CyberWire Daily - Encore: Dawn Cappelli: Becoming the cyber fairy godmother. [OT] [Career Notes]
Episode Date: March 17, 2024
Dawn Cappelli, OT CERT Director at Dragos, sits down to share what she has learned after her 25+ year career in the industry. She recalls wanting to have been a rockstar when she grew up; now she refers to herself as the fairy godmother of security. She shares some of the amazing things she got to work on throughout her career, including working with the Secret Service when the Olympics came to Salt Lake City, Utah in 2002. She shares how she was able to rise through the ranks to get to where she is now. Dawn talks about how she wasn't ready to retire quite yet because she loved the industry so much, saying "I retired, but I knew I still loved security. I have this passion for protection and so Dragos came along and they offered me this role of Director of OT CERT. I feel like I'm the security fairy godmother." She shares words of wisdom for all trying to get into the industry, saying that you need to always take the risk like she did when she first started her career. We thank Dawn for sharing her story with us.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hi, I'm Dawn Cappelli, and I am the director of OT CERT at Dragos.
When I was a kid, I wanted to be a rock star.
As a little girl playing with her Barbie dolls, my Barbie doll was always a rock star. But then as I got older, I got a little more realistic as to my realistic career aspirations.
I always loved math, loved math. And so in school, I was always good at math. It was my favorite subject. Went to college and finally I realized I should do something with math if I'm going to pick a career. But my guidance counselor
at the University of Pittsburgh said, if you're going to be a math major, you have to make
yourself take one computer class. And I said, I do not like those computers. They scare me.
And he said, you have got to take one class. So I took one class and I loved it.
So for the rest of my whole junior and senior year, I took two to three computer classes
each semester so that I had a joint major in math and computer science.
I went to Westinghouse and I got a job as a software engineer programming nuclear power
plants. And nuclear power was booming back then. After Westinghouse, I went to Carnegie
Mellon University and I just did various kinds of software engineering projects.
What really changed the course of my life was when we did a prototype of a portal for collaboration and emergency response in case of a bioterrorism attack.
I really enjoyed that. But then I thought, you know, no one has mentioned
security and we're talking about a portal for a bioterrorism attack. So I decided to go to CERT,
which was the very first cybersecurity organization in the world, and it happened to be at Carnegie Mellon University.
So I lucked out and ended up getting a job in CERT, changed the course of my career.
I took my job at CERT, and they told me, we just got a new contract with the Secret Service.
And at that time, the Secret Service, their protective mission was not just for the president.
It encompassed all national special security events.
Like the first one that we had to help the Secret Service with was the Salt Lake City
Olympics. And so that was our job. And I thought, this is the coolest thing in the world. I get to
work with the Secret Service protecting the Olympics, and I know nothing about security.
So coolest job ever until a month and a half later, 9-11 happened.
And all of a sudden, that cool, neat job became really serious because they thought for sure that would be the next terrorist attack,
that it would happen at the Olympics. So that, again, life-changing day for many of us.
But for my career, that was a big game changer.
And so that ended up leading to the creation of the CERT Insider Threat Center,
which we started up after the Olympics, and I left in 2013 to go to Rockwell.
So it was very successful.
So I was CISO from 2016 until 2022.
And when I took the job, I told Rockwell that I was planning on retiring in January of 2021.
And then when that was approaching, I said, you know, I'm still having fun. I don't think I'm
ready to go. I'm going to give it another year. Well, 2021 pretty much did me in as many CISOs.
That's when ransomware was becoming more prevalent. I don't think people
realize how stressful the job of CISO is. And so I finally thought, okay, now I'm ready.
So I retired, but I knew I still loved security. I have this passion for protection.
And so Dragos came along
and they offered me this role of director of OT CERT.
I feel like I'm the security fairy godmother.
I get to give things away for free to small and
medium businesses to help them start and mature a security program. I believe strongly that as a
leader, you should have people working for you that are smarter than you and better than you.
I think the main thing as a leader is I surrounded myself with people that had the same passion as I did.
And the same at Dragos.
I don't have a team at Dragos.
I have a habit of taking a job and never asking, do I get any money or any people? Everyone is so passionate about the mission
of the company, which is safeguarding civilization, that I have people coming to me and just saying,
what can I do for you? So I think it's just my leadership style is just that passion. It seems to be my secret to success because it wants people to want to help
instead of making me try to get people to help.
My words of wisdom that I tell people all the time is take a risk.
In your career, if you see a job, like I saw that job in CERT, leading a project with the Secret Service, and I felt like, I don't know if I can do this.
I know nothing about security. How am I going to do this? But it was so intriguing and challenging
and exciting that I took it. And if I hadn't, I'd probably still be back at Carnegie Mellon
writing boring code. So every job I've taken, I've been terrified,
intimidated, but yet excited. So I like to tell people, just don't be afraid to take that risk.
If someone's willing to pay you to take the job,
they have confidence in you. So you need to have confidence in yourself. Thank you.