Candy Alexander is a cybersecurity executive and independent consultant serving as a Virtual CISO. She is an ISSA Hall of Fame recipient and thought leader in the profession, with 25-plus years' experience performing many aspects of information security. She is the Chief Architect for the Cybersecurity Career Lifecycle™, which is used to deliver services to ISSA members worldwide.

We caught up with Candy and asked her to share from her knowledge and experiences. 

SW: What made you get involved in InfoSec?

CA: In the late 1980s I was working in a Learning Center at Digital Equipment. I was asked if I wanted to learn how to use and teach others a new security tool. From there, I learned the VAX/VMS operating system along with the networking components in order to “lock systems down” and was asked to join the IT team to become their “security coordinator.” Looking back, I felt like it was an exciting game of cat and mouse. We protected the systems from the “bad” guys, and around and around it went. It was when malware and hacking were just starting, and it was an incredibly exciting time—and it still is!

SW: What is the most challenging aspect of your job?

CA: The biggest challenge is in trying to get people to understand what exactly cybersecurity or information security is. That goes for business folks as well as security folks. We as security folks are getting better at understanding our jobs, but it wasn’t too long ago that you’d ask a security pro what their job is, and they’d say protecting the environment through the use of technology, when actually our jobs go beyond that. It is protecting the environment through technology and business processes.

It’s the business processes part that is the challenge. Making the argument for security is tough, because the benefits of “doing it right” aren’t easily understood, whereas the deficits of “not doing it right” are a lot easier to understand. I think it comes down to the skills and natural abilities that make us good technologists, that don’t necessarily contribute to us having good people/sales skills. It is something that most of us have to learn, and usually the hard way.

SW: What do you think would get more people to fill the employment gaps in security?

CA: It comes down to preconceived notions that in order to fill security positions, you need good technical staff, and they come at a price (which is true). But, let us not forget that there are a lot of transferable skills that can be used in cyber/information security. I truly believe that if more organizations were willing to “grow” the security staff that they need—by getting staff with a good foundation of knowledge and work ethic and training them with the security skills—it would go a long way to solving this problem. But in order for that to happen, they (the business) would have to understand the job and role of security within the organization, which is one of the biggest challenges that most security people face today.

SW: What words of wisdom would you share with someone just getting into this industry?

CA: My words of wisdom for anyone just starting out in this profession are to stay persistent and tenacious. Keep trying and think outside the box to solve your dilemmas. I hear from “pre-professionals” asking for advice because they are looking to get into the field, but they don’t have any experience. Many entry-level positions require 1-5 years’ experience, which is crazy! I say to them: volunteer. Get involved with your community organizations to see how you can help them. Join a professional group, like the ISSA or Cloud Security Alliance, and network. When I think about all the opportunities I’ve been given, many of them have been through networking with others. Just keep trying. Get your name out there and don’t be shy.

We as a profession have a lot of work to do in educating the business world to open up and look at providing opportunities to new folks coming in. Like you can’t list an entry level position requiring 1-5 years’ experience. Take a risk on hiring someone and invest in that person. That is how you create a good security person, and we most certainly are a loyal group of professionals. Businesses will get their ROI with that approach. It’s the old tried and true approach.

SW: What do you like to do outside of security for fun?

CA: Ride my motorcycle through the back roads of New England, without a care in the world.

SW: What's the coolest place you've been?

CA: Actually, I am just returning from the coolest place I’ve been. My heaven on earth, if you will. The Race of Gentlemen, which is drag racing period hot rods (pre-1937) and motorcycles (pre-1945) on the beach in Wildwood, New Jersey. It really doesn’t get much better than that to me. Sun, sea air, and watching people race.