Leading With Transparency – Candace Worley

Candace is the chief global product officer at Ping Identity, a leader in Identity Security. She is a veteran in the security industry with over 25 years of strategy and product experience with some of the biggest names in the tech industry like AWS and McAfee.

Listen to the episode on Apple PodcastsSpotifyGoogle Podcasts, or on your favourite podcast platform.

Detailed transcript :

Candace: .Determine your Ethical Barometer very Early in your Career. Figure out where the line is for you, that you won’t cross ethically and an instinct to it because at some point in your career, you’re gonna get pushed to cross that line, or you’re going to get asked to cross that line, or you’re going to find yourself standing on that line, and that’s not the time to figure out where the line’s at.


Neelima: Hello Everyone, Welcome to another episode of “Zero to Exit”. This is Neelima and Ankur, your hosts. Today we are excited to host Candace Worley on our podcast. Candace is the chief global product officer at Ping Identity, a leader in Identity Security. She is a veteran in the security industry with over 25 years of strategy and product experience with some of the biggest names in the tech industry like AWS and McAfee. 

She is a lifelong learner who embodies the Growth Mindset. Having started her career from a non-technical background, she quickly learned how to build market-leading security products. She was the first PM who helped build the McAfee Antivirus product before running their multi-million $ enterprise endpoint business. Over the years, she has built and managed many market-leading products as the industry has gone through multiple transformations. If you are a tech leader who wants to learn how to run a multi-million $ P&L from the countryside Hazelnut farm, you don’t want to miss this episode.


Neelima: Hi Candace, Welcome to the show!

Candace: Hello. It’s a pleasure to be here.


On SolarWind breach

Neelima:  I want to kick off with what’s top of mind for most of the country right now with the SolarWinds security breach. The attacker compromised many of our government agencies and enterprises. We spend more in security than all developed countries combined. What can we do better? How can we stay ahead of the bad guys?

Candace: it’s a great question. I think it’s one that those of us. And security wrestles with, throughout our entire career. We’re always playing a game of cat and mouse with the adversary and we finally get ahead of them, and they figure out how to supersede that effort and deliver something that can circumvent the controls that we’ve created or that the innovative security methodologies that we put in place.

And I think in this particular case, and I do have incredible empathy for the SolarWind folks, because I think they didn’t realise that they had a vulnerability and someone found this vulnerability and was able to parlay it into a very powerful and damaging attack. luckily we don’t probably know the extent of the damage yet.

But in this particular case, how I think people could have avoided being victims or potential victims of the attack. Normally, I would say, make sure you patch your systems and in this case because this was an unknown vulnerability that wouldn’t have necessarily saved you.

I will still tell you to patch your bloody systems. Like the best way to start your security practice is to keep your patches up-to-date, it’s kind of inexcusable when you’re 90, 120 days out, you haven’t patched and you get hit. It’s a difficult thing to explain.

Certainly I think in this case, probably the best, the remedy would have been hardening your systems, doing everything you can to follow the best practices recommended by your security and identity vendors to harden your suit, your compute environment again wouldn’t have guaranteed it, but I think it would’ve gone a long way.

To mitigating the risk that they could have got past the initial entry, they might’ve, they might have exploited the solar winds vulnerability, but they would hit now hardened environment behind it. And I think it could have saved a lot of grief for some of these organisations. It’s not too late, Companies can go back and harden now, just make sure that you’re clean before you hire them.

Ankur:  Great points. I’m a little bit more at the macro level Candace. I’ve always believed that we face an existential crisis from these States sponsors, cyber. Terrorists. what can our government agencies and those of us who are in the security industry do better just at a macro level. do we need to spend more money, as a country on security because clearly, that’s not working out, but maybe that’s the answer. Is it more awareness and training? like what are we missing at a macro level?

Candace: Well, I think there are two aspects to it. One of which we probably can’t help with much the other of which I think the security industry can help with the first is there’s a geopolitical aspect of cybercrime and ensuring that as a country we’re continuing to foster as much as possible congenial relations with both of our allies and as much as possible, those that perhaps at times are allies and at other times or not, I think is a critical part of this cause, I think again we as an industry can’t help with that other than to help educate our government on Cyber and the risks of cyber and what they need to be doing, et cetera.

and frankly, as we move to the second part of your question, what can we do as an industry?. Let’s help educate our government officials and both those in charge of foreign policy, as well as those in Congress, to help them understand the applications of cybersecurity, things like I look at the entire IoT world and critical infrastructure.

and what we should be doing from a security perspective around our power grid, our financial systems, et cetera. Our government officials need to be educated on the risks there. They need to be educated and at a very deep level so that they can start thinking about where to make investments, how to budget for those investments, et cetera.

In the future. I think on the flip side, we also need to be thinking in the security industry about what is that likely next attack? Like, Hey…. and you guys work with security researchers in your organization as well and like, there are people in companies that spend all day long, just trying to figure that out.

Just thinking about what could be the next possible attack? Read what adversarial AI looks like and how will the bad guys be able to use AI and ML in the future of hacking and cybercrime. And so I think We need to be anticipating as many of those moves as possible and starting to evolve our security solutions in ways that when those attacks happen, we can either be ready or we can be ready to evolve our products very, very quickly to help to mitigate those risks.


