leaders. Each of them has taught me something. Three of my favorites are Steven Covey, Maya Angelou and Jim Collins. I always remembered Steven Covey’s story about giving his son the job of maintaining the lawn. When his son underperformed by Steven’s measurement, he had to remind himself that his job was not to grow grass but to grow a strong, successful person. I am paraphrasing but his guidance was as a leader it is our job to see the possibility and nurture it into reality.

I was a Division Chief of an engineering organization and in need of a technical director. I selected an individual on our team and put him in the position. I was aware that he had some interpersonal skills challenges, as is not uncommon with highly technical folks, and so he had an occasional conflict. He would address it with me, I’d give him some ideas and he’d try them out. Over time he became very effective and respected. One day he came into my office and said, “Thank you for believing in me and seeing in me what I could not see in myself.” To this day that is one of my favorite compliments. I am not sure if it’s fear or lack of confidence, but many people do not see the possibilities for themselves. I have mentored dozens and dozens of employees and many of them were not in my organization. Helping people grow and achieve success is rewarding in so many ways. I am a strong cheerleader; I hold them accountable to take the steps they define to improve, and I have such pride in watching their success.

Maya Angelou impacted me by describing her journey in life and key stepping stones to success. You may make choices in your life which seem like the only option at that time but turn out to be a less than great decision. You’ll have missteps, you may not be successful, but the only failure is not learning and not building on those experiences. This resonated with me in two ways, personally, to continue solidifying the importance of perseverance in achieving a goal and not dwell on a past bad decision. Also, to relay this advice to those I coach and lead to move beyond a mistake, learn, and continue to achieve great things.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was hired into the National Security Agency directly from college. I began my career with Secure Voice programs-Communications Security (COMSEC). As technology exploded this grew to Information Security (INFOSec), Computer Security (COMPUSec), Information Assurance (IA) and eventually, Cybersecurity. I have worked in every aspect of these areas from standards development, policy development, systems engineering, defensive cyber, deep tech evals, broad national policy, international interoperability and information sharing. I don’t have a particular story but I was taught the love of learning early in my life and I have continued along that path to this day. I have had many people ask me why I remained in government for so many years. That’s such an easy question to answer. Never once did I wake up and not understand why I went to work every day. For me the importance of the mission of protecting our nation is second to none. I knew I was working to ensure that my children and grandchildren would have the opportunity to live in the same great nation that I was honored to be born into.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

This incident is a bit funny in hindsight….. but at the time, a bit stressful. I was about 5 years into my career and working on a new security technology that we wanted to pilot extensively across the government. Our very senior director had a personal relationship with the Director of our target customer agency. The word was relayed down to us at the technical level that during a round of golf, the two directors agreed on implementation of our technology at this customer agency. Later, however down at my level, their representatives informed me that they had no intention of implementation due to lack of time, funding, and it was not a priority. I immediately fired off an email to my Director who then called his golfing buddy. Events spiraled and quickly soured not only at my level but also at the customer relationship level. Our own organization’s customer relationship manager, a senior military officer, upon receiving an ear full of grief from his counterpart, launched an internal email entitled “Broken Customer Relationship” to our entire leadership chain and stated that I misrepresented our customer. And now my mistake — my kneejerk reaction — I launched a Reply All response that very undiplomatically stated that our customer relationship manager had no idea what he was talking about.

Fortunately, my Director laughed at my pushback. He understood that I was defending the attack on my integrity. He even said he wanted to meet me sometime as I was quite bold. But as I learned, the situation could have easily gone in an unrecoverable direction. I still had to complete the implementation, but now I was starting at a greater disadvantage. I had to mend fences across both organizations and meet even greater technical expectations with the customer. Lesson to self from these early days of email — take a breath, walk away, sleep on it, and always take the high road to assume noble intent from the other side of the table. With even more happening via email today, when drafting critical messages, I will have a trusted colleague review it from their fresh perspective to ensure it conveys the right tone. I’ve found that being calm, deliberate, and taking that high road saves so much time, fosters collaboration, and delivers better results.

Are you working on any exciting new projects now? How do you think that will help people?

