Rona Michele Spiegel’s journey to cybersecurity might seem unconventional to some: She studied the arts. But as someone who grew up when computers first appeared and everyone wanted to experiment with them, she did a lot of multimedia work. She was always interested in technology and discussed with art colleagues where the world was going regarding electronic “stuff.”
“I was doing musical work. I was doing all sorts of what we would call multidisciplinary art. And I played around a lot with the evolution of systems and digital technology and how people would interact with them. And I built that into some of my art pieces. I always loved painting and the traditional arts. But very quickly, I got involved in how it interacts with systems and tools and how technology is going to impact humankind,” Spiegel tells CSO.
She was in a band and then started doing electronic music. She was also interested in the film industry and found her way into it with sound design. It was a time of many opportunities, Spiegel says.
“It’s really about digital transformation and that is the thread for me, and it’s always been. Digital transformation and human computer interface concepts — how do people interact with systems and how do they influence one another?” she says.
And it was the digital transformation mindset that landed Spiegel at Deloitte Consulting where she helped create the first user experience practice. There she gained a lot of experience in product management and learned how to communicate with others about dependencies and risks.
At Cisco she started working in technology governance, but she had the opportunity to experience another change: from hardware to software, when enterprises started consuming products on a subscription model based in the cloud.
It was only after 10 years at Cisco that her mentor asked about her intentions of getting a master’s degree. The timing was right, as her son, whom she had raised for most of the time as a single mum, was going to college. So, Spiegel set about getting her master’s degree in cybersecurity.
Her next role was with Wells Fargo where she had “a whole other vision and really got to get deep into cloud controls. And I realized, ‘Yeah, I want to work in this space,’” she says. That role was impacted by a restructuring, after which Spiegel decided to work independently helping startups and small businesses with compliance.
Spiegel is now senior manager, security and trust, mergers and acquisitions at Autodesk and she spoke to CSO about all things cybersecurity.
What are the main cybersecurity concerns when it comes to mergers and acquisitions?
Spiegel: First of all, is understanding the difference between a mature company and a small company. In a small company you need to consider whether it is feasible for them to prioritize cybersecurity. If they don’t have a product and they don’t have customers, then there’s nothing to protect. And if they have very limited resources then it’s hard for them to justify. The whole thing about risk management is quantifying what the potential risk is, what you could lose.
So, it’s hard to justify putting a tremendous amount of funding into purchasing a tool or hiring an experienced CISO to come in and do this kind of work when you know you barely have budget to have a product and you don’t really have much revenue yet.
When I’m doing merger work now I consider how absorbing that business is going to impact your risk. It’s going to impact your security posture, so you have to figure out how to understand its posture and then put together a strategy that allows the acquiring company to benefit from the acquisition without putting itself at risk by inheriting the vulnerabilities as well.
What are some of the key challenges you’re facing today when it comes to AI?
Spiegel: With AI the big questions are how to use AI, how to secure AI, and how to fend off AI all at once. And then look at that across different product lines and against different components. You also have to consider third parties and the ecosystem, and all of that magnifies with the acquisition and integration of other companies, large and small, and scale does matter, actually.
You’re just adding so much complexity so fast. We’re adding complexity into the supply chain and the ecosystem so quickly. This transformation reminds me similarly of when we all moved to the cloud. Everyone is doing it at once but for what reason? And will it make us safer or more vulnerable?
What are your views on hiring and the skills gap?
Spiegel: There’s this fallacy that we don’t have enough people. There are a lot of people. I’m grateful that I have a job in this space, but the expectations are very high that we’re going to have all this experience in all of these different areas. We have a lot of practitioners out there and some of them are out of work.
There are fewer entry-level positions offered and this is going to be a problem because the tools are good but you really need somebody who understands what they’re reading, and that means a wide range of experience, problem-solving, critical-thinking capabilities, to be able to aggregate all of this massive amount of data following prescriptive processes. Entry level positions help build this capacity and that is what we are missing.
There’s a fear, I think, in hiring people that don’t have all the experience everywhere. I’m working with this nonprofit group called Project Cyber and we are helping women get into the workforce and the technical spaces. One of the main considerations is, ‘What are the skills?’ And it’s like speaking Greek or Latin; it’s a different set of skills, and cybersecurity is a challenge because it’s so huge.
And it’s no different for CISOs: The expectation for cybersecurity leadership is to be able to rotate in different areas. It’s a very different mindset because it includes talking to the boards. You need to be able to present a business case for funding, you have to be a storyteller, you need to be able to understand data, and you need to be able to read the data and discern the data. And there is intelligence, and penetration testing, ethical hacking, there’s risk management. A lot is expected from cybersecurity professionals of all levels.