Early Days of McAfee

Ankur: Great Perspective, speaking of malware,  you were one of the originals,  you know, you started your career at McAfee. Tell us a little bit about early days.  You know, w what are you building a AB product, a solution looking for a problem where there any. Breaches back in the days where we had to constantly, nowadays,  AVS are like  commonplace even my dad and my grandfather know about it.  But you know, early days, like it was just not super popular. What were the early days like,  walk us through your career journey. And as you were building the AB products 

Candace: Well in fairness, there were lots of pioneers before me. I started in security in 2000. I was in a different industry prior to 2000, but started at McAfee as the kind of individual contributor product manager for the enterprise AB product which was their flagship product at that time,and what was very different then I think is different now is. When there was a serious piece of malware, it was like all hands on deck. I mean, if you think about it, we have serious malware hit all the time, like ransomware hits frequently now, other types of Trojans and that kind of stuff, we see them fairly frequently.

But I think because organisations have one created security strategies and processes and implement security controls, they’re able to mitigate a lot of those. I mean, obviously, ransomware did some damage a couple of years ago, but I think even that we’re learning how to prepare for it, how to mitigate the risk of it.

If it does hit us back then it was like code red and Melissa. Very early malware and in-between those big malware hits, you’d get jokes where some script kitty, you would write something and your screen would look like it was melting. 


I mean, they were just messing around and then when the big ones would hit, it was like everybody in the company was on deck for 72 hours straight. Our researchers were sleeping in their office and Vinnie gelada who ran the avert labs at that time was sleeping in his office and endup on coffee and Cheetos. It was a completely different vibe when there was a malware event versus I think.

Nowadays, I don’t know if we’re just numb or because I think the security controls have evolved significantly, organisations are better prepared to deal with them in vendors, or I think are better prepared when they do happen.

Ankur: Yeah. I remember, I came to this country in 99 and I think my second or third week, i was at one of the telcos, the MCI communications, and I thought a week into the job and, it was like one of the days, a lot of my coworkers started peeking at my cubicle.

(Laughs) I’m like, what’s going on here? better than the one of the malware that hit all the context in my address book, it automatically sends out an email with some nonsense stuff. And everybody’s like, what the hell are you thinking? I mean, I thought I was going to get fired, but apparently there was some AAV, maybe something, somebody was playing a prank, but that was a fun day.

Neelima: I think the education aspect, as you mentioned, we see now a lot of customers are fairly educated, at least on the basic Hygiene, it may or may not get implemented in time, but at least the awareness at that level is definitely way more than maybe 10 years back.

On the patching side, we do see a lot of challenges on the operational aspect that has not gone away to date.

Candace: I think there’s a big difference in terms of awareness and understanding depending on the audience. So if we’re talking about large enterprises or even what I would say commercial enterprises, They make it their business to get educated on cybersecurity and the implications of patching and having a good security practice.

And most of them have at least an IT team in larger organizations. Obviously, they have a cyber team, but when you start looking at small businesses and consumers, I think it’s a very different world. I mean, a small business, It really is a small group of consumers who come to work every day in an office together.

You’re talking 25 people, It feels more like a consumer environment than it does a corporate environment from an IT perspective. And I think those organizations really struggle because I think they don’t have a cyber expert unless they have a channel partner or a reseller that they work with that can provide them with that expertise.

And then I don’t know about you guys, but I’m still the cyber security tech person for my company, so if my dad starts to get weird spam on his phone, I get a phone call. Why am I getting this spam? Right. If my mom can’t get into her email, I’m getting a call. I can’t reset my password.

I have a virus. So we’ve all been there and I think we do still have a problem as a country in that. A lot of people in the consumer world that are not in high-tech by the way, which is most people in this country don’t have a deep understanding of this problem.

They don’t necessarily know how to identify a phishing attack. They don’t necessarily know how to deal with the fact that they’re. Email accounts got stolen and are now sending emails with links out to all of their contacts and so I do think, especially as we start to see the work from home, that’s been caused by COVID.

We know people at home whose worlds are even more mixed than they were before. COVID. So you now have that conser world and that world setting at the same desk and the home office and if those people are not educated on good cyber hygiene, I think it could exacerbate the problem for a lot of corporations.

Ankur: Absolutely.  you started with your career managing a single product. several features in that product, that’ll be very important. And then obviously spent several years then at McAfee and ultimately started running the end point business for them, which, I mean, for our list, endpoint security continues to be the largest and represents the lion’s share of the security business. And, McAfee is still one of the leaders and obviously you have new kids in the block like CrowdStrike, tell us a little bit about the journey from where you were. To, owning the entire,hundreds of millions of dollars in business. What, what was that journey like? 

Candace: So when I started at McAfee, I really was wondering why they gave me the job because I’m like, I knew nothing about security and it was actually a woman that had come from the EDA business, which was the industry I was in prior to McAfee. she had called me and said, Hey, come have lunch with me. I want to talk to you about a job. And I’m like, why would you talk to me about my job? I don’t know anything about security. And her perspective was she could teach me security, but harder to teach someone to be a great product manager. And she knew I had great product management skills, and so she figured I could learn security.

