N2K logoDec 13, 2023

Solution spotlight: All in on cybersecurity.

Solution Spotlight: Simone Petrella sits down with Kristie Grinnell from DXC Technology to discuss their All in on Cyber program.

Simone Petrella: Just to get things started, I am so excited to be here today with the CIO of DXC, Kristie Grinnell. Kristie, thank you so much for joining me today.

Kristie Grinnell: Thank you so much for having us, Simone. It's great to be here and one of my favorite topics.

Simone Petrella: Awesome. Well, maybe just to kick us off and give everyone a little bit of background, can you tell us a little bit about yourself and your journey into the IT space?

Kristie Grinnell: Absolutely. So I am the CIO at DXC Technology, which is an IT solutions and services provider. We do technology from the bottom of the technology stack, storage, compute, network, all the way up to the top of the stack, analytics and engineering. So we have 130,000 employees across 80 countries which are really servicing most of the Fortune 500 in some way with their technology needs. And myself, I grew up in technology from a business analyst and strategy perspective. So I'm actually not technical, Simone, like I can't code. I can't, you know, design and architecture, I can't do anything like that, but I can ask a lot of questions and ensure we really focus on the business problems we're trying to solve and really growing our company.

Simone Petrella: I love, though, that you say that off the bat. Also, I'm going to call you out a little bit because I know you do have a degree in mechanical engineering, so to say you're not technical, maybe not in coding, but I'm going to call you out.

Kristie Grinnell: Yeah, so I have the problem-solving capability, and I was a mechanical engineer for three years at General Motors, and then I recognized that I was maybe more of a people person than I was an engineer who could design machines, so I went back to business school, but, you know, just always taking that, you know, methodical approach to solving problems, creative thinking, and finding the right answer for the company, regardless of the problem we're trying to solve.

Simone Petrella: Well, I think that's a great backdrop for the discussion that we wanted to have today around kind of people and how companies, especially DXC, think about sort of leveraging people, especially as we tackle what is arguably, you know, a chronic workforce gap that we have struggled with in cybersecurity, in particular, but STEM, and, you know, I think not only STEM in general, but especially for women and underrepresented talent. So I'm kind of taking it into a few directions there, but one of the things I know DXC has focused on, and I've heard you speak a lot about in talks that you've given, is how much the focus is in your firm and in your company on transformation and how people and being a people person just drives everything that you all do, and I'd love to see if you could share a little bit more about some of the initiatives that DXC has in flight that embody that philosophy.

Kristie Grinnell: Absolutely. So one of the reasons I actually joined DXC is for the values that we have as a company and what I saw across our leadership, and one of those is to care for our employees, first and foremost, and that means that we take care of each other and that were very inclusive, and that matters, because in order to bring diversity to the table, in order to have diversity of thought, people need to feel that they are being cared for and that they are included and that their voice is wanted at the table, right? So that's the first part. The other part, the other two values that really matter here are to collaborate and do the right thing, and I just firmly from my heart believe that in order to do the right thing, that is to accept people for who they are with all of their good, all of their bad, but all of that experience, all of that culture, all of that viewpoint that they can bring, that's what drives innovation. So I started by saying that, you know, I'm a problem-solver. I'm a decision-maker. I can, you know, have creative thinking, but the more we bring that around the table, the better off we are, and it is a problem when you look at the technology field, you know, the majority of the technology field around the world has less than 30% women, but we make up 50% of the workforce, Simone. That just doesn't sit right with me, right? And it's not because I'm like, "Hey, you know, we need to do this," but that means we're missing important perspective and viewpoints that will help us to solve more problems for businesses, to create more opportunity around the world in order to drive new things. So I think, you know, for me, I sit on the STEM For Her advisory board, I'm the executive sponsor of our Women Empowered employee resource groups here at DXC, which are a big part of what we do, but we also have programs like our Dandelion program, which is looking at neurodiverse abilities and how can we leverage those in the workforce, because we know there's a lot of untapped talent there who can do some really great things. So I think if we all just open our mindset, which is what we're trying to do at DXC, to care for people and the experience that they bring and allow that voice to be heard at the table, you just never know what we're going to do, and I know that at the end, we'll all do the right thing.

Simone Petrella: I love to hear about companies that are really kind of taking on that responsibility to sort of grow the talent. It's always so frustrating to me, when I am in situations or conversations where we're able to talk about the talent gap and everyone goes like, "Here are these opportunities for individuals. They just need to take the bull by the horns." And I'm like, no, like, we have to create an environment that allows them to do that and have something on the other side.