We are working with the government and companies to develop cyber resilience programs. This is the next focus area for cybersecurity. As we migrate our maturity from cyber as an IT issue to a true business issue, organizations (public and private) need to absolutely understand the risk to their business from a cyberattack. We are working to help multiple organizations identify their true risks in terms of business impact and help them prioritize protections.

Organizations spend a significant amount of resources protecting their networks and their information but they do not have a good picture of what that protection provides them. They have no idea how to invest their next dollar to achieve the best protection possible.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

1. New methodologies that gain traction and bring a buzz to cybersecurity. One of those is Zero Trust. I always joke and say it should really be titled 100% trust because the premise is that you only communicate with those things that are authenticated to include data, devices, people, etc. Everything that is not authenticated you deny access. Identity and Access Management is the core of this methodology and is so critical to a strong cyber program.
2. Stronger public/private partnerships protecting our data. Data privacy regulations are beginning to take foothold across the United States. I recently did a podcast titled, ‘Data is the New Oil’ which kind of sums up the importance of data and protecting that data. Stronger government industry relationships like Cybersecurity Maturity Model Certification which is raising the bar for cybersecurity across the supply chain in DoD. We’ll see this model promulgate across the government/industry relationship to commercial/industry relationships. Innovative technology like Automated Intelligence and Cyber Analytics so that our tech can help detect anomalous digital behavior and robust Data Management Platforms ensuring our data is adequately managed and protected across legacy and cloud architectures.
3. A New Cyber Executive Order that brings focus to the current challenges and ensures cyber is provided the focus and resources that is necessary for the U.S. to remain strong. Attacks like Solarwinds and the Colonial Pipeline raise aware with senior officials that the U.S. needs to take a very strong stance in both response and defense.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

1. Insufficient skilled resources to implement and maintain solutions intended to protect companies. We are not reaching the female population as we account for less than 18% of the STEM graduates. This is a real problem. We do not have sufficient skills and we are not aggressively attracting women to the field. This can be addressed by investing more in educating individuals in STEM, scholarships, high school programs, etc. I talk a little more about this later.
2. Insufficient focus on the human element which remains the weakest link in cybersecurity to this day. This is a national issue not just a corporate issue. Americans and individuals in general, need a very basic understanding of the vulnerabilities thrown at them from the cyber world. We need a national campaign to educate our citizens on things like identity theft, strong passwords, enabling automatic updates, being very suspicions of odd-looking emails or any email where someone requests action. Everyone should be speaking with their elderly parents and grandparents about these issues. This is a national problem since attackers target individuals for fraud and identity theft as well as companies. Much like the Smokey the Bear campaign of years ago, we need a national cybersecurity campaign. Also, this needs to be taught throughout primary and secondary schools. Identity theft, financial fraud, health insurance fraud impacts everyone at every age. And don’t make it easy for someone to socially engineer you which means don’t put so much personal information on social media.
3. Companies and Agencies are just beginning to understand the cyber impact of business resilience, what we call Cyber Resilience. As Identities are being stolen and individuals impacted, corporate reputations are being tainted. IP theft is continuing to increase. Companies spend millions on research and development that their foreign-actor-supported competition does not have to invest in because they steal it. Critical industries are not resilient from nation state adversaries and in the case of the Colonial Pipeline the attack which paralyzed them had nothing to do with their operational technology (OT). Cyber adversaries are very creative in creating impact and an unprepared corporation is most likely protecting the wrong things. Developing a cyber resilience strategy looks at your business in depth to identify areas that you must protect and they very well might not be obvious to you.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The threats we are seeing today will be around for years to come. What I do think we will see more of in the future is the creativity of the cyber actor. Now that we live in a digital ecosystem, adversaries will continue to achieve the impact they seek through cyber means and that impact may very well have nothing to do with technology. We know that adversaries were attempting to steal the formulas for the COVID 19 vaccine. We saw a cyber attack against a water treatment plant. We’ve seen adversaries fueling both sides of social media campaigns just to cause social discourse. Cyber attacks are now recognized as low cost means (dollars, retaliation, ease of execution) to what may be a very significant impact.

The following are some of the top emerging cyber threats:

1. Phishing and ransomware attacks will continue to occur, because people are the weakest link in a cybersecurity program.

2. Ransomware has evolved from merely encrypting files, to data destruction, theft and disclosure of data and threats of DDoS attacks which can take firms and agencies offline entirely.

