Welcome to our podcast series, Coffee with the Council. I’m Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Today I am thrilled to introduce the Council’s new Executive Director, Gina Gobeyn. Gina joins PCI SSC following the announcement of Lance Johnson’s retirement this year. As Executive Director, Gina will drive the organization’s strategic direction, its operations, and oversee the PCI SSC senior leadership team and staff. I’m delighted to have you join us today, Gina.
Gina Gobeyn: Hello, Alicia. Thank you. I’m happy to be here.
Alicia Malone: So, Gina, you joined the Council after a successful, nearly 18-year career at Discover, where you most recently served as the Chief Risk Management Officer in Payment Services. But you are no stranger to PCI SSC. As it turns out, you actually helped launch the Council as a founding member. And you’ve also served on the Executive Committee over the years. Can you tell us more about those two things?
Gina Gobeyn: Yes, that’s right. I am not a stranger to the PCI Security Standards Council. I joined Discover in 2006 and was fortunate enough to be part of the team that was helping to launch the Council at that time. And remember, this was at a time when each of the payment brands had their own security requirements. Merchants had to achieve compliance with each of those different standards. And the feedback from the merchant community was that they wanted one standard. Payment security was all of our priority, and we were able to agree that security was non-competitive. So, the bad actors were working together, and we needed to work together as well, to protect payments.
As an ExCo member, or an Executive Committee member representing Discover, I was in the unique position to help shape goals and objectives of the Council by representing the voices of Discover’s partners – so, merchants, acquirers, issuers, and other network alliances – that were able to address some of the evolving threats, best practices, or even some of the challenges that made adoption of the PCI Security Standards difficult in certain segments, or in various places around the globe. Just being able to access the materials in different languages, or with a different type of awareness education was some of the value that I was able to bring in my role as an Executive Committee member representing Discover.
Alicia Malone: So now, 18 years after its founding, why did you decide to take on this role to lead the Council?
Gina Gobeyn: I am excited to be leading the PCI SSC. Working with the Council has been one of the most notable accomplishments of my career, one where I have felt like my contributions and the partnership with stakeholders has really made a difference on something as important as reducing risk and improving the security of payments. That work has been both personally and professionally rewarding. It is a wonderful feeling to love what you do, and to know that what you’re doing has value. And it makes a difference to an entire industry.
PCI SSC has really been a shining example of what I think we can accomplish when an industry comes together to lead and work together towards a common goal. So, I am looking forward to helping lead the future direction of the Council with our industry stakeholders.
Alicia Malone: So, your career in payments actually spans 25 years, as you were also involved in information security for the Federal Reserve Bank of Chicago prior to Discover. How has all of this experience prepared you now for this next endeavor?
Gina Gobeyn: Well, I’ve learned that multi-stakeholder perspectives are so important in making sure that you get it right. I tell a story about how I was first actually introduced to the Payment Card Industry Data Security Standard, or PCI DSS. I was in a role creating security requirements for banks – depository institutions – that wanted to participate in the electronic channel to access Fedwire and FedACH. And what I learned from a pilot of those security requirements was that those were not going to work. The feedback was that our requirements were just way too rigorous, not commercially achievable by most. And this was a bit of a surprise, considering that what we were trying to secure was really kind of the central payment system. I learned of the standard at that time, the PCI DSS, in that it was similar to its mission to secure the data of commercial payments. And when I read that standard, it really actually felt like it was even more prescriptive than what I was trying to achieve. At the time, I didn’t realize there was a concept of, and maybe it wasn’t just documented as clearly, of compensating controls.
But back to my conundrum: I had a real problem to solve. And it really was only through the very collaborative sessions with the pilot banks or depository institutions that we were able to really get to the intent of each of the requirements. And through our discussions, you know, recognize that there may be multiple ways to achieve the same desired outcome. And so, it was based on this partnership that the requirements evolved, not to be less secure, but to allow for flexibility in how to meet each of these requirements. And it really is that collaboration that helped produce a sustainable, commercially achievable, security standard.
And so, over the course of my career, I think it’s this principle of collaboration, and the value of that multi-stakeholder perspective that’s been instrumental in so many of the programs that I’ve been able to build and maintain from an overall payment risk management perspective, whether it’s security, fraud, incident response, or even programs that address, you know, global regulatory compliance initiatives.
Alicia Malone: Your description of the evolution of PCI DSS really is a great segue to my next question, which is that, you know, over the years, the payment industry has really grown and changed tremendously. What is your vision for the future of the PCI Security Standards Council? And how will we get there?
Gina Gobeyn: Yes, the payment industry really has changed at a rapid pace; maybe even more so as a result of the pandemic. And so, it’s more important than ever, really, that the payment security standards and the supporting programs keep up with that change. Emerging technologies like artificial intelligence, biometrics, crypto – those are shaping our industry along with the accelerated rise in popularity of mobile payments and contactless transactions. Threats certainly aren’t going away. Malware and phishing continue to increase the risk of security breaches. And very importantly, there are new innovators in the industry. And they are our stakeholders. And they will help shape how the Council helps support the security of payments.
So, in the short time that I’ve been with the Council, the feedback themes that I’ve heard are consistent. We need to reduce complexity, we need to be faster, and that we have the full support of our stakeholders who really want to ensure that the Council remains that gold star it is today. And so, as the industry has transformed, I will be working with the Council and our stakeholders to ensure that the Council is able to lean into this transformation as well.
Alicia Malone: By accepting this position at the Council, you become the first woman to lead PCI SSC. What does this mean to you to reach this point in your career, and be the first?
