BreachQuest Cybersecurity Chief Sandy Dunn on Talent Strategies

Published on February 24th, 2022


An effective response to cyber threats depends on having the right people in the right positions, especially with a talent shortage of an estimated 2.7 million professionals.

Sandy Dunn, who earned an undergraduate degree in animal science in 1991 and later a master’s degree in information security management, brings an unusual background to cybersecurity leadership. Ms. Dunn joined Dallas-based incident-response company BreachQuest Inc. earlier this month as chief information officer and chief security officer, responsible for information strategy, technology and security practices. Before that, she spent five years as the chief information security officer of Blue Cross of Idaho and has held several positions at HP Inc.

A lifetime of horse training, barrel racing and now the team roping competitions she does with her husband and daughter inform her approach to cybersecurity, she told WSJ Pro Cybersecurity.

Ms. Dunn said she doesn’t mind a wild streak in the people she hires. A spirited horse will often get itself and its rider into a mess, she wrote in an essay on LinkedIn, and both parties learn from it. “I throw my saddle on knowing there is going to be a wreck, I know they will try me, but I want the wreck to happen when I’m ready and I can correct it immediately,” she wrote. After a bold employee makes a misstep, she added, “the better action or approach is clearly evident to them.”

Here are edited excerpts from her interview with WSJ Pro.

WSJ Pro: How did you get into cybersecurity?

Ms. Dunn: The decades ago that I studied [at college], there weren’t a lot of computers. There wasn’t even cybersecurity. It wasn’t even a career path. I was very much involved in the horse world going into college. Animal science was the closest degree to a horse in my tiny brain. [After college] I found a set of Time Life books on computers at a yard sale and read them over and over. [I went into] software sales, then computer sales, network sales. My first [cyber] certification was important because it exposed me to that community, more certifications and then my masters.

If you want to pursue a career in cybersecurity, you can do it if you’re willing to learn and study.





WSJ Pro: What goes into a good cyber team?

Ms. Dunn: I often use my experience from my rodeo, western and horse-training life to think through and problem-solve in the cybersecurity world. When I am training a horse, it’s a puzzle I’m trying to figure out in the same way solving an organization’s cybersecurity challenges are a puzzle.

As an industry, we are in this situation where we build a wall, we put one brick on the wall, and the attackers build a higher ladder. We put another brick on the wall, they build a higher ladder. We are always in this game. I think right now we have gone to a point where that’s not the right approach. Is there a better, more effective way to approach the problem?

The more different perspectives you have, the more valuable the input and the better the outcome. I always hire for the person first and the skills and certifications second. I want to see a person on their resume…show they understood that the business was [in fact] in business. They were able to save money or reduce business friction. They understood that they couldn’t just work solo and that it was beneficial to the organization to work across teams.

WSJ Pro: Do you see any misconceptions about the profession?

Ms. Dunn: I really believe to have a long career in [cybersecurity] you have to be passionate about it because it is a really tough job. No one is excited when I walk in a room—like I’m either going to slow them down or tell them about a problem. You get very little recognition for all of the good work. But you get a lot of recognition if something fails.

A lot of people think all we do is hack all day. Everyone wants to be a penetration tester. The skills that we absolutely need are people who can do risk management and risk assessments and [information-technology] audit controls. Are you good at communication? Are you good at project management? Are you good at identifying processes? And if they have those skills, then I absolutely need them on my team.

Write to Nicolle Liu at nicolle.liu@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
