Success Story Podcast

John Downey – Chief Information Security Officer at GoFundMe | Your Company Isn’t Safe From Hackers

Published August 3, 2023; last updated September 25, 2023


About The Guest

John Downey is the current Chief Information Security Officer at GoFundMe, where he plays a vital role in safeguarding the platform and ensuring the security of its millions of users. With an impressive career in the technology industry, John has held key positions such as VP of Information Security at Root and Director of Business Unit Information Security at PayPal. Prior to that, he honed his skills as a Senior Software Developer at Purdue University.

John actively gives back to the community. He is an enthusiastic contributor to open-source projects and generously volunteers his time and expertise for organizations like the Dystonia Medical Research Foundation, which strives to find a cure for movement disorders, and FIRST Robotics, an initiative inspiring young minds in science and technology. John Downey’s dedication to cybersecurity and his passion for positively impacting society make him a remarkable individual in the tech industry and the philanthropic world.

Talking Points

  • 00:00 — Intro
  • 02:52 — Genesis of a Cyber Guardian: John Downey’s Origin Story
  • 04:43 — Driving Force: John’s Security Path
  • 07:50 — CISO Trends in 2023
  • 10:23 — Taming Advanced Threats: SEC’s Role
  • 12:44 — Tech Passion Meets Nonprofit Purpose
  • 17:17 — Sponsor: Nudge Podcast
  • 18:01 — Nonprofit Vulnerabilities Exposed
  • 21:01 — Unraveling Human Errors in Attacks
  • 23:54 — Breach Recovery: Blameless Postmortems
  • 31:44 — Innovations in Security at GoFundMe & Classy
  • 33:18 — Sponsor: The Kelly Roach Show
  • 34:28 — Battling Beyond Human Threats: Perpetual Struggle with Advanced Threats
  • 35:43 — Trust & Transparency: The Key to NPO Success in 2023
  • 37:33 — Battling Cyber Threats: Classy and GoFundMe
  • 40:14 — Parting Wisdom from John Downey: A CISO’s Advice to the Audience
  • 42:10 — Connecting with John Downey: Socials and Websites
  • 43:10 — Defining Success: John Downey’s Perspective


Show Summary: From Security Leader to Nonprofit Crusader: One Man’s Mission to Protect Crowdfunding Against Cyber Threats

John Downey wasn’t satisfied with the traditional career path in technology.

After honing his skills at innovative companies like Braintree and PayPal, he landed a prestigious role leading security for all of PayPal’s major acquisitions.

But after years in the hypergrowth startup scene, John felt unfulfilled. He wanted his work to be about more than just business outcomes. He wanted purpose.

As John looked around at his older colleagues, he saw lifelong technologists who regretted decades of sacrifice. They lamented not having enough time for family, friends and passion projects outside of work.

John was determined not to let that happen to him. There had to be another way.

At just 30 years old, he refused to spend the next few decades chasing promotions and prestige.

John knew in his gut he wanted two things:

  • To make a positive impact on people’s lives
  • The freedom to work on fulfilling projects

And he set out on a journey to find an organization aligned with those two outcomes.

Along the way, John would dive into the nonprofit sector, take on the challenge of securing fundraising platforms from cyber threats, and protect the personal data of millions of donors worldwide.

His story is inspiring not just because of the security expertise John lends to prominent nonprofits. It’s the mindset shift that opened up new possibilities for combining purpose and technology.

John realized that doing meaningful work was first and foremost an internal search. Once you gain clarity on what fulfills you, others’ opinions fade into the background.

I had the honor of speaking with John on the Success Story podcast recently. In this deep dive article, we’ll explore key insights from his journey in John’s own words.

If you’ve ever felt disillusioned with chasing accolades and prestige, or you want to align your career with what matters most to you, John’s unconventional path will expand your beliefs on what’s possible.

Let’s get started.

From Startup Star to Seasoned Security Leader

John cut his teeth in the early 2000s building software and experimenting with cybersecurity vulnerabilities. He shares how an unexpected discovery put him on this path:

“The moment that kind of set me down this path was, you know, my like 12th or 13th birthday I went over to my grandfather’s house to you know kind of say hi to him and he gave me a $20 bill. On the drive home we stopped because we saw a garage sale and I grew up in the Midwest so very common to see garage sales all over the place. So we stopped, saw a garage sale, figured we’d browse around.”

At this unsuspecting garage sale, John found a Commodore 64 — an early home computer from the 80s. His parents only agreed to buy it because it didn’t have internet access.

But the computer came loaded with manuals and books, including one that would change John’s trajectory — How to Program Computer Games in BASIC.

John recounts the pivotal moment:

“It was just printouts of source code for games that you could type into the Commodore and get it to go and actually I’ve since lost the book but I went and found one on eBay years later because I wanted to keep that as a memento. But that’s kind of set me down this path like I was really interested in software and computers and this moment kind of solidified that I wanted to do something with computers.”

This early exposure to coding and hacking sparked John’s lifelong fascination with technology and security. In his teens, he began developing software and sharing it on early internet forums.

John recalls his first “bug bounty” experience after someone discovered a vulnerability in his code:

“Someone actually found a security issue in one of the things and they reported it to me and I thought that was so interesting. I really got into security for a while and then it I kind of flipped it around that I found like the most interesting security aspects to me were about software and bugs in software.”

From this foundation, John went on to study computer science and land a job as a software engineer at a promising payments startup called Braintree.

Little did he know at the time, Braintree would be acquired for $800 million by PayPal just two years later.

John suddenly found himself leading security for one of the largest fintech disruptors in the world.

He shares his rapid career ascent:

“I was the 12th engineer, 40th person in the company very small. I wrote software, wrote banking software, for you know and we were powering, companies like Uber and Airbnb and GitHub. So not small companies, very fast growing companies…but then I, you know, was kind of looking around going, you know, I saw this passion for security.”

John proposed building out a security team to the CTO. The CTO empowered him to make it happen.

Before long, John was leading security not just for Braintree, but for all of PayPal’s major acquisitions like Venmo.

He had quickly risen through the ranks to spearhead protection for some of the hottest startups in Silicon Valley.

But an important evolution was on the horizon. John was about to take his skills in an entirely new direction.

The Realization: Trading Passion for Prestige

During his 6 years at PayPal, John achieved tremendous professional success. He had become a cybersecurity leader at one of the most disruptive fintech companies in the world.

But with each achievement, John gradually realized prestige alone would never fulfill him. Life had to be about more than status and accolades.

He took notice of colleagues who had been in technology for decades. They were regretting so many years of sacrifice.

John reflects on this pivotal insight:

“At PayPal I ended up leading security for all their acquisitions, for Venmo, Braintree, Xoom. As well as, you know, some great experience. But towards the end of my time at PayPal I actually ended up feeling a little unfulfilled.”

He knew he wanted to focus his skills on something more meaningful. John just wasn’t sure what that looked like yet.

So after hitting a ceiling at PayPal, he decided to explore opportunities in other areas of financial services. John spent some time in insurance to get exposure to different parts of fintech.

But he quickly realized corporate life would never be the right fit. John wanted to feel passionate about the mission behind his work.

He explains why payments technology continued calling him:

“My passion is for payments and it’s weird to say but I kind of got really good at it. I learned a lot about how the banking system works, how messy it can be but how functional and in a lot of ways it is and how important it is.”

John hoped to find a way to stay in the payments space while also connecting to a cause he cared about.

Little did he know, an exciting opportunity was right around the corner. The perfect alignment of purpose and technology was closer than he imagined.

A New Path Revealed: Protecting Crowdfunding Platforms

As John searched for more meaningful work, he came across a nascent company called GoFundMe.

In just a few short years, GoFundMe had pioneered a powerful new form of payments — crowdfunding.

The platform allowed people to quickly rally funds for medical bills, disaster relief, charities and personal causes through online campaigns.

John was instantly intrigued by the social impact GoFundMe enabled. After years of facilitating commerce, this felt so much more uplifting.

But John also knew first-hand the security risks involved with payments technology.

GoFundMe had a massive opportunity to connect people and change lives. He wanted to ensure the platform could operate safely at scale.

John decided to take a leap of faith and join GoFundMe to head up their cybersecurity program. He explains his motivation:

“GoFundMe and Classy offer a way to kind of like for me stay in payments but also feel a lot better about what I was doing on a day to day. I was very fortunate to be at PayPal and kind of be acquired and be there during a terrific run-up in the company, kind of you know finances. But for me a lot of what I want to do is have the best impact that I can to help people out.”

In his new role, John could take everything he learned securing platforms like Venmo and apply it to safeguarding crowdfunding.

After years leading teams at iconic companies, John was excited to join GoFundMe in its early stages.

He knew firsthand the security risks innovative startups face as they rapidly scale. He wanted to ensure GoFundMe never compromised on protecting its community.

John recalls the fulfilling impact of his work:

“I used to joke with people like it wasn’t a day that I would go by that I wouldn’t leave, just crying about something because there’s so much emotion wrapped up in the site. There’s so many great stories, so many things that go on in the world and GoFundMe is a place where you can find that and you can find people to connect with who are in need and then you can help them out.”

After seeing GoFundMe thrive under his security leadership, John took on an expanded role overseeing protection for Classy as well.

Classy offered enterprise fundraising tools tailored specifically for nonprofits. Together, GoFundMe and Classy could provide critical infrastructure to power causes worldwide.

And John was determined to arm these organizations with cutting-edge security capabilities typically only Fortune 500 companies had access to.

By bridging his tech expertise with purpose-driven platforms, John had found the fulfillment he long craved.

Let’s explore the evolution of cybersecurity threats that makes his role so crucial.

When Cyber Attacks Started Affecting the Whole Company

For the early years of consumer tech, cybersecurity lived in relative obscurity. Most hackers were hobbyists probing at networks for a challenge, rather than malicious actors.

But high profile breaches in the mid 2010s marked a turning point. Corporate cybersecurity could no longer be siloed to IT teams. Entire companies would be held accountable.

John points to the 2013 Target breach as a wakeup call for executives:

“In 2013, there were a couple major retailer breaches — Target, Neiman Marcus. And that was kind of the point at which it became clear that a security incident was not just going to affect the chief security officer. It was also going to affect other c-level executives at the company.”

Hackers made off with tens of millions of customers’ payment card and personal details. Target’s CEO was fired as a result.

Soon after, the infamous Sony Pictures hack rattled Hollywood. Embarrassing company emails were leaked and films were leaked pre-release.

For the first time, cyber incidents had multi-million dollar impacts on revenue, reputation, and shareholder value.

This drew increasing scrutiny of how prepared organizations were. Security leaders couldn’t be lone rangers anymore.

John emphasizes collaboration is crucial as threats escalate:

“One of the things I always recommend to folks is the human firewall concept. Knowing that we could have the best security in the world but we still need humans out there helping us. It’s not just the security team’s problem.”

However, another seismic event in 2016 would reveal cyber risk extending far beyond profits and data. Sophisticated nation-state actors were getting involved, and they had their eyes set on the heart of American democracy.

When Cyber Attacks Became a National Security Issue

In the spring of 2016, the Democratic National Committee (DNC) detected unauthorized users in their systems.

They quickly assembled a technical team to assess the breach. What they found was unnerving.

The hackers had gained access to vast troves of emails, opposition research, and strategic planning documents. Sensitive communications between top level party officials were compromised.

It didn’t take long to determine the likely culprit. Metadata from the documents showed Russian language settings.

The Kremlin was orchestrating an unprecedented foreign interference campaign targeting the United States’ presidential election.

Looking back, John sees the DNC breach as a seminal moment for cyber conflict:

“Fast forward to 2016 you had the election interference and the hack of the DNC. That kind of it was another big aspect.”

Russia weaponized the stolen data, coordinating document leaks to exacerbate discord and sway public opinion.

This brazen digital attack on America’s democratic process marked a dramatic escalation. It made clear cyber warfare could threaten national security and geopolitical stability.

In response, governments are still grappling with doctrines of cyber deterrence, retaliation and norms. Partnerships between tech companies and public agencies have also strengthened.

For business leaders, the incident was a reminder that cybersecurity know-how would become an increasingly important skill. No field could avoid these emerging threats.

But just as awareness was growing about cyber’s prominence, an even greater upheaval was on the horizon — one that would force immediate action overnight.

When Working From Home Blows Open the Cyber Attack Surface

In early 2020, organizations in every sector were faced with an unprecedented challenge.

The COVID-19 pandemic was spreading rapidly. To curb contagion, offices needed to close and employees had to work remotely.

IT teams scrambled to enable virtual collaboration for workforces accustomed to centralized networks and on-premise systems.

Sensitive data and devices were on the move. Opportunistic hackers sought to capitalize on the chaos.

John explains how “the great remote work experiment” changed everything:

“Then you know fast forward to 2020 everybody went to work from home…This distributed model blew the doors wide open for attackers. You can no longer just secure the network perimeter and on-site devices. Cybersecurity was now everyone’s problem.”

Overnight, enterprise technology footprints exploded in scale and complexity. Every employee’s home Wi-Fi network was now a potential entry point into company systems.

Once internal systems were exposed on the public internet, the risks of phishing and malware spiked dramatically.

The overnight shift left security teams scrambling to gain visibility and control all while supporting a workforce struggling to adapt.

For many organizations, it necessitated years of digital transformation in just months. Cloud adoption accelerated and device management became even more critical.

John believes there is no turning back from the new normal of hybrid work:

“I don’t think you put that genie back in the bottle. The workplace has been transformed.”

In this distributed model, the risks John navigated at tech unicorns as they scaled globally are now ubiquitous.

With billions of records at stake, cyber preparedness can no longer be siloed to IT. Every business must make security a top priority to protect its future.

For the nonprofit sector in particular, enhancing cyber resilience is an urgent imperative. Especially when controversial causes provoke malicious actors.

Let’s explore the unique challenges nonprofits face on their security journey in John’s experience.

Bridging the Cybersecurity Talent Gap for Nonprofits

When John assessed the cyber risk landscape at GoFundMe, he noticed a concerning trend.

Most nonprofits were years behind the private sector when it came to security capabilities. Many still saw cyber protection as limited to passwords and antivirus.

But John knew their trusted brands and community-driven missions could make them prime targets. It was crucial to arm them with advanced safeguards.

He explains the motivation behind his move to crowdfunding platforms:

“On average, non-profits do not have the expertise that the for-profit business world has. I’m interested in this as a case study as to what made you want to move into the non-profit world.”

In GoFundMe’s early days, awareness of cyber risks among donors was also low. Back then, contributing to an online fundraiser was still novel.

If a breach damaged trust in the platform, it could derail the entire movement of online crowdfunding before it realized its potential.

John was determined not to let this happen:

“My goal here is to deliver help through whatever means we can. We’re providing that platform and I’m providing security for it.”

But he knew the standard corporate IT model would never work for most nonprofits. They lacked big budgets and dedicated security staff.

John reflects on the realities of working at resource-constrained organizations:

“A lot of charitable organizations, they live and die based on how much money they can raise every year. And most want to maximize dollars going to programs.”

This led John to get creative in his approach. He focused on ways to “outsource security” so these groups could punch above their weight.

Power partnerships would be crucial to uplift nonprofit defenses. Let’s explore John’s tactics.

3 Steps Nonprofits Can Take to Bolster Security Posture

While nonprofits face limitations around security expertise and funding, John believes there are paths forward.

He offers 3 best practices to address the cybersecurity skills gap:

1. Partner with IT consultants to implement security fundamentals

Very few nonprofits can justify a full time CISO. But technical partners can ensure the right controls and tools are still in place by offering security services and support.

John suggests common priorities like firewalls, endpoint protection, access management, and encryption should be table stakes even for 5 person nonprofits.

2. Conduct ongoing phishing and security awareness training

With staff wearing many hats and focused on delivering programs, basic security hygiene often gets overlooked.

Training is essential to build a human firewall alert to risks like credential theft and social engineering. Test them frequently with simulated phishing attacks to shore up weaknesses.

3. Develop incident response plans for proper reporting and containment

Despite best efforts, breaches still occur. Emergency response plans create clarity on roles, managing PR, notifying authorities, informing donors and recovering.

Tabletop exercises to practice response are invaluable for underskilled teams navigating a crisis.

While budgets are limited, John emphasizes nonprofits can partner creatively to maximize impact and protection.

What’s most important is getting adequate security embedded early before a preventable incident spirals out of control.

Now that we’ve covered nonprofit best practices, let’s discuss the wider cybersecurity trends John is observing from his unique vantage point.

Evolving Cyber Threats and Regulatory Compliance

As cybersecurity risks grow in frequency and impact, John has a front row seat to the latest attack trends from his CISO lens.

Some of the rising threats he’s tracking include:

  • Ransomware attacks paralyzing operations: Ransomware remains top of mind for security leaders, with incidents like the Colonial Pipeline attack disrupting critical business and infrastructure. Attackers are ruthless about exploiting security gaps to encrypt data and extort victims.
  • Business email compromise on the rise: Email scams that impersonate executives and request urgent money transfers lead to billions in losses annually as employees are manipulated into compliance. Strong awareness training is key.
  • API and supply chain vulnerabilities emerging: As businesses interconnect through APIs and third-party partnerships, one weak link can jeopardize the broader ecosystem. Vetting vendor security and pen testing APIs minimizes contagion.
  • Deep fakes weaponizing disinformation: Advances in AI like generative adversarial networks (GANs) allow creation of realistic fake audio, video, images and text. This expands the potential for highly targeted social engineering and privacy violations.
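
As an added illustration of the business email compromise signals described above (this is not code from the episode or from GoFundMe’s own tooling): a small Python triage script that checks a few constructed sample messages for an executive’s display name on an address outside the organization’s domain, a Reply-To header that diverts replies to a different domain, and urgent payment language in the subject. The organization domain, the executive names and the sample messages are all assumptions made for the example.

```python
"""Lightweight BEC (business email compromise) triage heuristic.

Flags inbound messages that show the classic signs of executive impersonation
and payment-fraud pressure. Everything below (domain, executive names, sample
messages) is constructed for illustration and is not real data.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                 # assumed: the nonprofit's own mail domain
EXECUTIVES = {"jane doe", "john smith"}    # assumed: names staff would instinctively trust
URGENCY_TERMS = ("urgent", "wire", "transfer", "gift card", "immediately")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list[str]:
    """Return the list of reasons a message looks like BEC; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reasons: list[str] = []

    # 1. A trusted executive's display name, but the address is outside our domain.
    if from_name.strip().lower() in EXECUTIVES and _domain(from_addr) != ORG_DOMAIN:
        reasons.append("executive display name from external domain")

    # 2. Reply-To silently routes the conversation to a domain other than the sender's.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("reply-to domain differs from sender domain")

    # 3. Urgency or payment language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    if any(term in subject for term in URGENCY_TERMS):
        reasons.append("urgent payment language in subject")

    return reasons


# Constructed sample messages (not real mail) covering the three signals.
SAMPLES = {
    "impersonation": (
        b"From: Jane Doe <jane.doe@example.net>\r\n"
        b"To: finance@example.org\r\n"
        b"Subject: Urgent wire transfer needed today\r\n"
        b"\r\nPlease handle this immediately.\r\n"
    ),
    "legit": (
        b"From: Jane Doe <jane.doe@example.org>\r\n"
        b"To: finance@example.org\r\n"
        b"Subject: Q3 budget review\r\n"
        b"\r\nSee attached.\r\n"
    ),
    "reply_to": (
        b"From: IT Helpdesk <helpdesk@example.org>\r\n"
        b"Reply-To: helpdesk@mail-example.net\r\n"
        b"To: staff@example.org\r\n"
        b"Subject: Password notice\r\n"
        b"\r\nReply to confirm.\r\n"
    ),
}


def triage_all() -> dict[str, list[str]]:
    """Run triage over every sample and map sample name to its reasons."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        verdict = "; ".join(reasons) if reasons else "no BEC indicators"
        print(f"{name:14s} -> {verdict}")
```

A heuristic like this is a complement to the awareness training the passage calls for, not a replacement: it surfaces the same cues staff are taught to notice, and a flagged message should still be confirmed out of band (a phone call to the executive) before any payment is made.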

To drive organizations toward better preparedness, government policy and regulation are also evolving quickly.

John expects to see expanded cyber reporting requirements:

“Increased regulations like proposed SEC disclosure rules aim to hold public companies accountable to take cybersecurity seriously. Fines and reporting requirements incentivize preparedness.”

He points to recent proposals requiring companies to disclose board expertise in cyber risk oversight. This pressures the c-suite and directors to get up to speed fast on threats impacting the business.

While controversy exists around more prescriptive cyber regulations, John believes sunlight is the best disinfectant. He explains:

“So far, companies have faced little fallout from breaches and lack of preparation. Their stock prices rebound, executives shuffle seats, and it’s back to business as usual.”

By increasing transparency and liability for executives, boards, and companies at large, stronger cybersecurity accountability is on the horizon.

For security leaders like John driving these efforts internally, it also lends more strategic importance to their function and voice at the leadership table.

Now that we have perspective on the cyber landscape, let’s discuss what success looks like for John and the mindsets that drive his ambition.

Redefining Success as Fulfillment and Making an Impact

Over nearly two decades in technology, John reached conventional markers of success like leadership titles and compensation.

But he’s always pursued fulfillment over lofty positions. John knew prestige alone could never sustain him long-term.

He measures success based on making a positive impact through his work. As John puts it:

“For me success is being happy with what I do — day to day — and helping make an impact.”

John found connecting his security expertise to platforms advancing medical treatments, disaster relief and other social causes much more rewarding.

Knowing his skills enable those life-changing efforts is the true driver.

But John’s motivations for pursuing meaning evolved over time as he gained perspective.

Early on, he focused intensely on ambition and achievement. John reflects:

“I think from me personally like the, I was very fortunate to be at PayPal and kind of be acquired and be there during a terrific run-up in the company, kind of finances.”

He was on the hypergrowth startup track focused on rapid career growth and absorbing as much wisdom as possible from luminaries like Peter Thiel.

But John gradually realized prestige alone couldn’t sustain him. He yearned for fulfillment through his daily work.

John’s career shows success is an evolving journey to align vocation with purpose for the long-term.

Financial rewards may be a byproduct, but pursuing security and technology solely for status or riches leaves one unfulfilled. Staying attuned to how your work connects to meaning is crucial.

For those leading people, John emphasizes the importance of empathy and psychological safety as well. He advises:

“Promoting psychological safety allows employees to promptly report mistakes so breaches can be rapidly contained. Otherwise, folks may try to cover up problems which only raises the severity.”

By building a blameless culture focused on learning, people feel empowered to raise issues early before they escalate.

With the proliferation of cyber threats, the coming years need more leaders like John blending compassion and conscience with technological expertise.

Let’s conclude by recapping key lessons from John’s perspective.

Key Takeaways: Top Security Insights from a Principled Leader

John’s journey offers inspirational lessons for security leaders and professionals at any stage of their career:

  • prestige alone does not yield fulfillment — find work aligned with your values
  • bringing empathy and compassion to leadership uplifts teams during times of crisis
  • nonprofits need creative “outsourced” security models tailored to constrained resources
  • never stop evolving your skills — combine expertise with purpose for greatest impact
  • ransomware, BEC, phishing remain prevalent — double down on security basics
  • increased regulation promotes transparency and executive accountability
  • blend security expertise with business acumen and communication skills
  • measure success by the positive impact created, not status or money

John’s story dispels the myth that to thrive in technology, you must silo yourself solely to STEM skills and climb the corporate ladder relentlessly.

By daring to bring more heart and humanity to his leadership, he shows how cultivating emotional intelligence multiplies your influence.

And when technologists connect their know-how to causes bigger than themselves, new levels of fulfillment emerge.

Here’s to more leaders heeding the call to leverage cyber skills for good, not just personal gain. Because defending the greater good unlocks the best in all of us.

What is the Success Story Podcast?

On this podcast, you’ll find interviews, Q&A, keynote presentations & conversations on sales, marketing, business, startups, and entrepreneurship.

The podcast is hosted by entrepreneur, business executive, author, educator & speaker, Scott D. Clary.

Scott will discuss some of the lessons he’s learned over his own career, as well as have candid interviews with execs, celebrities, notable figures, and politicians. All who have achieved success through both wins and losses, to learn more about their life, their ideas, and insights.

He sits down with leaders and mentors and unpacks their stories to help pass those lessons on to others through both experiences and tactical strategies for business professionals, entrepreneurs, and everyone in between.

