This interview is the fourth part of our series "The 11%: A Look at the Women Closing the Cyber Security Gender Gap." This series takes an in-depth look at the variety of roles women play in the field of cyber security and the ways they're changing the industry.
When Christie Verscharen first joined the world of risk management, cyber security was a low priority for most companies. But after 9/11, when concerns about physical and virtual threats skyrocketed, she quickly jumped into the world of cyber, helping clients build some of their first IT risk management processes and integrate them into business operations.
Today, cyber security is, of course, top of mind for most businesses. Over the past 17 years, Christie has moved from integrating the cyber security basics at her clients to helping them build and manage full-scale cyber security programs. Christie now leads a team of more than 40 cyber security professionals at Focal Point, as they help Fortune 500 companies build best-in-class PCI compliance programs, manage IT risk across the enterprise, conduct highly technical security reviews, and develop reliable business continuity plans.
Beyond helping her clients, Christie is passionate about her team’s success. She has worked hard to build an environment that encourages collaboration and teamwork. Through this experience, she has learned a lot about finding promising young cyber security pros and helping them grow in a fast-paced consulting environment. Some of her first college hires are now senior directors at Focal Point who have grown their careers with us for over a decade.
Christie sat down with Buffy Ellis, VP of our Academy division, and opened up about her journey through the infant years of cyber security, how she recognizes and develops cyber talent, and what she believes needs to happen to get more women in cyber security. Check out her full interview below.
Buffy Ellis (BE): I saw in your bio that you originally studied biochemistry in school. What drew you to biochemistry as a major?
Christie Verscharen (CV): Coming out of high school and into college, science was always something that I was interested in, and I honestly thought I would pursue it as a long-term career. I had various science-based internships as an undergrad and then, when I graduated from college, I was a bioscientist in a biochemistry lab doing arthritis research. I really liked the order of it all. It was math, chemistry, and physics based, and very analytical. I liked being able to break things down and build them back up again to understand the complete picture of how a process works.
BE: How did you make the shift to cyber security?
CV: I was working in the research lab at the Shriners hospital on the USF campus, so it was very convenient to take more classes at the university. I started taking classes as part of USF’s MBA program, and my plan was to move into the pharmaceutical industry, on the business side of science. As I started the program, I found that I really enjoyed my finance classes.
So, I worked full time and went to school in the evenings for about three and a half years. As I reached the end of the program, I realized that if I took about another year of master’s level classes, I could add a master’s in information systems as well. IT was growing, and most folks in the industry that I talked to recommended adding a technology layer to my business degree. At that point, I stopped working in the lab and became a finance teaching assistant at USF while I finished the remaining IT classes for a dual master’s degree.
BE: Interesting. So you didn’t have a specific career in IT or cyber in mind at that time?
CV: Exactly. I went in thinking I would stay in science, but I wanted to expand beyond research. I figured that a business degree would allow me to do that. And then when I was getting close to graduating, I went to a campus career fair, and I happened to meet a KPMG recruiter who was looking for folks with my background.
So that’s how I first got into IT audit and advisory, then, down the road, cyber security. It was a series of small steps that led me to cyber security, which wasn’t really even a “thing” yet or at least, not a common business discussion.
BE: There weren’t even very many schools that had computer science programs. At my university, computer classes were primarily learning how to type or use word processing applications.
CV: Absolutely. In my undergrad program, I took a coding class as an elective, and I honestly didn’t like it that much. I’m not even particularly drawn to technology – but I really enjoy the underlying business processes connected with it.
BE: If we move forward a bit, you were at KPMG for a few years before working at Focal Point (then Sunera), on their IT advisory team. When did you shift more into cyber security?
CV: When I started at KPMG, I was in their information risk management consulting practice. One of the things we did was IT audit in support of the financial audit, as well as data analytics. After 9/11, though, there was a shift from more traditional advisory areas to cyber security, as companies were reeling from that attack.
There wasn’t as much work in the projects that I had been doing originally, but there was a lot more work in the security space. It was different from cyber security today, in terms of service offerings. For example, it was more security as a layer within a large infrastructure project or developing a change management process that had security embedded within it. It wasn’t as much of a pure-play cyber focus as we see now.
