Maryfran Johnson:  Hello there, and welcome to Tech Career Ladder. Tech Career Ladder is brought to you by Insider Pro, IDG’s new premium content digital publication that features in depth technology journalism, hands-on guides, career advice, and much more. Listeners to this podcast can use the promo code PRO30 for a 30% discount off an Insider Pro subscription.

[ Listen to Episdoe 1 of Tech Career Ladder ]

This is the very first episode in this Insider Pro podcast series, which every month will bring you practical ideas and actionable advice on advancing your technology career. I’m Maryfran Johnson, your host for this show, and also host of our CIO Leadership Live video series. As a longtime tech journalist and a former editor-in-chief of CIO Magazine, I know that finding and keeping the best technology talent is always in the top three concerns of IT senior managers and leaders.

But CIOs are already at the top of the tech career ladder, so this podcast series will be more about the career needs and perspectives of the rest of the IT organization. Some of you, for example, want to sit in the CIO’s chair someday, so you’re very keen on learning about leadership and business strategy. Some of you are looking to the startup world and you may be more interested in working on the leading and bleeding edge of technology innovation or cybersecurity or enterprise architecture or cloud management.

 And some of you are still exploring all the different pathways that a tech career can take you today. But wherever you are on that tech career ladder, we’re here to explore those possibilities with you. Now I’d like to introduce my very first guest, Sandy Silk. She’s the Director of Information Security (IS), Education, and Consulting at Harvard University. Sandy is a technology risk management and communications professional who excels at making cybersecurity a more approachable concept.

She has worked in the past at Fidelity Investments, Bose Corporation, Wellington Management, and of course currently at Harvard. In addition to more than 20 years of information security experience, she has formal training in instructional design, facilitation and adult learning. That unusual combination of hard and soft skills enables Sandy to create workshops and programs that bring content to life in an especially engaging way.

She’s a member of the Board of Advisors of the Master’s Program in Information Security Leadership at Brandeis University. She’s also involved in various Women in Technology organizations and is a very strong supporter of any opportunities that improve diversity, inclusion and belonging within the IS and IT professions. A big part of our conversation today will be about the four-part framework that Sandy has developed to help tech people upgrade their own leadership capabilities.

In fact, she’s branded this framework as becoming an EPIC leader, and that EPIC is an acronym. The E is for Expertise, the P for Presence, the I for Influence, and the C for Connections. Sandy, it’s great to have you here today.

Sandy Silk: It is great to be here, Maryfran. I feel so honored to be here and it’s interesting to be invited here, when I hear you introduce me I think how I never thought I would get into IT. It was never an area that was going to be my career.

Maryfran: That was the thing, when you and I first met at a Boston SIM meeting, Society of Information Management, at the beginning of December. I was interviewing you for the panel we were having a discussion on, and imagine my surprise when I find out that, like me, you were a language major in college. I was a French major.

Sandy: And I’m a German major.

Maryfran: You were a German major. We have such winding career paths to where we actually end up, don’t we?

Sandy: We do, and I think it’s wonderful you have this program to help people explore that it’s not really a straight line.

Maryfran: Yes, yes, and I think that’s especially true with technology jobs today, because they are evolving so quickly, they are widening. I mean the path to it, the fact worrying about your communications ability and your connections and your presence, these are things that technologists 10 years ago never had to think about.

Sandy: Not in the way they do today.

Maryfran: Right, right. Well let’s start out by talking a bit more about your day job at Harvard. Your title packs a lot of capabilities into one role, Director of Information Security, that’s understandable, Education and Consulting. So tell us about the team you work with and what you do at Harvard.

Sandy: So this is a subgroup within the Information Security team, so we’re education and consulting, and we are, I would say, the more people-facing group within that team that we are consulting across Harvard. We’re Harvard employees consulting to Harvard on high risk projects. So for the consulting side of it, these may be, whether it’s high-risk data that needs special handling, whether it’s administrative or research – we’re a research university – or whether the projects themselves that have high-risk functionality – as we’re building out new construction, state-of-the-art buildings that are going to be smart buildings, controlled, monitored remotely and could have dangerous life safety implications if something went wrong there.

So, part of the team deals with those projects, kind of advising how to be most successful in those areas, and the education side, we are educating the whole community about how everyone can contribute. It just takes small actions that make such a big difference to the information security posture of themselves, which translates to Harvard as well.

Maryfran: Give us an example of one of those small actions. I think we all could use some security tips.

Sandy: Sure, so a small action, update the software in your computer. Whether it’s your mobile phone, you have that little red circle with the one or two, however many apps need updating, just take the time to do it. Set it so it does the installs and the updates automatically. You never have to think about it. So many of the hacks that occur out there are because there are just these vulnerabilities that are forever exposed. They’re just never fixed. You can take something from five years ago, an exploit kit, and still use it today, easily. It doesn’t take long to do this, but it makes such a difference.

Maryfran: When we talked before, we were talking about kind of the before and after of you arriving at the job you’re in now at Harvard. It was a policy, risk and compliance department, which sounds so incredibly serious, yet we’re sitting here talking and you’re so easy going. Are the other members on your team – you have five people reporting to you, right?

Sandy: Yep, I have five people.

Maryfran: Is everyone like you, where they’ve got a real interesting mix of kind of hard-skills, soft-skill backgrounds?

Sandy: I am so fortunate to have the team that I do and I can take credit for some of the hires. Some were there already when I arrived. But we are probably more extroverted than you would ever expect information security people to be. I would say one of our favorite things to do together – we genuinely like each other, too – we love to go do karaoke together when we’re attending conferences wherever, and we like to speak at conferences.

But yeah, we have a mix of backgrounds, experiences, and we really, really are fascinated by the experiences we’ve each had, and we lean on each other to fill gaps that way, too. We have someone who use to teach Sunday school. We have someone who’s got a master’s in fine art and still makes sculptures and very kinetic kind of art.

So, we get left and right hemisphere brain going all the time. We’re creative. A lot of it we don’t really bring to light. We have great discussions about wouldn’t it be fun…Yeah, no, we can’t do that.

Maryfran: And your titles are somewhat unusual, too. You’d mentioned you’ve got someone who’s an awareness officer, another a community engagement manager. I mean, they don’t sound like titles that are part of a security group.

Sandy: No, and I would say we are maybe a little cutting edge to have that, a community engagement manager who finds partnerships for us everywhere across the university. You wouldn’t think information security and the office of sustainability together. We have this secure shredding disposal event where… This coming week we are partnering with parking services and commuter choice people who bike to start your day with coffee and securiTEA, so T-E-A, at the end. We’re sponsoring hot coffee, tea, hot chocolate. We’re giving away branded mugs, free tune-ups for your bikes.

We get these partnerships going and our community engagement manager knows everybody, and it’s a natural passion and strength for her and it benefits the team. My gosh, when we can have other people doing 90% of our work and then we come in and just augment, it’s sustainable.

Maryfran: What I particularly like about the way you’re approaching this is that a lot of companies, security is kind of a grim march toward compliance and you receive an email from the security officer and it sounds vaguely threatening, and you need to do this, that, and the other thing. It’s just, you don’t run into many organizations that are trying to put any fun into it.

Sandy: That’s true, and we all do have really good senses of humor on the team. Not that we wouldn’t take someone who does not. It tends to develop after being around us a little bit, too. I think when you’re at a higher ed institution, you don’t want someone’s lack of knowledge in an area to be a penalty against them. You want to give them an opportunity to learn. That’s what we’re there for. We love when people say, you can’t fix stupid. Well, actually we’re higher ed, so kind of education is our thing.

Maryfran: We’re kind of here to fix stupid.

Sandy: Yeah, let’s not call it stupid, but in that overall sense, yeah, there’s a lot of organizations that try to do that.

Maryfran: I think, too, the fact that you said this is kind of an ambassadorial program. It’s something that I imagine private corporations could learn a lot from, an approach like that. I like to think of a lot of former German majors ending up running programs like this. 

Sandy: When you think German, you’re probably not thinking fun and approachable. And I am very rules-based, I will say, on Myers-Briggs kind of tests, I’m off the scale for following rules.

Maryfran: We’ll definitely circle back to that because I think we owe our listeners and explanation of how does a German manager end up in security? But before we do that, I wanted to mention, anybody who is listening and is interested in seeing some of your work that is visible to the outside world, you’ve got a website that is publicly available.

Sandy: We do, yes. They can go to security.harvard.edu and you will see featured there our awareness campaign, which we’ve titled Small Actions, Big Difference. It’s really focused on very easy to achieve things anyone can do that just makes them so much less vulnerable. Most of the attacks are just looking for the most vulnerable way in to do something not targeted against a specific person.

Maryfran: I like, too, one of your sentences on there, you talk about how you provide the content and the ideas, including a box of stuff every two months. This is for people who become your community allies, your insiders.

Sandy: Yeah, we actually mail packages to them. We do this quarterly, where they’ve got the current mailing – I think it’s going out this upcoming week, so they’ll receive it early February a the latest –  because it has some robot-themed valentines in there that actually our awareness officer created himself. Very good with graphics. And chocolates, of course, because Valentine’s Day is coming up. Just things that they can have fun distributing to their office, their teams, to get them engaged in a discussion, a security-related discussion.

Maryfran: It’s such a nice idea that security doesn’t have to be gruesome.

Sandy: No it doesn’t. And frankly, if something’s going to go wrong, you better have a good sense of humor if you’re going to deal with that.

Maryfran: Yes. The next portion that I wanted to get into was talking about the workshops and the talks that you give externally to Harvard, this actually stems out of Harvard allowing and encouraging the staffers to have LLCs of their own, consulting businesses on the side.

Sandy: I don’t know if I would say they encourage it, but the entrepreneurial spirit is very much part of our culture.

Maryfran: It’s respected.

Sandy: Yeah, it is respected, so as long as you can still do your full-time job and this isn’t a conflict of interest, it’s a great opportunity.

Maryfran: And your consultancy is called Cyber Risk and Resilience?

Sandy: Yes.

Maryfran: Tell me a little bit about that, how long have you been running it, what sort of things are you doing out in the world?

Sandy: It’s probably two and a half years old at this point. It’s kind of evolved from what I thought it would be.

Maryfran: Well most new businesses are like that, aren’t they?

Sandy: Exactly. Where it is really going to organizations and running workshops to help their IT professionals understand business a little more. It’s, in a sense, kind of translating the gap between IT and business. So ideally, you’ve got both in the room learning to talk with each other about what the goals are for a project. How can we help you achieve success? What are realistic cyber risks, not the media hype, not the blockbuster movies that we see, but what’s most likely to happen.

And so it’s kind of rationalizing what is, let’s get out of the Armageddon kind of mindset, the Black Swan mindset and think about, alright, this is most likely. These are the easiest ways to prevent or detect if something happens. And then I also do workshops about, I’d say, personal resilience at this point. That holds still in the title. I noticed there was so much more demand for, you’re a woman or some other underrepresented population in IT, how do you become stronger in yourself to break into this world, especially cybersecurity.

Maryfran: One of the titles of your talks is about when you’re ‘the only’ woman in the room.

Sandy: Yes.