And so they ended up getting this job. I’m like, great. So I spent that first year just burying myself in understanding just the security space and my product. I was one of those PMs that like to run the product on my system so that I can sit in front of a customer and show them like, Oh yeah, we have that feature.

See it’s right here in the UI and here’s how you’d set it and configure it. I wanted to be very involved in the product and have credibility with customers and so over time i managed the AV product and then I managed a little product called Virus ScanASAP, which eventually was a managed service product.

So literally a lot of people don’t know McAfee had a managed service product clear back in 2001, 2002, there was an agent that’s on the endpoint, but there was a knock and the knock is where you manage all the configuration and the reporting and the deployment and everything. But that was very, very early.

If you think about it for a company to have that kind of a security product. So I managed that product for a while and then after about two and a half years, I guess, and it’s been long enough now, I don’t remember the exact timeline I was asked to take on a group product manager role. And I started managing I think, two or three other PMs.

And the most interesting thing for me was,  I also had some experience managing the HIPS product and I ended up managing the person that replaced me as the individual contributor PM and the hips person and I literally remember the day that I actually became the manager because for the first, probably four or five months, I was still the, the AVPN like, I was still thinking like the AVPM

and I literally remember the day that the AVPM came into my office and was like, blah, blah, blah about the hips PM. He’s not doing what I needed to do, blah, blah, blah, and it gets the PM was right. He shouldn’t have been doing what the AVPM wanted him to do and so my comment to the AVPM was like, actually, I completely agree with him.He shouldn’t be doing that. And you need to figure out how to get around this particular challenge and let’s talk about how that might work, and that person left my office,and I turned around with my computer, and in my head, I think I just became a manager. Like I think that was the moment of transition for me. 

And over the course of the next. Let’s see, probably five to seven years. I worked my way through director, and then up to VP of product management and I took the VP of product management role probably around the end of 2007. 

And I think Dave dwelt had recently come on board as the CEO and he put in place a business unit structure he made all the other businesses business units, except the end point. 

And I was a bit put out about that to be honest because it was the largest of their businesses and his perspective as listen, it’s a mature business. It’s kind of a cash cow. We don’t really need it to be a BU, and my argument was we need it to be a BU because it is literally the most important business you have on the enterprise side, in terms of revenue generation.

Pure cash generation, et cetera, and he and I debated that for a while and I think about 2009, I’d been doing all the forecasting and all of the tracking the business numbers and the support costs basically doing the GM role, and I went to him and said, either hire a GM or make me the GM and I’m good with either,

But it’s not okay that our most Critical Business does not have a General Manager. It’s just not okay that this business needs a seat at your staff table, and he’s like Candice, I really respect your opinion, thanks for bringing that to my attention. No, I’m not going to put a GM over the business. I’m like, okay, well I gave it a shot. A year later in 2010, he actually promoted me to the General Manager position.

I asked for it, he wasn’t ready to make that transition over the course of the next year. I did my best to illustrate to him why I felt that was important to how I felt I had the skill set to meet the requirements of that role and how I could add value to the broader business by putting me in that position.

And, hopefully, that was why he made that call. And in 2010, I moved into the general manager role for their enterprise business in that role.  I basically had P and L responsibility for the end point business. So I was held accountable for the number, even though sales didn’t report to me, you know, as a product manager, you get used to having a lot of accountability with no authority,  for any PM’s out there. They’re all laughing right now because they know exactly what that means.

Engineering doesn’t work for you, but you have to have them to deliver the product’s sales doesn’t work for you, but you have to have them to sell the product marketing doesn’t work for you. You can’t tell any of them what to do, so you have to influence and so as a GM, sales didn’t work for me. So I had to influence them in terms of selling the product and spent five years in the GM role and then after that they dissolved the business unit. Went to a functional structure in 2015 And I had the option to either run product management across all of McAfee’s portfolio, network, web, everything, or take on the VP of product marketing role across the entire portfolio.

It was a really hard decision, cause I thought I could do the PM job. Like in my sleep, I’ve got 15, 18 years of product management experience at this point I had to be able to. I’d be able to do that, but I thought to myself, it wouldn’t really be challenging me. Like I, I might learn to manage a bigger team.

I might learn to help product managers with products that I haven’t been directly involved with in the past. But, as a set of core capabilities, I know the PM. And so I opted to take the product marketing function and I ran product marketing for McAfee at the VP of PM or PMM level for two years across the entire portfolio.

and then after two years, they came to me and asked me to take on the chief technical strategist role, where I had a team of X CSOs. And we spent our time evangelizing McAfee strategy talking with CSO CIO. Customers of all types, just about where we were going as a company where the industry was going, how it was evolving and then learning from them, of course, how their businesses were evolving and how that was having impacts on the security posture of the company and the security practice of the company and then we would take that information and bring that back into the products or to color our corporate strategy and portfolio direction. So, that’s kind of like the arc of my career at McAfee for that 20 years, it was an amazing ride. I mean, I believe me, they’re still my family.Love the company, just I needed to go somewhere else in order to grow.


Lesson For Women

Neelima: What were some of the lessons that women listeners can take a way besides this, of course asking what were some of the other things you had to do to break the glass ceiling?

Candace: A couple of things, one is, and I continue to this day and I think we talked a little bit about this at some point in the past where I presume there are always people in the room that know more than me. Like I am, I am rarely the smartest person in the room. And especially when it comes to technology, because there’s almost always someone in the company or the room that knows a piece of technology better than you.