I was there for a few years, moving between the IT audit/advisory/information security sub-practices, when SOX hit (The Sarbanes-Oxley Act of 2002), and I started working a lot in that area. When I helped to found Sunera (now Focal Point), I focused on SOX for a few years as a “SOX road warrior” for various clients. As SOX became business as usual and the focus on information security continued to increase within organizations, my focus did as well.
BE: What kind of things are you involved in today? Where has your career brought you?
CV: In terms of services, we do a significant amount of work with credit card security, as part of the PCI compliance requirement many of our clients have. We perform disaster recovery and business continuity work, and we’ve seen a marked increase in IT risk assessments, especially those against industry security standards. We also do a lot of deep-dive configuration reviews, things we would rarely have been asked to do a few years back – firewall configuration reviews, network segmentation reviews, cloud security reviews. I’m not that hands-on anymore; at this point, I focus on business development activities and the onboarding of new clients, quality assurance, and integration with other practices within Focal Point to deliver comprehensive solutions. I also ensure that our delivery teams have everything that they need to be successful for our clients, including the appropriate mix of resources through recruiting. It’s basically ensuring that our practice strategy aligns to organizational objectives to keep our client and team satisfaction high.
BE: To me, the shift to more technical analysis is partially attributable to the several highly publicized data breaches and their impact. Do you think there are other factors that have contributed to that change?
CV: I think folks are realizing that unless you take an in-depth look at defense at the technical controls level, you can’t truly understand your vulnerabilities. In other words, the bad guys have highly advanced technical acumen, so the good guys have to be equally knowledgeable about the technology and how it can be compromised, or it can lead to a false sense of security.
This shift has definitely changed the skillset needed to do our job, which has been interesting in terms of recruiting. Previously, we would hire folks with business process, analytical and/or audit backgrounds, but now we’re also hiring people with backgrounds in network administration, systems administration, and development, who are able to cross the bridge from understanding those types of technologies to how to assess them and recommend improvements, which can be a tricky transition. Or we identify folks who are just naturally drawn to it, coming out of school. We’ve had very good luck hiring folks right out of college who just have a natural aptitude and interest.
BE: That’s interesting. When you’re looking at those young candidates, how do you assess that aptitude?
CV: We have a couple of different ways. One, because it’s a good predictor in some cases, we check their grades in analytical classes. It doesn’t have to necessarily be a technology class, but if someone is doing well in things like statistics, math, accounting, and technical IT classes, they’re showing aptitude for technology, time management, many of the skills you need to be able to do to become a consultant.
We also provide practical tests. For example, if someone in an interview mentions that they have knowledge of firewalls, we have a firewall test they can take to give us a sense of their general understanding.
We have writing tests that we give, as well. In the consulting world, it doesn’t matter how good you are at understanding or assessing an environment or identifying recommendations – if you can’t communicate it in a deliverable, it’s not useful to our clients. We make sure they understand technology but can also communicate effectively in writing as well as verbally.
We also look for other things. As an example, when he applied for a job with us right out of school, one of our (now) managers shared various YouTube videos he made to explain different technologies. It was clear from these tutorials that he understood what he was talking about, but also that he took the initiative to perform self-study to increase his understanding. This is a critical indicator of success, because, while we can provide training, our staff also have to get their hands dirty to truly understand the practical application of some of these technologies.
We’re looking for people that are flexible, adaptable, and hardworking and who have the aptitude and interest in doing what we’re doing - people who are capable of managing their own destiny.
BE: Now that you’re in a leadership position, what do you enjoy most about your role?
CV: The people. We see folks come onto the team and evolve very quickly. I don’t even know if you can call it evolution, because it is so fast. Someone joins the team with little to no work experience and some positive characteristics, and over the course of 4 or 5 years, they’re in a management role. In between their start date and that management role, they grow extremely quickly, and it’s really rewarding to see that.
I always tell people that being a consultant is like learning in dog years. If you’re in an operations role in industry, you’re working with the same people, technology, and management team day after day. While that can be interesting and challenging, we are working with a different client, different technologies, and different personalities every few weeks.
