Say thank you. We are all just people — each with our own daily struggles — and I’ve found that genuine gratitude and recognition of effort and a job well done is a cornerstone of employee satisfaction. Feeling valued and heard also creates a powerful commitment to the mission, like the old story of President Kennedy asking the NASA janitor what his role was in the organization. His answer was simple — I’m helping put a man on the moon.
As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Lisa Easterly.
Lisa Easterly has been the driving force behind the San Diego Cyber Center of Excellence (CCOE), a local nonprofit dedicated to advancing San Diego’s cyber economy and turning the city into a global hub of cyber innovation. Today, she serves as CCOE’s first female president and CEO — an anomaly in this male-dominated industry.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I am the President & CEO of Cyber Center of Excellence (CCOE), a San Diego-based nonprofit dedicated to solving cybersecurity workforce, economic development and infrastructure challenges through collaboration with industry, academia and government. Prior to taking the helm, I served as founding Chief Operating Officer managing operations, programs, marketing, membership and fundraising to stand-up and grow the organization.
Before joining CCOE, I cut my teeth in economic development as Vice President for the San Diego Regional Economic Development Corp., a nonprofit driving the growth of the local innovation, military and tourism economies. I learned valuable lessons about cultivating tech clusters as a Founding Board Member and Education & Outreach Chair for Cleantech San Diego, a nonprofit stimulating innovation and adoption of clean technologies and sustainable industry practices. Last but not least, I survived 10 years in business development at global corporate law and wealth management firms, honing my communications and marketing skills. While working full-time, I earned an MBA and Bachelor of Science in Business Administration, Finance and Economics from the University of Florida — Go Gators!
I was born and raised in Miami, Florida and spent my formative years helping grow and sell tropical fruit on my family’s farm, traveling to gymnastics meets and getting in trouble with my younger brother. I learned the value of hard work from my parents. My single mom is a serial entrepreneur — from farming and construction to catering and finance — and my dad dedicated his 40-year career to special education. They are the wind beneath my wings.
When I was 12, my world was turned upside-down by Hurricane Andrew, a category 5 storm that ravaged South Florida. Sheltering with my family in a bathroom, while the wind, rain and debris whipped through our house was just the beginning. The aftermath of loss, devastation and disconnection from resources and the outside world was life changing. But, the experience helped me learn my own strength and resiliency and that nothing is more valuable than people. Looking back now, I think being part of a community that worked together to rebuild is what attracted me to a career in economic development.
I met my husband when I was 16 and we’ve been together ever since. We both worked multiple jobs to support each other through college and our early days in San Diego. Now our adventure continues as the proud parents of two amazing boys, ages 3 and 8. Being a mom is the best, most rewarding and hardest job I will ever have!
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
I’m a big Marvel fan and have always been inspired by the heroes that do not have superpowers, but instead harness their humanity to help save the day — hello Phil Coulson! Now, as I work in an industry led by real-life super heroes — from active duty military and veterans to brilliant cyber technologists — I’m reminded every day that we all have unique strengths to bring to this fight. And, just like the Avengers, diversity and collaboration are the keys to getting ahead of the bad actors.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I actually came into the world of cybersecurity by serendipity. I just had my first son and quickly realized I was not going to be able to leave him to go back to the office grind. My colleagues at San Diego Regional EDC had recently released a study on the fledgling cybersecurity industry in San Diego and the leaders were primed to collaborate on the challenges and opportunities identified by the research. I was asked to consult on standing-up a nonprofit industry accelerator to support and the rest is now CCOE history!
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
Early on in my time at CCOE, I was asked to ghost write an article for the Chairman of the Board, a decorated Retired Navy Rear Admiral. I used the term “battalion” to describe sailors in the first draft, soon to learn it refers to troops on the ground, not the sea. It became an inside joke but reminded me of the need to always do your homework.
Are you working on any exciting new projects now? How do you think that will help people?
Yes! With the global shortage of cybersecurity professionals cresting over 3.5 million and 500,000 unfilled job in the U.S., it’s prime time to seed and diversify the talent pipeline for this high-paying industry. With women and minorities only accounting for about a quarter of the cyber workforce, CCOE and San Diego’s cyber industry are collaborating to open the talent aperture. New programs include development of a cybersecurity autism training and internship program with the National Foundation for Autism Research; apprenticeship programs with the U.S. Navy’s Naval Warfare Systems Command (NAVWAR), cyber employers and community colleges to engage underrepresented students; cybersecurity awareness and career workshops with the Girl Scouts; and the launch of CyberHireSD with the San Diego Workforce Partnership to help underemployed workers join the field.