And so I, I have just always felt like getting the perspectives Of the, those people, those experts in a particular technology or a particular functional space or whatever that might be as a part of the decision making process or a strategy development process was critical. And, and especially the more senior you get, that can be hard Because you want to be seen as the person who has the answers, the person who’s going to lead the company.

And I think sometimes when you start thinking you can’t be vulnerable because people need to see you as a strong leader, a strong leader can show vulnerability. A strong leader is human to the people that work with them. 

I mean, there’s lots of studies around leadership where leaders who will show vulnerability, a.k.a.. I don’t have all the answers or I’m just not having a great day or, you seem a little out of sorts today. Is there anything I can help with? That, very human part of being a leader. I think that’s hard. The more senior you get, because you’re afraid that if you show that vulnerability, whether you’re male or female, frankly, that it will be perceived as weakness. I think that’s exacerbated for women by the way. I think women already in the workplace.

I feel like they shouldn’t show weakness. God forbid that you should shed a tear. You shouldn’t have a bad day because a woman with a bad day is looked at very differently. In many cases, a man that’s having a bad day. And, and so I think that what I learned from it is what I’m human and they’ll get over it.

I’m a very genuine, very transparent leader and I think as long as you’re consistent with that, Then you have that bad day or you have that weak moment, people embrace it and they actually step in and help you and lift you up on those days as opposed to going like, wow. Maybe they shouldn’t be in that role.

So I think don’t put a wall up that people can’t see through. I’ve witnessed a leader and I’m just going to say in the last several years that was in my SIS person, but always had a veil. Like there was always something between them and the audience or so I always something between them and the employees.

And this individual was seen as loose and distant by many of the people in the organization, and yet I believe that they have incredible capacity to lead, but that inability to let people in Hindered their ability to accomplish as much as they could have. 

“Remember vulnerabilities.”

That’s the one thing I think the second thing is really ask for what you want. Like, I’ve got these top 11 things I’ve learned over the time I’ve been in business and leading, and one of them is like, ,, pearls lie on the bottom of the sea. If you want one, you’re going to have to dive for it.

Nobody’s responsible for your career as much as you are. So like, just don’t assume that your boss or anybody else in the company cares as much about your career, as you do think about where you want to go. Think about what it’s going to take to get there, and then like to lay out the bowling pins that you got to knock down in order to achieve that goal. And when you achieve the goal, set the bowling pins back up with new titles on them and figure out how to knock them down to get to the next Goal.

 I think that’s really, really important. And then, another one of my top 11 is Humility. like no one likes working for an arrogant jerk. So like, especially as you become a manager, remember humility is critical. My bullet point is that

“Confidence without Humility is simply arrogance.”

And if you’ve ever worked for a leader like that, you don’t want to follow them, but if you’ve ever worked for that leader, who’s both confident and humble. You’re like, I’ll follow you off a cliff man. Like, what do you need me to do? I don’t care how hard it is. I’m there for you. I don’t know if you guys have been in both of those situations, but I have been, I’ve worked for someone on both sides of that and it’s absolutely true. The one guys you’re like, listen, I’m going to do my job for you and you’re on your own, the rest of the time and the other guy, you’re like, I’ll give you every ounce of blood I’ve got, you just tell me what to do and I’ll kill myself executing for you. And you have to learn that as a leader. if you want people to follow you.

Ankur: Yeah, well said, a lot to unpack. I think we can spend the next couple of hours just on these three subjects that influence vulnerability, hility but let me start with influence. Do you have any story about Candace from back in the days where you used your power of influence against the sales folks or engineers why engineers are like, yeah, I know this is a silly idea. I don’t want to build it. I’m like, how did you do it? any great stories that you can share with us?

Candace: Yeah.

“The most critical part of gaining Influence with people is to first Gain Credibility.” 

So if you’re respected by the people that work for you and with you and you develop credibility with them, influencing them. It is very easy, If you haven’t taken the time to build that trust relationship with them and gain credibility with them, you do what you say, you say what you’re going to do.

You do what you, you do it. then, I think influence is hard. And so I spent a lot of time with the salespeople because obviously, salespeople and SES sales engineers or the path to the customer. I mean, they are a gatekeeper to our customers. If you’re a product manager right now, granted they’re going to sell products that make them money.

Don’t get me wrong. Sales. Person’s all about quota and commission and the hunt. but ,, if a product starts having a quality issue or if it’s missing a feature or if your deadline moves. Now you better employ influence because you have to go out and build confidence in the field that here’s what’s going on.

I’m extremely confident we’re going to hit these dates, or I’m extremely confident we’re going to fix this problem. Here’s the timeline for that And you need them to believe you so that they’ll continue selling. If you can’t get them to believe what you say, AKA, that influence, then your job becomes much, much harder and your product will be damaged for it. with engineers, it was more about viewing them as my partner, not as my employee. So like when I was on the AB product at McAfee, I like having the most amazing team of people I’ve ever worked for in terms of just the team jelling, like the engineering manager that I worked with, a gentleman named Andy Woodruff.

