Last time, I had an excellent discussion with Keirsten Brager, a security engineer for a utility company. This time, I had the pleasure of speaking with Candy Alexander. She got into cybersecurity at least partly because of Kevin Mitnick.

Kim Crawley: Please tell me about what you do.

Candy Alexander: I am currently working as a vice CISO and consultant. That means I act in various capacities with clients depending on their needs to lead and guide them through the cybersecurity maze. Some clients I work with by guiding them through compliance and moving them to the risk view.

KC: Do you advise them on security hardening?

CA: Sometimes, but at a very strategic level. I advise them on putting together a security program based on their needs, such as compliance, risk and industry standards. I also work with how to get the business involved and help determine the level of acceptable risk.

KC: Are clients sometimes surprised by your advice?

CA: I have worked with security administrators to boards of directors. They're not really surprised; I guess I am surprised by that! I try to keep it in logical terms, and to that, they end up agreeing with the advice. Most times, when clients engage me, they know there's something that they should be doing; they just don't know where to begin. The trick is to break it down into small steps and grow it.

KC: Do you often work with a client's in-house security practitioners then?

CA: Yes, or the CIO or IT Director if there isn't a security practitioner. Yes, there are still places that don't have a named security person. Or should I say who are named but in title only. They are still doing an "IT" job. The main problem I run into is that companies still don't understand what information security or cybersecurity is. That's the biggest challenge – some think they understand but then don't allocate enough resources.

KC: Ah, money. I hear it can be very difficult to convince the suits to budget for cybersecurity.

CA: Yes, it is. They don't have a problem with IT budget allocation because they can see, touch and feel that. It's tangible. Cybersecurity is all about risk and ensuring that they don't see, touch and feel it. So, like the saying goes: out of sight, out of mind. Therefore, if you are doing a good job with cybersecurity and don't have the suits feel or see issues, then you don't necessarily get the money. Unless, of course, it is a risk-aware business like finance. They get it. They know the ramifications of not investing to mitigate risk. Other industries are often focused on spending and revenue, and it's hard to incorporate risk mitigation into that thinking. It is the age-old dilemma of information security. I've been in information security for 30 years and have had to deal with that return on investment issue for that long. Sigh.

KC: Yes, I always find that financial companies have the best security in the private sector. I have second-hand knowledge of that. How did you get into cybersecurity in the first place?

CA: I was working at Digital Equipment Corporation and we had been hacked by Kevin Mitnick. As part of the efforts to remediate that from happening again, they developed a really cool tool. I was working in a Learning Center and was asked to learn the tool and go around the country and teach folks how to lock systems down and use the tool. Seemed like a fun thing to do, and I was thrown into it and haven't looked back.

KC: Kevin Mitnick? The Kevin Mitnick? Whoa.

CA: Back then, security wasn't cool. I was then pulled into the data center to be a systems manager for a VAX/VMS cluster in VAX Engineering, and since I was the only woman, I had been asked to do security because no one else wanted to. Mitnick and his friend Lenny DiCicco broke in and stole the VAX/VMS V5.0 source code. It was quite the event and investigation. You should look the story up sometime. It was hell to live through.

KC: How did you get into the technology field? You were working at DEC when you got interested in security.

CA: Yes. I started out as a secretary for an engineering group. Then I went into the Learning Center. From there, they asked that I teach the new security tool to system managers around the country. Since I knew how to lock down systems and use the tool, the IT guys came looking for me to join their group. Then I became a part-time system manager and part-time security person for the data center. Once security got big, I went full-time and never looked back. Although I did have one manager who told me that security wasn't a career and I should consider dropping it.

KC: So, you were in an administrative role and your employers helped you become an IT professional?

CA: Yes, but not in a progressive way – more in a reactive way. It was more like being in the right place at the right time from my perspective. Remember, this was back in the 80s and early 90s. Young women didn't get into tech. It was me and my good friend Robin Wheeler who were the only two women in the area who were into tech.

KC: That's pretty cool. When you were a little girl, could you have imagined growing up to work with computer technology and advising companies on how to avoid cyber attacks? I was good with PCs as a kid, but I'd be shocked about my adult occupation.

