Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast where the world talks security.
Kacy Zurkus:
Hello, listeners, and welcome to this installment of our RSAC 365 podcast series. This month's theme is professional and workforce development. And today, we're joined by Cassie Crossley, who will be talking about the different cybersecurity jobs that are available even for those folks who don't have a cybersecurity background. Think about those transferable skills and in just a moment, I'll transfer the mic over to Cassie to introduce herself, but first I want to let you know that here at RSAC we host podcasts twice a month. And I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. And now, I'd like to ask Cassie to tell us a little bit about yourself before we dive into today's topic, Cassie?
Cassie Crossley:
Thank you for having me, Kacy. I have been in the technology industry for a couple decades. I am the Product and Systems Security Director at Schneider Electric and I have primarily been on both the IT and the R&D side of the house. Starting originally as a software developer and then progressing into project management, and for the last five-plus years in cybersecurity.
Cassie Crossley:
I love working for Schneider Electric, we are a 25 billion Euro company with 135,000 people around the world. We are a leader in energy management and industrial automation and I want to just talk more about what brings cybersecurity into the normal everyday workforce because we're seeing it so much more on the news every day.
Kacy Zurkus:
Yeah. And we certainly are and I was looking through LinkedIn this morning and Chris Cochran, who has a great podcast was talking about he had created his sort of podcast channel for that same reason, just to make cybersecurity more accessible to people. Make it something that we understand because it is so much really a part of our everyday lives. But the word cybersecurity can sound a little bit scary and off-putting to folks that aren't really in the industry. And I think that's largely because people don't really understand what the roles within cybersecurity are. So I would love for you to maybe share a little bit about what those classic cybersecurity roles are when we think of cybersecurity jobs like testing analyst, architect, engineer, incident responder, those sorts of things.
Cassie Crossley:
Yes. I think when people think about cybersecurity, they do tend to think about chief information security officers and all the folks that might be underneath that or in the side that I'm now on in the product security. And we have so many people that have excellent skills on, let's say, analyzing where threats happen in cybersecurity if somebody enters the network or let's say that they've created some malware and released it into an organization. We also have, when you're building products, you have specialists who can do the design from an architect standpoint and then test the products or software so that they can look for any kind of cybersecurity vulnerabilities.
Cassie Crossley:
And a lot of that background, some of the certifications maybe such as CISSP or they may have taken their current skills and really honed it so that it is very specific from a cybersecurity aspect. But as larger organizations and as cybersecurity continues to evolve, definitely seeing other areas that can augment those highly specialized skills such as penetration testers and incident responders.
Kacy Zurkus:
Indeed, a lot more sort of the softer skills being integrated into more traditional role to create new opportunities. And certainly, the testers, the analysts, the architects, those are the traditional roles that really come to mind when we talk about cybersecurity or even information security, which cybersecurity evolved from, right? But the industry has really grown to be much more expansive and inclusive of, like to your point, a wider variety of responsibilities. Many of which are not really technical at all. So can you talk a bit about the ways that job titles have grown and how multiple backgrounds and diversity actually increase and strengthen cybersecurity organization?
Cassie Crossley:
Absolutely. If you see a title saying security or cybersecurity on somebody's role, you really don't know their full background and maybe even what their role is. And what we're finding is, is that, especially I would say about four or five years ago, around that time, it was highly technical and specialized but we needed to be able to communicate what, let's just say, the average corporate individual user or end user needs to do. And so we began to see some training and awareness. I think most companies operate now some phishing campaigns. That was the first step into it.
Cassie Crossley:
But from a title standpoint, what do you call those people because they're not necessarily security experts. They work in a security organization and cybersecurity organization. So understanding how you blend the two job titles has been important. So while we... There could be somebody who might be a security analyst, they may be in the same department as a security analyst, but that's certainly not their role. So we've been trying to adapt to kind of combine some of the titles together to show their previous roles and also that they're focusing on those cybersecurity topics so that we're not labeling somebody as an analyst and giving false expectations as to what that role is really supposed to be.
