Neill Sciarrone, Founder and President for Presenting Sponsor Trinity Cyber sharing her perspective at the CyberWire's 6th Annual Women in Cyber Security Reception, Thursday, October 24, 2019, at the International Spy Museum in Washington, DC.
Dave Bittner: [00:00:09;29] Next step, from Trinity Cyber, please join me in welcoming Marie "Neill" Sciarrone.
Neill Sciarrone: [00:00:19;18] So, Marty, if it makes you feel better, I go by Neill which is just as shocking to people that I'm a woman named Neill. I feel it's kind of appropriate to follow Armani.
Neill Sciarrone: [00:00:31;00] I have to say, I never in a million years expected that I would be following a CIA Agent to speak to all of you. Let's just say that's set the bar as the first speaker really high. So that makes it a little difficult for all the rest of us that have to go after that because I don't know how to shoot and ram other cars, sadly, but I would like to learn that.
Neill Sciarrone: [00:00:57;09] I had a really unconventional path into cyber security. I'm not an engineer and I didn't study computer science. So some of you in this room are probably looking at going "Then what is she doing here?" Believe it or not, I actually studied government and women's studies. When I told my dad that's what I was studying, he was extremely disappointed. But what I wanted to do was study gender communication, so how men and women communicate differently. I had originally thought I was going to help use that to target female voters or to help female candidates better communicate.
Neill Sciarrone: [00:01:40;06] The reality is that this work on communication wound up being a great prep for the work I've done in cyber security. Because what I've learned is I've spent the majority of my career spending time doing that translation and translating between the technical world and the policy world or translating between the different things that are needed. So that means taking these really complex concepts that we deal with on a daily basis and making them simple and actionable things that we can do.
Neill Sciarrone: [00:02:13;06] Based on that translation piece, I thought I'd share with you three different areas of advice. The first advice I have is when you speak, be specific. We talk about cyber security and my first question is, is that a noun? Is that an adjective? What do you mean by it? One of the more fascinating things is sitting in a room with a group of leaders and saying, "What's cyber security?" Everyone knows it's important, they've been told it's important, but everyone of them has a different idea of what cyber security really is. When you think about it, we use that term to mean threats, vulnerabilities, vectors, solutions and one of the things that I think is a real challenge is that we're still having the same conversation around cyber that we had 17 years ago.
Neill Sciarrone: [00:03:15;16] I started out in a little known office called the CIAO, the Critical Infrastructure Assurance Office and we worked cyber issues back during the time of Code Red, so 17 years ago we were still having some of these conversations. I think that by being more specific and clearly articulating the problem we're trying to solve, that will help us make more advances that what we're trying to do. Let's talk about it. Are you addressing an insider threat? Are you addressing identity theft? Are you talking about a nation state actor? What specific aspect of the cyber threat are you trying to address and how do we best go about it? The other thing about being specific? It shows that you know what you're talking about. So, the ability to dive and be very specific is the key to success.
Neill Sciarrone: [00:04:09;20] The second thing I would tell you, I learned early on, speak the language of people. People are always the most important part of what we're doing. A lot of times in cyber when we talk about different topics we tend to get extremely technical, which means we have one of two issues. Either you lose the people that don't really understand what you're talking about or you miss the policy in practical implementation decisions. So you might have the best technical solution, but if from a people standpoint or a policy standpoint it can't be implemented, I'm not sure that's the best way to approach something.
Neill Sciarrone: [00:04:54;11] I'll tell you a story. I had the privilege of serving for President Bush, 43, and at the time, we were working on a really big initiative around what the government was going to do to address some intrusions we had into our network. For the first time, I was going to have to brief him and briefing the President is a little scary. The first time I was briefing him, I was going to do so in the situation room with the entire cabinet. No pressure. I was also told I was one of the younger folks who had briefed him. Again, no pressure. And my boss basically said to me, "I've put my reputation on the line for you, don't screw this up." She didn't exactly use that word but I got the point.
Neill Sciarrone: [00:05:50;03] My team and I had practiced for an entire week. What I was going to say and what questions they would ask? You're standing there, the President is in front of you, the Vice President's there, Condoleezza Rice, Secretary Gates. We had teamed out what was each person going to ask us? What was the question they were going to have? What was the concern? How do I get this approved? So I'm sitting there, completely ready and I was totally unprepared for the first question the President asked. His first question was, "Neill, before you start, tell me a little bit about yourself." So I'm thinking what about me is relevant to share with the leader of the free world? There's not much. At one point I thought of saying, "I like long walks on the beach." No, you can't say that!
Neill Sciarrone: [00:06:52;14] I stumbled through an introduction and he helped me along the way by saying "How long have you worked for me?" "Do you have a family?" "What do you enjoy doing?" And in that one moment, he taught me so much about leadership. When you think about it, no matter how significant the person is or the technical discussion we were going to have, he wanted to know me as a person first. And he wanted to put my recommendation into a context of who I was.
Neill Sciarrone: [00:07:25;12] So I would just encourage you at any point in time not to forget that it really is about the person and relationships. I will echo what other women have said before me about finding a mentor, but I'd add two caveats to that. The first one is make sure one of your mentors isn't in cyber security. There are so many things to be learned from a diversity of experience that I think is important. The second thing in addition to a mentor, have a sponsor. Know the difference, use the difference to help you.
Neill Sciarrone: [00:08:02;29] A little more on the human thing in the cyber realm that I find ironic is that operationally we really forget that most cyber attacks, on the other end there's an adversary, there's a person actually trying to attack your network. And in forgetting the fact that there is a person pushing those ones and zeros, I think we miss a little bit of what we could do as we try to target and secure our networks.
Neill Sciarrone: [00:08:32;10] I'm really proud I have a bunch of women from my company here today and that I founded a company focused on an adversary, focused on that person. I have a business partner and an entire team that keeps the person in mind and, to me, that's really important when we do something very technical.
Neill Sciarrone: [00:08:52;01] My last piece of advice to you is even though you speak the language of cyber, learn to speak the language of business and translate cyber security needs into a business decision. Regardless of what you're doing, whether you're a CIO, whether you're an analyst briefing the team, fundamentally that cyber security effort is a business effort. You need to understand how the decisions they make in cyber help the business grow and the fact that in many cases you're a cost center. So being able to explain to the leadership the benefit of the investment and cyber in terms that they understand is key. It will help you. No matter your role, whether that's government, it's that same piece, being able to articulate the importance of what you're doing to the leadership and how it helps them succeed.
Neill Sciarrone: [00:09:48;10] Finally, I would just say that having a non traditional path and finding my way through cyber security, the best thing that helped me was to be curious. Ask questions. Rosa made the point, admit when you don't know something. I've often found that by admitting you don't know, opens up a whole world of possibility in the answers and that sometimes the most powerful question you can ask in a room is, "Why?" And if you're too afraid to ask the question, "Why?" maybe you say, "Tell me more." If you're too afraid to say, "Tell me more," maybe you just want to say, "Really?"
Neill Sciarrone: [00:10:34;18] My last piece of advice, because I know I stand between you and networking which is the real point of tonight, is be open. Don't believe that there's only one path and you have to check each box on your career progress. Things in cyber constantly change and so being open to that change and being open to a diverse environment and a diverse way of finding your own career, I think is really what's going to help us as we do a constant innovation in a technology world.
Neill Sciarrone: [00:11:03;06] So I thank you and thank you for all being here. I encourage you all to keep doing what you're doing.