3. Attackers will continue to target Internet of Things (i.e., technologies connected to the Internet), because these devices are not usually designed with adequate security protections.

4. Insider threats, as more employees work from home, they may become lax regarding following security best practices.

5. Social media disinformation and deep fakes that facilitate phishing and ransomware attacks. Think about today’s written fake news and how this will impact us when its visual media meaning you are watching and listening to an individual who is discussing an opinion or a topic. How could you possibly know it’s fake when you watched a video of the conversation?

6. Remote working will continue to be an issue as firms were forced to quickly stand up remote access for employees. Weaknesses in those infrastructures will continue to be compromised by attackers and cloud instances that were put in place overnight and may still contain misconfigurations and vulnerabilities resulting in an increased and vulnerable attack surface.

7. Increase utilization of AI (artificial intelligence) by attackers to recognize and automate their activities to bypass network defenses.

8. The continuing problem of finding adequately trained cybersecurity personnel. Organized crime and nation states have no problem identifying and recruiting highly skilled staff.

9. Roll out and availability of 5G networks present high speed connections to even more vulnerable devices. Attackers will utilize these devices in a similar fashion as botnets to identify and attack victims.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I was Principal Director/ Deputy CIO for Cybersecurity for the DoD when the OPM breach hit the federal government and 24.1 Million records were stolen by the Chinese. Records that included the most significant amount of personal privacy information on all levels of individuals in the government, everything required to obtain a security clearance. The Secretary of Defense decided since 80% of the individuals were in DoD that the DoD would handle the response to the breach. This fell to my office. The technical component while challenging since the organization was a conglomerate of many businesses was not the most difficult part. The threat component was frightening. What would the adversary do with this powerful information? Pulling in everyone who needed to be involved and meeting all stakeholders’ requirements was the difficult task. The individuals in this database were in every U.S. state. That means they were constituents of every Senator/ Congressman. We spent a lot of time on Capitol Hill. We spent significant effort ensuring we had accurate information for every individual. We were directed to send a written letter to each individual. That’s a lot of stamps. Who can print 24.1 million individually addressed letters and appropriately collect and analyze ‘return to sender’ replies over a 2-month period? And there were lots of security concerns we had to address. It was technical, it was political, it was complicated, and it was very expensive.

I have many takeaways. First personal data is a High Value Asset; invest adequately to protect it. Second, understand your architecture. Know what is implemented, what is connected to your network and especially, where ALL of your data resides. Have a robust data management platform. Third, have a plan so that you will understand how to respond to a breach from both a legal and process perspective. Exercise that plan at least yearly. Have a great relationship with your CEO, COO, CIO, OGC, Public Affairs and Board of Directors before the breach. Make cyber investment decisions with their knowledge and approval. Know all regulations that apply to your data protection. These differ depending on the state where your company and your data reside as well as, where the individuals whose data you may be protecting reside. Be agile and able to respond to things you have not planned.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

• Firewalls — Control and monitor traffic to and from your internal network and the Internet and/or between segments of an internal network.
• Vulnerability scanner — Identifies operating system level vulnerabilities (e.g., missing security patches, misconfigured security settings) on endpoints.
• Email Security Gateways — Inspects email messages for malicious content and blocks them from delivery or sanitizes them prior to delivery to users.
• Multifactor authentication — Requires a user to provide something they know (personnel identification number, temporary code), something they have (hardware token) or something they are (fingerprint, face) when logging into an IT system or network.
• Device certificates and device authentication — Requires devices to securely authenticate to the network.
• Endpoint Detection and Response — Agent deployed to endpoints that identifies and can block malicious activities.
• Antivirus — Agent deployed to endpoints that detects and quarantines malware.
• Allowed and Blocked Lists — Prevents the installation of non-approved software and prevents unapproved security configuration settings.
• Mobile data management — Segments company email and applications from personal email and applications on mobile devices.
• AI for behavioral analytics — Can track typical user and machine digital behavior and identify when anomalous activity occurs.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Unfortunately, there are many different signs depending on the hack. Below are a few:

