Name: Dawn Cappelli
Title and company: VP Global Security and CISO, Rockwell Automation
Number of years in the information security industry: 18
RSAC: What was your first job in the infosec industry?
I started working at Carnegie Mellon University’s CERT Program one month before 9/11. I was hired to help the U.S. Secret Service to protect the Salt Lake City Olympics from cyber attack. What a way to enter the cybersecurity field!
RSAC: If you weren’t working in the infosec world, what would you be doing?
I can’t imagine doing anything else! I feel like this is what I was destined to do – I didn’t plan to be here but my career path has propelled me on an interesting journey!
RSAC: What does the RSA Conference 2019 theme of “Better” mean to you?
Some security issues are so overwhelming that we are tempted to just procrastinate and not address them at all. We need to keep working at the hard security challenges one small chunk at a time – keep getting better every day.
RSAC: What is the biggest challenge facing the infosec industry right now?
I’ll focus on one of them because I am living it every day at Rockwell Automation and with our customers: OT security. OT is operational technology – manufacturing and industrial control systems (ICS). NotPetya was a wakeup call for OT security, as it was the first cyber attack that had widespread impact on OT environments – specifically in manufacturing. Many companies with large OT environments had traditionally given their CISO responsibility for IT, and OT security was the responsibility of their OT – or manufacturing – engineers.
Since NotPetya I see CISOs increasingly being given responsibility for the entire ecosystem: IT, OT, and the connections between them, including the supply chain. These CISOs need to apply tried and true security strategies from IT to this expanded ecosystem, including use of the NIST Cybersecurity Framework to develop a holistic strategy. This is a new frontier, with new technology emerging for OT security that provides OT asset inventory management, detection of OT security alerts, and integration of those alerts into IT cyber defense tools. It’s a very challenging time, and critical to the protection of global critical infrastructure.
RSAC: Complete this sentence: 2025 will be the year of __.
Women executives in ICS security. I am frustrated by the lack of women in the cybersecurity field – especially in manufacturing and industrial control systems. I currently am hiring a director with OT security expertise, and I have not had a SINGLE female applicant! I’ve reached out to colleagues across the industry, posted it on a LinkedIn forum dedicated to women in cybersecurity, and no luck. I am now committed to helping to build that pipeline of women in our industry so that by 2025 we will have a plethora of women qualified for industrial control systems executive cybersecurity positions.
RSAC: Over the years, how has your focus changed?
I’ve expanded my focus to include all threats. I had to think long and hard about this question because to tell you the truth, now that I have become CISO, our Insider Risk and Cyber Defense teams have been working much more closely together because I’ve discovered so many similarities between the two teams.
We provide ongoing security awareness training and communications so our employees understand how to help protect the company from both internal and external threats. Clearly defined policies and standards ensure that employees understand what behaviors are acceptable and not acceptable, as well as why: to reduce risk of both internal and external threats. Technical controls like identity and access management and endpoint security protect us from both internal and external threats. Finally, processes and technologies enable us to detect and respond to anomalous activity both from inside and outside the network.
One difference is the people angle. Our Human Resources team is an integral partner in our Insider Risk Program, because their awareness of things like upcoming organizational changes, extreme behavioral issues, and when employees are leaving to join a competitor provides important early warnings to the Insider Risk Team. Another difference is the sophistication of the threat: insider threats do not tend to be very technically sophisticated since they don’t need to be – they are already inside the network, know where the critical information is, and have access to it. External threats, on the other hand, can be much more sophisticated, particularly Advanced Persistent Threats and targeted malware coming from sophisticated nation-state adversaries.