Gina Gobeyn: Yes, I’m honored to be the first. I certainly remember a time as a young professional when there were not very many women at the security table. And it was really noticeable at events like security trainings or security conferences. And I would say that generally, there was a time where I would not have been comfortable representing a demographic, whether female or Hispanic. I would have wanted to dilute anything that made me stand out, other than my qualifications. And that might be just kind of a reflection of the time.
But I have recognized that there is an importance in being able to represent diversity and how my past may encourage someone to pursue goals or opportunities that may not have otherwise seemed achievable. So, I’m encouraged by how far we’ve come. And I do believe the future becomes brighter, as both security and diverse representation are very important priorities in our industry.
Alicia Malone: We actually had the opportunity to interview you in 2020 as part of our Women in Payments blog and video series, where you spoke about the future of women in cybersecurity roles. From that interview we learned that you took a non-traditional route to the payment space. Tell us about those early beginnings, and what led you to this career choice.
Gina Gobeyn: Yeah. You know what? The PCI SSC has really done a nice job of highlighting so many amazing women leaders in our industry as part of that series. And I am grateful to have been asked to be one of your first spotlights, so thank you. And I did take a bit of a non-traditional route, but at the time, there really wasn’t much of a clearly defined route. Information security, cybersecurity, was pretty niche. And what I recall was that some of the common threats were things like website defacement, maybe some denial of service. The brand damage or the reputational risk that resulted from falling victim to those attacks, was something that companies were working to avoid. So, we’ve come a long way from that. But I was pretty fresh out of college. I was a business undergrad. And then I learned of a technology called a firewall. And I was immediately hooked. I wanted to learn everything about network security, and I wanted to be the best at it. Intrusion detection actually became my passion. And that really was the steppingstone into a career in security.
And from there I went from managing security service offerings to security operations, incident response, forensics, security policy, moving into compliance enforcement, and overall risk management. But for me, it’s always been about that feeling that I’m working on something really important, and that my contributions are meaningful. And that premise has helped steer me to pursue some of the other rewarding opportunities that I’ve been fortunate enough to have from the Federal Reserve Bank of Chicago, to Discover, and now to the Council.
Alicia Malone: In that interview that we did, you also talked about why soft skills are just as important as technical skills when it comes to protecting data and fighting bad guys. “Fighting bad guys” was a phrase that I remembered clearly from you. Can you explain what some of those soft skills are, and what they bring to the table?
Gina Gobeyn: Yes. So, security professionals have very important roles, and we want to be the best at our craft. We want to strive to be a subject matter expert and hone our technical skills. I would say that just as important are our soft skills. And when I think about soft skills, it’s about our effectiveness in our abilities to communicate, to motivate, lead teams, manage risk – not necessarily eliminate risk, manage risk – and to adapt to and influence change. And so, in a business setting, it’s important to understand the goals of the business, and the business problems that need to be solved. And then leveraging our hard skills, our technical skills, with our soft skills, allows us to find ways with our business partners to really optimize mutually beneficial outcomes.
Alicia Malone: So, Gina, outside of your day job, tell us a little bit about yourself. What kinds of things are you passionate about? What would you like others to know about you?
Gina Gobeyn: Alicia, I’m afraid I’m not terribly interesting. My husband and I have younger kids at home, an eighth grader and a fourth grader. And so, we certainly enjoy spending time with the family. A lot of time is spent chauffeuring them around. And so, you know, I’m certainly learning to love some of the things that they’re interested in. I give an example as football. I spent most of my life avoiding all things football. And my son loves it. So, I have found myself pretty passionate about football these days, and I’m having conversations about plays and strategies. And I’m like, “who are you?” I don’t recognize myself.
And my 14-year-old daughter, she well, apparently, skincare is a trend. And I’m finding she knows a whole lot more about skincare products than I do, so I’m happy to go along for that ride. So, we really enjoy time with the family, enjoy traveling with them. They’re really at a great age to start traveling internationally. We’re experiencing different cultures and foods. And it’s always really special when we are going to places that they may have learned about in school. And it comes to life in a more meaningful way when you travel there, or plan to travel there.
And for me, right now, I’m also completing an Executive MBA at Kellogg. And I am both energized and very much inspired by the professors and the people in my cohort that I’ve had the opportunity to meet. But I tell you, at the end of this year when I graduate, while I’ll miss the experience, I do have a whole bunch of stuff that I’m excited to get back to. And probably some family promises to keep.
Alicia Malone: I have a six-year-old son myself. And when people ask me what my hobbies are, I say, “Well, I work, and I’m a mom. And I don’t really have time for anything else.” So, I totally relate to what you’re saying there.
Gina Gobeyn: Yeah, it’s true.
Alicia Malone: Well, Gina, since you’re on Coffee with the Council, we like to ask our guests how they take their coffee. Or if you’re not a coffee drinker, what do you prefer instead?
Gina Gobeyn: Yeah, I do drink coffee. In fact, I have some right now, but I’m not fancy. I like a home-brewed coffeepot coffee. For me, it’s kind of more about the routine. I like a hot cup of coffee to kick off my day. So, it’s really more about that routine. But right now, I’m kind of on the kick of adding some oat milk or almond milk in my coffee. So, cheers to you right now.
Alicia Malone: Yes, cheers! That sounds delicious. Well, thank you so much for joining us on Coffee with the Council, Gina. And we look forward to working with you.
Gina Gobeyn: Thank you. I am happy to be here. And I’m very much looking forward to working with you and the team.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora.
About Author
