Bringing empathy to cybersecurity: Sandy Carielli


Welcome back to the Unsung Women’s Project! We’ll be highlighting amazing women in STEM, sharing the stories of all of the incredible, meaningful things women have done in their STEM careers that haven’t gotten the recognition they deserve.

Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.

Can you describe what your job is, and what you do on a daily basis?

I am in the office of the CTO at Entrust Datacard, and what that actually means is that I am essentially an eternal student. My job is to stay up to date on emerging technologies, understand how they’re going to impact the industry and impact our business, and advise the product teams on that. I’m also in charge of trying to help drive innovation within the organization, identifying opportunities for our teams, taking on new projects, trying new ideas and taking some of the emerging technologies and integrating them with our existing product lines and applications.

I also do a fair amount of going out and speaking about what we do, as well as speaking about technology in general: writing, blogging, webinars, etc. I also get involved a lot in standards and industry associations and representing Entrust Datacard at those. So I’m somewhere between a student and a professional talker.

How did you decide to get into the cybersecurity industry?

So it’s interesting my entire journey into cybersecurity and I’ve had different roles within cybersecurity in my career. So the role I have now is just the latest in sort of a stream of different roles in cybersecurity. I started as a software engineer, I went into consulting, and I did product management, so I’ve done lots of different things and the transition worked out very well for my current role. But if we go back to the beginning when I was in college, I was a math major. Even though I wasn’t sure what I wanted to do with it, that was what I decided to study.

Of course, at the time, I thought I’d be a math professor, but it was very clear early on that academia was not going to be my path– I was good at math, but I wasn’t phenomenal, at least at the college level. My favorite part of math was number theory, and around my junior year, some friends asked if I would want to do a group independent study of cryptography, which is pretty much the only practical application of number theory. And so, you know, I actually helped organize a one semester group independent study with me and maybe a half dozen of my friends and I thought that was really interesting and happened to get an internship the following summer in computer science where they were interested in crypto. Um, and learning a little bit more about that and trying to think, I got the chance to do a little bit more programming.

I also did some programming in college. So after graduation, I started to look for jobs where I could be involved in encryption or security or something like that. I still had a pretty narrow idea of what security was, because most of my dealings with it had been around encryption and cryptography and PKI. But my first job out of college was working at BBN in their information security group, and in particular working with Cybertrust doing prototypes for PKI. So my first introduction to the world of security was really through crypto and PKI– and then gradually as I took on new jobs in my career, I started to understand the industry was a lot broader than that.

What are some of the specific things that Entrust Datacard focuses on as a cybersecurity company?

Entrust Datacard is in the identity space. We’ve been in both the physical and logical identity space. For years going back to the mid-90s, Entrust was the first commercially available public key infrastructure, so we’ve been in the PKI space for years and in that sort of system identity, and now we’re branching out into Internet of Things and being able to help manufacturers and operators manage what could be thousands to hundreds of thousands of IoT devices on a network, on a system.

We also deal with more personal human identity, and a lot of our focus has been on how we can create something that is as transparent to the end user as possible, but still offers a higher level of security. For example, I’m sure most people have logged into an application and had to go through a bunch of steps for multifactor authentication, and you’re thinking, “Wow, I really don’t want to do this,” but at the same time, you know that it’s more secure. We’re trying to streamline that process to create a more frictionless user experience while still being highly secure. For example, if your mobile phone could essentially become a virtual smart card and through Bluetooth share an additional sort of authentication with you so that you didn’t have to type in a password, that would be a lot more convenient for the user while still remaining secure– so that you don’t have to feel like you’re jumping through hoops to keep your accounts secured, and you only have to enter a whole bunch of information when there’s an indication your account has been compromised.

What do you think that the average person should be doing to take steps for their own internet security?