• Failed logins to Web sites may indicate that their passwords have been compromised. They may also receive email or text messages notifying them that their password has been changed.
• Frequent pop-up windows that encourage them to install anti-virus software or visit unusual Web sites.
• Unknown applications have been installed.
• Computer performance is slower than usual or their computer crashes frequently.
• Excessive network traffic, very slow Internet response compared to what’s normal.
• On a portable device, your battery just isn’t working like it used to. Background apps and traffic are draining the battery.
• Your passwords have been changed.
• Your friends are getting strange emails from you that you did not send.
• You notice that your antivirus program has been turned off.
• You see your PC operating on autopilot doing things that you didn’t authorize.
• You get a skull and crossbones ransomware pop up advising that your PC has been encrypted.

Enroll in a credit monitoring service or install an application like LifeLock ID Theft Protection, so you can be notified that your identity may have been compromised.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

1. Activate their incident response plan.

2. Contact their Office of General Council (OGC) to determine reporting obligations, based on the specific details of the event. Also determine if federal law enforcement should be notified to offer support. OGC may coordinate with outside counsel for additional legal expertise.

3. Consult legal (Chief Privacy Officer) if available to determine victim notification requirements.

4. Consult marketing/PR to get ahead of the press and create a press release to minimize corporate image and reputational damage.

5. Hire a third party incident response firm if you do not have adequate staff to determine the extent of the breach and execute an effective response and containment strategy.

6. Search for indicators of compromise (e.g., MD 5 hashes, unusual log entries, anomalies in privileged user activities, unusual outbound network traffic, etc.)

7. Turn on logging for high value assets if it is not enabled and start collecting data.

8. Collect network traffic flow logs.

9. Isolate compromised endpoints from the network and begin rebuilding clean and secure versions of the endpoints.

10. Test rebuilt endpoints to ensure they are clean and secure before deploying back to production.

11. Perform forensic analysis of the endpoints that have been or may have been compromised.

12. Change compromised user account passwords. This may require a global user account password change depending on the severity of the incident.

13. Implement multi-factor authentication (MFA).

14. Implement outbound firewall rules to block unusual traffic.

15. Remind employee population regarding safe email and Web browsing practices.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Below is a list of common cybersecurity mistakes. The solution is developing and implementing a robust cybersecurity program that address these issues including governance, policy, training and technology implementation. We often see that a company will implement a very immature aspect of these tasks, but they never finish. For example, they implement multifactor authentication, but they don’t do it everywhere because they have old tech that doesn’t support it. When the cyber actor hacks into to their environment by accessing the unauthenticated tech, they should not be surprised.

• Insufficient cybersecurity governance model and lack of management accountability.

• No identification of their high value/crown jewel assets, where sensitive data resides and what type of cyber event would cause them the most harm.

• Not having a prewritten, up to date, and tested incident response (IR) plan. If you get breached and don’t have a plan it’s too late and it will increase response time and cost substantially. Companies should also have an IR plan that identifies preferred (possibly on retainer) cyber law firms and IR providers.

• Decentralized identity and access management and have not implemented multi-factor authentication.

• Separate authenticated accounts for privileged user functions. Don’t browse the web with the same login you use for privileged functions.
• Strong access control/ data segmentation. People can only access what is necessary to do their job.
• Lack of enterprise data management platform. How can they protect their data if they do not know where it resides?

• Lack secure configuration management standards.

• Hastily stood up cloud instances that may be misconfigured and the lack of understanding of the cloud “shared responsibility” security model.

• Not proactively managing vulnerabilities and applying patches to “crown jewel” assets.

• Do not have a grasp on third party access and data sharing.

• Lack of awareness of vendor access to their network and the security “maturity” of those vendors. What vulnerabilities are they introducing?

• Lack of trained and skilled IT and incident response staff.

• Employees not adequately trained to avoid phishing and ransomware attacks.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

No, absolutely not. I believe the number is somewhere around 18%. So 82% of the individuals designing emerging technology in this country are designing it from a man’s perspective. This is increasingly troubling considering everything is digital today. These technologies are shaping our lives. To make matters worse, this country and many other nations do not have enough qualified STEM individuals period and yet we are not providing an environment that is attractive to women.

There has been quite a bit of research on this topic.

