Building More Than Just Security: A Conversation with Paul Connelly
Anyone who has had the privilege of knowing Paul Connelly knows he’s more than a leader—he’s a mentor, an ally, and a genuinely good human. As the first-ever CISO for the White House and a key figure in shaping cybersecurity at a Fortune 100 company, his career is legendary. But what truly sets Paul apart is his dedication to lifting others up—he hasn’t just built security programs, he’s built people.
He has mentored and championed so many—myself included—helping us grow, break barriers, and step into leadership. His impact extends far beyond the organizations he’s led; it’s reflected in the people he has empowered. In this conversation, Paul shares his extraordinary journey, his philosophy on leadership, and the power of allyship in shaping a more inclusive future.
The Path of a Trailblazer
Your career has been nothing short of extraordinary, from being the first CISO for the White House to serving as CSO for HCA Healthcare. What inspired you to pursue a role in cybersecurity, and what were some of the pivotal moments in your journey?
Thank you, I have been fortunate to be in the right place at the right time – four times over! I wish I could claim to have had some strategic vision forty years ago for how cybersecurity would evolve, but candidly, I fell into our field by chance and developed a passion for it that continually grew as the field evolved.
I have degrees in Agriculture and intended to pursue that field (no pun intended). Jobs were scarce when I graduated, and through a strange twist of circumstances I landed an offer from the National Security Agency. I had never heard of it - back in 1984 the government did not acknowledge the NSA existed (we used to say NSA stood for No Such Agency). They offered me a job in a new area called “Computer Security.” Once I started, I realized I’d found a calling. The noble cause of protecting people and our country, the challenge of trying to beat bad guys, and the rapid rate of change all connected with me.
The most pivotal moment of my career was when my supervisor at the NSA asked me to take a temporary external assignment at the White House. I really did not want to and had a much safer position lined up, but my boss had confidence in me and her push to do it changed my mind. That assignment led to me getting the incredible opportunity to build the first InfoSec program at the White House two years later, and put my career on a whole different trajectory.
That experience taught me the importance of leaders seeing the potential of their people, actively finding them opportunities, sometimes giving a gentle nudge, and then helping them succeed.
As a pioneer in cybersecurity leadership, what were some of the most significant challenges you faced, particularly in shaping an industry that was still in its early stages of development?
When I started, there was no Internet or CISOs and cybersecurity was not even a word. We were mostly worried about the Soviet Union intercepting our communications. In the nine years I was at the White House, the USSR went away and the Internet and mobile devices arrived – changing our world and our security needs completely.
The biggest challenges I faced then are unfortunately still familiar today – educating and convincing leaders of the risks, getting the workforce and third-party partners onboard, and getting the resources and support to make security an integrated part of the business strategy. Convincing people that security is important was much harder then, and I learned to be a security evangelist and partnership builder.
Evolution of Cybersecurity
You've witnessed the industry grow and evolve over decades. How has the field of cybersecurity and risk management changed, especially regarding diversity, inclusion, and opportunities for women?
In the early days pretty much everyone in information security came from IT, which had a very high percentage of males, resulting in Information Security being very technology-focused and mostly staffed with males.
Since the early 90’s, security has emerged from the dark corners of the data center and become more business-centric, and along with that change – more diverse. Like every other area of business, we have learned that having more and broader perspectives and ideas leads to better solutions. Building the best and brightest team means building a diverse team.
The Role of Mentorship
You are known for being an incredible mentor, selflessly helping others grow and succeed, including myself. What drives you to invest so much in mentorship, and how has that shaped your legacy in the industry?
I have been the beneficiary of great mentors and supervisors throughout my career, so I learned from the start that the development of others is a critical responsibility of a leader.
I have had so many outstanding people on my teams; helping them find and develop their talents, and giving them opportunities to grow, made our programs (and me) better.
It is incredibly gratifying to see someone soar! Having 39 members of my teams become CISOs is one of my biggest points of pride.
As someone who has mentored countless professionals, including women like me, what do you see as the key barriers women face in advancing in cybersecurity? How can leaders and male allies work to remove those barriers?
I have seen women have to break through barriers of acceptance and credibility in the work environment that men did not have to deal with, and also overcome internal barriers of self-doubt. In every role I had at NSA, PricewaterhouseCoopers, and HCA Healthcare, I worked for fantastic women leaders and together with remarkable women on my teams. I also have three sisters, my wife, four sisters-in-law, and a daughter who are all incredible - so it is hard for me to fathom that double-standard.
Our cybersecurity adversaries come from all over the world and all walks of life, and they are looking from every angle to find ingenious new ways to crack our defenses. We cannot allow homogenous thinking and must be just as diverse in how we look for edges to defend against them. Diversity makes us better.
Leaders must be deliberate – creating a culture of mutual respect in their teams, finding and developing diverse talents, and giving everyone opportunities to grow. Sometimes that means taking the risk of giving a stretch assignment to someone, sometimes that means giving someone a gentle nudge forward (like my boss at NSA did for me), and sometimes that means that leaders need to take a step back to allow members of their team to step forward.
Lastly, leaders and male allies should not just passively support diverse candidates for opportunities, they should actively sponsor them – work on their behalf to find good opportunities, vouch for them, and help them succeed.
Lessons in Leadership
What lessons have you learned from working with women in cybersecurity? How has their perspective influenced your approach to risk management and decision-making?
Most of my bosses across my career have been women, and I have had outstanding women and other individuals who bring diversity in key roles on my teams at every stop. They have taught me to view differences as a positive and be intentional in choosing to work with people who don’t think like me. I have seen the value of applying as many ideas as possible on every challenge.
Building Diverse Teams
In your experience leading cybersecurity programs for high-stakes organizations, how does diversity—whether in gender, thought, or background—impact the effectiveness and success of a team?