Kristie Grinnell: Yeah, and a lot of people don't know, right? Like, when you hear about IT, a lot of people think -- especially IT, but also like STEM, just the engineering, the math side of it, the technology side, a lot of people, number one, have fear of it because they don't know what they don't know. The other fear of it is that this is going to cost me a lot of money to get the education and the skills I need and be smart enough to work in this area, and that's actually not true. There's so much we can do with talent that doesn't have a college degree but has the right certifications, with early professionals who are, you know, really willing to dig in and roll up their sleeves and learn a new craft, in technology, there's a lot of potential there, so I'm super excited about what it could look like, but we need to open up our aperture more for what we're willing to do as companies and people around the world.

Simone Petrella: Are there any things specifically at DXC that you all are doing around kind of entry-level talent? You mentioned some of the initiatives around neurodiversity and some other things, but once you actually identify those pools of talent, how are you kind of giving them that exposure and that training they need to be capable of fitting in these new roles?

Kristie Grinnell: Yeah, so, and this is specific to DXC, but also other companies that I've been at as well, number one, internship programs are one of the best ways for a potential employee in the company to find out if they're a fit, and that's to find out if they're a fit from the role in the technology perspective, but also that other part, that cultural inclusion and values part that I discussed, and taking that internship to the next level where you're giving them a view, not just into the role that you hire them into, but also allowing them to sit with other roles in the company to see what options might be, because that's what -- a lot of early professionals, they have no idea what it means to be -- like, you say, "Oh, we need a technical analyst," and they're like, "I'm technical." Like, what does that mean? They don't know what that is, and so, you know, the education of what are these things, and when you say you're an engineer, an engineer means a lot of different things in a lot of different companies, so the more we can bring in those early professionals and give them that internship, that's number one. The second thing is, though, is that I believe in a build-your-own-talent philosophy where we bring in early professionals and put them on the projects where they're going to get exposure to skills and leverage the talent they have, whether it be a certification or an education that they received, but also get that hands-on real-world experience, and I'll give you an example. The service desk is an amazing place to start, and I know that some people are like, "I don't want to sit and listen to calls all day that are really hard," but at the same time, you're seeing cyber issues, you're seeing network issues, you're seeing device issues, you're seeing application issues. You get a broad spectrum of what you're trying to do and you're being told how to solve some of those, you know, entry-level problems, and sometimes you have to escalate it, but you get that view, and then that gives us the ability to also see who's picking this up really quick, who's able to help solve those problems really well and understand, and then that person on the service desk -- and this, again, it's just one example, then they go, "Wow, I really like those problems that I'm solving in cyber. I want to do more," right? And so then, great, we have unlimited learning available here at DXC with Udemy and LinkedIn Learning to help our employees. They can go take more classes, then, in cyber, learn about it, and then apply for that next job, look at that next career path and opportunity you might want. So build-your-own-talent is a real key way of doing that. That takes the employee digging in, right? They need to be a part of it and be willing to learn. It takes the managers being able to really watch and help nurture and coach and mentor that employee, and also for the company itself to invest in the learning capability and the time to do it, but also to have those types of career paths for people in the company as well.

Simone Petrella: Yeah, and I love the example you just gave on the help desk. I mean, that's one of the attack vectors that is really prolific right now, we need more security on our help desks.

Kristie Grinnell: Yeah, I mean, you're not sitting on the help desk doing nothing. You are absolutely one of the first points of attack, but you're also the front door for the business, right? So it's a pretty exciting place to be.

Simone Petrella: Yeah. Well, you know, one thing I want to ask, because you brought up this idea of, you know, it's the companies have to provide the training, the individual has to have the experiences about the fit, but as a company, when you think about it from, you know -- and it's both IT but also cybersecurity, as those roles have, you know, importance across the board and there's a variety of roles one could go into, how does DXC think about the team skills it needs to execute its security strategy? Because that's sometimes the missing link, right? Like, you need to know what is integral to the business in order to provide the guidance to the individuals that may want to actually pursue that career path into those roles.