Maryfran: You’re the only person of color, you’re the only woman, you’re the only transgender individual. I like the notion that you’re also trying to remove mystery and anxiety around cybersecurity, and replace it with this achievable attitude. That’s really good.

Sandy: I think that translates from the Small Actions, Big Difference, that it doesn’t have to be Herculean, and it shouldn’t be Sisyphean. You should actually be able to accomplish something, because if you’re not accomplishing something, you’re throwing money out the window and maybe a false sense of security. No pun intended there.

Maryfran: The point you made when we were talking previously, is that what’s lacking in the training space around cybersecurity is making it accessible, making it something that business managers and nontechnical executives can actually feel less, I don’t know, whipped up about and nervous about.

Sandy: Absolutely, and there is a lot to do with the technology. The technology doesn’t run on its own in a vacuum. We’ve got to support people and processes and we need people and processes to support and use the technologies. Missing those two big areas is not taking advantage of the full adoption and rollout and embracing that you could have a really good running ecosystem.

Maryfran: Okay. So doing these kind of workshops, and the consulting work you’ve done with resilience and cyber risk, is how you arrived at the EPIC Leader idea?

Sandy: It is, and also some personal experience for where I felt I was lacking in confidence, in specific areas, and where was I told by others that I seem to have a skill or a competency that others in information security or technology didn’t have. Really looking at what a fully rounded employee is. What would be a great full set of competencies to bring to this profession, especially if you want to move up the leadership chain.

Maryfran: And not everybody who’s going to be listening to this wants to be the Chief Security Officer one day or even wants to be top senior management. In fact, some people may be actively avoiding that. They may want to be individual contributors, but everybody likes to feel appreciated and people like to get ahead and get raises and get better jobs and that sort of thing.

Sandy: And, everybody, I hope, would like to enjoy work, too. And part of that enjoyment includes your personal values and personal strengths. Those are part of the analysis of EPIC to ensure, when you’re playing to a strength or a passion or a value, that you get some joy out of it, but you also get more confidence from it because it’s hitting your core. It’s not something you don’t really buy into.

Maryfran: Right, exactly, I’m not just trudging along doing what I’ve been told to do and I don’t really approve, but I feel like I can’t speak up.

Sandy: Right, exactly.

Maryfran:The E in the EPIC Leader doesn’t stand for having to be extroverted. It doesn’t stand for you having to be out there educating people. It does stand for expertise, which of course people in IT and security usually have an abundance of. But from what you’ve told me, people, IT people especially, tend to double down on the tech expertise, and if anything, they need to back off of that a little bit. Explain that.

Sandy: Exactly, and that’s why I wanted to come up with an acronym of four letters. The expertise really only needs to be about a quarter of what you bring to the table as a fully rounded employee. And the expertise is an evasive goal anyway in IT. When you’ve chosen IT as your profession, you’ve chosen ongoing learning as your discipline, because it changes all the time. The minute you master something, it becomes obsolete. The next big thing’s coming in, the next technology, so you have to learn again.

This is where people tend to double down, like oh, okay, I’ll just learn this new thing then and…

Maryfran: And I’ll add another acronym to my resume.

Sandy: Yeah, and not looking at, okay, but can I also interact with people? Am I influencing decisions and strategy? Do I have a network of people that can help me when I’m feeling a little inadequate for whatever reason, or who could contribute to a bigger success like on my team, when we look for each other’s strengths and experiences in different areas?

Maryfran: I’m trying to imagine your audience at one of your workshops and you’re talking about this and becoming an EPIC Leader, and how the E is for expertise and everybody probably sits up and thinks, yes, I’ve got plenty of expertise. And then you tell them, but you need to back off that a little. Do you get a lot of frowning when you say that?

Sandy: Not so much from the people who are attending these because that’s probably where a lot of the imposter syndrome comes from, that whole I don’t feel I’ve mastered everything feeling, which is never going to be something that you can do because there’s just too many technologies and so much evolving. It’s a losing battle to try to be a master of everything.

And even if you did master everything, that’s only a better reason to keep you in your current job, because you’ve just become indispensable in that job, but not ready to move to anything else. If you want to move on, you’re going to need to be able to influence decisions, advocate for yourself, know how to promote what you do well, what you value.

Maryfran: I feel like that brings us to the P in EPIC, which it’s P for presence, but it could just as easily be for promoting.

Sandy: It could be promoting, it could be presence. A lot of people find that skill by identifying purpose. When you think of executive presence, it’s so you have this confidence as you’re standing promoting something or pitching – we can come up with all kinds of Ps – pitching some idea, some goal, some value. But it’s really finding what is my purpose here. What’s the value that I feel – when someone’s experienced that kind of confidence, it’s generally I really believe in this, it’s important to me, it’s a core value of mine, and they’re probably not so stuck on every task that has to happen just on what the vision is.

So trying to think about what was one of those experiences? What about it made you come out of your shell and feel this way and how can you translate that to work? What are the values, how do you add value to projects? So really getting into that, okay, here’s my sense of why I’m here, and I believe in this, so I can get behind this. And if people course correct along the way, I don’t take it so personally because we’re all still shooting for the same goal so we can course correct to get there. But I will have that confidence standing up there because I’m representing something I believe in.

Maryfran: Right, and the E part of EPIC, the expertise that you bring, in a perfect world would actually fuel your sense of presence because you do know what you’re talking about.

Sandy: Right.

Maryfran: How come it doesn’t work that way?

Sandy: I’m not sure it doesn’t, but if we’re particularly looking at when you’re an ‘only,’ you may perceive, whether true or not, that there’s extra scrutiny on you. So any mistake you make is going to maybe be amplified.

Maryfran: You have to be so much better than everybody else around the table.

Sandy: You may feel that there won’t be forgiveness, that people won’t see you as an individual human, but as representative of that whole group, and you can’t let that whole group down.

Maryfran: That sounds so much like a kind of a classic approach that leadership and life coaches take, where they talk about identifying and then setting aside your limiting beliefs.

Sandy: Yes, exactly.

Maryfran: Let’s move on from presence to the next one, and the I in EPIC is for influence, and it almost seems like they each – this is a very nice four letter framework because your expertise can help enhance your presence and the your presence actually is what the influence becomes about. Talk about that a little bit more.

Sandy: Absolutely. So the influence is, first of all, do you know how what you’re asking for is going to benefit the business or the goal? And this can even get to, I think I should be receiving more money for what I do, or I’m going to ask for time away. Maybe I want to cut down my hours to 80% instead of 100%. Okay, well certainly you have a personal gain from that, but what’s the gain for the organization from that, because that’s really what’s of concern to them.

So figuring out how is this good for the organization? How does it promote whatever the goal is that you’re trying to achieve, whether I’ll be more engaged, I will be fresher, I will be doing things in that 20% off that let me be more present the days that I am here, or I’m taking the time to take a course that’s going to expose me to new things. Certainly you have a personal interest, but if it’s especially going to help the organization – and you should expect a yes. Go in, if you have made a good case, if you’re able to look at how is this what I want, what they get from it, knowing there’s an overlap there. I’m not going to get into best alternative to a formal agreement and ZOPA and all the negotiation kind of stuff.

But just realizing there’s an overlap there and you just have to identify where the overlap is and then everybody wins. And you should go in with confidence expecting that if there is a benefit to all, why would someone say no to it?

Maryfran: Give us a real-world example from things your team has done at Harvard, someplace where you’ve seen influence in action.

Sandy: Oh my gosh.

Maryfran: Unfair, totally out of nowhere question on that, but I’m just, I always like to be able to visualize what would that look like, you can imagine presence growing out of your expertise and you’re confident about what you’re doing, and when you’re influencing someone, as you put it, you’re trying to get them to take some action.

Sandy: Right. I mean, so we could say this on a small scale, whenever we’re trying to get people to exhibit a certain behavior or take an action that’s going to be one of these small actions, big difference things, it’s not saying ‘what’ you need to do, but ‘why’ it’s of benefit to you, to the community. Here’s an example. Classic, you see a suspicious email message. You believe it’s a phishing message, and you probably delete it. Great. You didn’t click on a link, open an attachment or such. But the 50 other people who are receiving that same message, maybe one of them doesn’t realize.

And so trying to get the concept of a neighborhood watch out there, so appealing to those who know how to identify it to say, you know, because you were smart enough to identify this, you could help so many other people. And you just have to take, if you take this one action to send it here, the security team can then investigate and respond and you are protecting so many others. It’s kind of like see something, say something neighborhood watch, but it makes them feel really important and valued in the chain and they are.

Maryfran: And I know I experienced that myself with just our security people here at IDG. When I would get something that I thought was a phishing note, but I’m not nearly the expert, so I’d forward it to them and then they would send me back a nice note and sometimes the note would go around and you could see them warning everybody else. You do, you get that little fizz of pride, I did that.

Sandy: And on larger scales speaking with researchers who are going to take in really sensitive datasets, and we’re aware of more regulations and which platform is more appropriate for the kind of data? Just walking through with them it would be best if you could put it here. I know originally you wanted to work on it on this platform, but we want to make sure that none of the data gets corrupted or gets seen by people who shouldn’t see it. We want to make sure your name goes on the report that gets published, so we recommend you put it over here. But letting them know what’s of advantage to them in that.

Maryfran: That almost sounds like you’re providing the context where they realize that this is not just checking boxes.

Sandy: Right. And as you said before, it’s not compliance, it’s really what defines success for you being the first one out there with this published research that’s going to help the world somehow, and we want to make sure that happens.

Maryfran: And you know that your data isn’t corrupted, your data’s not going to go and do harm anywhere else, so yeah, I would think that when you explain it that way there’s a lot of motivation to go along with it. Alright, let’s talk about the fourth letter in your framework, C, and it could almost be change management because I feel like IT people have to really get better and better at managing change because they are dealing with it more constantly than anybody. But I also like the word connections. Your C is connections.

Sandy: It’s connections and it can be so broad. This can really mean, first of all, get to know people. I can’t tell you how many conferences I’ve been to where the salespeople there, I think it’s their goal to get rid of all their business cards. They don’t really make a connection. They just, here you go, business card, business card. I win, I gave out 500. They won’t know who you are.

But to really get to know people a little better, like what are their skills, what do they like, just anything about their family, whatever. Not get creepy, but get to know them. But then when you need to do something, do you have to do everything alone? And this gets back to also that being ‘the only,’ where you feel there’s so much more scrutiny and I’ve got to be better, I’ve got to prove myself. Doesn’t mean you have to do everything all on your own either. Who can help you? Who would make it better if you asked them for their opinions, their input? And as a manager, who might this help if I can give them something to do that gives them visibility?

Maryfran: Well, and I’m thinking, too, if there’s any generation in the workplace right now that could teach everybody more about that, it would be the millennials.

Sandy: Oh my gosh.

Maryfran: The social connections and the ability to work in groups and to be messaging each other. On your team, your five that you work with at Harvard, any ‘mils’ on there?

Sandy: Not on my team, and that might be more a function of the experience you need to have, but that said, we also do a lot of outreach to up and coming people who maybe are relatively new into IT who think they might want to go into security. We do have some apprentice kind of programs. We do girls in STEM, Girls STEM Summit with Mass Junior Tech every year, this will be our third year this year. I do encourage volunteer. Whenever anyone on my team says, oh I want to go talk at this high school that’s having career day, as long as it’s not a crunch time for some reason, absolutely.