CCOE is also partnering with the City of Carlsbad to provide basic cybersecurity training to Carlsbad small businesses that may be vulnerable to cyber threats at a time when they are also economically impacted by the pandemic. The initial one-year pilot program is targeting up to 250 small businesses and includes an FBI Executive Briefing, Mastercard RiskRecon Cybersecurity Snapshot Reports, ESET Cybersecurity Awareness Employee Training and connectivity to San Diego’s cyber industry at no cost to participants.
Lastly, CCOE is a member of California’s CADENCE team, supporting the U.S. Department of Defense’s Defense Manufacturing Communities Support Program. Together we are developing a state-wide Consortium and Cyber Innovation Center to propel DoD’s modernization priorities in cybersecurity, 5G, and AI technologies, as well as workforce development, research and analysis, and mechanisms for knowledge sharing and scaling.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
While the pandemic is still generating daily headlines of economic strife and workforce reductions, the cybersecurity industry continues to grow in leaps and bounds, protecting our data, technology, critical infrastructure and national security.
And my home town of San Diego is leading the charge with 874 cyber firms and NAVWAR who’s presence in the region not only drives talent attraction, but spurs new company creation and R&D by spending billions annually on developing and securing critical Navy systems. The cluster now accounts for more than 24,000 jobs — including 12,400 cyber-specific roles — and has a total economic impact of $3.5 billion annually. Put simply, the impact of the cyber industry on the regional economy is equal to hosting 9 Super Bowls or 23 Comic-Cons! So what’s our special sauce? It’s the collaboration between industry, academia and government that seeds the talent pipeline for these high-paying jobs. And, helps innovate new technology and solutions to combat the ever-evolving cyber threat.
And, the best part is…cybersecurity is advancing next generation technologies like AI AND it’s creating jobs. According to CCOE and San Diego Regional EDC’s “Securing the Future: AI and San Diego’s Cyber Cluster Study, local cybersecurity firms are developing AI at a rate three times the regional average to identify, escalate and resolve cyber threats. As a result, productivity in the cybersecurity cluster has grown 7.5 percent since 2018, nearly triple the average for all San Diego industries. AI has helped to sidestep chronic labor shortages by increasing employee productivity with automation of repetitive tasks. More than 40 percent of survey respondents agreed that AI has boosted the demand for workers, and three in five say that they will need to hire additional cybersecurity workers in the next 12 months.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- Cybersecurity is now everyone’s business. Since the pandemic began, the FBI reports a 300% increase in cybercrimes, with IBM estimating the average cost of a breach climbing over $3.8 million. While the threat landscape and defenses are ever-evolving, one constant of war remains…you can’t go it alone. It’s time to collaborate to address cybersecurity at a societal level — not incident by incident, company by company or agency by agency. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is off to a good start with the new One Stop Ransomware site but there is so much more work to be done.
- There is a global shortage of cybersecurity professionals cresting over 3.5 million and 500,000 unfilled jobs in the U.S. The National Initiative for Cyber Education (NICE) is leading the charge to increase access via new career pathways, work-based learning, and establishment of job-tied knowledge, skills and abilities but the real shift comes with the on-the-ground collaboration between industry and academia.
- And, women and minorities only account for a quarter of the industry. Homogeneity creates easier access for bad actors. It’s time to not only seed but diversity the talent pipeline beginning with K-12 curriculum.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
According to the FBI, the top 5 cybersecurity threats facing all businesses are social engineering, ransomware, DDoS attacks, third party software and cloud computing vulnerabilities. Companies need to prepare for when, not if and ensure they have updated back-ups, exercised incident response plans and business continuity strategies at the ready.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I am not a cybersecurity technologist, but use antivirus software, multi-factor authentication and regularly monitor CCOE’s cyber score through RiskRecon, a Mastercard Company.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
According to IBM, the average time to identify a breach in 2020 was 207 days and the average cost of such a breach has climbed over $3.8 million. Training employees to look for these tell-tale signs below can expedite the time to containment and recovery.
- Unusual admin and login activity
- File changes and database manipulation
- Locked accounts and changed user credentials
- Missing funds or assets, such as intellectual property or sensitive data
- Reduced internet speed
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Every company needs to have an incident response plan — a living document that offers a course of action for all significant breaches to help IT staff stop, contain, eradicate and recover. The plan should include:
- Enterprise wide risk assessment to identify and address vulnerabilities
- Key team members and stakeholders including roles and responsibilities
- Security incident types and who is in charge of activating
- Business continuity plan
- Summary of tools, technologies and physical resources
- List of critical network and data recovery processes
- Communications, both internal and external (including law enforcement, legal, insurance and public relations counsel)
- Incident event log to keep track of all steps taken during and after a cybersecurity incident so that you could gauge the efficacy of your response and glean lessons. This account will also support your legal team and law enforcement both during and after threat detection.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
Unfortunately with the ever-evolving global threat landscape, cybersecurity is not a set and forget exercise. Since 95% of cybersecurity breaches are caused by human error (Cybint), regular employee cybersecurity training and hygiene checks are critical to help reduce easy access to company networks.