Kristie Grinnell: Yeah, so it's a good question. We, so first and foremost, we have the philosophy, and it's been the theme of our cybersecurity awareness last month, which is "All in on Cyber," so first of all, it's not just our cyber team that has to be aware of cyber, everybody has to be aware of cyber, right? This is a team sport. Every single employee is responsible for ensuring that they are helping to secure the data and assets that we have the privilege of hosting and transacting here at DXC, and so because of that, we need people who are always keeping that at the forefront, that it is their job to protect the brand of DXC. We don't want to be the one who made that mistake, who didn't follow the policies and controls that we have, and ended us up on the front of the Wall Street Journal, right? So everybody has to have that mindset, first of all, and we do a lot of training on that, from our cybersecurity awareness training, we do annual training, we do, you know, continuous phishing testing to ensure people are there. But from a cyber-specific team, right, we want problem-solvers. We can teach you a lot of the cyber technical skills that you need. Helps to have certifications, but some of those certifications, it takes five years to get, right? So you're not going to get some of them right off the bat, but we need to bring you in as somebody who is, you know, curious, always curious about what's happening, who is a problem-solver, who likes to look at patterns, because a lot of security and cyber events happen in patterns that we can see, and is willing to collaborate, because the more we can talk with the people around our company about what's going on, the more we start to see, you know, different vectors that threat actors might be taking.

Simone Petrella: Yeah, how do you guys end up screening for that? Is it through observation of managers? Is it through interview processes? And is that manual -- is that something that's fairly time-intensive, or just the cultural priority that you guys place on looking for that kind of problem-solving perspective?

Kristie Grinnell: Yeah, I mean, it's absolutely, when we think about who we want to hire, like, especially, I'll speak for my own team, but this is really for all of DXC, we need high-performing individuals, right? You're not going to come here if you want to slack off and just sit back and really do nothing. You are coming here to do some really great things in the airline industry, in the food industry, in the pharma industry, in the technology industry. We work across all industries, and so we need high-performing people, and what that means is that when we interview, we look for things like are they collaborative? Are they willing to escalate when there's a problem? Are they willing to speak up and have a voice? Are they willing to learn and continue to be curious? Because if you don't want to do those things, right, if you just need somebody to set a path that's always going to be there and you don't want to put in the extra work to get that done, it's probably not going to happen here. Sometimes we do, you know, just a behavioral type interview, which is testing for, like, tell me a time when you solved a problem, or tell me a time when you had conflict, because that helps you with those behavioral things to understand your values and how you will behave in a time of pressure, because we know that cyber jobs, especially, are under pressure, and a lot of IT, but the other side of that is, you know, we can do case interviews, too, which sometimes we do, sometimes we don't, it depends on the role, of, you know, we're going to present you with a problem, and then we want to hear how you're going to approach solving it. It's not about getting the right answer. It's about hearing your approach to solving a problem, ensuring that you're a critical thinker, ensuring that you have a methodology to solving a problem, and really able to move us forward in getting to the right answer.

Simone Petrella: No, that's fantastic. One thing that kind of always perpetually frustrates me, and I talk to a lot of folks around this concept of, you know, as security leaders, as IT leaders, we have to be not only kind of implementers of controls and processes and new technologies, but also be architects of the workforce that enables all of those things.

Kristie Grinnell: Absolutely.

Simone Petrella: And so that really boils down to having a people strategy, regardless of kind of what those people do, and I think there's a, you know, what you're describing is culturally, you know, really phenomenal at DXC, but sometimes I find there's a lot of talk to pay lip service to this idea that we really want to kind of invest in the people, but then we're not necessarily taking -- and I say "we" in this, like, industry-wide, like, we're not taking the action to really kind of put our money and our actions where our mouths are. I'm curious, you know, maybe looking even across the broader industry, what do you think is -- are some of the roadblocks for security leaders in particular or companies to kind of adopt these types of things that you're discussing across the board? Like, what are -- what's standing in our way?

Kristie Grinnell: Yeah, it takes time, right? And when we're at work, it feels like we never have enough time, but I know from experience, though, you know, several decades I've been in this business, if you take the time upfront, it's just like, you know, measure twice, cut once. It's the same exact thing in getting the right skilled people and pulling the right team together to be high-performing, to be that cyber team that's really going to do the right thing for DXC or whatever company you're at. And so as an example, I take great pains in my organization, we have corporate goals that we then drill down to my team goals that we then drill down to individual goals. Every single person here should know exactly what they do and the value that they add to help that company achieve the goal, but it can't stop there. We need to have people managers who are willing to have continual performance discussions with people, from you're just in a meeting and you approach this, this way, you might have wanted to say it this way instead because you might have gotten further in a conversation and a resolution, so continual performance discussions, and official performance discussions as well on what you can do, what you're really doing well in areas where you can improve. And then the second part of that -- and by the way, that is a goal. Every one of my people managers on my team has to be having one-on-ones with their team in order to, number one, be ensuring that we're delivering on our promises, but number two, that you're having an actual performance discussion with your employees. But the second thing is that every single person on my team has a goal. They have to take at least one if not multiple courses to improve their skills for the year. That could be relationship skills. It could be technical skills. Who knows what skill it is, but having a conversation with your manager about if you want to do these goals and if you're trying to get here from a career perspective and this is what we're trying to achieve as a company, here's some of the new skills that you have. It takes time, right? It takes time to have that discussion. It takes time to think about what that might look like. It takes time for the employee to take the courses, and you need to give them that. So I think a big part of the problem is time to get it done, but, you know, again, I believe in measure-twice-cut-once philosophy, that if you do all of that upfront, you're going to have a better outcome at the end.