Maryfran: Always be recruiting. The works that I’ve done at various CIO events, as soon as you’re wrapping one up you know there’s another one coming down the pike, and every time you get a CIO on the phone, it’s like, whoa, what can I recruit you for? Another great point you made is that when you talk about connections and connecting with people, you’re not calling it networking, and that’s purposeful why?

Sandy: Well, A, when you’re in IT, calling it networking can be immediately confused with the technical networking. But it’s, when you think networking, a lot of people automatically have a negative reaction to that word, that it’s…

Maryfran: It’s a chore.

Sandy: Well, and it’s purpose driven and it’s icky because now, I’m only giving you my card and talking with you because I’m looking for a job or I need something, that I have to ask you for something, where really so much of it’s, when you look at it the other way, if someone asks me for a reasonable amount of help, not can you get me a job.

Maybe I’ve applied for a job at this place. Do you know anyone there or could you put in a word for me? I mean, any of us who really knows someone at that company and we do believe this person would be a good addition, of course you want to do that. Any of us like to help other people, so it’s really, once you connect, don’t connect with someone if you wouldn’t follow up with some small bit of help. And you should be able to reach out to those people for that small bit of help knowing that if they asked you, you would do that happily because it really brings joy. It does for me anyway, maybe not everyone.

Maryfran: Well, and that’s the thing. I recognize one of the people of my tribe here. We’re both kind of extroverted, and for extroverts, walking up to somebody at a conference and chatting them up is part of the enjoyment. But I’m always conscious when I’m in front of a room full of IT leaders. I mean, they may be forcing themselves to do a certain amount of networking because they know it’s expected in an executive role. Sometimes I wonder how many tech people avoid executive tracks because they feel like they don’t have the right personality for that.

Sandy: Oh my gosh. How many, well, how many of us think I don’t have the right personality or why would anyone want to talk to me? What is interesting about me? Because when you’ve lived your own life through your own eyes, perhaps you don’t realize it’s not what everybody has experienced.

Maryfran: It’s like when I was introducing you at the top of the hour here and talking about and you were sitting there looking kind of wide-eyed. You’re like, wow, I sound pretty impressive on paper.

Sandy: Who is this person? I want to meet her.

Maryfran: Yeah, exactly. I had wonderful advice one time from a good friend of our CIO family here. He’s actually a former CIO and now does executive coaching, and he tells all of his clients and all his friends, don’t worry about being the most interesting person in the room. Be the most interested. Walk up and ask questions, like, well what did you think of that last talk? And I’ve often given that advice from the stage to CIOs. I’m like, this isn’t hard. I know you guys are not like me. You don’t love being up on stage. You don’t want a microphone in your hand 24/7. But just walk up to somebody and ask a question, and everybody can think of one.

Sandy: Everyone can think of one, and I’ve had a good tip for people who find it difficult to answer questions on the spot. Very pointed ones such as asking someone what was the best or the worst thing about something is usually a question people can answer pretty quickly, even if it’s looking around the room and saying, what’s the best aspect of this room? Pretty quickly you can identify. Or what’s the worst breakfast you’ve had? Asking someone a question doesn’t have to be related to the conference. It could just be something really out of the ordinary.

Maryfran: Don’t you wish they had more pulled pork sandwiches? That kind of thing. Well, and whenever I think about connections, and this really shows one of my biases because I’m such a huge fan, I connect with a lot of people on LinkedIn. And when people come up to me at conferences and they’re like, oh, here’s my business card, could I have yours? I always say connect to me on LinkedIn. I mean, I’m very easy to find. You’re easy to find on LinkedIn, too, Sandy Silk.

Sandy: Got in early.

Maryfran: Yeah, exactly. Link in early and often. What do you like about it? And, you do a nice job on your profile, too.

Sandy: Thank you.

Maryfran: It’s informative. You’ve got the About section is in the first person. In an upcoming episode of this podcast I’m going to talk to some seriously expert people about LinkedIn and about the easy things you can do to make your profile a little better. Talk about your view of LinkedIn and how you use it.

Sandy: My view of LinkedIn is it should be kind of your billboard. It is your chance to define what your brand is, what you want other people to think or know about you. These are the things that you should know about me or that I want to become. Fake it ‘til you make it. Don’t lie, but don’t be shy either. I have gone to a LinkedIn workshop about how to make it better. You don’t have to put what your title is right under your photo. I forget how many characters you have there. You have pretty good amount.

Maryfran: Something like 50.

Sandy: It’s pretty generous.

Maryfran: You can put your headlines.

Sandy: Exactly. Put headlines out there. Put what makes you passionate, what do you love to do, what inspires you, what motivates you? Do it first person. I find it odd to read about, and Sandy likes to do this. Why is she talking about herself?

Maryfran: A lot of times what people do is they take a chunk out of their bio or their resume and the plop it in the About section. It is, talking about yourself in the third person always feels weird to me.

Sandy: You’ve took the time to put a photo out there and to put maybe some interests and skills out there. You want yourself to be approachable. Talking about yourself in the third person does not really make you approachable.

Maryfran: I know, and for God’s sakes, drop all the bullet points. I mean, just a few paragraphs. It’s funny because it’s so easy for people to write an email to somebody describing something their working on or maybe even introducing themselves. But I think there’s some kind of a freezing moment when you get in there and you’re like, oh, I’ve got to describe myself or market myself. A personal brand? A lot of people I think find that kind of weird.

Sandy: But wouldn’t it be wonderful if you’re about to meet someone you’ve gone through their LinkedIn profile beforehand, so you know about them, and when you meet them they actually sound like their LinkedIn profile. Like, oh, your personality actually came through and you sound like you’re the one who wrote your profile, not I had a professional do it.

Maryfran: Yeah, you want to have that experience of, I feel like I already met you, because I read that little thing about you. Well good. There’s a couple of books about improving your LinkedIn profile that I’ve got on my Kindle and I tracked the authors down of both of these books on LinkedIn, and I’m talking to both of them next week. I’m going to line them up and have them on Tech Career Ladder.

Sandy: I hope their LinkedIn profiles are stellar.

Maryfran: They are gorgeous. They are absolutely gorgeous. I’ll send you the names afterwards.

Sandy: Okay. Message me in LinkedIn.

Maryfran: Yes, exactly. I like something you said at one point, and I thought this was great advice, you talked about playing to your strengths, when you’re getting ready to, say, apply for a new job. And we’ll get to your German major stuff, too. I want to definitely circle back to that. Do you remember the approach you told me about how you pull out performance reviews. Talk about that. People don’t usually revisit their performance reviews, unless they’re good.

Sandy: I hope you have managers that write performance reviews with you, so this is assuming that you have some. I actually print out a hard copy every year of mine and I have my Chronofile of them, and I actually went through probably 10 years’ worth, and saw like, oh my gosh, I am seeing trends here, the same kind of things said over and over. Apparently, I’m very good at forming teams and motivating people to work together. And who knew? When it’s a natural strength you don’t think about it, and that other people realize it. And everyone’s so focused on overcoming weaknesses that maybe you forget what your strengths are. It’s like aha, I think this is true about me. I see this now that someone’s pointed it out to me 10 years in a row. I get it.

Maryfran: One of the ways I think that people might be able to especially develop their presence and make more connections and start having more influence is if they can’t stand to go through cataloging their own strengths, maybe sit down with a good friend and ask the friend, if you were writing – maybe not your obit, nothing gruesome like that – but write down three of the things you’ve noticed about me.

Sandy: Two things easily you could have people do – three adjectives that describe me, so then they don’t have to give large explanations, but what comes to mind. And if you were to write my intro for a presentation, what would you highlight and how would you say it? That’s the good thing with connections, back to the EPIC. They’re there to support you when you need it, so that what they’re saying about you, you can kind of internalize finally and say, oh, I guess this is true about me, and start getting comfortable saying it about yourself.

Maryfran: Well, when I recently went off to form my own consultancy I changed things up on my LinkedIn profile. I got in touch with some of my CIO friends and I said, if this isn’t too oogie, would you just write a recommendation for me. And they sent back such lovely things. I mean it was just, it was really almost kind of embarrassing, but you get to see that and I wish more people would do that. Just say write me a recommendation and then you get to see it before you post it.

Sandy: Absolutely, and I think you have to have your usual champions you go to. When I started presenting at conferences, I would text with them saying, oh, you know, I’m a little nervous. Wish me luck. And you’re really just expecting an, oh, good luck, and you get that, oh, Sandy, you’re going to do great at this because blah blah blah. I was like, oh my gosh. This is what you think of me? Good. And that’s the pep talk you need before you go out there, that okay, this is maybe how the world, at least my good friends, see me.

Maryfran: The thing, too, we’re both very comfortable on stage, so this is not something we have to learn or even think about anymore. But when I’m encouraging people, like I’m luring someone onto a panel and they realize they’re going to be interviewed ahead of time, they’re going to know what the questions are. They end up having a good experience with the whole thing and they don’t have to fake it ‘til you make it.  Don’t tell the audience, oh, I’m a little bit nervous to be up here, because the audience is so with you.

They’re sitting there. They’re wanting you to succeed. They’re all rooting for you. People don’t think of that. They think of the audience like, I don’t know, like it’s a room full of HR people about to give them a bad review. It’s not that way.

Sandy: You haven’t been thrown to the lions. They really, I would hope, want you to succeed and we’ve all been in the audience watching someone who’s maybe a new speaker who’s nervous, and you can see the nervousness and they’re maybe getting a little lost, and everybody watching it is just rooting for this person, like you got this. Come on, you got this. I wish more people would put themselves back in that experience for a moment to think, they’re not going to trash me. They’re going to root for me.

Maryfran: They’re actually on your side, because you’ve gone through something and they’re all sitting there and they’re glad that they’re not you right now because you’re up there and you’re talking to them and you’re taking that risk and they really are rooting for you.

Sandy: My team does karaoke so we’re accustomed to people being judgmental perhaps in the audience, but we can say, well you’re next.

Maryfran: I only did that once and I’m so hoping I never have to do it again. Some people really can’t carry a tune and they shouldn’t be made to.

Sandy: It’s not about the talent. It’s about the effort and it’s about the enjoyment.

Maryfran: And the attitude, the attitude. Well, we keep hinting around your German major and how that all happened. Now you’re a big mucky muck information security person at Harvard, and you were majoring in German in college. Tell us about your career path, your tech career ladder, how you jumped of the German ladder onto information security ladder.

Sandy: Well, first I had to change from the biology ladder to the German ladder. I went in as a biology major and then changed, switched to German because I was offered a trip to Germany if I would declare a German major. Not as a bribe. There were dollars from the German government to send someone who was a German major.

Maryfran: You went to Bavaria, right?

Sandy: I went to Bavaria. It is gorgeous, but for anyone who’s studying German and the official High German language, they don’t speak that in Bavaria.

Maryfran: They had a very heavy dialect.

Sandy: Very heavy dialect. Certainly, they can speak it, but it’s not the dialect so you start questioning your ability to speak. I thought I was studying this language. I don’t know these words.

Maryfran: Everybody’s looking at me funny when I try to speak German.