How do you keep your team inspired?
Spiegel: I think it’s important to give people a voice, to make sure they are enjoying what they’re doing, making sure they’re learning, they feel respected, they feel connected. Not forcing people to be in the office but treating people like adults; they can make those choices themselves, because everybody’s different.
Being aware of the signs of burnout, making sure people take time off. Really listening and respecting, I think is the most important thing. I don’t believe in old school top-down management because I don’t feel like I’m smarter than other people. I do think that with experience I can see things coming and I can see patterns that I feel like that’s a little bit of a superpower for me, that someone half my age isn’t really going to be able to see yet because they haven’t lived through those cycles. Collaborating across a multigenerational workforce is going to motivate everyone and produce better outcomes.
Where do you see the cybersecurity leader role going in the next few years?
Spiegel: Many people across the CISO community have been talking about the notion of the cybersecurity profession versus that of a trade. When we look at that, the whole cybersecurity profession and CISO leadership development, it’s an interesting conversation. I find it to be a combination of both, or I should say some really believe it’s a profession, and it’s problematic for it to be considered solely as a trade, although there are some aspects of the skillset that support that argument.
But I do think that the trend of thinking right now is that the trade is the hands-on entry level, starting out in the field, and the sort of technical hands-on aspect of it. And the profession is really about that elevation and standardization, and helping one another grow and evolve, and the greater good, and in the interconnectedness with other technology and risk management types of professions. I think the jury’s still out collectively about whether, you know, we’re a profession or a trade. But the more I talk with my peers, the more we’re all landing on it is a combination of both.
Then there is the exposure concern. The trend is for CISOs or cybersecurity leaders to not be anywhere for very long. I think that’s a mistake. I think it is rising outside of being embedded in the secondary leadership team. And I think it’s becoming a top-level leadership.
There’s a merging that’s happening between governance, risk, compliance, and all the software-driven vulnerabilities and data-driven vulnerabilities and technology-driven vulnerabilities. I think when we see cybersecurity in the engineering space, we start to see that notion of trust and that transparency of trust, which then starts to merge with physical security, sometimes even privacy, resiliency. So, I’m seeing chief trust officers now.
What are you most and least proud of in your career?
Spiegel: What I was most proud of in my career really was the ability to build this career while I was a single mother, commuting back and forth between school and work, and I don’t even know how I was able to do this. I don’t recommend it for everyone but going back to school at the same time and getting my graduate degree.
I will say that the UC Berkeley School of Information’s Master of Information and Cybersecurity (MICS) program is tremendous. And the network, that’s probably really in part how I was even able to do all of this, by having the right mentors and having the right people around me and support. And just the program is amazing.
Also, it enabled me to get these certifications, and to just go all in and prepare myself for this pivot and really pivoting to cybersecurity ultimately has been really that end result. That, and bringing up this wonderful boy.
I was really blown away when I got my CISSP certification. That was really hard for me, studying that hard and sitting and taking a test like that and then feeling like I could put that at the end of my name. That felt really, really good.
Right now I’m also really enjoying mentoring people, these college students who are studying behavioral psychology and cyber, and data science, and are really recognizing how amazing that is.
I feel like it takes a lot of emotional maturity to handle the personal relationship aspects of working in any profession. For me, working in technology and working in cybersecurity, and just developing leadership qualities, I feel it requires a self-awareness, and I feel like it took me a long time. … What I’m least proud of is perhaps some of the emotional responses I had.
We talk about burnout. But back in the early days we didn’t talk about burnout. I think it’s important to talk about that, and to make sure that you don’t do more harm than good when you’re moving and pushing yourself as hard as you can. And sometimes that means really figuring out ways to depersonalize in terms of how you respond to difficult situations, but also to remember that the people aspect and the relationships are more important than anything else in the long term and really helps everybody succeed.
I feel that earlier in my career I lagged in that emotional intelligence, and it took me a long time to build that. And any bridges burned along the way, I think, is something that you really pay for later. And I feel like I’ve grown in leaps and bounds in that area, and that really contributes to my ability to lead.
Do you have any book recommendations for fellow cyber leaders you’d like to share?
Spiegel: The Seventh Sense by Joshua Cooper Ramo is about just being prepared for the future, which I think is very, very important. And it’s historic, and it’s sort of anthropological, and I read it a couple of times, and I’ve quoted from it as well. I love that book.
The conversations around AI, the one that really hit me that I’ve been recommending to people also is The Coming Wave by Mustafa Suleyman. About the kind of convergence of all the huge leaps and bounds that we’re making in technology.