Kacy Zurkus:
Yeah. I remember a few years ago (ISC)², one of their reports came out and they were highlighting the security champion, right? Which was sort of an offshoot from the security awareness campaign, but across the silos of an organization, there was within one sector a person who was sort of the go-to point for all things security, right? So even within the marketing or the HR department, there's someone who understands a little bit about how security matters to their department and can answer those sorts of questions for their colleagues.
Kacy Zurkus:
So let's maybe dive in a little bit deeper beyond just the job role and the description and look at real career paths that people have traveled on because I think one common trajectory for some marketing folks has been to move into that security awareness training because they understand that sort of mind and psychology of how people consume information. So can you share perhaps your own pathway to cybersecurity and even some of those of your colleagues at Schneider Electric?
Cassie Crossley:
Absolutely. As I'd mentioned earlier, I come from a software development background, so I do come from a technical background. But I moved into areas such as technical communications. I really enjoyed the people aspect, so I began leading communication and training teams for technical types of product lines and for, let's just say, software in general. And then I moved into project and program management where I was leading the dev teams through the project, both on maybe an R&D side or an IT side and getting full exposure and I've moved into different roles.
Cassie Crossley:
I actually started with cybersecurity back in the '90s when I worked at McAfee, but it wasn't called cybersecurity at that time. With the different roles that I've had though for project management, being aware of what was necessary to secure the areas when I worked, for example, at Ceridian, where we were of course, wanting to not only ensure and secure products for the different HR payroll systems, but also when it came to different requirements and compliance and regulations such as HIPAA and [GAP 00:09:16] and SACS.
Cassie Crossley:
So there were a lot of things that built up into cybersecurity so that when I took the different positions that I've had at Schneider Electric and then went into this CISO organization, I went into it as a program manager leading Crown Jewels and some other topics and other programs that we had. And so I brought all of that experience I had and brought it into the cybersecurity space, picked back up on the current cybersecurity topics, and then several years back moved over onto the product security side. We have a large portfolio of products, and we have a product security organization. And with the background that I have of R&D and developing software throughout the many decades, it has been really important to be able to take that background I had and apply it and understand really what the folks are doing in their current roles and how they can bring cybersecurity and secure topics into the secure development life cycle and all sorts of areas. So that's how I personally have brought all of my background and experience over to this field and made it a really combined force.
Cassie Crossley:
On my teams and throughout our organization as we've been building this, some of the skillsets that we've needed and talked about it just a moment ago about the training and awareness, having true change management, it's more than just phishing, especially on the product and application security side. Being able to provide information, we have a large portfolio of training, and we need to be able to communicate changes to processes, what's happening in the industry, if something happens that we need to be aware of. So we have change management on our staff, and so someone with a background also in communication similar to mine. But also as a business owner she was a consortium leader, a tech pubs manager, and coming into cybersecurity change management, bringing all those skills. But also bringing a new knowledge that cybersecurity and looking at it from an outside perspective because cybersecurity is not something that everybody has decades of experience with. So having that fresh view of, "I need to be able to understand this and relate this to everyone," is important.
Cassie Crossley:
And the same with some of the other folks in my organization. We've got project management so rather than just being a standard project manager, somebody who learns that cybersecurity aspect of it. So cybersecurity project manager is a natural evolution and I think we'll see that more and more where they're focused on those topics, such as releasing and deploying identity access management in certain cases like updating code signing platforms. And then we've got other areas and I think we're all familiar with the audit aspect and we've seen auditors and especially regulations. You might have somebody affiliated with maybe setting up your FedRAMP, but on our organization wanting to make sure that the secure development life cycle process is... There's a lot of different pieces to that.
Cassie Crossley:
So having somebody with that background to understand processes is bringing somebody on my team again with no cybersecurity background, but that has a Six Sigma Black Belt. I personally am also a Six Sigma Black Belt and bringing that process focus in and then applying and learning cybersecurity aspects is important. So it really requires somebody with a desire to learn cybersecurity, but also bring their skill sets in because it just really rounds out the organization.