Sandy: So I went back. I stayed with it. I went back in my junior year in what was then still a divided Germany. I was in West Germany, I got to go through Checkpoint Charlie, all that. Graduated and started working a little bit, and then maybe five years later decided why don’t I have a master’s? Everyone I know is like lawyer or a doctor. What am I doing? I’m not even using my German degree. So I went back – into a PhD program actually – and I was going to be a professor of medieval Germanic languages and literature. It’s so highly employable.

Maryfran: I feel your pain here because I was a French language and literature major and I was really fascinated with the middle ages as well and I just had this vague idea of what I would do. Do you teach at some point? A friend of mine in college actually did go on to have a whole career as a French teacher and now she’s got an online teaching thing and all.

Sandy: Some will. Some people become astronauts. Not all of us can.

Maryfran: That’s right. 

Sandy: Actually I, the summer between the master’s and starting up the PhD, I took a summer job, because – this was years after graduating with a bachelor’s – we had a mortgage to pay. I needed money. I took a temp job working with Fidelity Investments over the summer, and they just saw so much potential. They saw the analytical skills I had from the language analysis tracing linguistic shifts and I had writing capability and communications capability. I had lived in other countries so I could accept other cultures, too, and they just nurtured me in that role and I was making more as a temp in IT than I was going to make as an associate lecturer, whatever my path would have been in German.

Maryfran: You worked directly for the CIO at that time, right?

Sandy: I worked for a CIO supporting a systems group and this was pre-Y2K, and we were FDIC regulated, so we had to come up with continuity plans for Y2K, it was the year 2000 century issue for those who were born after it.

Maryfran: There are people that don’t remember what Y2K was.

Sandy: Things were going to fall from the sky.

Maryfran: I was editor-in-chief at Computerworld when all that was going on and we did so much coverage on it and IT all over the world, especially in the US, mainly in the US I guess, that’s what we were covering, worked so hard to make that not be an issue. And it was almost one of those so much success it was a failure, because afterwards, all the businesses kind of said, oh, well, that wasn’t such a big deal, was it? This is where that connection and communication and that ability. I think if there had been more explaining going – here’s what we’re saving you from. Here’s the before and after. But then there was kind of universal, oh, that didn’t happen.

Sandy: Fizzle out. Done.

Maryfran: I know.

Sandy: So I stayed with Infosec and I was really encouraged. They sent me to all kinds of training, certifications, but I have always been kind of drawn to the people facing side of it which has just become so much more in demand. I was teaching classes and also got into financial services, into fraud detection and so teaching about identity theft before it became such a huge thing, how to protect yourself online. Took some instructional design classes. I actually got a graduate certificate in adult and organizational learning at Suffolk University at that point through Fidelity. So yeah, to have people skills and technical knowledge and business acumen is kind of a triple threat.

Maryfran: It is, isn’t it? And people who love to continue taking classes, the lifelong learners, they really do well in security, don’t they?

Sandy: Oh, absolutely.

Maryfran: Do security people give themselves enough credit for how much of that that they’re doing and that they’re thriving on? I mean this may be one of those unrecognized talents they have, where they’re all about learning the latest and dealing with change management. I wonder if they give themselves enough credit.

Sandy: I think internally they give themselves enough credit. This is probably going to get to the communication issue, does anyone know that they’re constantly reading everything. You want to break out of that stereotype of I’m constantly at my computer reading through all these dark web, dark reading, great things I follow, too. You can follow them on Twitter as well. But do you ever look up from your computer screen?

Maryfran: Get up, walk around the office, tell somebody something you just learned.

Sandy: Talk about it.

Maryfran: Talk about it.

Sandy: Debate with somebody about it.

Maryfran: We talked a little bit about that. That’s part of also getting tech people to develop more business acumen, and that is a complete and absolute necessity today that really wasn’t there 10 years ago maybe. I mean, CIOs have been onboard with that for a long time, probably for the last decade, they’ve essentially transitioned themselves into mostly being seen as senior business leaders who happen to be technologists. What are some of the ways that you have worked with people in your workshops or recommendations you give to your teams where tech people can kind of get over what might look like a painful hurdle? I don’t really want to know more about the business. I’m a technologist. So how do you encourage people to cross that bridge?

Sandy: Well, certainly if they ever want to get another job someplace else or even someplace else in their current organization, you better know something about what your organization does, because when someone asks why do you want to work here, it’s good to know what they do. Without the businesses, we’re really not employed. There’s no IT running for the sake of IT someplace unless it’s a research lab someplace, and then it’s going to be sold to some application.

Maryfran: I always cringe when I hear businesspeople say, well, you know, we’re not interested in technology for the sake of technology. That always makes me just grimace because I think, oh, how were you harmed there? Who talked in all acronyms to you? Who scarred you with this?

Sandy: Go ask someone if they want to go get coffee, tea, whatever, and ask them what’s a big challenge in your organization right now? Or what are you working on? What’s going really well and why is it going really well?

Maryfran: Be the most interested person.

Sandy: Exactly.

Maryfran: Asking questions.

Sandy: Ask about it. People love when you take an interest in what they do. It’s easy enough, a coffee is not a lot to ask of somebody, especially if you buy it for them and you really keep it to half an hour or so. Just talk with people. Ask. You don’t have to have the answers yourself because you’re just asking questions.

Maryfran: It seems to me, too, that there’s a wonderful opportunity now with so many organizations that are going through digital transformations of one sort or another, and now there’s all the focus on agile teams and in organizing people in product groups rather than projects. Are you seeing that at Harvard where there’s more likelihood that a technology person will be sitting down with someone in a different business unit?

Sandy: We’re definitely seeing more of that. We are adopting agile and we’ve got coaches around everywhere. It is great to have, frankly, security when we’re at the table early to hear what is the business trying to do when we can have that mix of technology and business together. Hey, if they want to throw in some users of it to say what do they want their experience to be as well, that would be a perfect design thinking and system thinking. It would be wonderful to have that full experience of, okay, this is how we think we’re going to use it, how we hope to use it. They can evolve after that, but really getting a sense of what defines success and how do we get you to success?

Maryfran: Alright, good. Well, as we are wrapping up here, let’s go over the EPIC framework just one last time. We’ve got expertise. Tech people have that covered. And let’s just give a couple of really pithy, fabulously well thought out bits of advice about our different letters. The expertise, check, we’ve got that.

Sandy: Right, we really do that just to say you got it, let it go.

Maryfran: And the P is for presence …

Sandy: Presence, which might come from knowing what your purpose is, really knowing what you want to pitch. But it’s the confidence you get from believing in something and knowing what your strengths are and playing to your strengths.

Maryfran: Someone just recommended it, I think it’s a book that’s been around for a while and I think it’s just called Strength Finder. It’s one of those classics where you can kind of analyze, there’s things in it where you fill out lists of stuff you’re good at and that kind of thing.

Sandy: There’s a survey that goes with it.

Maryfran: You know the book.

Sandy: It’s a whole questionnaire, it’s a whole study. It’s a research kind of study that’s gone on. And we’ve got a Women in Technology mentoring program at Harvard that a group of volunteers set up, myself in there, and everyone goes through that Strengths Finder to find out what do I do well? What’s natural to me? What do I gravitate towards, and when can a strength become too strong and become a negative? So, we’re constantly seeking expertise. We go through that so that they can start playing to that and building confidence, because oftentimes you don’t lack the competence, the expertise. It’s the other parts, the PIC, the presence, the influence, and the connections to help you be stronger and communicate and get things done.

Maryfran: Well, okay. Good. So we’ve got the expertise, we’ve got presence, then the influence which is going to flow out of your purpose.

Sandy: Know why you want to do stuff and why it’s of value and just trust that when you’ve pitched it correctly, when you’ve framed it correctly, it should be accepted and go in there with that confidence, and also know where you can negotiate. You may not get all of it, but you’ll get enough to get the goal accomplished.

Maryfran: Wonderful. And then connections.

Sandy: Connections. They’re your safety net. They’re your confidence builders. They’re going to make whatever you do even better because it’s the sum of all the parts. You’re going to help them, which is going to make you feel better and you feel more confident as a result.

Maryfran: Doesn’t everybody these days want to know a good security person? My sister’s phone got hacked – no, not her phone, her Comcast account – got hacked and it actually looked like it was actually Russians. And she asked me, she’s like what do I do about this? And of course, I talk to technology people, but I talk to technology people. So I sent a note out to a couple of lovely CSOs I know. You should have seen the detailed lists of helpful tips that I got, and two or three of them followed up with me a week later. Did your sister do what we told you to do? It was just, it was amazing. 

Sandy: People want to help each other.

Maryfran: They do. They do.

Sandy: Like New Englanders during a blizzard. We all come together then. And when we can help, we’ll do it.

Maryfran: And overall, that’s a great way to be climbing the tech career ladder, isn’t it? Look around you.

Sandy: Yes. See who you can help up and see who you can bring in to make your projects better. It’s not about you, it’s about helping the organization, but realize what you add to the organization and then look for those above you, around you who can help you up or across or whatever direction.

Maryfran: I often think when I hear that advice, fake it ‘til you make it, it’s great if that gives people a little extra confidence, but generally people really aren’t faking it. They actually are tapping into the abilities they do have.

Sandy: I think there’s that misconception you have to have 100% of the skills at any given time. Being in a hiring manager position sometimes, if I’ve written the job description correctly it’s not the unicorn I’m looking for based on 50 bullet points – but realistically, if someone comes in with 75% of the skills, really, that’s awesome, as long as it’s the 75% I need right now and we can train or develop the rest. If I get someone who’s 100%, they’re going to be bored right away. There’s no growth opportunity. None of us have 100%. That’s why we have connections.

Maryfran: And that’s why a lot of people in IT have gone into technology. I mean, they’re already really smart. They know how to figure things out, and maybe they haven’t polished up all the things that come naturally to extroverts. They’re not grabbing for the microphones, but oh my God, they have so much to say.

Sandy: If you give them time, introverts will shine – you’ve just got to give them a little notice, give them a little time, and then give them an opportunity.

Maryfran: One of my favorite self-deprecating ways to sum it all up with CIOs these days, I remind them that extroverts are speaking first and thinking later, and introverts are thinking first and speaking later, and that you’re aware of that. And of course, it makes them laugh a little bit, but it’s actually kind of true.

Well, thank you very much, Sandy Silk, for being here with us today and sharing all of your wonderful knowledge on this topic. I’m sure that our listeners are going to go out there and start working on becoming EPIC Leaders themselves.

Sandy: Oh, I hope so.

Maryfran: And if they want to reach out to you, what is the best way if they haven’t already LinkedIn with you while they’re listening to this, tell us how we can reach you if they want to.

Sandy: Absolutely, LinkedIn is going to be the best way to reach me. If you go to my profile, and it’s Sandy Silk, S-A-N-D-Y S-I-L-K, you’ll also see a link to my Cyber Risk and Resilience business there so you can also just get to that website easily right from my profile. If there’s something there that you want to explore with me, you’ll have all my contact information there. But LinkedIn, always the best way to contact me.

Maryfran: Wonderful. I fully agree. I’m a huge fangirl for LinkedIn. Thank you so much for joining us here today. It’s been a real pleasure.

Sandy: It has been so much fun. Thank you for having me here.

Maryfran: You’re welcome.