Businesses should set-up auto updates, backups and scans, and schedule quarterly employee training/testing and at least annual incident response exercises. Businesses can also sign up for external monitoring of their cybersecurity score (similar to a credit score) with alerts for any signs of hygiene issues or suspicious activity.
For individuals, invest in antivirus software, keep your devices and software updated and back-up your data/create machine images off network regularly. Practice good cyber hygiene — use strong passwords and multi-factor authentication, beware of phishing and scams, keep privacy settings on, and only use secure Wi-Fi. Monitor your financial statements and credit reports regularly to catch any suspicious activity.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
We have made great strides advancing women in STEM, but as demonstrated by the cyber workforce, we have long way to go. Partnering industry with education to align academic supply with industry demand and showcasing the plethora of different jobs and career pathways is critical.
Evolving the way we work is also key. As evidenced by the pandemic and shift to remote working and schooling, flexible employee schedules can be effective for businesses and allow for more women to manage the circus of parenthood and a successful career. I am grateful to my last two employers for allowing me the flexibility to prioritize my family, while expanding the businesses and growing in leadership roles.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
Myth: I must have an advanced degree and 10 years-experience to work in the cybersecurity field.
Cybersecurity career pathways have evolved and now include certifications, military to commercial tracks and bootcamps. And, employers are putting a much higher value on soft skills like multitasking, high-paced performance, life-time learning, critical thinking, etc. (hello all you moms out there!). To help, CCOE partnered with the State of California, Journeys Map and cyber industry leaders to develop the Cyber Career Map, featuring customized career pathways based on the NICE framework. Similar to Google Maps, users can create FREE personalized journeys catering to their skills and interests including education, certifications and work-based learning resources.
Myth: Cybersecurity is just for techies.
Cybersecurity weaves throughout all aspects of business and is not just for techies. Professionals with more diverse backgrounds help create a culture of cyber awareness — from integrated business strategy to employee training to supply chain management to internal and external communications. Also, homogeneity is the bad actor’s best friend. Employers value teams of individuals with different backgrounds, experiences and expertise to tackle the ever-evolving threat landscape.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned from My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Surround yourself with the smartest, get-it-done people, and let them do their thing! When standing up both CCOE and Cleantech San Diego, we convened leaders from industry, academia and government to help define the mission and empowered teaming to address the challenges and opportunities facing these fledgling industries. This allowed the ecosystems to drive programs and initiatives under a larger, communal vision, yielding successful tech clusters that are now incubating the next generation of technologies.
- Get in the trenches and do your homework. I have spent the majority of my career in technical fields without a STEM degree. By really listening and learning from those in the trenches, I not only developed a better understanding of the technology and operations, but was able to translate the challenges and opportunities discovered into actionable business strategies.
- Build a professional network and keep in touch. I’m not talking about having a lot of followers. I’m talking about old-school networks of current and former colleagues, business partners and classmates that serve as a sounding board, provide expertise, inspiration, constructive criticism and connectivity and cheer you on to your next milestones. And you never know when your paths will cross again. After 10 years, I have been reunited with one of my all-time favorite colleagues who is now CCOE’s newest team member!
- Extend a hand up (many, many times). No matter what stage of your career you are in, you can help open the door and inspire the next generation of leaders. I know we’re not supposed to have favorite children, but the work we are doing at CCOE to open the talent aperture and create a more inclusive and diverse cyber workforce really gets me out of bed in the morning! Engaging underrepresented populations and non-traditional candidates not only provides untapped resources for the industry, but can be life-changing for whole communities.
- Say thank you. We are all just people — each with our own daily struggles — and I’ve found that genuine gratitude and recognition of effort and a job well done is a cornerstone of employee satisfaction. Feeling valued and heard also creates a powerful commitment to the mission, like the old story of President Kennedy asking the NASA janitor what his role was in the organization. His answer was simple — I’m helping put a man on the moon.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them ☺
I would be honored to meet Jen Easterly, the new Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Although I have fielded many inquires as to whether we are related (Easterlys represent!), sadly we are not, but I would love to share ideas and see how San Diego can serve as a template to mobilize other regions. Together we can connect the dots on best practices to grow our nation’s cyber warriors, defenses and innovations.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!