Kacy Zurkus:
So I see a lot of job titles come in in hundreds of speakers that we have at RSA Conference, cybersecurity change management is not one that I've seen before. Can you just explain a little bit about what that role is?
Cassie Crossley:
Yes. It can cover many different topics, so we consider it an internal communication type of role. And so some of those areas are leading the training plan and the training development organization for the product and application security. With all of the different trainings available, understanding secure software concepts, and then into testing. So for example, how do you do proper testing for specifically cybersecurity and security topics, working with the penetration testing team to be able to deliver more of the ground level information to the standard validation and verification teams, the V&V teams for security test cases, being able to understand and relate how to handle vulnerabilities that may come in.
Cassie Crossley:
So let's say a vulnerability is released, and it could be as part of one of the core systems or one of the core libraries, how do we respond to that? Or a researcher comes and says, "There's a vulnerability in our system." It's not something that, especially when you have a R&D audience of over 10,000 people, it requires you to accept that not everybody's going to be trained in everything so there needs to be some ad-hoc and on-demand. Another item is that specific, we need immediate release of certain updates or communications to the internal population, what's the best method. So having that experience as internal communications and being able to relate it is really, really important. And I think, again, we've seen it on the CISO side where some of those folks lead phishing campaigns where they're dealing with the entire audience, but when you're working with specific populations, it's really important to have somebody who's communicating directly to that audience and receiving feedback from that specific audience, which in our case is a lot of R&D.
Kacy Zurkus:
Yeah. So, you know, I've heard and this is sort of common conversation when we talk about the skill gap, right? That the job descriptions are looking for the purple unicorn and they're sort of overwhelming and people just feel like I don't have a lot of skills. I can't apply. I'm wondering if perhaps one of the greatest obstacles to people who want to get into the industry, that job description aside is really that sort of self-assessment of what skills do I have and how can those skills transfer from my current role or even my former role into this potentially interesting cybersecurity job? So can you share with our listeners how they can sort of evaluate, assess, use their own skills to transfer into a new cybersecurity role?
Cassie Crossley:
If you're currently at a company, no matter what the size, it could be smaller or larger, being able to have the conversation and look at yourself to say, "This is my skillset. How could I apply it?" You would first vocalize that. Being able to talk with your leadership, your HR, saying, I have this desire. I want to pursue it. I'm reading more, I'm taking classes. You might have different things that you might be exploring, but I want to really focus on this piece of it by applying what I currently know into that space. So saying to somebody specifically, I have a passion for cybersecurity. I have been doing this and I'd like to look for roles that will allow me to utilize and develop further. That aspect of it is really important. I have people come to me weekly, monthly that are saying, "I really want to get into cybersecurity. I'm not a fit for this role. What do you see?" And we have that almost mentorship conversation to talk about what they could do to really broaden what they are doing into role.
Cassie Crossley:
So I absolutely believe that talking to the leadership in your company and expressing that interest, you can say, I'll do this on the side. You know, give me something 10%, 20% of the role so that I can help you and also be able to learn as I'm doing. So I think that, that's one of the greatest activities that you can do no matter if you're in a company of 20 or in a company of 200,000. If someone's in school and I've done some mentoring for students before.
Cassie Crossley:
Now, there's almost too many different paths, which is ironic because it used to be, you couldn't find anything related to cybersecurity. There are, for example, if you are on a business major or something, there are some IS classes, some Information Systems classes, and just some general cybersecurity policy classes that you could take. You can explore your school, or you could look on different sites like Udemy or definitely explore all the great content through RSA for learning different topics, where you might want to focus your attention either by modifying your degree, adding in a specialization, adding in a certificate, or just expanding it to a certain area where there may not be a lot of movement.