Maryfran Johnson:  Hello there, and welcome to Tech Career Ladder. Tech Career Ladder is brought to you by Insider Pro, IDG’s new premium content digital publication that features in depth technology journalism, hands-on guides, career advice, and much more. Listeners to this podcast can use the promo code PRO30 for a 30% discount off an Insider Pro subscription.

[ Listen to Episdoe 1 of Tech Career Ladder ]

This is the very first episode in this Insider Pro podcast series, which every month will bring you practical ideas and actionable advice on advancing your technology career. I’m Maryfran Johnson, your host for this show, and also host of our CIO Leadership Live video series. As a longtime tech journalist and a former editor-in-chief of CIO Magazine, I know that finding and keeping the best technology talent is always in the top three concerns of IT senior managers and leaders.

But CIOs are already at the top of the tech career ladder, so this podcast series will be more about the career needs and perspectives of the rest of the IT organization. Some of you, for example, want to sit in the CIO’s chair someday, so you’re very keen on learning about leadership and business strategy. Some of you are looking to the startup world and you may be more interested in working on the leading and bleeding edge of technology innovation or cybersecurity or enterprise architecture or cloud management.

 And some of you are still exploring all the different pathways that a tech career can take you today. But wherever you are on that tech career ladder, we’re here to explore those possibilities with you. Now I’d like to introduce my very first guest, Sandy Silk. She’s the Director of Information Security (IS), Education, and Consulting at Harvard University. Sandy is a technology risk management and communications professional who excels at making cybersecurity a more approachable concept.

She has worked in the past at Fidelity Investments, Bose Corporation, Wellington Management, and of course currently at Harvard. In addition to more than 20 years of information security experience, she has formal training in instructional design, facilitation and adult learning. That unusual combination of hard and soft skills enables Sandy to create workshops and programs that bring content to life in an especially engaging way.

She’s a member of the Board of Advisors of the Master’s Program in Information Security Leadership at Brandeis University. She’s also involved in various Women in Technology organizations and is a very strong supporter of any opportunities that improve diversity, inclusion and belonging within the IS and IT professions. A big part of our conversation today will be about the four-part framework that Sandy has developed to help tech people upgrade their own leadership capabilities.

In fact, she’s branded this framework as becoming an EPIC leader, and that EPIC is an acronym. The E is for Expertise, the P for Presence, the I for Influence, and the C for Connections. Sandy, it’s great to have you here today.

Sandy Silk: It is great to be here, Maryfran. I feel so honored to be here and it’s interesting to be invited here, when I hear you introduce me I think how I never thought I would get into IT. It was never an area that was going to be my career.

Maryfran: That was the thing, when you and I first met at a Boston SIM meeting, Society of Information Management, at the beginning of December. I was interviewing you for the panel we were having a discussion on, and imagine my surprise when I find out that, like me, you were a language major in college. I was a French major.

Sandy: And I’m a German major.

Maryfran: You were a German major. We have such winding career paths to where we actually end up, don’t we?

Sandy: We do, and I think it’s wonderful you have this program to help people explore that it’s not really a straight line.

Maryfran: Yes, yes, and I think that’s especially true with technology jobs today, because they are evolving so quickly, they are widening. I mean the path to it, the fact worrying about your communications ability and your connections and your presence, these are things that technologists 10 years ago never had to think about.

Sandy: Not in the way they do today.

Maryfran: Right, right. Well let’s start out by talking a bit more about your day job at Harvard. Your title packs a lot of capabilities into one role, Director of Information Security, that’s understandable, Education and Consulting. So tell us about the team you work with and what you do at Harvard.

Sandy: So this is a subgroup within the Information Security team, so we’re education and consulting, and we are, I would say, the more people-facing group within that team that we are consulting across Harvard. We’re Harvard employees consulting to Harvard on high risk projects. So for the consulting side of it, these may be, whether it’s high-risk data that needs special handling, whether it’s administrative or research – we’re a research university – or whether the projects themselves that have high-risk functionality – as we’re building out new construction, state-of-the-art buildings that are going to be smart buildings, controlled, monitored remotely and could have dangerous life safety implications if something went wrong there.

So, part of the team deals with those projects, kind of advising how to be most successful in those areas, and the education side, we are educating the whole community about how everyone can contribute. It just takes small actions that make such a big difference to the information security posture of themselves, which translates to Harvard as well.

Maryfran: Give us an example of one of those small actions. I think we all could use some security tips.

Sandy: Sure, so a small action, update the software in your computer. Whether it’s your mobile phone, you have that little red circle with the one or two, however many apps need updating, just take the time to do it. Set it so it does the installs and the updates automatically. You never have to think about it. So many of the hacks that occur out there are because there are just these vulnerabilities that are forever exposed. They’re just never fixed. You can take something from five years ago, an exploit kit, and still use it today, easily. It doesn’t take long to do this, but it makes such a difference.

Maryfran: When we talked before, we were talking about kind of the before and after of you arriving at the job you’re in now at Harvard. It was a policy, risk and compliance department, which sounds so incredibly serious, yet we’re sitting here talking and you’re so easy going. Are the other members on your team – you have five people reporting to you, right?

Sandy: Yep, I have five people.

Maryfran: Is everyone like you, where they’ve got a real interesting mix of kind of hard-skills, soft-skill backgrounds?

Sandy: I am so fortunate to have the team that I do and I can take credit for some of the hires. Some were there already when I arrived. But we are probably more extroverted than you would ever expect information security people to be. I would say one of our favorite things to do together – we genuinely like each other, too – we love to go do karaoke together when we’re attending conferences wherever, and we like to speak at conferences.

But yeah, we have a mix of backgrounds, experiences, and we really, really are fascinated by the experiences we’ve each had, and we lean on each other to fill gaps that way, too. We have someone who use to teach Sunday school. We have someone who’s got a master’s in fine art and still makes sculptures and very kinetic kind of art.

So, we get left and right hemisphere brain going all the time. We’re creative. A lot of it we don’t really bring to light. We have great discussions about wouldn’t it be fun…Yeah, no, we can’t do that.

Maryfran: And your titles are somewhat unusual, too. You’d mentioned you’ve got someone who’s an awareness officer, another a community engagement manager. I mean, they don’t sound like titles that are part of a security group.

Sandy: No, and I would say we are maybe a little cutting edge to have that, a community engagement manager who finds partnerships for us everywhere across the university. You wouldn’t think information security and the office of sustainability together. We have this secure shredding disposal event where… This coming week we are partnering with parking services and commuter choice people who bike to start your day with coffee and securiTEA, so T-E-A, at the end. We’re sponsoring hot coffee, tea, hot chocolate. We’re giving away branded mugs, free tune-ups for your bikes.

We get these partnerships going and our community engagement manager knows everybody, and it’s a natural passion and strength for her and it benefits the team. My gosh, when we can have other people doing 90% of our work and then we come in and just augment, it’s sustainable.

Maryfran: What I particularly like about the way you’re approaching this is that a lot of companies, security is kind of a grim march toward compliance and you receive an email from the security officer and it sounds vaguely threatening, and you need to do this, that, and the other thing. It’s just, you don’t run into many organizations that are trying to put any fun into it.

Sandy: That’s true, and we all do have really good senses of humor on the team. Not that we wouldn’t take someone who does not. It tends to develop after being around us a little bit, too. I think when you’re at a higher ed institution, you don’t want someone’s lack of knowledge in an area to be a penalty against them. You want to give them an opportunity to learn. That’s what we’re there for. We love when people say, you can’t fix stupid. Well, actually we’re higher ed, so kind of education is our thing.

Maryfran: We’re kind of here to fix stupid.

Sandy: Yeah, let’s not call it stupid, but in that overall sense, yeah, there’s a lot of organizations that try to do that.

Maryfran: I think, too, the fact that you said this is kind of an ambassadorial program. It’s something that I imagine private corporations could learn a lot from, an approach like that. I like to think of a lot of former German majors ending up running programs like this. 

Sandy: When you think German, you’re probably not thinking fun and approachable. And I am very rules-based, I will say, on Myers-Briggs kind of tests, I’m off the scale for following rules.

Maryfran: We’ll definitely circle back to that because I think we owe our listeners and explanation of how does a German manager end up in security? But before we do that, I wanted to mention, anybody who is listening and is interested in seeing some of your work that is visible to the outside world, you’ve got a website that is publicly available.

Sandy: We do, yes. They can go to security.harvard.edu and you will see featured there our awareness campaign, which we’ve titled Small Actions, Big Difference. It’s really focused on very easy to achieve things anyone can do that just makes them so much less vulnerable. Most of the attacks are just looking for the most vulnerable way in to do something not targeted against a specific person.

Maryfran: I like, too, one of your sentences on there, you talk about how you provide the content and the ideas, including a box of stuff every two months. This is for people who become your community allies, your insiders.

Sandy: Yeah, we actually mail packages to them. We do this quarterly, where they’ve got the current mailing – I think it’s going out this upcoming week, so they’ll receive it early February a the latest –  because it has some robot-themed valentines in there that actually our awareness officer created himself. Very good with graphics. And chocolates, of course, because Valentine’s Day is coming up. Just things that they can have fun distributing to their office, their teams, to get them engaged in a discussion, a security-related discussion.

Maryfran: It’s such a nice idea that security doesn’t have to be gruesome.

Sandy: No it doesn’t. And frankly, if something’s going to go wrong, you better have a good sense of humor if you’re going to deal with that.

Maryfran: Yes. The next portion that I wanted to get into was talking about the workshops and the talks that you give externally to Harvard, this actually stems out of Harvard allowing and encouraging the staffers to have LLCs of their own, consulting businesses on the side.

Sandy: I don’t know if I would say they encourage it, but the entrepreneurial spirit is very much part of our culture.

Maryfran: It’s respected.

Sandy: Yeah, it is respected, so as long as you can still do your full-time job and this isn’t a conflict of interest, it’s a great opportunity.

Maryfran: And your consultancy is called Cyber Risk and Resilience?

Sandy: Yes.

Maryfran: Tell me a little bit about that, how long have you been running it, what sort of things are you doing out in the world?

Sandy: It’s probably two and a half years old at this point. It’s kind of evolved from what I thought it would be.

Maryfran: Well most new businesses are like that, aren’t they?

Sandy: Exactly. Where it is really going to organizations and running workshops to help their IT professionals understand business a little more. It’s, in a sense, kind of translating the gap between IT and business. So ideally, you’ve got both in the room learning to talk with each other about what the goals are for a project. How can we help you achieve success? What are realistic cyber risks, not the media hype, not the blockbuster movies that we see, but what’s most likely to happen.

And so it’s kind of rationalizing what is, let’s get out of the Armageddon kind of mindset, the Black Swan mindset and think about, alright, this is most likely. These are the easiest ways to prevent or detect if something happens. And then I also do workshops about, I’d say, personal resilience at this point. That holds still in the title. I noticed there was so much more demand for, you’re a woman or some other underrepresented population in IT, how do you become stronger in yourself to break into this world, especially cybersecurity.

Maryfran: One of the titles of your talks is about when you’re ‘the only’ woman in the room.

Sandy: Yes.