We definitely don’t make it easy as an industry for people to know how to protect themselves. We have complex jargon, and we tend to be somewhat condescending and to look down on people who don’t have as much knowledge or experience about cybersecurity– and that’s the wrong thing to do. I think what I would say to people is to always think about what you share. Assume that everything you’re sharing is going to be out there. Use a password manager. Don’t use repeat passwords, use two-factor authentication, and figure out ways to do that as easily as possible for yourself.

Know certain authenticators and certain approaches are going to be easier or more consistent across multiple sites than others. Cover up your webcams when they’re not in use.

More generally, you almost have to teach yourself to be professionally paranoid. You have to assume that some of your data could always be taken, and that some of your data could be used maliciously. Therefore, when you’re making decisions about what you share and when you share it and how you share it, you should be making those decisions in that mindset– and that’s hard! It’s not an easy thing, and it’s not a natural thing, but I have become more careful as I’ve gotten older. I share a lot less in email. I don’t usually post pictures of my kids. I don’t share a lot of information about my family, or where I live, or things like that, particularly with my kids because I feel like they should make that decision when they’re older. So I’m careful about that, but I think it’s a learned approach over time. It’s not something that we are innately born with– we have to develop this sense of paranoia over our data and our privacy. People tend to be trusting, and that’s not necessarily a bad thing, but it’s why we have to start teaching people about some of this early and getting people thinking about what it means to be safe.

So do you think that it’s difficult for people in cybersecurity who might be a lot more aware of their internet security to empathize with the average person?

It definitely is. There’s this sense of “security shaming”– and it happens not just from inside the cybersecurity industry, but also from a parental standpoint, and from security leads inside of organizations. If someone comes to you and says, “Hey, I think something happened,” the right thing for you to do as a security professional is to support them for coming forward and thank them for being honest. If someone comes to you and says they think there might be a problem, they probably already know what they did wrong. They don’t need that extra layer of shame. What you want to do is to encourage those people to come back to you for help another time, because we all make mistakes. We all click a weird link every once in a while, or whatever else.

As far as with my family, I let my kids do a lot of stuff online. I let them watch videos and stuff like that that they want to do, but I also make sure they don’t share information and stray away from the social components of the internet. I ask them to tell me if anyone tries to get information from them or tries to engage with them, and they do because we’ve built that trust. So it’s not just in companies, it’s also trying to build the trust between parents and kids so they understand what’s appropriate and that they come to you when they see something that seems a little bit not right.

Sometimes we all get into a bad headspace where we make a bad decision about what information we share. It’s really easy to do. But if we approach it with empathy, whether we’re talking to colleagues or friends or family, that approach goes a long way. Even though I’m so familiar with this sort of thing, I still constantly second guess things that are potentially just mindless tweets, or I’ll wonder stuff like, “Should I like this? Should I retweet that? What’s that going to say about me? What does that add to the information that somebody has about me? How much am I willing to share about myself?” I definitely still struggle with how much of myself I’m willing to have available out there. It’s not an easy task or an easy thing to get used to, but I do think it’s really important.

Can you go into a little bit about how you learned growing up, and why you chose to be a math major?

I love math. Growing up, it was what I really was interested in, and it wasn’t the only thing I loved, but I really enjoyed it. I was good at it, too, and I had really great encouragement from a lot of teachers. I had a teacher in high school, Mrs. Glenn, who taught the honors pre-calc class my sophomore year and told me that I should really take the computer science classes that my school offered. I hadn’t really thought about programming before, but I went ahead and did that, too. So I knew I liked math and I had some background in programming, and when I got to college that was the thing that excited me, the obvious thing that I wanted to study, even though I didn’t have a clue what I was going to do with it afterwards.

So how did you end up making your way to your current job, then, from studying math?

I just figured out the rest as I went along and I’d say that’s not unusual. You hear some people talk about how they had some plan from the beginning of going from x to y to z– that was not me.