We could finish our sentences for each other. That’s how tightly we thought and worked together and by the time it became that I know it became, we became that close as a working team was, I would come back from the field and say like, are our customers are saying X, have you, like, I don’t know why we would need that.

like why would they need that in the product? And I’d be like, well, I’m still learning the product, but they said, here’s how they’re using it. Blah, blah, blah. He was like, I just don’t get it. So we used to do these customer advisory councils and I went to the guy that ran engineering and I said, I would really like the engineering leader and the QA leader to attend the customer council with me.

And the way these customer councils work is. Yeah, we would do a roadmap review and a strategy review for the products. And then basically you would take a beating from the customer for 30 minutes because you didn’t give them the feature they wanted or they had a quality issue. I mean, again, product managers are all kind of smiling because we’ve all lived through that and so what I did during the Q&A session, I had the QA person and the engineering person join me in front of the room. So I introduced them as my compatriots in building this product. And I said, they’re going to help me today with the Q&A, you have really technical questions about any of the COVID or anything like that.

These are the guys that answer the question and about three questions one of the customers said, why can’t the product do X, Y, and Z. And Andy said, I don’t understand why it would need to do that. And he said, well, because when we do this, we need the product to do this because of this and both the QA and the engineering, what you went for.

I had no idea our customers were using our product that way. And the rest of the group said, well, don’t use it that way, and it was that moment where they realized that they just didn’t have a clear understanding of how customers were using the product. And I was the conduit for that information back from the market, into the engineering organization.

And so I continued to have them come to the calves by the way, because it was just the right thing to do, but it showed it completely changed the dynamic of the relationship because they now understood. Oh, my goodness. Our customers are doing things with our products. We have no idea. And the only way we can understand that is that Candace brings that information back to us.

That’s critically important as we’re coding the product so that we understand how it will ultimately be used and it led to that ability for me to just come back, say, here’s what we need to do here are the use cases. And I didn’t have to fight for it. Like at that point they, they got it. It was like, I understand why you’re asking for this now let’s figure out how to build it and it just completely changed the dynamic of the relationship.

Ankur: Yeah, great advice. A lot of PM’s quote unquote, high debt engineers or they’re busy doing their thing, but like just doing the simple act we’re putting them in front of the customers can make a huge impact. , you talked about kind of the cab and customer feature request, a lot of the product people have this issue that the backlogs at mile high, have you had situations where customers have yelled at you because you didn’t do something or the product was buggy?

Candace: Never had that happened to me. I had a profit, literally tens of millions of nodes installed around the globe. I got yelled at for not delivering features on a regular basis, and the way I dealt with that was I would sit down with customers and I would try to help them.

I would try to put it in the language that they would use in their business. And I would say, if I’m sure in your business, you get requests into products for all kinds of things, and some of those are extremely important to one product, one customer, but no one else would use them. And I said, anytime, I have to think about what features to put in the product I have to contemplate.

what percentage of the installed base would leverage this capability? would it create complexity in the product that would make it more difficult to use? Is there any way to implement it that we could mitigate that complexity? Would it prevent? would it introduce a security risk?, and it was a scary product. So this was easy. If somebody asked me to do something that I thought introduced a security risk, I just said, no. Like, I’m sorry. I’m not going to apologize for saying no, but like, you’re asking me to introduce a security vulnerability into a security product, and that’s completely acceptable.

If we can figure out a way to deliver that capability to you, without it being a security risk, we’ll do everything we can to do that, but I’m just telling you if we can’t let it go and so I think. I would always try to couch it in. If I put every feature into a virus scan, every customer wanted, it would be a Frankenstein product.

It would be a product made up of the bits of many people’s opinion and it would be completely unusable by everyone and so I had a set of rules around a certain percentage of the customers I had to believe it would be applicable to……it couldn’t create undue complexity, it couldn’t introduce known security issues into the product.

So yeah, there was a set of criteria that I always used in kind of identifying which of those capabilities would make the cut. And then I was very transparent with customers. You’d be surprised you can go to a customer and say no and get away with it. You can’t avoid saying no and get away with it because the longer you wait, the more irritated they get.

So I tried to dispose of FRs as quickly as possible so that if I’ve had to say no and they needed to make a business decision based on my answer, I wasn’t dragging that out for them.


Out of Time and Scope, Which One have you Traded More or the Other?

Ankur: Great insight. Assuming people as constant meaning number of engineers that’s constant. Out of time and scope, which one have you traded more or the other?

Candace: Oh, that definitely depends on the product. if it’s a very mature product, then it’s probably scope. Right because you already have a myriad of capabilities in the product that serve the lion’s share of customer requirements,

You’re probably now working on, we’re not even talking the frosting on the cake, we’re talking the cherry on top of the cake because it’s a super mature product. I would say it’s pretty specialized stuff that people are asking for. If it’s a very new product. Then it’s probably time. I would rather get a few features to market faster that are high quality and trade scope than wait a year and a half to get that product to market, but have it be pretty robust.

And so again, I think it’s, it can be very dependent on the maturity model of a given product.


How have you Managed to Remain at the top of your Game for all these years?

Ankur: Good stuff.  You know, as product people can geek out,  for quite a bit of time on all the subjects, but I think we have to move the part forward. So I want to switch the subject on you a little bit. You know, our industry has gone through many transformations.  But somehow you’ve managed to remain at the top of your game. We’ve gone from endpoints and cloud and now identity.  How have you managed to remain that the top of your game For all these years?

