Sandy Dunn: Everyone has a cybersecurity ‘superpower’
We recently met with Sandy Dunn, CISO at Blue Cross of Idaho and an adjunct professor of cybersecurity at Boise State University. Sandy brings more than 20 years of experience in the technology industry as well as an interesting and winding career path to her current role in cybersecurity.
Her career began in software and hardware sales, where she worked with clients that include NASA, JPL, Secret Service, and the IRS as well as other federal agencies. Later, at HP she began her security career as a digital sending and security analyst for HP multifunction printers within the competitive intelligence team. She has a CISSP, Security +, and is a SANS mentor.
Here, we speak with Sandy about her career and how to get newer generations engaged with cybersecurity careers.
Thank you for taking the time with us today. What would you say to someone considering entering the security field?
I appreciate the opportunity. I’m interested in discussing how we in security can pay it forward. The fact is that we all stand on the shoulders of giants in this field, and we have to do our part to help those who come after us.
That’s one thing that I view as a significant positive in the cybersecurity industry. We are supportive of each other. We recognize how difficult of a challenge this work is, and we support each other – our support network is broad as a result. Yet, we still need to do everything we can to bring new and young talent into the field.
Now, to those who may be reading this and wondering where they may fit into security, even though they are not what one would consider a “super hacker,” I want to say to them: That is the wrong question. I believe that every person has, based on their own skillset and their own experience, their very own superpower. Their challenge is to figure out what that superpower is and how to show an organization how it provides a true business value.
One of the things that sets me apart, my superpower, as I made my way up through the trenches, was that I wasn’t afraid to ask questions and admit I didn’t understand something. I would sit in a room full of brilliant people with somebody brilliant at the front of the room, and they would be explaining something, and if it didn’t make sense, I’d stand and ask “I appreciate what you are saying, but can you go through it one more time? I’d like to understand, but there’s a gap for me now.”
Asking such questions not only helped me to understand a flaw in one of my assumptions, or a flaw in what he was trying to explain, but others in the room appreciated it. They didn’t get it, either, and said they weren’t brave enough to ask.
I think it’s important that everyone realize that they have skills they can bring to the table – and it doesn’t have to involve technical skills. It can be technical skills, but it can also be communication skills or some other skill an organization needs to reduce risk.
And know that, if you keep educating yourself, and you keep working at it, all of a sudden you will find yourself to be the person who knows quite a bit more than anybody else and your career begins to take off. I ended up on the cybersecurity team at HP. I was with HP for 16 years, eight years as a contractor, eight years as an employee, and then transitioned to Blue Cross of Idaho three years ago.
Could you tell us about your background in technology and how your career moved into security?
I’m grateful to have been part of this amazing industry that has grown and changed so much over the past 26 years. In 1995, I started out in sales, specifically inside phone sales. My job was to help people to configure the PCs that they were buying and help them to determine the right amount of RAM and hard drive capacity. During this time, I also helped clients with pre-sales advice for their networks, servers, desktops, and other accessories. It was a great learning experience. During this time, I learned quite a bit about technology and networking. I earned my Microsoft Certified Solutions Expert (MCSE) Certification – and I got accustomed to everyone asking me “How does this work? How do I do this? Why does this talk to that? Why does it even matter?”
It was during this time that I first learned about the Internet. People started telling me that they heard of our company on the Internet. “What’s the Internet? What’s happening here?” I wondered. Shortly after that, I can remember downloading Back Orifice on the corporate network to play around with my friends. When you look back at it now, you were a part of history.
In 2001, I was hired by HP to conduct competitive intelligence for its multifunction printer sales. I absolutely loved this work. Your role as a person within competitive intelligence is to serve the engineers. They needed to know what competitors had the potential to become real challengers, competitively, within five years. The job entailed a considerable amount of data and trend analysis.
Because of my technical background, I realized that multifunction printers were making it possible to send a lot of data. I wondered, “Shouldn’t we care about what they’re sending and to who?” I dug into the security. I started listening to podcasts and reading and talking to everyone I could about the topic.
To answer your question, my career grew organically. It was driven by passion and curiosity as well as my being able to look to the horizon and see how important security was, yet people weren’t paying attention.
What would you advise those who are interesting, or new to, in security today about finding their superpower?
It’s an interesting question. I have a related funny story. I went to meet with my daughter at her high school. They had just implemented a new verification system – and they asked to scan your driver’s license as you walked in. I just had a rough couple days, and I was seeing data flying out everywhere. I didn’t react positively. I said “What? You guys want me to scan my license? You think that I believe with any level of certainty that you can protect my data? This is ridiculous!”
They had the policeman there. The school patrol officer. He asked me to calm down and explained that, if something happened, I’d get free credit checks. I asked him if he really thought that was helpful. I was just having a meltdown. Interestingly, what came out of that was I was invited to come speak to all of their students for a day about cybersecurity.
When I arrived, I was really excited. I talked about the book Cyber Spies. I talked about the history of security. The movie War Games. I talked about how the world almost experienced a nuclear war because of software and human mistakes. To me, it’s all amazing. But all of these kids were looking at me sleepily. I realized they don’t care.
It was an epiphany to me. All of this technology that was so fascinating and life-changing was just part of their daily routine – and not as compelling to them. I think I found, in that whole day, one person interested in computers and another person interested in cybersecurity. Why? Why is this? I think it’s like having grown-up with cars. To many of us, they just aren’t that interesting. However, if you lived riding horses your entire life and suddenly you were introduced to a car, you’d be fascinated. I think we have some work to do making computer technology fascinating to the younger generation.
I actually just accepted a position as an adjunct professor here at PSU and I’m excited about that. What people, especially young people, want to hear about is hacking. Everyone wants to be a hacker – and the reason everyone wants to be a hacker is because that’s what’s in the movies, that’s what’s on the front pages, that’s what seems compelling.
Yet, the reality is that the better jobs, and important jobs, are blue teams. It’s security architects. It’s all of the builders and defenders, the IT auditors making sure we do the right thing, which is part of the reason I accepted the position.