By: Jennifer McGoldrick-Stenberg, Director, Membership & Operations, RH-ISAC
As Malcolm Forbes once said, “diversity [is] the art of thinking independently together.” This powerful message is paralleled in the thoughtful responses I received during my conversation with Deb Dixson. As you may know, Deb is the former senior vice president of information security and risk at Best Buy. Her background and breadth of experience speak to the importance of diversity and inclusion, not just in gender and culture, but also in thought and experience.
I hope you enjoy this installation of The Practitioner Mindset Series – Interview with a Cybersecurity Professional as much as I enjoyed my conversation with Deb.
Q: Tell me a little bit about your journey.
A: My background was non-traditional, and my career was reverse-engineered. I was educated in Home Economics, a secret I kept for a long time because I assumed people would think I was less capable. I landed in the technology world by selling testing, grading, scheduling and attendance software and hardware. At that time, if you sold it, you had to install it, and I was simply intrigued by how everything worked. I was good at trouble shooting, spent a lot of time on the phone with engineers, and learned a great deal about the field.
After some personal health issues, I began at a job training and QA testing at a software company. This forced me to learn architecture. Equipped with my newly gained backend knowledge and my former sales experience, I was asked to do more client-facing work and developer management. I took on jobs that others didn’t want and trained myself, asking for help when needed. Quickly I learned that if I was going to be successful, I needed to surround myself with the smartest people I could. This is a mantra I carried forward with me throughout my career and is how I’ve always judged my teams. If I’m the dumbest person in the room, I’ve done a good job pulling a wide-range of expertise together, and I know we’ll come up with the best solution, collectively.
It was by accident that I ended up at Best Buy. I was brought into the company on contract as program manager to implement their gift card program. Understanding the flow of money via gift cards was fascinating to me! After that program rollout, I was put on another project, continued to broaden my exposure to people, departments, and technology, and eventually took over responsibility for POS and mainframe reporting systems, and was a permanent employee. As I continued to deepen my understanding of how the payment card industry worked, and PCI was just getting legs (or teeth), it occurred to me that there would come a time when retailers would need to pay closer attention to information security. After much research, I proposed a Chief Information Security Role for the organization. It took some time, but I became Best Buy’s first CISO and one of the first in the retail industry.
So much has changed from those days; the threat landscape has exploded. It is one of the things I love about info sec and risk, its constantly morphing and you can never rest on what you knew or did yesterday. It’s never dull, and there’s always a need for new perspectives, skills and tools!
Q: What a ride! You clearly demonstrate a thirst for learning, ability to ask questions and aim to dig deeper. Are these the traits that pulled your career along?
A: The skills that propelled me forward were an endless curiosity to know how things work and a drive to ask questions and do research. It was always important to look for gaps and then bring solutions that fit those gaps. Coming from a different background, I often had a different perspective than many in the room and I wasn’t afraid to speak up. If I could give advice to up-and-comers, I’d say don’t apologize for your background, don’t be afraid to work hard, or differently, to get yourself noticed and get ahead. If you continually demonstrate your talent and skills, you will persevere.
Q: The last time we spoke, you mentioned that only recently in your career did you begin to share details of your educational background. Tell me more about that?
A: That’s correct. Only once I was older and more established in my career did I share my non-traditional journey. More than anything, the reason I spoke up was because I saw too many younger people or those wanting to make a career change into security excluding themselves from opportunities due to their degree or experience. I thought that if people could hear my experience they may decide to take a leap they otherwise wouldn’t. Too many people self-edit without trying. In today’s world, technology is in everyone’s hand, so it is that much more critical to unlock the unique talents that people with non-traditional technology backgrounds have to help us face what’s coming.
Q: Tell me how you have you seen these non-traditional technology employees impact the dynamics of the security team?
A: The more diverse your team can be, the more welcoming it is to individuals who are underserved or underrepresented. This is important for several reasons. Having people with diverse backgrounds and perspectives makes it easier to continue the forward momentum and uncovers answers to questions that might be missed if the room was filled with people who have the same background and thought patterns. As you tackle things like vulnerability management or handling a security incident, the more perspectives you can bring in, the bigger opportunity you have to approach things differently.
Think about the challenge of reaching and educating the population that doesn’t think security is important. How do you get them to care? Why do they do what they do? You need teachers. You need people with a psychology background. It requires innovation to build an effective approach. This shift in dynamics helps teams look at problems from a different angle, which is exactly what this industry needs.
Q: That seems straightforward, and yet we still see a lack of diversity within the cybersecurity industry. How do you think organizations can address the challenge of attracting and retaining talent and improve the gap and drive more candidates to the field?A: There are a couple of things we need to do. No matter the organization or the industry, it starts with looking at how job descriptions are written. Even if they are technically correct, they may exclude or discourage people with non-traditional backgrounds, different cultures or ethnic backgrounds from applying. People write themselves off if the words within the description don’t resonate with them. There is a psychology behind these incremental changes and it’s important to think about the way your organization is positioning roles that need to be filled. Relook at the places you recruit from, is there an unconscious bias playing out that doesn’t produce a diverse pool of candidates to pick from.
Organizations are all competing for talent; there are more jobs than there are people to fill them. Everyone seems to be looking for that “unicorn!” If you back up and decompose the skills necessary to fill that role, and you take a slightly different approach – you may find that you can accomplish the task by leveraging the discreet talents of several people on the team. Giving people a chance to stretch and grow by building a “unicorn team”.
Another way we can address this challenge is to be more involved in communities and schools. Focus on younger generations and show children that highly-technical fields are interesting and fun. Find ways to get kids interested in security and risk organizations through events like bring your child to work day or mentoring programs. Too often we get paralyzed by the problem. Figure out how to take little steps that turn into something big.
Q:That’s great advice, thank you for sharing. I have one final question for you if you don’t mind. Can you tell us what’s next for you?
A: Short answer, I don’t know. I would love to be able to continue to do something valuable and important. I’m not sure what that is yet, it could be sitting on a board, working with a start-up, or helping define strategy for an organization like the RH-ISAC. My journey isn’t over, and I look forward to seeing what’s next.