Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.

Kasha Gauthier (KG): Can you tell me a bit about your career and work?

Sandy Carielli (SC): I studied math and a little bit of computer science in college. Through math, I became interested in cryptography, and that started me on the journey into security. After college, I began my career as a software engineer, then went to get my MBA and went into product management. In my current position as Director of Security Technologies at Entrust Datacard, I focus on research, thought leadership, follow trends and drive product and security decisions — different things that have revealed themselves as opportunities at different times.

What do you mean by an “opportunity”? A job presents itself or you just have a feeling it will be the right fit?

Early on an “opportunity” was a job presenting itself. I moved to BBN because I had friends who worked there, and they had a network security and PKI group. When I joined @stake, I began to realize how broad cybersecurity is – more than just crypto and PKI. I then went to business school because I wanted to understand the business side of companies, which ultimately led me to product management jobs. Later, I realized that I enjoy speaking and blogging, so I began looking specifically for opportunities to do that. 

Understanding the breadth of opportunities makes a difference. But as I’ve gotten further along in my career, I’m less willing to settle for whatever job happens to come along. I don’t panic if I can’t find a job right away. I give myself the time to find the exact right job. I have a better sense of roles I like, what I’m good at, and the types of projects that excite me. Then I can better align myself to what a company is looking for, and make sure it’s the right fit. 

I have also learned to be much more careful and critical of culture and environment. I pay much more attention now during interviews to red flags or keywords that tell me whether I’m going to be a good fit. It took me a while to figure out how important this is. I’ve just figured it out in the last few years. 

Since we worked together at RSA, you’ve become much more visible in the cybersecurity community. Can you speak a bit about what led you to this?

At RSA, I started doing some blogging related to product launches, but it wasn’t a regular part of my job. My mentors like Sam Curry (now Chief Product Officer at Cybereason) did a lot of that thought leadership and writing. I watched him and said how can I do that? How can I be like Sam Curry when I grow up? I wasn’t thinking about doing it intentionally as part of a job, it just sort of happened by accident. 

When I left RSA, being visible became a necessity. When I was let go, I realized I needed to use my extensive network to help me find my next role. I began reaching out and was introduced to new events and forums, which eventually led to invitations to speak. Also, I started submitting proposals to conferences I wanted to attend. I realized that I wanted my next job to include these things as a part of the job responsibilities. 

It didn’t start as a branding activity, it started as a job search. I found social media and now can’t imagine #Infosec Twitter not being part of my life and work. Now I proactively seek these kinds of opportunities. It’s been a fast evolution to this — probably about 12-18 months. The work I did during my time off actually established my credibility to do that type of work during my job.

I had a similar experience: I found the activities I did outside of work gave me the very skills I needed to find the next role that I could really enjoy. Do you consider visibility and personal branding as vital to a career in Infosec or only do it if you enjoy it?

There are lots of different ways to build yourself and develop yourself. But it doesn’t have to be speaking or blogging if that’s not what you’re into. Do CTFs, contribute to projects, volunteer at events … find what is right for you. That said, I always advise my mentees and others to go to events, build their network, and be seen. These things help establish credibility, especially in this industry where it can be very difficult to break in. There are lots of local events, which do not cost a lot to attend.

How do you think about personal brand and advocacy work in the context of being a woman in cybersecurity?

My work and efforts don’t feel different because I’m a woman. I encounter folks that are excited I’m there. They see that I’m a little different and are happy to have me come into a classroom or speak. My existence gives them different options of someone to put in front of a group. It may get a little more attention, and that’s not a bad thing. I don’t get the opportunity just because I’m a woman. I still need to be competent and have something interesting to say.

There’s a lot of debate recently about women’s panels. What’s your feeling about them?

I can see both sides. I can understand wanting to sit on a panel and talk about your areas of expertise and not just being a woman in security. I don’t mind being on women’s panels for a couple of reasons: 1) there are always going to be new people entering the industry who may not have seen the last women’s panel, and by participating in it, I show them something new and possible. 2) I don’t think participating in those panels takes away from my credibility. Very often afterwards, the conversation continues with people about my work. Talking about my experience as a woman in security has not taken away from my credibility as a security professional.

Do you think that men are more easily regarded as experts/speakers, or is it a pipeline problem that there are not enough women security experts?

I don’t think men are more regarded as the experts. If you look at attendance at events, still only 10-15% are women. So if you’re going to events to find viable speakers, you still have a smaller pool. I have struggled myself to find the right women who have niche experiences in each thing. It does require more effort to find them sometimes. A few months ago, I tried to help my local CSA Chapter to find speakers on DevSecOps. I didn’t know local women in it, and I needed really experienced people and I had difficulty finding the right people. I know they’re out there but struggled to find them. So in that respect we do need to be visible and build our brands so people can find us. I personally am eager and happy to be out there talking about these issues, but I completely empathize with the women who say, why is it on me to fix this? These are such difficult conversations, and there are multiple sides. I get it. I can’t begrudge anyone who’s exhausted by it, just because I don’t happen to be.