Instead, I tried things that interested me. I explored one thing, and then when new opportunities presented themselves, I jumped on them. It’s not that I had a direct plan of how I was going to get from being an undergraduate math major to team director of security technologies at a cybersecurity firm, where I get to write and talk about blockchain and AI and post-quantum crypto. I have a lot of fun in my job, but my job as it stands did not exist 20 years ago. A lot of my career has just been around trying new things and finding new opportunities. It goes back to that “eternal student” thing, where I want to always be picking up new things. I went back and got an MBA midway through my career, for example, and I found that a lot of those skills have been really helpful as well, particularly in terms of being able to storytell around tech. I like to try to make tech consumable and interesting for everyone, not just the people who are interested in the technical stuff.

I’m also learning to appreciate the skill of communication more and more. When I mentor people, whenever anyone asks me about a class to take, if they’re pursuing computer science or cybersecurity or anything in tech, I say for God’s sakes, take a communications class to learn how to explain things. You’ve got to learn how to communicate with a team. It’s super crucial, and it’s a skill that’s missing in tech, so I’ve tried to do my little bit in my part of the world to try to push that helpful skill.

What would you say is your “superpower”?

I’m always asking questions and trying to learn more– my superpower is definitely being a learner who’s always trying to read and research and talk to people to fill in any gaps in my understanding that I possibly can.

The other thing I think I’ve gotten really good at is storytelling, and being able to relate technical concepts to something that’s a little bit more real world or tangible, so it doesn’t feel so esoteric. I’ve had a couple of really great successes in my career where I’ve come up with these awesome analogies for things that are really technically complicated, and I can’t tell you how happy it makes me to be able to explain things in way that people actually get it, and not only do they get it, but they’re not horribly bored by it! I love to be able to move away from those deeply technical explanations.

Who were your inspirations growing up?

Generally, it was teachers and family. I had some great teachers in elementary school, junior high, and high school that all really encouraged me along the way. From a “women in STEM” standpoint, my mom is a nurse and my grandmother was a biochemist, so I had this line of female scientists in my family. Because of my background, I was raised to see this as normal and I don’t know that I necessarily fully appreciated how important that was when I was a kid. Being older, I’ve realized that not everyone had that. Not everyone had teachers saying, “Hey, you should take computer science.” That was huge. As I look back on it and I hear other people’s stories, I start to appreciate how unique that was. It was a pretty big deal, and it really did help push me forward. I can imagine that if I hadn’t had that level of encouragement from family and friends and teachers, it could have been very different.

Is there anyone who inspires you today, professionally?

A lot of people that I’ve built relationships with– people that I’ve worked with and gotten to know and have continued to be friends and mentors even after we no longer work together– a lot of those people are really inspiring to me. The person that I sometimes say I want to be when I grow up is Sam Curry, the CSO at Cybereason. He’s been a phenomenal mentor and champion and source of guidance for me over the past six or seven years I’ve known him, and he’s probably one of the biggest inspirations for me because he and I have in some ways similar roles, and similar paths. There’s a lot of things that we both try to do. I definitely watch him– I’ve watched how he tells a story and I’ve watched how he engages an audience and that’s been really critical for my own development.

What’s the biggest lesson that you’ve learned in your career?

Don’t assume that people around you are going to necessarily advocate for you without you advocating for yourself. You need to be comfortable with some self-promotion. You need to be comfortable making sure that people know about your contributions, because if you assume that people have the time to pay attention to everything that you’ve done, you’re going to find that a lot of things you’re really proud of or that you’ve worked really hard on just get swept under the rug. That’s not something that people are always comfortable with, particularly women, and it can benefit you a lot to learn how to toot your own horn a little bit.