Simone Petrella: Yeah. Well, and not only does it take time, it's actually really complex. What you just described is a combination of understanding and synthesizing what team members need to contribute to accomplish your business objectives.

Kristie Grinnell: Right.

Simone Petrella: While also taking in mind what's in their career, you know, path, their progression, their own aspirations, and those things are -- those things should be aligned, but they're not always one-to-one, you know, so one might want to do something professionally that's actually growing them out of a role and the business needs them to do something else, so finding that balance is kind of personal, but it's also systematic at the same time. That's hard.

Kristie Grinnell: Yeah, and, Simone, like, let's not kid ourselves, right? People who are really technical, they don't always excel in this area, either, right? Like, that's a hard discussion to have. To be a true people manager and to have all those technical skills, that's not necessarily a one-for-one match. So we have taken great pains to really provide special training for our people managers because we are a technology company and, you know, you see somebody, "Oh, you're really good at this. We want to -- we want to grow you and, you know, have you be in charge of this area." Well, in charge of that area means not just in charge of the technology. There are some individual contributors, but you're also in charge of people, and so we give our people leadership training, how to have hard conversations, how to be a mentor, you know, there's real stuff there that is not just something that everybody comes to the table with. It is learned, it is practiced, like role-play is really big in that, so and I believe that I have to demonstrate it from the top. I have one-on-ones with every one of my direct reports. We have performance conversations. We address skills that they need to continue to improve it, and I do it myself as well. So I think it's really important.

Simone Petrella: Yeah. Well, I appreciate how much of an example you're setting as a leader in kind of demonstrating that really focusing on the people and developing them is part of what we need to do to solve this problem.

Kristie Grinnell: Absolutely.

Simone Petrella: So thanks for kind of taking that flag and running with it. Is there anything else I didn't ask about some of the things DXC in particular is doing, what -- how you've kind of tackled the workforce and experience gap we have in cybersecurity and tech that I just didn't have a chance to ask?

Kristie Grinnell: I think there is only one last thing I would add, and that is the mindset that you have the team take. So there are teams where -- I've seen security teams, I've seen IT teams where, you know, their symbol or the mascot, it's the shield or the padlock that locks everybody down, right? But I actually ask for a different mindset of my team and that's "get to yes." When we have everybody all in on cyber and we're giving them that training, the problem is that if we lock them down and they can't do their work, they can't add that value that we talked about every day. They get frustrated. But we have really smart people, so they're going to find a way, which means you end up -- they start sending things to their personal email, they start creating an app over here and putting data, and you're, "No, stop." So instead of having that mentality of "no," if instead you have the mentality of "get to yes," figure out a way to secure things and manage the cost and the employee experience so that we're going to meet all of those needs together of doing so securely, then we will get to the right answer. So that mindset is really big.

Simone Petrella: I love that. I absolutely love that. I am a recovering attorney, and I feel like attorneys and cybersecurity -- so I like double-whammied myself, like the two professions where everyone's like, "Oh, you're just like the Office of No," like, we're like constantly battling that, right? So I love --

Kristie Grinnell: Yeah, you're all risk, risk, risk.

Simone Petrella: Right, yeah, so I love the -- I love the kind of, you know, perspective paradigm shift around like, no, like, well, let's help you get to yes. It might not be exactly how you thought it would be, but we're going to work with you as a partner to get there, and I think that's as much cultural as it is something we have to instill in whole teams. >>KG: That's right. That's right. Thank you. Great. Well, Kristie, I appreciate you taking the time to join us this afternoon and really appreciate it, and loved the discussion.

Kristie Grinnell: Absolutely, Simone. Thank you so much, and always happy to have these kinds of discussions.