CA: Absolutely not. But I had an unbelievable role model in my mom. She was a single parent raising four kids. She did what she needed to do and told me that I could do anything I wanted if I put my mind to it. I believed her. I strongly believe that you have to have an aptitude for cybersecurity. We are the "good guys" with social challenges.

KC: I can relate to the "social challenges" part. I have nonverbal learning disorder. Was your mother a feminist?

CA: Not necessarily. She just did what she had to do, to survive and keep us kids fed and housed. She was a remarkable woman. She volunteered in the Civil Air Patrol and made the rank of Major. That's something that women didn't do back then, so when she said I could do anything, I believed her because she was able to accomplish so much. I never experienced women having limits set on them. I didn't observe that. I just kept marching along and did what I wanted. That's why in the 70s when women were raising children and giving boys dolls and girls trucks, I think that was a good thing. It's our culture that's the problem, not our abilities.

KC: I remember being discouraged from pursuing a technology career because my Grade Five (Fifth Grade to Americans) teacher told me that you have to be excellent in math to even consider such a career. She thought she was encouraging me to improve my math. In reality, she was just discouraging me from thinking about a computer technology career.

CA: Yes, I know! That's one thing about technology and the aptitude for it. I was a horrible student. I hated school, I now know I have ADD, and I sucked at math. But I'm fascinated by computers and technology, so I learned the type of math that you needed to know to excel in tech. That's where we, as a profession, are missing the boat. We need to clearly define what are the natural aptitudes necessary to succeed in tech. It doesn't always have to come from IT; there are cross-career paths that would do nicely. Take program management, for example. There are a lot of program managers who would make it big in cybersecurity from the GRC perspective. But they are thinking that they need to know technology inside and out to be successful. And for GRC, that's not the case.

KC: Maybe there's a perception that IT is like rocket science or astrophysics.

CA: I think so! Seriously. I think that is why we have a problem with businesses not understanding our roles. There are too many misperceptions out there. When you think about it, our profession is that of a reaction to our environments. At Digital, Kevin broke in, so we had to react to that and lock down systems. I was tapped to do that – there was no career planning, no analysis to say what skills were needed and where I go from there. Even the certifications are a reaction. ISC2 was formed after a few years of security pros being out there and understanding how important the job is and that there should be some level of assurance that people know what they are doing. That is why I have been pushing through my work with the ISSA to define our profession. Not by the security training industry but by us, the professionals. What is it we need to do our jobs? Knowledge, skills, aptitudes. And to build a framework for that that isn't rigged because each job is affected by environmental variables. Right?

KC: I agree completely. And also, quite frankly, when employers in our industry whine about a "skills gap," that really pisses me off. You are very fortunate to have had employers help train you to take on new roles.

CA: I agree. I truly believe it has a lot to do with the security training industry pushing that agenda.

KC: The companies that sell courses on how to pass IT certification exams?

CA: Yes, I am very fortunate. That is why I feel obligated to give back and help others. We as a profession need to educate businesses on what our jobs are. We need to define cross-career skills and convince businesses to look beyond IT and infosec for people to fill those jobs. Don't get me wrong, I support and believe in training; it's just that I believe we need to define what we need, and then the training companies provide it. Not the other way around. That's a very dangerous model.

KC: I think another factor is employers having really unrealistic job postings (must have 10 years of experience with Windows 10!) so they can turn to government and say, "Hey, we couldn't find any qualified domestic job candidates, we need a foreign worker who we can pay $1.00 per hour!"

CA: Yes, which is terrifying! But employers who list an "entry level" position that requires five years of experience are just foolish. It tells me that they don't know what they are talking about and don't know our jobs.

KC: A lot of employers have zero interest in paying for any sort of training. I see that as a cybersecurity problem when companies don't have well trained staff to deal with rapidly evolving cyber threats.

CA: Yes. That goes back to a cultural thing. They are slowly learning that without investing in their people, there is no loyalty. And with security folks, we are getting calls like crazy. That goes back to the ROI conversation. Companies don't know how to allocate budgets. This conversation is making me realize that we, the profession, need to have a louder voice and leadership to work with business to educate them on these issues.

KC: What are the types of people and professional experiences outside of IT and computer science who make good candidates for being trained for cybersecurity jobs?

CA: Data analysts, program managers, people good at computer games, anyone with a good appetite to learn.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute's CISSP and CEH certification exam preparation programs. Ever since, she's contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.