Candace: There’s probably a couple of things. One is continuing to Hone the core Skills. Product management skills or Product Marketing Skills or engineering skills engineering might differ a little bit just because you have to learn a new language, coding languages and all that kind of stuff. 

But certainly I think a PM and PMM, you have a core set of capabilities. You need to be able to execute in order to be a product manager or product marketing manager and, and continuing to refine those and understand how those may need to evolve or be different based on changes like, we’ve moved to agile now versus waterfall that have impacted product managers and how they do their jobs.

So just continuing to understand what that core set of capabilities you have to have are and continue to evolve those capabilities based on the environment in which you need to work. So I think that’s critical. I think Secondly, trying to find new ways of doing things.

When we’ve been doing something for a long time, you get comfortable doing it the same way all the time. And so I’ve tried over the years, especially as I’ve moved into leadership positions to build a team construct where I want my team to challenge me. Like I have really strong opinions.

Anybody who’s worked with me will tell you I have really strong opinions. But I want the people on my team to have strong opinions too. And if they think I’ve got it wrong, I want that debate because I think only through those debates, do we as professionals, whether that’s leaders or whether that’s individual contributors, do we learn new ways of doing things like we don’t have all the answers and the way we’ve done it for the last five years may not be the way we need to do it for the next two years.

And so. If we’ve got people on our team that have different ideas, let’s hear those ideas. Let’s put them out on the table, let’s debate them. And maybe we try it that way, this time. that just understanding that the way it’s been done may not be the way we need to do it in the future. And, and so like be open to other people’s input, be open to a different way of doing things, be open to new ideas.

It’s absolutely critical to staying relevant.


Remote Experience 

Neelima: Yeah, we hear about this new terminology nowadays. They call it growth mindset. You basically just articulated that you’ve been. Actually, , following that for years. , and uncle personally, I think you, you are using this podcast to learn all the curve, the product management concepts from Candace.

So switching gears a little bit,, , on, , where you stay and as you are a native Oregonian, And you’ve managed a successful career remotely before working remotely was even a thing., in fact, , I can tell, I can see this many of us in McAfee. We’re always surprised to hear you were,, you’re not a burial native. How did you do it?

Candace: Well, the original engineering team for Meyer scan, In fact, up until the time I left a large part of the virus scan team was based out of a suburb of Portland, Oregon. And so I was actually hired to work with a local team and then over time, As my roles evolved, hints were built there as well.

EPO was built out of Portland. We then expanded the teams to Bangalore. So I worked with the Bangalore team a lot and it was a fairly progressive company in terms of being open to have people work remotely, as long as I was willing to travel to the Bay and meet with my leadership or travel to customers or to Bangalore, to meet with the engineering team over there.

It really didn’t matter. And since I had the willingness to travel, I think that’s why no one ever knew that I wasn’t in Santa Clara because I oftentimes I’d be there two or three weeks out of a month. Most of my team, most of my product management team, when I was VP of PM was remote.

They weren’t actually located in Portland. And honestly it didn’t matter. Like, I got used to managing these remote teams and part of that process was I bring them together once a quarter, for a quarterly business review or, twice a year, we’d get together for off sites, really creating that team culture where you can do that in person and I think we’re all learning this through COVID, by the way, it’s not that hard to work remotely if you’re committed to the cause. I just happened to be one of those people. Who’ve done it for years and I think that’s why this worked for me and, kudos to my leadership at McAfee that allowed me to continue to live here all this time Cause I have a lot of family here and I just wasn’t willing to give that up. That was more important to me. I could go find another job. I couldn’t go find another family.


Adapting New Normal

Ankur: As remote work becomes the norm, in COVID is kind of forcing that situation. What two, three tips do you have for people who want to get used to this new world order?

Candace: Yeah! So it’s Interesting. 

I joined ping identity in may of 2020. I interviewed for the job Virtually, I onboarded Virtually, I work Virtually. I have yet to meet a Single Person that I work for, or that works for me. 

So you want to talk about the ultimate in virtual work from home?I’m like, I feel it right now. I think a lot of people are being changed jobs during this Too.

I think one for my team,for the first three or four months, I had weekly one-on-ones with everybody who directe reported to me. Even if we didn’t have an agenda, I spent 10 or 15 minutes, so that 30 minute call, just chatting and getting to know them, gave them an opportunity to talk with me. I also do skip levels with everybody in the product management organization every other quarter, so that I’m not just this faceless person that joined the company. Every product manager in the company has now met with me at least twice, in the seven months I’ve been here. I tried to do again, I think that transparency lets people know, what are you thinking?

Why are you making the decisions that you’re making? How do you believe those decisions are going to impact the company and the team and potentially even individuals on the team? So I think that transparency is even more critical when you’re not standing in front of people cause they don’t get the body language as much, through online stuff.

And so for me, it’s been all about making myself available, communicating transparently and clearly, and let’s see, those two words are obvious to me. I’m not coming up with a third one here. So I think I’ll just stick with two.


Routine Of CPO

Ankur: Yeah. And,  have you always had a routine,  from morning till evening to make sure that,  you know, it says if you are in a work hour,  how important is routine or are you like more of an unstructured? We just need to get the job done. I’d rather have that.

