With two decades in the industry, Emily O’Carroll reflects on how the threat landscape has evolved, the difference between in-house and virtual CISO work, and why mentoring and finding personal balance are just as important as managing risk.
Listen to the full episode on YouTube, Spotify, and Apple Podcasts.
Emily O’Carroll, a seasoned cybersecurity professional and CISO shares her journey into virtual cybersecurity support, sharing with CRN’s Cass Cooper the evolution of the threat landscape, and the importance of translating technical risks into business impacts. O’Carroll gives insights on the differences between being an in-house CISO and a virtual CISO, as well as the significance of mentoring and finding balance in one’s career and personal life.
Emily, you’ve been in cybersecurity since 2005, long before most people even knew what that meant. What first drew you into the field, and how did your path evolve?
Emily O’Carroll: Like many people in cyber back then, I didn’t realize I was in cybersecurity at the start. I was working in risk and compliance, but as the industry evolved, I realized that much of what I was doing was foundational to security. I stepped into leadership in 2010 and became head of security then eventually CISO at Callaway Golf. That role opened a lot of doors and really shaped the next phase of my career.
How has the threat landscape changed in the last 20 years, and what remains the same?
Back in the day, it was all about securing physical hardware, firewalls, and perimeter controls. Now, we’re navigating multi-cloud environments, generative AI, and remote workforces. But what hasn’t changed is the need to maintain visibility and control. The job today is harder because the tech landscape moves fast, and shadow IT makes things even more complex. But the core principle of protecting the business has always been the same.
You mentioned that translating security risks into business impacts is a critical skill. What’s your approach for making that translation resonate with business leaders?
Security teams think in zeros and ones, but business leaders think in terms of impact: downtime, revenue loss, brand damage. So, I always try to answer the “what’s in it for me?” question: If this vulnerability is exploited, how will it affect your storefronts, your supply chain, your customers? It’s also crucial to clarify that security teams identify risks, but the business owns them. Having clear, honest conversations with application owners and backing it up with real-world examples helps make those risks tangible.
What’s the biggest difference between being an in-house CISO and a virtual CISO (vCISO)?
As an in-house CISO, you’re responsible for every vertical—from disaster recovery to incident response. The job is demanding and unpredictable. I learned a lot and built a strong program at Callaway, but it took a personal toll. Now, as a vCISO at GuidePoint, I still deliver high-impact services, but I also have time to mentor, speak at events, and give back to the community. I’ve found a rhythm that supports both my professional growth and personal well-being.
What advice do you have for women, and especially women of color, who are entering or advancing in cybersecurity?
Find strong mentors and don’t be afraid to raise your hand for the hard assignments. Early in my career at KPMG, I had access to great mentoring programs and strong female leaders who made me believe I could do anything. That foundation mattered. Today, I try to pay it forward by mentoring others, especially those from diverse backgrounds. We need more voices at the table, and it starts by building each other up.
Final question: do you still golf?
I do! Ironically, I’ve spent more time golfing since I left Callaway. I meet up with old colleagues for lessons when I can. I may not be great, but I have beautiful clubs.
Catch more conversations with leaders like Emily O’Carroll in the Channel Women in Security series, hosted by Cass Cooper. This is where women’s voices, leadership insights, and cybersecurity strategy meet.
