The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Simone Petrella.

Simone Petrella is the founder and CEO of CyberVista, where she leads the development and delivery of cybersecurity training and education curricula as well as workforce initiatives for executives, cyber practitioners, and continuing education. Previously, Simone was a Senior Associate at Booz Allen Hamilton, where she helped build the firm’s cybersecurity practice in the commercial sector, focusing on the creation of cyber fusion centers and the integration of cyber threat intelligence, security operations, and cyber defense operations into effective cybersecurity operations. For a decade she led the firm’s all-source cyber threat intelligence business in the national security and defense sectors, where she built out a threat capability and team with in-depth subject matter expertise in all aspects of cyber threat intelligence, including intelligence support to both defensive and offensive operations.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Growing up, there is sometimes an expectation to know what career path you would like to take in the future. I wanted to set the record straight by saying that I am not one of those people who grew up knowing that I would end up working within the technology field. I loved playing sports and was a competitive figure skater for over ten years. While that may seem unrelated, I strongly believe that the work ethic and ability to operate under pressure I developed from a lifetime of competing prepared me for the often unwelcoming world of cybersecurity.

My mother was a big influence in my life, as well. She was the scientist in the family and instilled in me a natural curiosity in the world around me. She was also a pioneer in her field, as the first woman to go to her graduate school in geology. She reminds me every day that I can do anything I set my mind to, that it doesn’t matter if it was something that was traditionally a “boy thing” or a “girl thing.” If I put my mind to something and worked hard I could achieve anything.

My origin story in cybersecurity is kind of happenstance. I majored in international relations during undergrad at Georgetown. After graduating in 2004, I entered the workforce as a post-9/11 graduate with my entire worldview shaped by being in DC and seeing the Pentagon burning. I’m originally from New Jersey and had family that worked in the Twin Towers, so watching them fall very much shaped my decision to work for the Department of Defense. I started my career with the DoD predominantly doing counterterrorism work. I wanted to continue working in the intelligence community, and after grad school I ended up consulting for a client on computer network operations with Booz Allen Hamilton.

I had no idea what computer network operations were at the time, but we did a lot of things to assess adversaries’ information warfare doctrine, like what Russia is doing now to interfere with the US. If I said that to anyone in 2005, they wouldn’t have known what I was talking about, and now it’s routine front page news. So that’s how I got into the intelligence community, totally by coincidence, and I ended up loving it and staying in the field. I ended up getting into cybersecurity within the Intelligence Community as a contractor in mid-2006 and spent the next nine and a half years of my career doing intel support to network operations and cyber threat intelligence for the DoD.

I ultimately transitioned into the commercial consulting side of our practice, where I worked with banks and retail companies that were trying to integrate cybersecurity operations into their businesses. Corporations like Target got hacked and Bank of America suffered an attack, so everyone was waking up to the idea that they needed to have cybersecurity operations within private sector companies but didn’t know where to look. As the private sector started to seriously adopt the notion of cybersecurity, all the talent came primarily from DoD and military backgrounds.

Across my 10-year span at Booz Allen, building up and running these teams, the persistent issue was that when you’re in consulting, you are ultimately responsible for hiring and placing talent. Anyone in the contracting field works to place brains and bodies. I had a team of over 120 people on staff doing threat intelligence work across the DoD, and then a smaller team when I worked on the commercial sector side, and my whole job was to hire, place, train up, and get people on contracts so that they were performing the work needed by our clients. This has been a 15-year issue for me. I couldn’t find the talent, or the talent wasn’t the right type of talent we were looking for. I was essentially training new hires myself and inevitably, 18 months later, that person would walk into my office and say, “Thank you so much for this exposure and experience — it was really tremendous. I am going to take a job at Google or Amazon or anywhere else, and they’re paying me 35% more,” and I knew we couldn’t compete. So I just had to start the whole cycle again.

When I left Booz Allen, it was to found CyberVista. Our goal was to solve that big skills shortage in the field. We are working to solve a problem I’ve had throughout my whole career, and not just because it’s about supporting or creating new talent at an individual level. My perspective was, and has been, that the employers, the organizations, are the ones that need to step up and take accountability and responsibility for growing the talent they need to fill these roles. For 15 years, we’ve been saying that we need a bigger pipeline, we need more people, and you’re never going to close the gap that way. It just keeps getting bigger. Our whole approach as a company, and what we have evolved into, has been driven by this idea that it’s got to be based on the employers taking charge of what talent they need, the roles, and the skills needed to fill those roles. Ultimately they’re the ones that know their needs best, and we tailor our products and services to address their particular needs and gaps.

So that’s essentially taken us to where we are today. I’ve been in the cybersecurity industry for 15 years, been doing the training and human capital side for the last five, since founding CyberVista. I do believe that anyone can be a cybersecurity professional.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Having spent my entire career being one of the few women in an industry dominated by men, especially at the start of my career, I always think back to a podcast NPR did a number of years ago entitled “When Women Stopped Coding.” The episode is short, but it explores the history of computing and its initial dominance as a field for women, as well as the possible underpinnings that led to a plummet in the number of women pursuing computer science in 1984.

The NPR episode explores the possibility that the introduction of the personal computer, more pointedly the marketing around the introduction of the personal computer, is responsible for setting off a chain reaction that led to the computing and technology field being dominated by men. It reminds me that the gender gap is often caused by unintended consequences and is rarely a result of an inherent lack of skill or ability.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career in cybersecurity started at a time when information assurance and security weren’t hot or trending fields. In fact, I started my career as a counterterrorism analyst in the Department of Defense. At the end of grad school, I had an opportunity to work in an office focused on intelligence support to Computer Network Operations, which I did as a part-time detail to help out a very small team there. The work was interesting and challenging; I was totally fascinated by the concept that something as subtle as toying with computer systems could have such massive impacts on physical, political, and geopolitical events.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Early on, as we were first establishing ourselves as a company in the enterprise space, we ended up relaunching the company, and to bring more awareness we attended a conference as one of the sponsors. So we were set up on the expo floor, and I had just hired a new head of marketing, and we wanted to pick out swag to give away at the booth that was still somehow reflective of what we were trying to do as a training company. We thought of catchy slogans like “flex your mental muscles,” and our marketing head found hand exercisers or stress balls we could hand out, as opposed to just putting it on a t-shirt or a sticker. Long story short, we bulk ordered the swag and the hand exercisers came in. When we placed the order we thought they were maybe about the size of a roll of duct tape, and they ended up being about the size of a roll of scotch tape, as a general size comparison. Many inappropriate jokes about the size of the rings were made, and the conference was in Las Vegas. So of course, we’re in Las Vegas of all places, giving these rings away, and the moral of the story is not that we did anything critically wrong. In fact, we ran out of every single one; they were incredibly popular at the conference! But it showed me that you have to be willing to take some risks or sometimes be wrong, because mistakes are inevitable. The important thing is to take what you’ve learned in stride, apply the lessons learned, and roll with it, because nothing is permanent. Don’t be afraid to take some risks.

Are you working on any exciting new projects now? How do you think that will help people?

The cyber talent shortage is real. According to data from Cyberseek, there are 464,420 cybersecurity job openings, most of which are unfilled due to a lack of talent. My background in cybersecurity and cyber threat intelligence put me right in the thick of dealing with this shortage over the last fifteen years. I founded CyberVista with the mission to provide organizations a data-driven view of their cybersecurity talent in order to inform, shape, and execute their people strategies. I believe this type of employer-driven approach will be a necessary paradigm shift that ultimately allows for increased diversity of thought and representation in the field as companies, agencies, and organizations wake up to the realization that in order to make any kind of dent in a nearly half-million-person gap they’ll have to invest in growing their own talent as opposed to waiting for someone to grow it for them.

The biggest, most exciting part of what we do is that we are using, as part of training, diagnostic assessments to quantitatively give leaders in companies a baseline of where their workforce is, whether it be their strengths, their weaknesses, or gaps in skills, which allows them to gain insight and reporting from our diagnostics so it’s not just for the individual. Learning what insights can be gleaned from that data is really integral to leadership because it’s a first step towards being able to quantifiably measure the efficacy of your people, which is very, very hard to do, and I think that’s really exciting. The analogy I would use is: if we scan your networks for vulnerabilities, why wouldn’t you do the same for your people? Our assessment-driven approach allows you to do that and get measurable results by figuring out where the gaps and growth restraints are, so you can target training and development on the areas most needed for them to be effective in their jobs.

When you start out knowing what you have, then you can actually figure out where your security skill gaps really are across the organization and prioritize how to fill those gaps, whether it’s through hiring, training, upskilling, or other initiatives. It’s more deliberate, you can be more thoughtful, and deploy a strategy around your actual people.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

The first thing that comes to mind about what excites me in the industry is how dynamic it is. The cybersecurity industry is so new compared to almost every other field out there. Everything is evolving in real time, right before our eyes, and every day is a new opportunity to tackle a new problem, or even old problems in new ways. For example, “zero trust” architecture is a new approach to security in direct response to the trust-based model that computing, and the internet, were founded on.

Cybersecurity is also expanding into other fields of work and study. It touches almost everything now, so the career opportunities to get into cybersecurity have exploded. There are IT roles that require security, analytic ones, operational ones, legal, policy, compliance; the list goes on. For example, software developers are an integral job within almost every company, but there is now a recognition that code needs to be built securely from the outset, which means that developers need a security skillset as well as a coding skillset. The same can be said for policy positions, where an understanding of how data is transmitted across networks, and thus the places where it is vulnerable, is critical background in order to draft effective policies.

The third thing that excites me about the cybersecurity industry, and this is what got me into this role in the first place, is that it’s incredibly exciting to fulfill a higher mission or purpose. So much of our livelihood and security depends on technology being more secure, and that is disproportionate to having such a wide gap in the workforce. There is a dual mission in participating in the cybersecurity industry: it contributes to the security of our infrastructure and our national security, along with everything else, and I think that is mission-driven. The fact that cybersecurity is such a mission-driven industry is so exciting and compelling. Then at the same time, we’re approaching it from the angle that there is also an opportunity for us to actually bring more people into this industry to accomplish this mission, and give them greater opportunity to grow within the field.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

It’s the most exciting and simultaneously most frightening thing about the cybersecurity industry, how dynamic it is! When everything is a constant moving target it can be difficult to really plan for the future and prepare workers to enter a field that doesn’t have an established starting point. That’s why initiatives like the US Government’s National Initiative for Cybersecurity Education are so important, because they’re attempting to set a common framework and lexicon for these new roles moving forward.

Another major concern is the lack of diversity. Cybersecurity definitely has a stereotype of being predominantly white and male — and it is. The issue is exacerbated since humans tend to gravitate to, and thus hire, people who look, think, and act like them. That’s troubling not only because it creates artificial barriers and inhospitable work environments for women and minorities who are interested in pursuing careers in cybersecurity, but also because it does a disservice to the mission of cybersecurity. The sheer complexity of it requires a lot of creativity and perspectives in order to even start to achieve security.

A final concern within the field is the sometimes short-sighted approach. The cybersecurity industry is notorious for having a few hot trends each year or so, and that’s all you see, everywhere. A number of years ago it was all about endpoint protection, then there was a focus on threat intelligence, and now mobile and “zero trust.” They’re all important components, but there’s an overemphasis on creating technology solutions that purport to be silver bullets when in fact the entire ecosystem of security requires improvement on all fronts. The industry does the same thing when it comes to people. We culturally tend to rely on technology or process solutions because they can be deployed faster, but end up glossing over the reality that those solutions are only as successful as the people we have implementing and maintaining them.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Just as there are trends in the research and development of cybersecurity technologies, there are also trends in the types of attacks companies and the government can expect in the future. A few common threats, including phishing scams and especially ransomware, are already here, but recent events have shown the devastation that can occur when a service or critical infrastructure is made unavailable. This was especially apparent with the attack on the Colonial Pipeline.

What worries me on the horizon is the disruption of the integrity of data, meaning attacks where threat actors manipulate or change information, which can have devastating consequences. This could be alone or in concert with something like ransomware. Imagine a situation where payments are changed between financial institutions, or healthcare information is changed in a way that could lead to devastating consequences in patient care. Doctors rely on access to certain dosages or medication lists; not being able to access them is a problem, but imagine if someone manipulated that data and changed it so that the dosages are wrong. That’s something that we haven’t seen yet. But at what point do hackers or cyber attackers go from just saying, “Oh, we’re going to deny you access to this information so you can’t operate,” to “now we’re going to start messing with it?”
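The integrity scenario described in the answer above (a dosage silently changed in a medication record) is the kind of tampering that an availability-focused defence never sees. The following is an added example, not part of the interview or of CyberVista’s products, showing the standard mitigation: a keyed MAC (HMAC-SHA256) computed over a canonical serialization of each record, verified before the record is trusted. The record, the key and the dosage values are constructed for illustration; in a real deployment the key would live in a KMS or HSM, not beside the data. The example also shows why an unkeyed hash stored next to the record does not help against an attacker who already has write access to the store.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example only; none of it comes from a real
# system. A real MAC key must be held outside the database the attacker can
# write to, otherwise they can simply re-sign their modified record.
SAMPLE_KEY = b"example-only-key-keep-real-keys-in-a-kms"
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "drug": "heparin",
    "dose_mg": 5,
    "route": "IV",
    "ordered_by": "dr_example",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no whitespace).

    The MAC must be computed over the same bytes every time; a harmless key
    reordering or whitespace change must not look like tampering, and an
    attacker must not be able to hide a change behind a formatting difference.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes) -> str:
    """Return a hex HMAC-SHA256 tag binding the record's contents to the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False means tampered."""
    expected = sign_record(record, key)
    return hmac.compare_digest(expected, tag)


def unkeyed_digest(record: dict) -> str:
    """A plain SHA-256 over the record: integrity 'protection' with no secret."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def attacker_rewrites_unkeyed(record: dict, new_dose: int) -> tuple:
    """Model an attacker with write access who changes the dose and recomputes
    the unkeyed digest. The stored digest will still match, so the change is
    invisible to a checker that relies on the hash alone."""
    tampered = dict(record, dose_mg=new_dose)
    return tampered, unkeyed_digest(tampered)


def demo() -> tuple:
    """Run the scenario and return (keyed_ok, keyed_tampered_ok, unkeyed_tampered_ok)."""
    tag = sign_record(SAMPLE_RECORD, SAMPLE_KEY)
    keyed_ok = verify_record(SAMPLE_RECORD, tag, SAMPLE_KEY)

    # Attacker alters the dosage tenfold; the stored keyed tag no longer matches.
    tampered = dict(SAMPLE_RECORD, dose_mg=50)
    keyed_tampered_ok = verify_record(tampered, tag, SAMPLE_KEY)

    # With only an unkeyed hash, the attacker recomputes it and the check passes.
    tampered2, fake_digest = attacker_rewrites_unkeyed(SAMPLE_RECORD, 50)
    unkeyed_tampered_ok = unkeyed_digest(tampered2) == fake_digest

    return keyed_ok, keyed_tampered_ok, unkeyed_tampered_ok


if __name__ == "__main__":
    ok, tampered_ok, unkeyed_ok = demo()
    print(f"keyed MAC, untampered record verifies: {ok}")
    print(f"keyed MAC, dose changed 5 -> 50 verifies: {tampered_ok}")
    print(f"unkeyed hash, dose changed and hash recomputed verifies: {unkeyed_ok}")
```

Two caveats a practitioner would add: a MAC proves the record has not been altered since it was signed, but it does not stop an attacker from replaying an older, validly signed record (include a monotonic version or timestamp in the signed fields and check it), and it only helps if the verifier actually runs before the data is acted on, which is an application design decision rather than a cryptographic one.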

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

One of the first breaches I worked on in the commercial sector was a major breach at a high-profile company. The response team had pretty much every incident response firm and major consultancy you can think of working on the situation. But what I remember the most was that, in helping the company optimize their security operations moving forward, we found that different divisions within their current cybersecurity apparatus were doing great work but didn’t even have access to the others’ workspaces. As a result, the teams didn’t even know each other existed! The takeaway was, and is, that cybersecurity is a multi-faceted team sport, and you need to know all the functions that need to work together, as well as making a real effort to ensure those teams are capable of working together.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As the CEO of my own company that focuses on people and training, I almost never do operational cybersecurity work anymore. But we certainly incorporate common open source tools into all our training courses, for instance using Nmap to scan ports or Wireshark to analyze packets of data moving across a network. We focus more on implementing widely available, open source tools that are translatable across any enterprise.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

If we’re talking laypersons, I’m assuming we mean what they’d notice on their own workstations. If that’s the case, they’d probably initially notice significant degradation of their device’s performance: if the processing power is taken up by things running in the background, you’ll notice everything runs a lot slower. Secondly, unexplained online activity — think spoofed emails being sent to friends or family, or even to your own account. Finally, you might start seeing pop-up ads, or your device might suddenly restart.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Once a company becomes aware of the issue, they should take immediate steps to identify the scope and scale of the breach and inventory the impacted systems and/or devices. This can include forensics, data capture, and more.

Next, companies can leverage a hopefully preexisting incident response plan and follow that playbook to start the process of doing the internal investigations and remediation. At this point, it is most beneficial to also send any notifications to law enforcement, the public, and important stakeholders that need to be aware of the situation.

Breaches need to be communicated in an honest and transparent way to the public. Think about how they will be notified, what you need to make them aware of based on the information compromised, and what you are going to offer in order to mitigate the issue.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

A lot of companies still don’t have strong foundations set. They don’t have password policies in place, or they don’t have awareness programs to minimize phishing of employees. Another common issue we see in cybersecurity is a lack of network segmentation to really control access to data on a need-to-know basis on the front end. Another common mistake I see is basic misconfigurations of routers, firewalls, and other security devices that have been improperly implemented. As much as technology is available to help businesses, it’s essential to hire and train IT professionals, who very often have some of the most privileged access, on how to apply security principles and controls in their work functions.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

Nope. There are increasing improvements in women being represented in STEM, but there’s still a long way to go in cybersecurity in particular. I think the biggest change that needs to be made — outside of continuing to expose, market, and encourage young girls to get involved in STEM early in their education — is for employers to fundamentally rethink their STEM hiring strategies and commit to investing in and growing STEM talent within their ranks that can fill critical roles that have had a chronic underrepresentation of women.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

It’s a myth that all the roles in cybersecurity are hyper-technical and that it’s an industry for introverts. It’s also a myth that you have to be a cybersecurity degree holder or a computer engineer to work in the field. There are a lot of introverts in this field, but really successful people know how to work across an organization. There’s this assumption that everyone working in cybersecurity is a gamer in a dark hoodie in a basement. And while there certainly are those people in the field, cybersecurity is incredibly team-oriented, and it requires working across (and communicating with) a lot of diverse functions and skill areas. The majority of roles in cyber are dynamic and analytic and require strong communication skills, which I would consider executive skills. There’s a lot of room for growth here because that’s what’s so needed in this space.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

The first would be to not underestimate yourself. I think that, as a woman in tech, it’s easy to get intimidated because you don’t see a lot of other people at work who look like you or are sitting at the same table. One of the biggest lessons is to be confident in yourself, and the way to do that is also to sometimes recognize that no one else knows what they’re doing any more than you do. Everyone has imposter syndrome; what you do to overcome it and work through it is the real testament to those who become leaders.

The second thing that I have definitely learned is that yes, mentors are important, but it’s important to really identify, throughout your entire career, the people who are champions and advocates for you: those people who you have worked for and who you have worked with, men or women. I definitely think that I owe a lot of my leadership development and success, frankly, to a lot of the men that I have worked with and for over the years who were those champions and who stuck their necks out for me.

The other big lesson is to be decisive. You don’t need to be right all the time. You’re not going to be right all the time, but you need to be willing to make a decision. It may be wrong, and if you’re wrong, then you take a step back, course correct, and make a different decision, but you will not get anywhere by sitting and waiting, which ultimately leads to inaction. That can be daunting, especially in situations where you have to absorb and synthesize inputs from different people who may not all agree, but moving forward is always a better direction than staying in one place.

Another leadership lesson I’ve learned is that you have to be empathetic. We live in a world where there can be a lot of emphasis on just the bottom line, or on what you’re trying to accomplish in the business. Ultimately, being a leader, including building a team or anything else, is recognizing that we are all in the business of people. I train and care about people, but even as a CEO, and having been an executive in my past life, we are nothing if we don’t hire and have good people around us, and if we’re not good people to others. Whether it’s work-life balance or anything else, we bring our whole selves to our work. It’s not like there’s Simone the executive, then Simone the cybersecurity person, and then Simone the wife and mother. I am all of those things all the time, at the same time. Of course, my priorities and focus are different at any given time, and that’s true of everyone. The scariest, most intimidating person I’ve ever worked with is still a person. And so it’s important to take the time to get to know people, as people, on a personal level. It’s an incredibly powerful leadership tool to take that time and understand what makes someone tick, because that’s what’s going to optimize their performance. It’s going to wake them up, and they’ll be motivated by the fact that you actually are invested in them. It’s got to come from that genuine place of authentically caring to really maximize the potential of the people that you work with and for.

The last lesson I’ve learned is that people’s potential is optimized when they are empowered and supported in achieving their own career goals. I tell my team all the time that my goal for them is to work their way out of the job. At first blush it sounds like an excuse to not do more work, but what you essentially have to do is create an environment where other people are empowered, and you have to be willing to empower others to take control. It’s important to give others a chance to do things their own way, take stock of how they do, and support them. The truth is that the chances that someone does something exactly the way you would do it are very small. That can be really difficult as a leader, because you need to let go of the control in order for that other person to have a chance to succeed. They may not do it the same way you do, and that can be really hard to watch, but that doesn’t mean that the way they do it is wrong. In fact, they could be doing something that’s better than you ever thought of. So in a way, being able to let go of the control to allow other people to be empowered and thrive is ultimately what is also going to propel you as a leader, and hopefully the organization that you support.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I’d probably have to say Condoleezza Rice. She is a true renaissance woman and broke so many barriers for women in the field of national security and policy. And she did so with a tremendous amount of poise and respect, regardless of what side of the political aisle you fall on.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!