I am sometimes exhausted, but some male colleagues haven’t understood what I mean by that. I’ve used the metaphor of a suitcase to illustrate the dynamic. Men go to work and face the difficulty of the work, political/cultural environment, and all the other normal business challenges. I experience all those same things, but carry an invisible suitcase that comes from being an outlier in my environment.

Interesting. I think of it like this: I have the knowledge or fear that my success or failure will reflect on women as a whole, whereas a man’s success or failure reflects solely on him as an individual. This is not just true in cyber, but other areas as well. Several years ago, I was asked to lead a non-profit when I was pregnant, and I worried that if I said no, the leadership would never ask another pregnant woman again, they would think that pregnant women shouldn’t be considered seriously for this or other roles.

I feel like in some circumstances, my words and actions go through a filter because I am a woman, whereas often the men in the room just get to be themselves without having that. What are some indicators to you that men/companies are serious about ensuring gender parity?

That’s a hard one. In a job interview, they can talk about their women’s initiatives and there’s little way to tell if it’s bull---- and how successful those programs really are. I judge receptiveness towards women depending on how they treat me. A mentor that I mentioned, Sam Curry, respected my perspective, encouraged and listened to me. It’s harder to tell at the company level. I can often tell by how they treat me and how they treat my peers. Do they promote women? What’s the brand as an employer? If people I know inside the company say, yeah, this is a problem, that’s a good indication there’s a problem and I should stay away. 

I’ve had men ask me what to do about it at their companies. One time, a friend told me that a colleague he didn’t know well had made a comment about a woman at an event. My friend froze and didn’t know how to respond. I told him to try something like, “yeah, and she’s really good at her job. She’s really sharp.” You can obviously call it out directly, but is that the most effective in being heard? That’s a hard thing to answer.

What do you think about the “women’s initiatives” that are popular these days? Are they helpful or not?

I love attending women’s conferences and events. I get such a jolt of energy from them, but I don’t think it translates into advancement at work. What I think impacts advancement at work is to identify high potential women and then develop them and make sure they can get spots. Some leaders talk about how it’s important to get women in the organization, but they also need to promote the women they have! If the program is window dressing, women will figure that out. You can’t have a women’s initiative and say a few things and show up once a quarter, and think that counts as real commitment. A company needs to show real results like advancement and promotion. Sponsorship is also important. Leaders need to make sure that women get promoted and not just rely on the corporate program to handle it.

What would you like to see happen, or what solutions have you seen, that will help us move towards greater diversity (gender diversity specifically)?

Alex’s (Stamos, Facebook CISO) keynote at Black Hat was interesting. He called out the community for making everything too technical, and not user friendly, and he challenged us to embrace communication, pragmatism and diversity. It’s the first time I’ve seen someone with that kind of platform challenge us as an industry to grow up. We have to get over that hack thing that started us as an industry. We are a group of industries now! We won’t be able to truly get at some of this gender and diversity stuff until we really internalize what Alex talked about and get over ourselves and evolve from our roots.

I talk a lot about soft skills and the need for them. If we realize these soft skills — negotiation, communication, problem solving — have value, then we could attract more women. But I don’t want to diminish the technical skills. We need people with diverse skills. If we were more open about that, we would get more interest in our industry. I want to encourage less technical people to go into the industry, but don’t want it to be at the detriment to the women that are more technical.

Thanks, Sandy, for your time today.

Thank you for having me.

Kasha's Takeaways

I learned a lot from Sandy about what it looks like to take charge of your own brand and career decisions. The biggest surprise for me from our conversation was her level of clarity across the topic of women in security. Her clarity seems to stem from an integration she’s found between looking at things analytically balanced with her intuition and emotional intelligence. Here are a few key takeaways I learned from Sandy’s stories: 

  • Broaden your scope of view to find new opportunities. Go towards work that you enjoy or have a necessity to do to build your skills. 
  • Participate in the industry in whatever way you are able to. Build your network, attend local events, seek out skill building trainings, etc. 
  • Look for the silver lining. You have an opportunity to bring your unique perspective or view as a launching pad to do good work and gain credibility. 
  • Find mentors you admire that will support and help you develop into what you want to be. 
  • Leaders and companies should examine their teams and ensure high performing women are being recognized, developed and ultimately promoted and advanced. Women, look for these measurable results for indications of the level of commitment to gender parity. 
  • Attend women’s events or have women’s initiatives, but don’t expect them to be a panacea. Ask to see the results of such programs.