Maryfran: You’re the only person of color, you’re the only woman, you’re the only transgender individual. I like the notion that you’re also trying to remove mystery and anxiety around cybersecurity, and replace it with this achievable attitude. That’s really good.

Sandy: I think that translates from the Small Actions, Big Difference, that it doesn’t have to be Herculean, and it shouldn’t be Sisyphean. You should actually be able to accomplish something, because if you’re not accomplishing something, you’re throwing money out the window and maybe a false sense of security. No pun intended there.

Maryfran: The point you made when we were talking previously, is that what’s lacking in the training space around cybersecurity is making it accessible, making it something that business managers and nontechnical executives can actually feel less, I don’t know, whipped up about and nervous about.

Sandy: Absolutely, and there is a lot to do with the technology. The technology doesn’t run on its own in a vacuum. We’ve got to support people and processes and we need people and processes to support and use the technologies. Missing those two big areas is not taking advantage of the full adoption and rollout and embracing that you could have a really good running ecosystem.

Maryfran: Okay. So doing these kind of workshops, and the consulting work you’ve done with resilience and cyber risk, is how you arrived at the EPIC Leader idea?

Sandy: It is, and also some personal experience for where I felt I was lacking in confidence, in specific areas, and where was I told by others that I seem to have a skill or a competency that others in information security or technology didn’t have. Really looking at what a fully rounded employee is. What would be a great full set of competencies to bring to this profession, especially if you want to move up the leadership chain.

Maryfran: And not everybody who’s going to be listening to this wants to be the Chief Security Officer one day or even wants to be top senior management. In fact, some people may be actively avoiding that. They may want to be individual contributors, but everybody likes to feel appreciated and people like to get ahead and get raises and get better jobs and that sort of thing.

Sandy: And, everybody, I hope, would like to enjoy work, too. And part of that enjoyment includes your personal values and personal strengths. Those are part of the analysis of EPIC to ensure, when you’re playing to a strength or a passion or a value, that you get some joy out of it, but you also get more confidence from it because it’s hitting your core. It’s not something you don’t really buy into.

Maryfran: Right, exactly, I’m not just trudging along doing what I’ve been told to do and I don’t really approve, but I feel like I can’t speak up.

Sandy: Right, exactly.

Maryfran:The E in the EPIC Leader doesn’t stand for having to be extroverted. It doesn’t stand for you having to be out there educating people. It does stand for expertise, which of course people in IT and security usually have an abundance of. But from what you’ve told me, people, IT people especially, tend to double down on the tech expertise, and if anything, they need to back off of that a little bit. Explain that.

Sandy: Exactly, and that’s why I wanted to come up with an acronym of four letters. The expertise really only needs to be about a quarter of what you bring to the table as a fully rounded employee. And the expertise is an evasive goal anyway in IT. When you’ve chosen IT as your profession, you’ve chosen ongoing learning as your discipline, because it changes all the time. The minute you master something, it becomes obsolete. The next big thing’s coming in, the next technology, so you have to learn again.

This is where people tend to double down, like oh, okay, I’ll just learn this new thing then and…

Maryfran: And I’ll add another acronym to my resume.

Sandy: Yeah, and not looking at, okay, but can I also interact with people? Am I influencing decisions and strategy? Do I have a network of people that can help me when I’m feeling a little inadequate for whatever reason, or who could contribute to a bigger success like on my team, when we look for each other’s strengths and experiences in different areas?

Maryfran: I’m trying to imagine your audience at one of your workshops and you’re talking about this and becoming an EPIC Leader, and how the E is for expertise and everybody probably sits up and thinks, yes, I’ve got plenty of expertise. And then you tell them, but you need to back off that a little. Do you get a lot of frowning when you say that?

Sandy: Not so much from the people who are attending these because that’s probably where a lot of the imposter syndrome comes from, that whole I don’t feel I’ve mastered everything feeling, which is never going to be something that you can do because there’s just too many technologies and so much evolving. It’s a losing battle to try to be a master of everything.

And even if you did master everything, that’s only a better reason to keep you in your current job, because you’ve just become indispensable in that job, but not ready to move to anything else. If you want to move on, you’re going to need to be able to influence decisions, advocate for yourself, know how to promote what you do well, what you value.

Maryfran: I feel like that brings us to the P in EPIC, which it’s P for presence, but it could just as easily be for promoting.

Sandy: It could be promoting, it could be presence. A lot of people find that skill by identifying purpose. When you think of executive presence, it’s so you have this confidence as you’re standing promoting something or pitching – we can come up with all kinds of Ps – pitching some idea, some goal, some value. But it’s really finding what is my purpose here. What’s the value that I feel – when someone’s experienced that kind of confidence, it’s generally I really believe in this, it’s important to me, it’s a core value of mine, and they’re probably not so stuck on every task that has to happen just on what the vision is.

So trying to think about what was one of those experiences? What about it made you come out of your shell and feel this way and how can you translate that to work? What are the values, how do you add value to projects? So really getting into that, okay, here’s my sense of why I’m here, and I believe in this, so I can get behind this. And if people course correct along the way, I don’t take it so personally because we’re all still shooting for the same goal so we can course correct to get there. But I will have that confidence standing up there because I’m representing something I believe in.

Maryfran: Right, and the E part of EPIC, the expertise that you bring, in a perfect world would actually fuel your sense of presence because you do know what you’re talking about.

Sandy: Right.

Maryfran: How come it doesn’t work that way?

Sandy: I’m not sure it doesn’t, but if we’re particularly looking at when you’re an ‘only,’ you may perceive, whether true or not, that there’s extra scrutiny on you. So any mistake you make is going to maybe be amplified.

Maryfran: You have to be so much better than everybody else around the table.

Sandy: You may feel that there won’t be forgiveness, that people won’t see you as an individual human, but as representative of that whole group, and you can’t let that whole group down.

Maryfran: That sounds so much like a kind of a classic approach that leadership and life coaches take, where they talk about identifying and then setting aside your limiting beliefs.

Sandy: Yes, exactly.

Maryfran: Let’s move on from presence to the next one, and the I in EPIC is for influence, and it almost seems like they each – this is a very nice four letter framework because your expertise can help enhance your presence and the your presence actually is what the influence becomes about. Talk about that a little bit more.

Sandy: Absolutely. So the influence is, first of all, do you know how what you’re asking for is going to benefit the business or the goal? And this can even get to, I think I should be receiving more money for what I do, or I’m going to ask for time away. Maybe I want to cut down my hours to 80% instead of 100%. Okay, well certainly you have a personal gain from that, but what’s the gain for the organization from that, because that’s really what’s of concern to them.

So figuring out how is this good for the organization? How does it promote whatever the goal is that you’re trying to achieve, whether I’ll be more engaged, I will be fresher, I will be doing things in that 20% off that let me be more present the days that I am here, or I’m taking the time to take a course that’s going to expose me to new things. Certainly you have a personal interest, but if it’s especially going to help the organization – and you should expect a yes. Go in, if you have made a good case, if you’re able to look at how is this what I want, what they get from it, knowing there’s an overlap there. I’m not going to get into best alternative to a formal agreement and ZOPA and all the negotiation kind of stuff.

But just realizing there’s an overlap there and you just have to identify where the overlap is and then everybody wins. And you should go in with confidence expecting that if there is a benefit to all, why would someone say no to it?

Maryfran: Give us a real-world example from things your team has done at Harvard, someplace where you’ve seen influence in action.

Sandy: Oh my gosh.

Maryfran: Unfair, totally out of nowhere question on that, but I’m just, I always like to be able to visualize what would that look like, you can imagine presence growing out of your expertise and you’re confident about what you’re doing, and when you’re influencing someone, as you put it, you’re trying to get them to take some action.

Sandy: Right. I mean, so we could say this on a small scale, whenever we’re trying to get people to exhibit a certain behavior or take an action that’s going to be one of these small actions, big difference things, it’s not saying ‘what’ you need to do, but ‘why’ it’s of benefit to you, to the community. Here’s an example. Classic, you see a suspicious email message. You believe it’s a phishing message, and you probably delete it. Great. You didn’t click on a link, open an attachment or such. But the 50 other people who are receiving that same message, maybe one of them doesn’t realize.

And so trying to get the concept of a neighborhood watch out there, so appealing to those who know how to identify it to say, you know, because you were smart enough to identify this, you could help so many other people. And you just have to take, if you take this one action to send it here, the security team can then investigate and respond and you are protecting so many others. It’s kind of like see something, say something neighborhood watch, but it makes them feel really important and valued in the chain and they are.

Maryfran: And I know I experienced that myself with just our security people here at IDG. When I would get something that I thought was a phishing note, but I’m not nearly the expert, so I’d forward it to them and then they would send me back a nice note and sometimes the note would go around and you could see them warning everybody else. You do, you get that little fizz of pride, I did that.

Sandy: And on larger scales speaking with researchers who are going to take in really sensitive datasets, and we’re aware of more regulations and which platform is more appropriate for the kind of data? Just walking through with them it would be best if you could put it here. I know originally you wanted to work on it on this platform, but we want to make sure that none of the data gets corrupted or gets seen by people who shouldn’t see it. We want to make sure your name goes on the report that gets published, so we recommend you put it over here. But letting them know what’s of advantage to them in that.

Maryfran: That almost sounds like you’re providing the context where they realize that this is not just checking boxes.

Sandy: Right. And as you said before, it’s not compliance, it’s really what defines success for you being the first one out there with this published research that’s going to help the world somehow, and we want to make sure that happens.

Maryfran: And you know that your data isn’t corrupted, your data’s not going to go and do harm anywhere else, so yeah, I would think that when you explain it that way there’s a lot of motivation to go along with it. Alright, let’s talk about the fourth letter in your framework, C, and it could almost be change management because I feel like IT people have to really get better and better at managing change because they are dealing with it more constantly than anybody. But I also like the word connections. Your C is connections.

Sandy: It’s connections and it can be so broad. This can really mean, first of all, get to know people. I can’t tell you how many conferences I’ve been to where the salespeople there, I think it’s their goal to get rid of all their business cards. They don’t really make a connection. They just, here you go, business card, business card. I win, I gave out 500. They won’t know who you are.

But to really get to know people a little better, like what are their skills, what do they like, just anything about their family, whatever. Not get creepy, but get to know them. But then when you need to do something, do you have to do everything alone? And this gets back to also that being ‘the only,’ where you feel there’s so much more scrutiny and I’ve got to be better, I’ve got to prove myself. Doesn’t mean you have to do everything all on your own either. Who can help you? Who would make it better if you asked them for their opinions, their input? And as a manager, who might this help if I can give them something to do that gives them visibility?

Maryfran: Well, and I’m thinking, too, if there’s any generation in the workplace right now that could teach everybody more about that, it would be the millennials.

Sandy: Oh my gosh.

Maryfran: The social connections and the ability to work in groups and to be messaging each other. On your team, your five that you work with at Harvard, any ‘mils’ on there?

Sandy: Not on my team, and that might be more a function of the experience you need to have, but that said, we also do a lot of outreach to up and coming people who maybe are relatively new into IT who think they might want to go into security. We do have some apprentice kind of programs. We do girls in STEM, Girls STEM Summit with Mass Junior Tech every year, this will be our third year this year. I do encourage volunteer. Whenever anyone on my team says, oh I want to go talk at this high school that’s having career day, as long as it’s not a crunch time for some reason, absolutely.

