Alyssa Feola is a Senior Cybersecurity Advisor for the United States Air Force.  Ms. Feola brings together and collaborates with federal partners and stakeholders to execute cloud, mobility, and supply chain strategies and directly advises the Air Force CIO and CISO on several other cybersecurity matters.  The experienced federal IT leader is extremely focused on the shifting from a compliance mindset to a culture of security by driving the acquisition process to becoming more adaptable and agile. She is passionate about getting value driven cybersecurity through the adoption of automation and innovation.  Ms. Feola is a strong advocate for Science, Technology, Engineering and Mathematics (STEM) initiatives. She is especially a cheerleader for Women In Technology and minority and under- represented groups. She firmly believes having a wide set of voices spurs innovation, entrepreneurship and civic engagement.

Describe how you came to be in Infosec

I came into Infosec a nontraditional route- I studied computer science and technology.  I know that seems traditional, but actually not a ton of people take that route to infosec.  I was taught secure coding, and the guys in the class had been coding since they were teenagers, so I felt inferior trying to get a job doing code-developing. I worried I would write insecure code because I wasn’t as experienced.  I had such a fear of writing insecure code, in a medical device for example, so I never actually wanted to be a coder. I began doing other technology projects. Since Hanscom Air Force Base was a purchaser of technology, I became the person on the team who would do requirements development and validation testing to make sure the equipment was secure. 

You’ve worked a lot in the public sector, what has been your experience been of the overall culture and tone in that sector?

There is a process for everything.  The organizations are very structured - first comes a strategy, next a plan, then the instructions. They do this for the craziest things - who gets what parking spot, if you want to do volunteer work, how many square feet your cubical is (based upon your service years), how they calculate the time stamp if you die.  There’s a lot of politics and bureaucracy.  There’s something comforting to have that detailed guidance but it also feels constrictive. There’s not a lot freedom or critical thinking because everything is cumbersome, some people might not follow policy, and since we’re not trained in exercising judgement this could cause serious harm from misjudgments. 

Our business is driven by cost, schedule and performance.  Cybersecurity is a sub-element to performance.  But the people who make the decisions and drive the train are motivated and compensated on cost and schedule, meaning they want things done cheaply and fast. So cybersecurity is seen as an impediment to getting their jobs done. 

So is cybersecurity seen as an enforcer for policy and can hold things up, or do they not have policy in cybersecurity? 

They don’t have a defined and dedicated cybersecurity role in the project management team, so it’s in some roles.  But there’s not a separate member of the team who’s considered critical. They need a cybersecurity sign off to make the purchase, but there are no enforcement tools.

Your last job you did a risk management/Infosec/engineering role but within a group that was not focused on that area. What was that like? Specifically, what were some challenges, and what were some things that worked well?  

I progressed in the role and was given more responsibility, and my purview of security and risk management was widened. First it was for one system, then a family of systems, then a family of family of systems. Toward the end I was as high up in that organization as possible in that location.  I had been doing the job for 2 years, and they opened the job at a higher grade and pay rate, so I applied for it.  I didn’t get any response from the organization about my application, which was weird.  I knew I had paid my dues and was the most qualified for the job. They ended up hiring a typical, 45 year-old white man for the role. 

What happened when you applied? 

I had been working for that organization for 4 years, so when I didn’t get a call about my application, I requested feedback or coaching on my application.  I heard through the grapevine they had hired someone.  They ended up temporarily promoting a man who was less-experienced than me to do the role, then they permanently hired a white man to do the role. Part of it probably had to do with the strict way that they code the job listings and match them up to the skills and experience of applicants. HR actually advised me to leave the organization and then come back, because it’s so difficult to move around civil service organizations.

I had an opportunity to return to that organization and work with the person who filled that role. That particular role was a hard position to be in because I was not a member of the core team, but the “Infosec” person assigned to that team.  When I returned, I was surprised to see the team still being very unprofessional with the new person.  At that point I realized their lack of acceptance of me wasn’t about my gender or age, but was a function of the team not liking the Infosec person. The job was to challenge them to make sure their work was adequate, so I think they didn’t actually want someone that skilled in the position. We need to do more to educate and bring awareness to technology teams about the importance of cybersecurity.

“I realized their lack of acceptance…was a function of the team not liking the Infosec person. We need to do more to educate and bring awareness to technology teams about the importance of cybersecurity”

You’ve recently made a big change, from Boston to Washington DC, and switched both the department you work for, and your job. Why did you make those changes? 

Yes, it was both a relocation and a promotion. I applied as an external candidate, not an internal candidate. I was going to leave my other job anyway, and was looking at many different options, such as going into private industry. I decided to stay in the public sector for several reasons, including financial reasons and my personal ethos not always aligning with for-profit motives.  Also, my skill set was not translating well into the private industry job market; I wasn’t matching their job descriptions. I had some experience that was for very high job levels, but then missing the many years of experience they wanted. 

