Opportunity in Cybersecurity: Q&A With Carolann Shields From KPMG

  • By Maddie Rosenthal
  • 25 January 2020

Carolann Shields was recruited for a Chief Information Security Officer role at KPMG LLP almost 7 years ago after rising through the ranks at McKinsey & Company. She started in system reconciliation and deployment, went on to manage development for all of their enterprise systems, and then became the IT Security Program Manager (de facto deputy CISO). Throughout her career and to date, she’s driven more than fifteen company-wide cybersecurity initiatives and has done so by developing collaborative, positive security cultures and multi-faceted teams.

While Carolann had an interest in math and aced computer classes from a young age, she actually studied and earned a degree in Business Studies in Ireland before starting down the path to cybersecurity. Having a background in business has shaped her style and approach to security, driving a focus on efforts that reduce an organization’s overall cyber risk.

“At the time I started working at McKinsey, the CISO was a woman. So it never even occurred to me that it wasn’t possible to achieve what she had or that it was in any way unusual for a woman to be in that position.”
Carolann Shields, Former Chief Information Security Officer, KPMG

Q. Describe your role as a CISO in 300 characters or less.

I lead a team with complementary talents and skills to work together effectively and bring transparency to an organization’s cyber risk in order to identify and design solutions and processes to mitigate those risks. I also educate and influence behavior to ensure compliance and protection while making security a commercial benefit, not just a cost.

Q. What would encourage more women to pursue roles in cybersecurity?

Need is the mother of invention. Highlighting the number of open positions and highlighting the fact that there are women with these skills in and outside of the industry is the first step.

The fact is, you’re cutting out 50% of the population when you don’t create an environment for women where they feel they can excel and actually progress in their careers. Even if you hire a lot of women – which we’re seeing now – they don’t move through the ranks as easily because they don’t have enough role models or advocates. That’s why it’s so important that the women that do become successful reach back to support the women who are coming behind them. Encouragement is incredibly meaningful, and it doesn’t take much for leaders to give it.

Q. With that in mind, can organizations really ever guarantee diversity within teams?

When you decide you’re only going to hire the most qualified or the one with the most potential, you naturally have diversity. On the other hand, if you start saying I’m only going to hire women, or men, or this ethnic group or that religious group, the goal of recruitment breaks down. Decision-makers should only be interested in your brain and emotional intelligence. Who is the most qualified with the most potential? That’s who you should want for that role.

Q. Have you had role models or advocates throughout your life who enabled you to achieve the success you have?

The CISO at McKinsey at the time I started working there was a woman, Denise Hart, who has since retired, so it never even occurred to me that it wasn’t possible to achieve what she had or that it was in any way unusual that she had because she was a woman. On top of that, I had a father whose beliefs were sort of the reverse of what we typically think of. He believed that men should be out physically working and that women were much better as lawyers and accountants and doctors. For me, there were no limits as a child growing up about what I could be from a career perspective.

Q. What are some of the skills, interests, or personal attributes that lend themselves to a career in cybersecurity?

People who care about consequences and the bigger picture and who understand the larger impact of their role in an organization are the ones who will be successful and really excel in this industry. It shouldn’t be about just a paycheck; you need to care about what you do. Why? The vast majority of organizations get hacked because of mistakes: someone clicks on a link, firewalls are misconfigured, access is overly permissive, etc. The way to really prevent that is to have people care about their work so that they pay attention to the details, identify mistakes early and correct them before there is any harm done.

Q. Are there any misconceptions about cybersecurity that you want to set straight?

Security teams believe in the mutual benefit of being safe, which makes it collaborative by nature. While – yes – some of the most talented security engineers are at their desk working alone, a lot of it is about relationship building and collaboration and working with teams to develop and manage secure solutions.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020.