Maryfran: Always be recruiting. The works that I’ve done at various CIO events, as soon as you’re wrapping one up you know there’s another one coming down the pike, and every time you get a CIO on the phone, it’s like, whoa, what can I recruit you for? Another great point you made is that when you talk about connections and connecting with people, you’re not calling it networking, and that’s purposeful why?

Sandy: Well, A, when you’re in IT, calling it networking can be immediately confused with the technical networking. But it’s, when you think networking, a lot of people automatically have a negative reaction to that word, that it’s…

Maryfran: It’s a chore.

Sandy: Well, and it’s purpose driven and it’s icky because now, I’m only giving you my card and talking with you because I’m looking for a job or I need something, that I have to ask you for something, where really so much of it’s, when you look at it the other way, if someone asks me for a reasonable amount of help, not can you get me a job.

Maybe I’ve applied for a job at this place. Do you know anyone there or could you put in a word for me? I mean, any of us who really knows someone at that company and we do believe this person would be a good addition, of course you want to do that. Any of us like to help other people, so it’s really, once you connect, don’t connect with someone if you wouldn’t follow up with some small bit of help. And you should be able to reach out to those people for that small bit of help knowing that if they asked you, you would do that happily because it really brings joy. It does for me anyway, maybe not everyone.

Maryfran: Well, and that’s the thing. I recognize one of the people of my tribe here. We’re both kind of extroverted, and for extroverts, walking up to somebody at a conference and chatting them up is part of the enjoyment. But I’m always conscious when I’m in front of a room full of IT leaders. I mean, they may be forcing themselves to do a certain amount of networking because they know it’s expected in an executive role. Sometimes I wonder how many tech people avoid executive tracks because they feel like they don’t have the right personality for that.

Sandy: Oh my gosh. How many, well, how many of us think I don’t have the right personality or why would anyone want to talk to me? What is interesting about me? Because when you’ve lived your own life through your own eyes, perhaps you don’t realize it’s not what everybody has experienced.

Maryfran: It’s like when I was introducing you at the top of the hour here and talking about and you were sitting there looking kind of wide-eyed. You’re like, wow, I sound pretty impressive on paper.

Sandy: Who is this person? I want to meet her.

Maryfran: Yeah, exactly. I had wonderful advice one time from a good friend of our CIO family here. He’s actually a former CIO and now does executive coaching, and he tells all of his clients and all his friends, don’t worry about being the most interesting person in the room. Be the most interested. Walk up and ask questions, like, well what did you think of that last talk? And I’ve often given that advice from the stage to CIOs. I’m like, this isn’t hard. I know you guys are not like me. You don’t love being up on stage. You don’t want a microphone in your hand 24/7. But just walk up to somebody and ask a question, and everybody can think of one.

Sandy: Everyone can think of one, and I’ve had a good tip for people who find it difficult to answer questions on the spot. Very pointed ones such as asking someone what was the best or the worst thing about something is usually a question people can answer pretty quickly, even if it’s looking around the room and saying, what’s the best aspect of this room? Pretty quickly you can identify. Or what’s the worst breakfast you’ve had? Asking someone a question doesn’t have to be related to the conference. It could just be something really out of the ordinary.

Maryfran: Don’t you wish they had more pulled pork sandwiches? That kind of thing. Well, and whenever I think about connections, and this really shows one of my biases because I’m such a huge fan, I connect with a lot of people on LinkedIn. And when people come up to me at conferences and they’re like, oh, here’s my business card, could I have yours? I always say connect to me on LinkedIn. I mean, I’m very easy to find. You’re easy to find on LinkedIn, too, Sandy Silk.

Sandy: Got in early.

Maryfran: Yeah, exactly. Link in early and often. What do you like about it? And, you do a nice job on your profile, too.

Sandy: Thank you.

Maryfran: It’s informative. You’ve got the About section is in the first person. In an upcoming episode of this podcast I’m going to talk to some seriously expert people about LinkedIn and about the easy things you can do to make your profile a little better. Talk about your view of LinkedIn and how you use it.

Sandy: My view of LinkedIn is it should be kind of your billboard. It is your chance to define what your brand is, what you want other people to think or know about you. These are the things that you should know about me or that I want to become. Fake it ‘til you make it. Don’t lie, but don’t be shy either. I have gone to a LinkedIn workshop about how to make it better. You don’t have to put what your title is right under your photo. I forget how many characters you have there. You have pretty good amount.

Maryfran: Something like 50.

Sandy: It’s pretty generous.

Maryfran: You can put your headlines.

Sandy: Exactly. Put headlines out there. Put what makes you passionate, what do you love to do, what inspires you, what motivates you? Do it first person. I find it odd to read about, and Sandy likes to do this. Why is she talking about herself?

Maryfran: A lot of times what people do is they take a chunk out of their bio or their resume and the plop it in the About section. It is, talking about yourself in the third person always feels weird to me.

Sandy: You’ve took the time to put a photo out there and to put maybe some interests and skills out there. You want yourself to be approachable. Talking about yourself in the third person does not really make you approachable.

Maryfran: I know, and for God’s sakes, drop all the bullet points. I mean, just a few paragraphs. It’s funny because it’s so easy for people to write an email to somebody describing something their working on or maybe even introducing themselves. But I think there’s some kind of a freezing moment when you get in there and you’re like, oh, I’ve got to describe myself or market myself. A personal brand? A lot of people I think find that kind of weird.

Sandy: But wouldn’t it be wonderful if you’re about to meet someone you’ve gone through their LinkedIn profile beforehand, so you know about them, and when you meet them they actually sound like their LinkedIn profile. Like, oh, your personality actually came through and you sound like you’re the one who wrote your profile, not I had a professional do it.

Maryfran: Yeah, you want to have that experience of, I feel like I already met you, because I read that little thing about you. Well good. There’s a couple of books about improving your LinkedIn profile that I’ve got on my Kindle and I tracked the authors down of both of these books on LinkedIn, and I’m talking to both of them next week. I’m going to line them up and have them on Tech Career Ladder.

Sandy: I hope their LinkedIn profiles are stellar.

Maryfran: They are gorgeous. They are absolutely gorgeous. I’ll send you the names afterwards.

Sandy: Okay. Message me in LinkedIn.

Maryfran: Yes, exactly. I like something you said at one point, and I thought this was great advice, you talked about playing to your strengths, when you’re getting ready to, say, apply for a new job. And we’ll get to your German major stuff, too. I want to definitely circle back to that. Do you remember the approach you told me about how you pull out performance reviews. Talk about that. People don’t usually revisit their performance reviews, unless they’re good.

Sandy: I hope you have managers that write performance reviews with you, so this is assuming that you have some. I actually print out a hard copy every year of mine and I have my Chronofile of them, and I actually went through probably 10 years’ worth, and saw like, oh my gosh, I am seeing trends here, the same kind of things said over and over. Apparently, I’m very good at forming teams and motivating people to work together. And who knew? When it’s a natural strength you don’t think about it, and that other people realize it. And everyone’s so focused on overcoming weaknesses that maybe you forget what your strengths are. It’s like aha, I think this is true about me. I see this now that someone’s pointed it out to me 10 years in a row. I get it.

Maryfran: One of the ways I think that people might be able to especially develop their presence and make more connections and start having more influence is if they can’t stand to go through cataloging their own strengths, maybe sit down with a good friend and ask the friend, if you were writing – maybe not your obit, nothing gruesome like that – but write down three of the things you’ve noticed about me.

Sandy: Two things easily you could have people do – three adjectives that describe me, so then they don’t have to give large explanations, but what comes to mind. And if you were to write my intro for a presentation, what would you highlight and how would you say it? That’s the good thing with connections, back to the EPIC. They’re there to support you when you need it, so that what they’re saying about you, you can kind of internalize finally and say, oh, I guess this is true about me, and start getting comfortable saying it about yourself.

Maryfran: Well, when I recently went off to form my own consultancy I changed things up on my LinkedIn profile. I got in touch with some of my CIO friends and I said, if this isn’t too oogie, would you just write a recommendation for me. And they sent back such lovely things. I mean it was just, it was really almost kind of embarrassing, but you get to see that and I wish more people would do that. Just say write me a recommendation and then you get to see it before you post it.

Sandy: Absolutely, and I think you have to have your usual champions you go to. When I started presenting at conferences, I would text with them saying, oh, you know, I’m a little nervous. Wish me luck. And you’re really just expecting an, oh, good luck, and you get that, oh, Sandy, you’re going to do great at this because blah blah blah. I was like, oh my gosh. This is what you think of me? Good. And that’s the pep talk you need before you go out there, that okay, this is maybe how the world, at least my good friends, see me.

Maryfran: The thing, too, we’re both very comfortable on stage, so this is not something we have to learn or even think about anymore. But when I’m encouraging people, like I’m luring someone onto a panel and they realize they’re going to be interviewed ahead of time, they’re going to know what the questions are. They end up having a good experience with the whole thing and they don’t have to fake it ‘til you make it.  Don’t tell the audience, oh, I’m a little bit nervous to be up here, because the audience is so with you.

They’re sitting there. They’re wanting you to succeed. They’re all rooting for you. People don’t think of that. They think of the audience like, I don’t know, like it’s a room full of HR people about to give them a bad review. It’s not that way.

Sandy: You haven’t been thrown to the lions. They really, I would hope, want you to succeed and we’ve all been in the audience watching someone who’s maybe a new speaker who’s nervous, and you can see the nervousness and they’re maybe getting a little lost, and everybody watching it is just rooting for this person, like you got this. Come on, you got this. I wish more people would put themselves back in that experience for a moment to think, they’re not going to trash me. They’re going to root for me.

Maryfran: They’re actually on your side, because you’ve gone through something and they’re all sitting there and they’re glad that they’re not you right now because you’re up there and you’re talking to them and you’re taking that risk and they really are rooting for you.

Sandy: My team does karaoke so we’re accustomed to people being judgmental perhaps in the audience, but we can say, well you’re next.

Maryfran: I only did that once and I’m so hoping I never have to do it again. Some people really can’t carry a tune and they shouldn’t be made to.

Sandy: It’s not about the talent. It’s about the effort and it’s about the enjoyment.

Maryfran: And the attitude, the attitude. Well, we keep hinting around your German major and how that all happened. Now you’re a big mucky muck information security person at Harvard, and you were majoring in German in college. Tell us about your career path, your tech career ladder, how you jumped of the German ladder onto information security ladder.

Sandy: Well, first I had to change from the biology ladder to the German ladder. I went in as a biology major and then changed, switched to German because I was offered a trip to Germany if I would declare a German major. Not as a bribe. There were dollars from the German government to send someone who was a German major.

Maryfran: You went to Bavaria, right?

Sandy: I went to Bavaria. It is gorgeous, but for anyone who’s studying German and the official High German language, they don’t speak that in Bavaria.

Maryfran: They had a very heavy dialect.

Sandy: Very heavy dialect. Certainly, they can speak it, but it’s not the dialect so you start questioning your ability to speak. I thought I was studying this language. I don’t know these words.

Maryfran: Everybody’s looking at me funny when I try to speak German.