Candace: I don’t think I’m the model structured leader. Right now I’m very structured in that I spent 7:00 AM to 4:00 PM every day and in zoom calls. So I don’t really have a choice, but to be structured however a lot of times I did go to the office, even when I was no longer working with the teams here in Portland, I would go to the Portland office whenever I wasn’t traveling.

So I was visible to everyone there. So there was a lot of engineering and a lot of QA people that worked out of Portland. Many of them I had worked on Products with and so I would go to the office to get there by eight, eight 30 at the latest, work all day. A lot of times I’d have somebody stop by and just say, Hey Candace, great to see in the office.

What’s going on? What are you hearing from customers?  just that, that visibility as a leader, even though I didn’t work with them directly anymore was critically important to them. So that was a routine when I was working for them. Now, No, I do. I get up at 15, 20 minutes before I have to be on a call.

I’m skimming through email, making sure there’s nothing hot in the email. I read my email real quick before I go to sleep at night, check my schedule the night before. So I know exactly what my day is gonna look like and then the time in between is controlled chaos. Cause I have a meeting schedule and then I’m responding to emails and the five minutes in between.

And I’m hoping at some point. I get to go grab, I don’t know anything to eat. I’m in love with Epic bars. They’re like these there instead of a granola bar they’re actually made of meat and like, they’re my lifesaver right now. Cause I’ve got five minutes and that’s lunch. I can eat one of those in five minutes and it’s protein.

So, that’s kinda my routine. I spend all my time in meetings right now. So that’s the life of a CPO..


Ankur: Yeah, Neelima and I are waiting for a day where we’ll have our calendars, like Warren buffet, where there is literally nothing scheduled for weeks and months.  he spends most of his time thinking but maybe in few years from now, we’ll see

Candace: I just had that conversation. I’ve been mentoring a woman for the last six months and I just told her You have to make time for White Space. If to be creative, you have to have White Space in your calendar, whether that’s White Space on your weekend, whether that’s, White Space at the end of your day, but, for you to really problem solve in an innovative and creative way, you have to allow your mind to be still, and it is. I think it is one of the most difficult things to do in the work that we do in High-Tech is to find time for your Mind to be still in Quiet.


Prediction for the next Five Years for Security?

Ankur: Yeah couldn’t agree more, that brings us to the last question before we move on to a rapid fire round and that is the industry has transformed quite a bit over the last few decades, but it seems like we’re still in that endpoint security network security identity data and we have thousands of companies. So in the wake of the recent security breach and the industry in general, what’s your prediction for the next five years for security?

Candace: Well, if I could tell what was going to happen in the next five, 10 years, I’d be making a lot more money than I am right now  (Laughs)….And we could predict what the problem is going to be. We’d all be consultants making boatloads of cash. So as I think about where I think, we need to focus, like I know adversarial AI is not that big a thing now.

I was doing some research on it right before I left McAfee in 2019. there’s a lady there who does a lot of research in that area that I spent some time with an eye. That one keeps me awake at night. Like, how the bad guys were, especially how nation States could potentially use adversarial AI in an adversarial way.

That one keeps me awake. I think that will happen. And unfortunately, I think it will happen in some of the most critical parts of our world. Like I think that critical infrastructure thing I mentioned earlier, that one terrifies me. Like, if there’s anything that keeps me awake, it’s that combination of IOT and adversarial AI, That causes sleepless nights.

So that was a big one. I think, part of the reason I took the job at Payne is because I kinda had come to the conclusion probably three or four years ago that if you boiled security down to its essence, like what are kind of, ,, just the foundational things around security it’s identity and data it’s can I be sure?

But you are who you say you are. Can I be sure that what you’re asking for access to you have a right to see or have access to? and can I be sure that the data you’re accessing is in fact, the data that we think it is like, like it really, it just boils down to those two things. And if you think about what hackers are after they’re day interrupted and pretend to be something they’re not in order to get it.

And if you think about what we’re protecting all the time, we’re trying to protect people against people getting access to things, they shouldn’t have access to AKA identity, and we’re trying to protect the data. That’s so critical for our business and our customers. And that’s why I took the job at ping because I was like, I now get to look at security through the lens of identity.

And I’m just increasingly becoming convinced that identity is the pointy end of the security sphere. Like if you can get identity right, You can mitigate a whole lot of downstream issues. If you don’t get identity right, then you better hope your security practice is Bulletproof because you just left the door wide open.

And so I do think that identity lead security or like, I think identity and security need to become more intertwined over time, because I really do think that they’ve been connected, but it just doesn’t feel like they’ve been connected enough, looking at all of the ecosystem elements around a given request for access, whether that’s the device they’re on the geolocation, they’re in the application they’re attending to access the data.

They’re attempting to get to whatever it might be. All of those factors of time of day, that becomes extremely important because unfortunately, humans are creatures of habit, and when they break those habits, it’s usually worth looking at whether that’s for insider threat or whether that’s for this isn’t really them.

So I think those are the two things. I think identity will become increasingly important, the broader context of, kind of a security practice and then secondly is adversarial AI in the context of  kind of the IOT world and critical infrastructure.