We also have a lot of really loyal clients that we’ve grown alongside as a practice and a team. It’s really nice to see the transformations that these organizations have made. Some clients that we started with years ago didn’t even have the most basic, core processes from a security and IT-control perspective, and now they’re excelling compared to their peers in their industry.
BE: Are there any unique challenges to your role or to being a woman in cyber security in general?
CV: It is challenging to attract other women to cyber security. I’m not sure if that’s just because there aren’t a lot of women in this field to begin with or if there are other factors, but it is a constant struggle. We are always actively looking to hire qualified women and there just aren’t as many interested as we would like to see. There are many fewer women than men applying. If you attend just about any security conference, there just aren’t that many women in the room in general.
I also think that women are less likely to take chances if they don’t feel confident that they will succeed, which I think applies to both women in cyber as well as in the workforce in general. Not seeing many other women in this field makes it a challenge to take risks when you’re a woman starting off in cyber security.
BE: I’m curious as to what you think the root cause of that lack of women in cyber is.
CV: One line of thought is that it’s because there isn’t interest cultivated at a younger age. It seems that if you aren’t interested in technology or security by junior high or high school, then the chances of you going into those fields down the road are quite low. I think the problem is that there are limited opportunities at those younger ages to grab young girls’ attention, get them interested, and keep them interested.
At this point, my generation and older generations are already “hard-coded” to some extent. We can educate them on the importance of women in cyber, which may change their outward actions, but it isn’t necessarily going to change how they truly feel. I think the real opportunity we have is in early childhood education. Some would recommend starting in junior high, but I think programs in elementary school are important too. Girls need to know that these opportunities are available to them, and boys need to grow up expecting that girls will be working with them in those types of technical fields.
BE: I often think that they’re just not aware of what types of activities and personalities are found within cyber security. I personally always pictured a hacker sitting alone coding all day. And what I’ve discovered through this series is that most of the women in cyber security usually started in some other profession. But there are these underlying things – problem solving, understanding systems, creating processes, mentoring, etc. – that don’t seem to relate directly to cyber but they are all important in cyber. Part of the goal for this series is to bridge that gap and to explain all the different paths to get here.
CV: Yes, absolutely. There is definitely an awareness component to it.
BE: If you could give advice to a young person considering a career in technology or cyber security specifically, what would you share with them?
CV: I think my advice probably applies to anyone in any field. It’s to go for the internships that will give you the right exposure to different areas. Keep an open mind when trying a variety of things, whether it’s in risk management or something more technical, to get a good sense of the different areas of cyber security.
There are also more and more groups that offer opportunities for involvement. Using Tampa as an example, Tampa Bay Technology Forum has a Women in Cyber Security Forum each year and a group for women in cyber security that has mentorship opportunities for young women in this field. I think it’s important to reach out and get to know people in the industry in your area and to experiment in different roles.
BE: Being involved, you really get to see firsthand what the work is like.
CV: I agree. School is a base, but the quality of cyber security programs can vary greatly between universities because the schools are also trying to develop their (at times) flagship programs. I wouldn’t rely solely on a cyber security program to show me what cyber security is really about.
BE: Do you have a specific recommendation on how to gauge the level of sophistication of a specific program?
CV: It would be good to network with professionals who hire from those programs. Ask them where they hire from and which folks are coming best equipped out of school. There are lesser known schools that are really excellent, but we wouldn’t have known about them without networking. I think students should do the same thing.
BE: In our field there is a requirement to stay current and it’s one of the things we look for in job candidates. How do you keep current now that you’re beyond the realm of academics?
CV: I find great value through involvement with our clients. It allows us to see the trends, processes, and technologies in action. When news comes out of a breach, we also get to see firsthand how organizations are reacting and responding to it.
I also attend various conferences each year to network with people in industry and see what new vendors and tools are emerging. It’s the networking component and experiencing what’s happening in the market that’s critical.
BE: What do you feel that the future holds for you in terms of your career?
CV: I think based on where I am, I will continue to focus on broader risk management in the context of security. In other words, we frequently hear about the tools and technologies utilized in the cyber security space, but there is also a wealth of opportunity on the governance, risk, and compliance side as well, ensuring that a framework for the ongoing management of a security posture is in place. In addition, I am really excited to continue to build our team of consultants and help with their continued professional growth in this field.