Scholarship winner looks to transform the security awareness community
Don’t underestimate 2019 Infosec Cybersecurity Scholarship recipient Steffanie Schilling based at her number of years in the field. This roll-up-your-sleeves security awareness pro has done a lot in just a few years in the industry.
Growing up in Cleveland, Steffanie graduated from Miami University in Ohio with two degrees — business marketing and organizational communication.
“I have a background in the social sciences and at heart I’m a social scientist,” Steffanie said. “I study people and have found them fascinating throughout my life. I really enjoyed going to college and learning the theories and the explanations for behaviors and how people work.”
Transitioning to cybersecurity
Steffanie was bitten by the cyber and security awareness bug while working for a major medical equipment company. Because of her marketing and communications background, she was brought in to help the whole company understand the sometimes-mysterious workings of the IT department.
“My CISO came up to me one day and said, ‘I need to talk to people, and people like talking to you.’ He asked me to come along when he was training new hires for cybersecurity. After listening for an hour, we went back to his office and he asked me to build a security awareness program. I was like, ‘I don’t know what that is.’”
Steffanie was given a blank slate to build the program and valued the trust and support placed in her by leadership.
“I asked my CISO how much I could change,” Steffanie said. “He told me, ‘I chose you for a reason. Go.’ That’s all I needed, so I just dug into it and built it from the ground up.”
Building a security awareness program
To build the security awareness program, Steffanie drew on her experiences as a marketing communications professional and being the daughter of a teacher — a lifetime of absorbing the social science of how people teach and learn.
“You want people to be aware of the threats out there,” Steffanie said. “You’re trying to manage and mitigate cyber risks by teaching them safe behaviors, by getting them to care and by helping to properly scaffold where their knowledge and skills are up to where you want them to be.
“I started by asking questions about the IT and security team. Does our employee base know who we are? Do they know how to contact us? Do they even want to talk to us? And so I went about starting to brand the security team as a ragtag team of technical misfits who are here to help with all their cybersecurity needs.”
Bringing marketing and sociology to security awareness
Steffanie points to her experiences in marketing for her success in crafting the new security awareness training program.
“As a marketer, I create content for a living,” Steffanie said. “I started off and spun up a cybersecurity portal where we posted company IT news. I used it to help with phishing simulations and explain the background of a simulated attack. I’d post blogs and discussions about social engineering and what to do if someone calls saying, ‘Hey, I’m from the IRS. Let’s go talk about your taxes.’
“To help people become engaged and invested, I created little videos about how to be a cyber shark because sharks eat fish for breakfast. I added little cartoons and made infographics. We held a big cybersecurity awareness week and ran a company-wide contest where employees created mock phishes and we’d send them to the IT department.”
Steffanie wants to spread information about marketing and the social sciences as a positive in cybersecurity. She calls it her “soap box.”
“Bringing evidence-based learning from sociological theories into cybersecurity will literally make us all safer,” she said. “It will not only make the cybersecurity professionals easier to work with, it’ll help them become more aligned with the business and prove their worth. It’ll help us better engage with our end users. It’ll help us engage with senior leadership so we can get the backing and the support we need.”
Helping open the doors for others
Being a factor in making the industry more diverse and inclusive is another priority for Steffanie. She’d like to help open the door to more individuals without them having to go through discouragement or belittlement because they don’t fit the mold.
“How cool would it be if we were able to invite people in to share their experiences, backgrounds, thought processes and how they see the world,” Steffanie said. “Diversity of thought and those experiences just allow you to be safer. It allows you to know how to talk to other people. It also allows you to better look for gaps and opportunities. And I think it’s desperately needed.”
In April 2020, Steffanie joined a multinational insurance provider as a Global Program Manager for Cybersecurity Policies, Communications and Security Awareness. She’s also an active member of Women in Cybersecurity and InfraGard.
As a recipient of a 2019 Infosec Cybersecurity Scholarship, Steffanie will receive CompTIA Network+ and Security+ boot camps and certification vouchers. Additionally, she’ll be able to take another live boot camp of her choosing from the Infosec Skills course catalog.
“The scholarship will allow me to build my technical foundation,” Steffanie said. “I’m really excited to bring both the technology and the sociological theories of it closer together.”