RTC Conversation with Evelyn Lam: Security Architect & VP at Morgan Stanley
“RTC Conversations” is an interview series with mentors and advocates of Rewriting the Code. The series is spearheaded by two RTC alumnae Lucy Zhang, a software engineer at Apple, and Alice Chen, a software engineer at Two Sigma.
Evelyn Lam is a Lead Security Architect and Vice President at Morgan Stanley. We spoke with Evelyn over Zoom about her experience as a woman in technology.
L: Could you talk us through what you do at Morgan Stanley?
I am the lead of the Identity and Access Management Security Architecture team. My core responsibilities as a Security Architect include anticipating possible security threats, identifying areas of potential weakness in systems, and recommending ways to enhance them. In my day job, I make strategic and architectural decisions related to authentication, identity management, and cloud security. Outside of team-related work, I am also active in public speaking, teaching, and mentoring: I spoke at the 2020 Grace Hopper Celebration and InfoSec Finance Connect, teach several security courses from entry level to advanced at Morgan Stanley, and am actively involved in our campus recruiting in North America.
L: How did you get here from being a software engineer?
When I was a programmer, I was responsible for building a system that met all the functional requirements so that our users were happy. But I came to realize that one successful hack could potentially derail all engineering efforts. As a result, I was always vigilant and curious about edge cases and all the different ways one can break a system. As a Development Manager in Shanghai, I led global teams to implement enterprise-scale security applications, and that experience inspired me to pursue a career in cybersecurity. I then got a chance to relocate to New York as a Product Manager in Enterprise Security Platforms. In that role, I learned more about security products focusing on identity and authentication. More importantly, I worked with some talented security engineers who were subject matter experts. A few years later, I became a Security Architect.
L: Do you still get to break things as a team lead?
Sometimes. I consider myself both a people manager and a subject matter expert. Beyond supervising people and allocating resources, I like to inspire my team to identify risks and think about best strategies. In cybersecurity, you can never fix every single problem, but you need to understand the most important one and prioritize solving them.
A: Do you still have time to code? Or are your days full of meetings?
I don’t code anymore but do still create and assess security architecture designs. In the morning, I have meetings with people mainly in EMEA (Europe, the Middle East and Africa). Then, I meet with teams and clients based in North America. The best part of my work day typically starts after 3pm, when my programmer personality shines through as I focus on independent tasks. During this time, I like to do security assessments, learn about the latest security products the Firm is developing, read up on the latest security standards, and check out news about data breaches and security attacks.
A: You have a pretty international team! We also noticed that you worked in Hong Kong before relocating to Shanghai and now New York. How does the international aspect affect your career?
The work and company culture felt pretty consistent across different locations. Relocation affected my personal life more. For example, when I moved from Shanghai to New York, I was a mother of a one-year-old, had no family support around me, and was taking on a new role in my career. Mentorship from people who had had similar experiences helped my transition significantly.
A: What’s your favorite piece of advice from those mentors?
When you relocate, you’ll encounter lots of chaos at the beginning no matter how well you plan. So be confident, tackle problems as they come, and take the time to adjust. At the end of all that, you will become a new person.
L: What is one of the biggest challenges you’ve encountered in your professional life?
Early in my career, it was challenging for me to voice my opinion when I disagreed with someone more senior or experienced than me, or when I tried to push something new forward. My lightbulb moment was when I heard someone say that women should stop worrying about not being liked. That’s absolutely true. Nowadays, I’d rather worry about being slow to change or not innovative enough.
L: How did you build that confidence?
I voice my opinion after I’ve carefully listened to, incorporated feedback from, and built trust with everyone, and when I’m certain that my proposal is a solution that benefits more and compromises less. I also intentionally train myself to communicate my decisions and next steps as clearly as I can. As a result, people see me as a true leader rather than a facilitator, and I gain more confidence in myself.
A: Do you have any advice for RTC alumni like us in terms of career development?
Keep your eyes open, try out new things, and worry less about job security. Most people don’t know what they are good at or what they truly want at the early stages of their careers.
Invest your time in mentorship. Talk to people. Reach out to role models at your company or in a completely different industry, learn about their journeys to where they are today, and even schedule recurring chats so that you are forced to constantly think about and plan your own career.
A: Where do you see yourself in the future?
I believe cybersecurity will be increasingly important as more and more people migrate to the cloud. I would like to stay hands-on in security assessments, continue to advance my Cloud security profession, and give back to the industry by sharing my knowledge and experience at cybersecurity conferences.