1. First, we don’t target women at an early age for STEM education. We need to encourage girls in elementary and middle school. They need to understand how they can contribute. We don’t advertise what they can do. There are so many cool things they could be developing that would apply to their interests. Tech is everywhere today. It’s not just automobiles, power plants, cloud computing. It’s communication, healthcare, music, photography, advertising, social media, fashion design, on and on.
2. Second, it is still mostly a man’s world. Many of those women who go for tech degrees in college, change their major mid-stream. Not necessarily because it’s difficult but because they don’t see a role for themselves. They have no role model. The majority of STEM professors are men. I remember reading an article about Maria Klawe, President of Harvey Mudd College. She was determined to increase the number of women graduating with Computer Science degrees. Among her efforts she tailored the classes to interest women, she established all women study groups and she significantly increased the number of female STEM professors. Over a 10 year period her female computer science graduates went from 10% to 40%.
3. The solution is to make tech appealing to women. We need to help our educators from elementary school through college with creativity in reaching females and we need females in those STEM teaching roles. We need to continue to highlight women who are breaking that glass ceiling every day and the way they are changing all aspects of the world.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

There is one very common myth and while things are getting better it is still very prevalent. The Myth: Cybersecurity is only a technology problem and is the responsibility of the IT department. Cybersecurity is the responsibility of everyone from the mailroom to the boardroom. Cyber threats come in every flavor and companies need a comprehensive plan to protect themselves. We’ve discussed the weakest link for decades. Adversaries find the weakest link. I’ve seen companies do one thing — for example, issue tokens for authentication (which can often be duplicated quite inexpensively), and then they allow full physical access to their buildings and infrastructure. Cybersecurity is very complex and very difficult. It involves people, technology, processes and governance all working to support one another. If someone tells me they have it covered, I am assured they do not. On a scale of 1 to 20 they may be a 14 but no one is a 20.

The Myth: Technology will solve our Cyber problem. Technology implemented properly will certainly help solve our cyber problem but it is not the only component. Also, industry need to get better at developing interoperable security technology. Today, it is a huge burden for technology staffs. Companies and agencies need to have very strong security architects to understand how to implement a comprehensive cybersecurity program. How does your legacy architecture integrate with your cloud environment? Do you label your data, are you issuing your multifactor identities to your people, data, devices and then utilizing that towards a zero-trust architecture? Do you have a strong back up of all your data, including what’s in the cloud? Do you use AI for behavioral analytics? Your adversary does. How frequently are you scanning for and patching vulnerabilities? As fast as your adversaries?

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Perseverance is the key to success. This applies to many things in life but especially to a Woman in Tech. While it is getting easier, we are far from where we need to be. I have found that I must prove myself as being technically competent multiple times before I gain the respect of many of my male counterparts. Once you’ve crossed that hurdle things are fine. Early in my career this was an everyday occurrence, but it is still very prominent in the tech community. For women who want to go into tech my advice is to be tough and do a great job. Never have insecurities in your abilities. If you are in company that doesn’t respect you, go somewhere else. They don’t deserve you.
2. Always have the attitude that you work for your employees. It is your job to remove obstacles of all types to make them successful. Make sure they know how important you think they are. Get to know them. Mentor them and help them grow.
3. When an employee makes a mistake, never make ‘it’ feel personal. It doesn’t matter what the ‘it’ is but it should be helpful, positive and timely. If there is an issue you need to discuss with a team member, then ‘discuss’ it and listen. Don’t attack them and make them feel you are not supportive of them resolving the issue. If you make it feel personal, they’ll never come to you again for support and you’ll have an unhealthy climate. This is not the culture you want to promote.
4. Always be upbeat and positive around your workforce. Whether it is a small hello, a wave across the parking lot, a two second conversation in the cafeteria or a quick note to check on someone, the impact of being present and engaging can make someone’s day. If your workforce thinks you care, they will care too! Don’t ever underestimate how powerful this small acknowledgement can be or how detrimental the lack of it can be.
5. Establish a learning culture. It starts with you. Never stop learning and promote that mindset in your organization. A tech organization cannot remain relevant without constant learning. Be the role model.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

Melinda Gates. She grew up in a very tech world. She has had a very successful career. She is changing the world with her initiatives and she is an inspiration to women everywhere. It would be an honor to meet her.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!