It’s a learned skill, but people are busy! You might think what you’re doing has been super important and highly visible, but not everyone sees it, and when you have opportunities to share things with management, make sure to share the good feedback you’ve gotten with them. When you write your annual review or whatever it is, make sure that you’ve really highlighted all of the things that you think should be highlighted. Collect quotes over the year of things that people have said to you– whether it’s “Hey, nice job on this” or “this was really important,” and include that stuff in there. Making sure people understand how the rest of the organization viewed your contributions and stressing the value in them is so important, because you can’t assume that somebody else is going to notice that on your own. You can’t assume that everything you did is just going to speak for itself– you have to speak for yourself as well, and you’ll get much better results that way.

What have been some of your challenges, either in your career or personally?

Finding a type of role that fits the type of lifestyle I want to have was a bit of a challenge. I didn’t want to have a job where I was going to be on the road 80 percent of the time. I don’t want to move; I’m happy where I am. So I have posed some limitations in terms of the type of work that I will do and the types of jobs that I will have, because I care about my lifestyle. I care about my family and my mental health and everything else that goes along with that, and I want to live a balanced life. Wanting that balanced life does come with career limitations, but I’ve accepted that so that I can have the life that I want. I don’t need to be on the road all the time; I don’t need to constantly be working– there are plenty of other ways that I can add value and make myself heard and deliver at my job.

So, finding ways to work around the limitations I’ve imposed on myself and to still feel like I’m really performing is an ongoing challenge, but I think it’s one that is more possible than people think. Especially nowadays, it’s easier to define how you attack a position, but it definitely does require some thought and some proactivity.

Finding what sort of career that you want is a combination of the professional and the personal, where you have to feel excited about your job and like coming into work everyday, but you don’t want to have to push all the other things that you care about to the side to have that job. Being able to have that sort of rewarding, fulfilling experience in my career on terms that work for me is always going to be a challenge. I think it’s really important to understand that it’s never going to be perfect, and I’m going to have to compromise on both sides.

Something that I’ve learned is that the grass is always greener. Every company and every job has some type of dysfunction– and the question just ends up becoming what kind of dysfunction you can handle. From a value standpoint, you need to figure out what are your “non-negotiables.” What’s really important to you, and what kind of challenges can you handle in your workplace? Which can you really not handle? No place is going to be perfect, so you have to decide what are the imperfections that you can deal with. I see people all the time who leave jobs constantly in search of this perfect job that doesn’t exist, and they don’t even realize that all they’re really doing is trading one set of challenges for another. Understanding what problems you’re trading can be difficult, but it’s really critical to having career satisfaction.

What are some of your career “triumphs,” or accomplishments you’re particularly proud of?

Over the past couple of years I’ve really gotten into a good amount of sort of public facing stuff– blogging and speaking and getting engaged in standards and I’ve really enjoyed that and I’ve really enjoyed being able to contribute in that way. In this side of my job, I get to tell stories and bring out the more creative side of myself in that way. I get to relay things that maybe don’t make sense at first to something else, or tell them a goofy analogy where I can bring more of my personality in. Yes, I’m a techie, but in this side of my job, I have the opportunity to bring a lot more creativity in.

I had a product launch several years ago at a company where it was a very technical product, and I came up with a way of telling the story in terms of talking about puzzle pieces and how things fit together. We came up with a way of telling it in a way that explained something really technical with absolutely no jargon and it became the focus of our entire marketing campaign around it. I was really thrilled with how that came out and coming up with a way of doing that. Those are the things I have the most fun on. I got to do another launch where we gave our technical sales people Legos to help illustrate this technical idea. I just love helping people be a little more excited about these really technical products and ideas– being able to make it fun is really rewarding for me.

What does success mean to you?

On the one hand, I want to continue to grow in leadership roles and build up responsibility and leadership and stuff like that, but on the other hand, I want to do fun work. I want to be excited about what I’m doing, but I definitely want to still have energy left in the tank at the end of the day for everything else. Being successful is to have that combination of doing interesting work inside my career and also remaining engaged outside of work, and having time for family and hobbies. I don’t want to be so exhausted that spending time with my family or going out and doing things isn’t so much fun anymore. Of course, it’s never going to be exactly the perfect balance, but I try to strive for something close.