Neelima: I have to ask this one Candice. Do you see or the infrastructure companies taking more responsibility as well as baking security throughout their stack? is that something that needs to change?

Candace: So I haven’t spent as much time on that in 2020 as I did probably an 18 and 19. At the time I was looking at it they had a lot of work to do. I did not see them taking it as seriously as I thought they should. Security needs to be baked into those devices before they ship.

and at that point that wasn’t happening. And, I think about things like my mom has a pacemaker. Now it literally talks to a device that sits on her bed and she goes over and hits a button and it transmits all that information. And like not that my mom’s not a target? Obviously, that terrifies me that she’s got a device in her body that’s connected to an internet connected machine.

and so I do think that  there’s a level of culpability. That should be connected to these devices and ensuring that these devices are shipped securely. And by the way, they’ll never get it a hundred percent, but if they can address 60, 70% of the security issues upfront at manufacturer, and then the industry can take care of the other 30, 40 after the fact that’s a huge win and I just think there’s still a lot more work to do there. 

Ankur: Absolutely, well said, really enjoyed getting your perspective industry and identity is the new perimeters and I couldn’t agree more. One of the key threat factors that i think the industry has been and continuing needs to focus on in the coming years.

So that brings us to the final round. Like i said we typically ask questions about all things in general but 2020 is coming to a close and although it’s been a shitty year (Laughs), pretty forgettable year, i’d love to get your take on the best of 2020. So if you are ready, then i am going to start with Best Book Of The Year? or Favorite Book Of The Year?

Candace: For me a book called the first 90 days was a great book because it’s all about the first 90 days and the job and the things that you should be looking at in the first 90 days of a job and taking the CPO role and all virtual. That was pretty important for me, so i’ll go with that book.

Ankur: Yeah. It always happens to me all the time. Yeah. A favorite show of the year?.

Candace: so i am not a reality TV junkie, in fact i’m kind of opposed to it but i am THE VOICE junkie. So the voice is my, is like my one go-to reality show that I actually watch. So the voice was my favorite show.

Ankur: Got it. Have you seen Queen’s gambit?

Candace: i have not.

Ankur: Okay. All right. 11 more days. I am willing to bet that it will end up becoming your favorite show. fascinating one. Event of the year?.

Candace: it’s a very personal event, in addition to, i think you mentioned neelima that we have hazelnuts, so we live on a hazelnut farm. We also have 600 lavender plants And so my favorite event of the year was We harvested our lavender for the first time. I just build it into lavender oil, so that was a pretty big event for us and it was a blast.

Ankur: love it. Company of the Year?

Candace: I’m not going to be able to give you one company. I’m going to give you any pharmaceutical company. That’s able to ship a vaccine this year. So right now  Madrona, AstraZeneca, Merck, any of the other step ups. They all deserve huge kudos for busting their hump to get something, put together, tested to the extent that enough people, doctors and scientists felt it was safe enough to accelerate the release.

Neelima: Yeah. Some people in my family I’ve started getting it on these calls. So we are really excited.

Ankur: Yeah. But then I would be on my list as well. Can you imagine candace, shipping your first product ever and getting and getting to a $60 billion in market cap. they have never shipped any product? The first one that ships but yeah totally its up there. Okay it the second last question. If you were the times editor, who’s your person of the year?

Candace:  I’m going to do persona of the year, not person of the year. So I’m going to cop out on you and I’m going to say that the Medical Professional is the Persona of the Year.

Ankur: Yeah. well said, all the healthcare workers. Absolutely and the last question which is weird is away from theme of this rapid fire, we were suckered for getting this insight and that is that One Advice you’d give your 18 year Old Self.

Candace: So this is probably super serious advice. What comes  to mind is don’t take things too seriously. Cause I think, 18, you’re either not taking anything seriously. You’re taking everything seriously. So this is what I often do. When they have me,   companies have me talk to interns a lot of times. If we had interns in the office, especially women, McAfee would set up an exit meeting with me to talk with them and.

One of the things that I always tell, like an intern when I meet with them is, Determine your Ethical Barometer very Early in your Career. Figure out where the line is for you, that you won’t cross ethically and an instinct to it because at some point in your career, you’re gonna get pushed to cross that line, or you’re going to get asked to cross that line, or you’re going to find yourself standing on that line, and that’s not the time to figure out where the line’s at. 

So give some thought early in your career, your, your 18 year old self probably before you go to college would be good too, right? Cause there’s plenty of opportunities at college to make mistakes.  Figure out where that line is. Cut that shit in the sand.

And that way, when those situations come up, where you have to think about whether or not you’re willing to do something that seems a bit dodgy,  you know exactly where the line is and you can hold yourself accountable to it. It makes it much easier to make those difficult decisions. If you know where that lines up. That’s my advice to every 18 year old,

Ankur: very well said. ,with that, we’ll call it wraps. Candice, it’s been a pleasure having you, we really appreciate you taking time.

Candace: It’s been fantastic. Thank you ankur, thank you and Lima. Thanks. I appreciate the opportunity. I’m grateful that you thought I could contribute here, so appreciate it and have a wonderful holiday.

Ankur: You too. Thanks a lot.

Listen to the episode on Apple PodcastsSpotifyGoogle Podcasts, or on your favourite podcast platform.