Cassie Crossley:
One thing I didn't mention earlier is that, with all the new cybersecurity executive orders, all the new topics on policy, there is a lot of activity for those that may not be on the side of cybersecurity, on the technical space to work on the policy space, or if they're interested in a legal aspect, focusing more on cybersecurity. So if you're looking at that and then that timeframe of school, that's something to consider. If you're not on the technical track, if you're graduating soon, looking at your LinkedIn contacts and different areas and different organizations that focus on cybersecurity, for example, if you are a technical, but you haven't started, if you're a software developer or something of that route, you could go to different organizations that really look at cybersecurity.
Cassie Crossley:
Again, RSA has a lot of trainings and definitely conferences that are wonderful to attend. There's OWASP, there's different areas and different groups like BSides which focus some on application and product security or there's different organizations for ISC, which could handle more of the IT security. But if you're again, not on the technical space, I would definitely look at the larger conferences such as RSA, where you can see a flavor and attend different talks. You can understand what's your passion better so that you can help focus that. And then by looking again on LinkedIn, reach out to some people out there.
Cassie Crossley:
And if you want to change the company that you're working for, let's say you've been in a company and you've done certain roles, but you want to apply to a cybersecurity job, don't be afraid to go ahead and apply. I know most of these jobs that'll say CISSP-required or this required, or this required, never be afraid to apply. We now know that some of those engines will reject. Try to reach out to the recruiters, reach out to some people in that organization, security people definitely in the industry, reach in through LinkedIn, again, to them asking them about it. But don't stop yourself just because you don't have all this long list of certification, because it's really, again, more in many cases about the passion and the focus. And I really think that you can cross that bridge and really make it one of your own. It's such a growing industry. There's really no limits at this point.
Kacy Zurkus:
It's interesting. I have... You know just listening to you reminds me of conversations that I've had with a friend of mine who is quite happy in her current position, but she often will apply for jobs just to see and her philosophy is why not me? And even if she's not qualified, she looks at it and says, "Well, why not me?" And I admire that confidence so much, right? Because I think to the point of the question, a lot of times people feel like I can't, it couldn't be me. I'm not enough, but really, you know the job descriptions are flawed in themselves. The search engines are flawed and to your point, there are ways that you and the skillsets that you bring are qualified. And I love that advice of have a conversation to ask if you can speak on 10, 20% of that role and learn while growing, right? Like there are definitely ways to turn that around and say, "Yes, definitely me." And that makes total sense. I love it.
Kacy Zurkus:
I certainly feel completely inspired and perhaps someday you'll even see my resume come across your desk and think, "Oh, I remember that podcast I did with her." And know that you helped me get to there from here, but not that I have any technical prowess whatsoever. So I'm slightly joking with you, but, you know, I think your advice matters and reminding folks that it doesn't have to be as black and white as the description that you read for a job. So before we wrap up, I would love to hear from you any parting words of wisdom that you might have additionally to add for our listeners.
Cassie Crossley:
Well, I'd probably have had over my experience, so many different roles and titles. And from a perspective of my own it's what job am I going to love doing? And that's where it's been driving. How can I use my skills to better the company that I'm working for? And I think that, especially with cybersecurity, the passion I see what people spend time doing on their own learning on their own it's because it's what really drives them. I think that that matters so much.
Cassie Crossley:
You know, part of it is that focus and attention because you feel like you're doing something that betters society, betters your company that has a lot to do with it. So I don't want people to stop themselves or say, "Well, I'm just not the right fit." Because if this is what you love, this protection aspect that we feel and the passion that we want to improve what we're building, to make the world a better place that really is what is key in my opinion to great cybersecurity. It's not every little technical detail, it's what you do with it and how far you're willing to go for it.
Kacy Zurkus:
I love it. Cassie, thank you so much for being here with us today, lots of great advice. Listeners, thank you for tuning in. A reminder that here at RSAC we host podcasts twice a month and I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. Interested in being a guest on one of our podcasts? Visit rsaconference.com/become-a-contributor to learn more. Thank you so much for being here today.