In any given week, month, or year, either my career or my life outside of my career might take priority depending on what’s going on, but that kind of balance is what I look for on a larger scale. Other than that, a job where I’m constantly learning and getting to engage in the community sounds pretty good. If I defined the type of job where I feel like I’m going to be successful, having the type of role where I get to constantly grow and have a chance to get my voice out there and tell interesting stories would definitely be it.

You’ve mentioned giving talks– what are some of the subjects that you usually speak on?

I’ve done different things– I did a talk on mentoring that I really enjoyed doing last year, and since then, I’ve done a couple of things on that. I’ve talked about PKI and post-quantum crypto, and a little bit about blockchain recently. It’s a combination of things. I like talking about emerging technologies as much as I like talking about more “soft skill” topics. Generally, though, if I’m doing a talk on an emerging technology, it’s got to be fun. There has to be a hook in it for me; I have to be able to tell the story in a fun way that’s going to engage people. Whether I’m talking about the impact of technology on our business or what I see coming with different technologies or the people side of things, I’m actually equally comfortable, and I like doing a combination of both.

What do you think are some of the biggest cybersecurity challenges that technology is going to have to evolve to adapt to?

One that I’ve been paying a lot of attention to recently is quantum computing and post-quantum cryptography, which revolves around the idea that a quantum computer can eventually be developed. We’re not there yet, but the concept assumes that a computer can eventually be developed that can break RSA and elliptic curve and that the industry is going to need to adjust to that. The challenging thing is that no one knows when this is going to happen– is it five years? Is it 20 years? Is it more? I personally have come to the conclusion that it actually doesn’t matter when it happens; we need to start planning now. It is so difficult to evolve cryptography and software, and with post-quantum computing, we’re talking about replacing plumbing.

Currently, we’re not even sure which algorithms it’s going to be yet, and we’re not actually sure when a sufficiently-sized quantum computer is going to come along. The challenge is that with all of these unknowns, we still have to make progress forward. We still need strategies in place, because we don’t know when this could happen. It’s a really difficult challenge, but it’s a really interesting one, and it’s one of the ones that excites me the most.

What’s something that keeps you up at night?

I actually have insomnia, so I’m not the best sleeper anyway. I have trouble turning my brain off. I don’t think it’s any one thing; it’s more just I think of something that happened during the day and that will keep my mind engaged. Is there something specific I worry about? No, not necessarily, but I think that I– like many other people– have to learn to turn my brain off sometimes.

If you had three more hours in a day, how would you spend them?

I’d probably just immediately allocate one of the hours to sleep, and the other to exercise, because I don’t do that enough. I’d allocate the last one to what I’ll call ‘fun,’ which could be anything from baking cookies, to playing board games with my kids, to doing an art project or something.

What’s something that someone who knows you would be surprised to know about you?

Most people probably don’t know that I collect chess sets! I don’t do it as much now– mostly because I’ve run out of space for all of them– but I do have a sizeable collection. The first chess set that I had my parents gave me, and it was Sherlock Holmes themed. I played a little bit of chess as a kid, but not competitively. It was just for fun, but I really liked looking at all the different pieces. It can really be such a creative thing. I have pocket sets, glass sets, stone sets, and a lot of other really cool themed sets. My favorite is my Alice in Wonderland set, which, when you consider the story of Alice in Wonderland, actually makes a lot of sense and is really fun and whimsical.

Unfortunately, though, chess sets take up a lot of room, so at some point I realized I couldn’t collect that many more, although there are a few themes I’d like to collect to round out the collection! I just love that this one game can have so many visual appeals, and that there’s really a form of storytelling through those pieces.

What do you currently geek out about?

Definitely space! I’ve always been really fascinated by space, from when I was a kid to now. I grew up in the era of the space shuttle and I was so interested by all of that, and then more recently, I thought it was the coolest thing when the InSight landed.