“my skill set was not translating well into the private industry job market; I wasn’t matching their job descriptions.  I had some experience that was for very high job levels, but then missing the many years of experience they wanted.”

This is a common problem that has been coming to the forefront over the past few years. One problem is HR often writes job descriptions or serves as the first line of applicant review, so qualified applicants are often missed. A number of organizations and individuals are working to try to solve this “match” issue. The ACSC is working with our members to help them with their hiring process, and also how to prepare professionals with specific skills they’ll need.

So how is the new job, location, department going?

It has been extremely helpful to restoring my ego.  I was approached by two different directors for different divisions for open positions, one more IT focused and one more security focused, and I ended up in the security role.  I am getting positive feedback from my supervisor and from the organization for the positive impact my work is having. They tell me they’re glad I’m here doing what I’m doing!

What is the difference in feeling between the old job and new job?

There’s more appreciation for me now. It felt so toxic before and I felt so underappreciated and unheard.  I’d go home at night and there was a running marquis in my head of all the things I said that day, and it really eroded my confidence, like maybe “I don’t know what I’m talking about because no one’s listening”.  I just wanted to escape and change environments.  I was constantly making little changes to try to make it tolerable, like working from another building, or working on a little side project.  

Now, I feel like people are seeking out my advice, and learn from me, and that feels good.  Now they say, “Wow, do you read up on this stuff at night?” and “That’s so cool how much you know.” I have my passion and energy back! And that makes me want to motivate other people and invigorate them as much as I am.

“I felt so underappreciated and unheard…I just wanted to escape…, people seek out my advice and learn from me and that feels good.”

What have you found to be critically important factors in your job satisfaction?

It’s critical for me to find a good match to my needs. I am reading this book “Good to Great” and one of the things that caught my eye was how high-energy people need a high-octane job in order to excel. A good job, for me, needs to have a wide range and enough variety to keep me interested.  

It’s also important for me to have the appreciation of what I bring to the table from the people who I’m helping, or my work is benefitting. Appreciation can be shown through feedback, feedback, feedback. I just want to know what’s helping and what’s not. 

What solutions and specific behaviors have you seen that indicate to you that there’s a strong, supportive culture where you can thrive?

The biggest indicator of what they care about is where they put their money and people. One quote I love is “Not all things need to be equal to be fair.”  I just want things to be fair - everything doesn’t need to be equal.  Non-performers or people who don’t take pride in their work should be managed out or treated appropriately.  It’s important to me to have a supervisor that totally aligns with my standards - I have high standards for myself and for the work I produce.  It’s hard if you have higher standards than the person managing you. 

There’s a lot of discussion about women’s initiatives, esp. in tech fields. What do you think of these programs? Helpful or not? 

I have such mixed feelings on it. A generic statement is that they’re a tool. People can benefit from them, and I have in the past. But as the participant’s career progresses, it’s important the programs don’t end up defining or pigeonholing anyone. People will want to grow beyond that narrow definition and not feel constrained or owned by it. It’s great to have that choice, but there need to be a lot of different options.

My Takeaways

Alyssa’s story of finding her way and overcoming challenges, and even barriers, is sadly all too-common in our industry.  It’s well-proven that rates of burnout in Infosec are extremely high. Alyssa’s story provides us clues and ideas about how women can overcome the challenges they face.  Alyssa has several traits which I believe are vital to her success. First, she has developed strong instincts, as many of our other contributors have, for what works for her and what doesn’t.  Second, she has confidence in herself and her abilities, which is critical when not surrounded by a strong support system.  Third is “grit”….the trait now the subject of many studies that have proven that the ability to bounce back from adversity and keep going is critical to one’s growth and happiness.  And with Alyssa, I notice something even stronger than grit- she sees challenges, keeps growing, AND retains her sense of humor, joy in the journey and optimism for the future. Alyssa embodies a special kind of grit- maybe a new term I’ll coin just for Alyssa-not just optimism, but dogged optimism.

Thank you to Alyssa for sharing her story-  I hope you all enjoyed reading it, and look for our next story coming soon! 

  • If you’re not being appreciated, and after you try a few “hacks” to improve the situation, then it’s time to move on.  Find somewhere your work will be appreciated.
  • Finding a cultural match with those around you is important. There are a lot of reasons you might choose a sector, but even within that sector, you should be able to find the right role and team for you.
  • Having an alignment on standards with your supervisor is really important.
  • Know yourself and what you need to thrive- if you’re high energy, look for variety and pace that will keep you engaged and challenged.
  • Use women’s programs, but make sure they are not constrictive to the very people they are meant to help. Design the programs to help or provide paths out as women advance in their career.