Sandy: So I went back. I stayed with it. I went back in my junior year in what was then still a divided Germany. I was in West Germany, I got to go through Checkpoint Charlie, all that. Graduated and started working a little bit, and then maybe five years later decided why don’t I have a master’s? Everyone I know is like lawyer or a doctor. What am I doing? I’m not even using my German degree. So I went back – into a PhD program actually – and I was going to be a professor of medieval Germanic languages and literature. It’s so highly employable.

Maryfran: I feel your pain here because I was a French language and literature major and I was really fascinated with the middle ages as well and I just had this vague idea of what I would do. Do you teach at some point? A friend of mine in college actually did go on to have a whole career as a French teacher and now she’s got an online teaching thing and all.

Sandy: Some will. Some people become astronauts. Not all of us can.

Maryfran: That’s right. 

Sandy: Actually I, the summer between the master’s and starting up the PhD, I took a summer job, because – this was years after graduating with a bachelor’s – we had a mortgage to pay. I needed money. I took a temp job working with Fidelity Investments over the summer, and they just saw so much potential. They saw the analytical skills I had from the language analysis tracing linguistic shifts and I had writing capability and communications capability. I had lived in other countries so I could accept other cultures, too, and they just nurtured me in that role and I was making more as a temp in IT than I was going to make as an associate lecturer, whatever my path would have been in German.

Maryfran: You worked directly for the CIO at that time, right?

Sandy: I worked for a CIO supporting a systems group and this was pre-Y2K, and we were FDIC regulated, so we had to come up with continuity plans for Y2K, it was the year 2000 century issue for those who were born after it.

Maryfran: There are people that don’t remember what Y2K was.

Sandy: Things were going to fall from the sky.

Maryfran: I was editor-in-chief at Computerworld when all that was going on and we did so much coverage on it and IT all over the world, especially in the US, mainly in the US I guess, that’s what we were covering, worked so hard to make that not be an issue. And it was almost one of those so much success it was a failure, because afterwards, all the businesses kind of said, oh, well, that wasn’t such a big deal, was it? This is where that connection and communication and that ability. I think if there had been more explaining going – here’s what we’re saving you from. Here’s the before and after. But then there was kind of universal, oh, that didn’t happen.

Sandy: Fizzle out. Done.

Maryfran: I know.

Sandy: So I stayed with Infosec and I was really encouraged. They sent me to all kinds of training, certifications, but I have always been kind of drawn to the people facing side of it which has just become so much more in demand. I was teaching classes and also got into financial services, into fraud detection and so teaching about identity theft before it became such a huge thing, how to protect yourself online. Took some instructional design classes. I actually got a graduate certificate in adult and organizational learning at Suffolk University at that point through Fidelity. So yeah, to have people skills and technical knowledge and business acumen is kind of a triple threat.

Maryfran: It is, isn’t it? And people who love to continue taking classes, the lifelong learners, they really do well in security, don’t they?

Sandy: Oh, absolutely.

Maryfran: Do security people give themselves enough credit for how much of that that they’re doing and that they’re thriving on? I mean this may be one of those unrecognized talents they have, where they’re all about learning the latest and dealing with change management. I wonder if they give themselves enough credit.

Sandy: I think internally they give themselves enough credit. This is probably going to get to the communication issue, does anyone know that they’re constantly reading everything. You want to break out of that stereotype of I’m constantly at my computer reading through all these dark web, dark reading, great things I follow, too. You can follow them on Twitter as well. But do you ever look up from your computer screen?

Maryfran: Get up, walk around the office, tell somebody something you just learned.

Sandy: Talk about it.

Maryfran: Talk about it.

Sandy: Debate with somebody about it.

Maryfran: We talked a little bit about that. That’s part of also getting tech people to develop more business acumen, and that is a complete and absolute necessity today that really wasn’t there 10 years ago maybe. I mean, CIOs have been onboard with that for a long time, probably for the last decade, they’ve essentially transitioned themselves into mostly being seen as senior business leaders who happen to be technologists. What are some of the ways that you have worked with people in your workshops or recommendations you give to your teams where tech people can kind of get over what might look like a painful hurdle? I don’t really want to know more about the business. I’m a technologist. So how do you encourage people to cross that bridge?

Sandy: Well, certainly if they ever want to get another job someplace else or even someplace else in their current organization, you better know something about what your organization does, because when someone asks why do you want to work here, it’s good to know what they do. Without the businesses, we’re really not employed. There’s no IT running for the sake of IT someplace unless it’s a research lab someplace, and then it’s going to be sold to some application.

Maryfran: I always cringe when I hear businesspeople say, well, you know, we’re not interested in technology for the sake of technology. That always makes me just grimace because I think, oh, how were you harmed there? Who talked in all acronyms to you? Who scarred you with this?

Sandy: Go ask someone if they want to go get coffee, tea, whatever, and ask them what’s a big challenge in your organization right now? Or what are you working on? What’s going really well and why is it going really well?

Maryfran: Be the most interested person.

Sandy: Exactly.

Maryfran: Asking questions.

Sandy: Ask about it. People love when you take an interest in what they do. It’s easy enough, a coffee is not a lot to ask of somebody, especially if you buy it for them and you really keep it to half an hour or so. Just talk with people. Ask. You don’t have to have the answers yourself because you’re just asking questions.

Maryfran: It seems to me, too, that there’s a wonderful opportunity now with so many organizations that are going through digital transformations of one sort or another, and now there’s all the focus on agile teams and in organizing people in product groups rather than projects. Are you seeing that at Harvard where there’s more likelihood that a technology person will be sitting down with someone in a different business unit?

Sandy: We’re definitely seeing more of that. We are adopting agile and we’ve got coaches around everywhere. It is great to have, frankly, security when we’re at the table early to hear what is the business trying to do when we can have that mix of technology and business together. Hey, if they want to throw in some users of it to say what do they want their experience to be as well, that would be a perfect design thinking and system thinking. It would be wonderful to have that full experience of, okay, this is how we think we’re going to use it, how we hope to use it. They can evolve after that, but really getting a sense of what defines success and how do we get you to success?

Maryfran: Alright, good. Well, as we are wrapping up here, let’s go over the EPIC framework just one last time. We’ve got expertise. Tech people have that covered. And let’s just give a couple of really pithy, fabulously well thought out bits of advice about our different letters. The expertise, check, we’ve got that.

Sandy: Right, we really do that just to say you got it, let it go.

Maryfran: And the P is for presence …

Sandy: Presence, which might come from knowing what your purpose is, really knowing what you want to pitch. But it’s the confidence you get from believing in something and knowing what your strengths are and playing to your strengths.

Maryfran: Someone just recommended it, I think it’s a book that’s been around for a while and I think it’s just called Strength Finder. It’s one of those classics where you can kind of analyze, there’s things in it where you fill out lists of stuff you’re good at and that kind of thing.

Sandy: There’s a survey that goes with it.

Maryfran: You know the book.

Sandy: It’s a whole questionnaire, it’s a whole study. It’s a research kind of study that’s gone on. And we’ve got a Women in Technology mentoring program at Harvard that a group of volunteers set up, myself in there, and everyone goes through that Strengths Finder to find out what do I do well? What’s natural to me? What do I gravitate towards, and when can a strength become too strong and become a negative? So, we’re constantly seeking expertise. We go through that so that they can start playing to that and building confidence, because oftentimes you don’t lack the competence, the expertise. It’s the other parts, the PIC, the presence, the influence, and the connections to help you be stronger and communicate and get things done.

Maryfran: Well, okay. Good. So we’ve got the expertise, we’ve got presence, then the influence which is going to flow out of your purpose.

Sandy: Know why you want to do stuff and why it’s of value and just trust that when you’ve pitched it correctly, when you’ve framed it correctly, it should be accepted and go in there with that confidence, and also know where you can negotiate. You may not get all of it, but you’ll get enough to get the goal accomplished.

Maryfran: Wonderful. And then connections.

Sandy: Connections. They’re your safety net. They’re your confidence builders. They’re going to make whatever you do even better because it’s the sum of all the parts. You’re going to help them, which is going to make you feel better and you feel more confident as a result.

Maryfran: Doesn’t everybody these days want to know a good security person? My sister’s phone got hacked – no, not her phone, her Comcast account – got hacked and it actually looked like it was actually Russians. And she asked me, she’s like what do I do about this? And of course, I talk to technology people, but I talk to technology people. So I sent a note out to a couple of lovely CSOs I know. You should have seen the detailed lists of helpful tips that I got, and two or three of them followed up with me a week later. Did your sister do what we told you to do? It was just, it was amazing. 

Sandy: People want to help each other.

Maryfran: They do. They do.

Sandy: Like New Englanders during a blizzard. We all come together then. And when we can help, we’ll do it.

Maryfran: And overall, that’s a great way to be climbing the tech career ladder, isn’t it? Look around you.

Sandy: Yes. See who you can help up and see who you can bring in to make your projects better. It’s not about you, it’s about helping the organization, but realize what you add to the organization and then look for those above you, around you who can help you up or across or whatever direction.

Maryfran: I often think when I hear that advice, fake it ‘til you make it, it’s great if that gives people a little extra confidence, but generally people really aren’t faking it. They actually are tapping into the abilities they do have.

Sandy: I think there’s that misconception you have to have 100% of the skills at any given time. Being in a hiring manager position sometimes, if I’ve written the job description correctly it’s not the unicorn I’m looking for based on 50 bullet points – but realistically, if someone comes in with 75% of the skills, really, that’s awesome, as long as it’s the 75% I need right now and we can train or develop the rest. If I get someone who’s 100%, they’re going to be bored right away. There’s no growth opportunity. None of us have 100%. That’s why we have connections.

Maryfran: And that’s why a lot of people in IT have gone into technology. I mean, they’re already really smart. They know how to figure things out, and maybe they haven’t polished up all the things that come naturally to extroverts. They’re not grabbing for the microphones, but oh my God, they have so much to say.

Sandy: If you give them time, introverts will shine – you’ve just got to give them a little notice, give them a little time, and then give them an opportunity.

Maryfran: One of my favorite self-deprecating ways to sum it all up with CIOs these days, I remind them that extroverts are speaking first and thinking later, and introverts are thinking first and speaking later, and that you’re aware of that. And of course, it makes them laugh a little bit, but it’s actually kind of true.

Well, thank you very much, Sandy Silk, for being here with us today and sharing all of your wonderful knowledge on this topic. I’m sure that our listeners are going to go out there and start working on becoming EPIC Leaders themselves.

Sandy: Oh, I hope so.

Maryfran: And if they want to reach out to you, what is the best way if they haven’t already LinkedIn with you while they’re listening to this, tell us how we can reach you if they want to.

Sandy: Absolutely, LinkedIn is going to be the best way to reach me. If you go to my profile, and it’s Sandy Silk, S-A-N-D-Y S-I-L-K, you’ll also see a link to my Cyber Risk and Resilience business there so you can also just get to that website easily right from my profile. If there’s something there that you want to explore with me, you’ll have all my contact information there. But LinkedIn, always the best way to contact me.

Maryfran: Wonderful. I fully agree. I’m a huge fangirl for LinkedIn. Thank you so much for joining us here today. It’s been a real pleasure.

Sandy: It has been so much fun. Thank you for having me here.

Maryfran: You’re welcome.