Imagine you are looking for something in the dark. With one flashlight you could easily miss it or may eventually stumble upon it, but if you have a bunch of flashlights shining from different directions, you are going to see a bigger and clearer view. That is how I think diversity benefits a leader and their team – it brings different perspectives and backgrounds that shine different lights on every problem and illuminate better solutions.
Future of Cybersecurity and Emerging Trends
With your extensive experience and perspective on the field, how do you envision the future of cybersecurity? What emerging trends in cybersecurity and technology do you believe will shape the industry in the coming years?
The biggest shifts I have seen over the past twenty years are the need to balance between technology and business acumen, and the growing strategic role at the senior leadership and boardroom tables.
Obviously, the threats are always going to advance, and so will the defenses (e.g., use of AI). Apart from that continual evolution, tomorrow’s cybersecurity leaders must be business leaders – speaking the language of the business, aligning their program with business goals, adept in the boardroom, and eventually serving on boards.
Not Truly Retired
Even after stepping back from your full-time roles, you're far from retired. From serving on boards to sharing your wisdom through platforms like Cyber Tuesday, you’ve continued to inspire others, including me as I founded Tech She Secures. What motivates you to keep giving back, and what are your goals for the future?
There is still so much room for improvement in our field; I do not feel “done” and want to keep contributing. I am hoping to continue to advance our field by mentoring and coaching upcoming leaders and by helping blaze the trail for CISOs to move to the other side of the table and serve on public company boards.
Despite the huge role of technology in growth and risk for most companies, very few boards have directors with the been-there-done-that experience in cyber and technology of a CISO or CIO, and that is a limitation on boards’ oversight. I serve on one private company board and am a technical advisor to another, and my expertise and perspectives prove to be valuable in every single meeting – and in many areas beyond cybersecurity. Most boards have deliberately pushed themselves to become more diverse in their member composition - they need to consider skills composition, too. I hope to help make that happen as the last act of my career.
A Reflection on Impact
Tell us about the 'BADdest' challenge you've taken on in your career—the boldest, most authentic, and driven moment you're most proud of—and how it shaped you.
(Long story) In my last CISO role, many years ago we had a former employee living in Florida find a work USB thumb drive at home, and with the best of intentions, mail it back to their former supervisor. A ripped, empty envelope with what looked like rubber tread marks arrived, postmarked in Gainesville, FL. We determined the missing USB stick contained data from a cancer research study involving several thousand patients. The state of the envelope made us guess the postal service machinery had ejected the drive from the envelope, versus it being stolen, and we hated the thought of notifying and adding another worry to patients already dealing with cancer.
We got the exact make of USB drive from the sender, and bought 25 of them, packaging them the exact same way, and I flew to Gainesville with the goal of finding the USB stick or mailing the 25 letters to prove it was lost in the postal service machinery.
I went to the USPS sorting center wearing an orange and blue Florida Gators tie, met with the Postmaster, showed her our empty envelope, and explained our situation. She looked at the envelope and immediately confirmed that their machinery had likely ejected the USB drive. Then she explained their strict handling of objects ejected from envelopes by their machinery (held for 90 days in secure storage and then incinerated). She also mentioned how those objects foul up their machinery and can halt their processing. Thinking my problem was solved, I asked if I could search their collection of ejected objects for our drive – to prevent having to notify and frighten several thousand cancer patients. While she was sympathetic to our issue, the Postmaster said, no – no one outside the USPS team is allowed in that area.
I tried my best to change her mind, but she was rightfully a stickler for the rules, and finally said the conversation was over and I should leave. I am not sure what difference I thought it would make, but I refused and said, “I’m not leaving until you let me search for that USB drive.” That bold idea failed miserably when she said she could arrest me if I did not leave. So, my last gasp was to show her the twenty-five envelopes with matching USB drives in my briefcase. I said, “Did you say this kind of stuff messes up your machinery and halts your processing? If I can’t search your lost items for our drive, my alternative is to mail these twenty-five letters with matching USB sticks from random mailboxes all over Gainesville, so we can at least prove our theory that the drive was lost within USPS control and not stolen.” She was really unhappy about that and I thought I was going to be arrested, but after a moment of thought and a phone call, she had three people escort me back to a secure storage room with a 50-gallon drum full of pens, jewelry, coins, and thousands of other things that had come out of envelopes people had tried to mail. They dumped it on the ground and gave me ten minutes to search, while they watched every move I made. I found a matching drive in less than five minutes. I plugged it in and verified it was ours!
What did I learn? Think out of the box, stand your ground, and be relentless - do not give up until you have tried every angle.
A Message for Tech She Secures
Tech She Secures is about inspiring people to fearlessly pursue their passions and break barriers in tech. What message do you have for my readers, especially those navigating challenges, aspiring to leadership roles, and striving to make an impact?
If an Ag major can become the CISO at the White House and a Fortune 100 company – anything is possible. It is not about what school you attended, your race, your sex, or where you are from – it is about having passion for the mission, finding where you can make a difference, developing your skills for collaborating with others, and then being relentless and out-working everyone else.
Closing Reflections
I met Paul a few times over the years and was always impressed by his leadership—his humility, his wisdom, and how well-respected he is by those who’ve worked with him. It took me a while to work up the courage to ask if he’d mentor me. When I finally did, he said yes without hesitation—and that simple yes changed everything.
Tech She Secures wouldn’t exist without his encouragement, guidance, and generosity. If there’s one thing I’ve learned, it’s this: never be afraid to reach out to the people you admire. More often than not, they’re happy to share what they’ve learned and help you grow. If you don’t ask, the answer is always no—but if you do, you might just find someone who changes the course of your journey, just like Paul did for me and so many others.
Maliha