Cybersecurity Expert Reflects on Her Career

Dawn Cappelli Advises Young Women to ‘Go for It’

Digital Exclusive

The Flexible Packaging Association (FPA) continually seeks to recruit new people into the industry while developing leaders from within. The September/October 2022 edition of FlexPack VOICE® largely is dedicated to some of those efforts. Earlier this year, for example, the Emerging Leadership Council (ELC) started a new committee on diversity, equity, and inclusion (DEI), and it held its second annual intern program over the summer. Many of these efforts include hearing from women in leadership positions.

FlexPack VOICE® had the opportunity to interview Dawn Cappelli, Dragos director of Operational Technology—Cyber Emergency Readiness Team (OT-CERT), for an article in its July/August 2022 edition on cybersecurity. Cappelli, who is the former chief information security officer at Rockwell Automation, also is a member of the Manufacturing Cybersecurity Advisory Council for the National Association of Manufacturers (NAM). NAM is partnering with Dragos OT-CERT, a program trying to help small- to mid-size FPA member companies combat cybercrime. FPA also is working with NAM to offer FPA members a cybersecurity product, NAM Cyber Cover.

After offering her insights into how manufacturers in the flexible packaging supply chain could protect themselves against cyber thieves, she agreed to talk about her career and what it took for a woman to excel in fields traditionally dominated by men.

Cappelli received her Bachelor of Science in computer science and mathematics from the University of Pittsburgh in 2.5 years—at age 20—graduating magna cum laude.

She was good at math, she says, and was eager to move on with her life, which included a decision to marry her high school sweetheart. “We are still happily married today—41 years later,” she adds.

After college, Cappelli worked at Westinghouse as a software engineer, programming nuclear power plants for nearly eight years.

“I enjoyed the work, but when I became pregnant with my first child, I found that Westinghouse did not provide the flexibility I needed. The mid-’80s was a time of great conflict between working mothers and stay-at-home moms, and I wanted to be both,” she says. “Westinghouse did not offer that flexibility, but Carnegie Mellon University did, so I went there and continued working part time until my second child started first grade.”

Her career continued to progress, despite being part time, and she moved into management positions, including leading technical projects.

“I found myself interested in cybersecurity, and in August 2001, I took a job at CERT [Computer Emergency Response Team]—the first cybersecurity organization in the world—located at Carnegie Mellon,” she says.

As a project manager, she worked with the U.S. Secret Service to protect large national events like presidential inaugurations and the G7 Summit from cyberattacks, as well as the Salt Lake City Olympics in the winter of 2002.

“This job seemed to be very cool until the Sept. 11 terror attack occurred one month later, and that cool job suddenly was extremely frightening, since intelligence sources determined that the Olympics could likely be the next terror target,” Cappelli says. “This sudden responsibility to save the world filled me with a passion that drove—and still drives—the remainder of my career in security.”

While working to protect the Olympics, her team found that insider threats were a significant concern.

“So, we broke the team into two parts, and I led the insider threat team. The insider threat work grew into subsequent research performed jointly with the Secret Service, then the FBI, other government agencies, and the intelligence community,” she adds. “As a result, I founded the CERT Insider Threat Center and co-authored the book ‘The CERT Guide to Insider Threats,’ which was inducted into the Cybersecurity Canon—a list of must-read books for all cybersecurity practitioners.”

Her career at Rockwell Automation followed. Here is the interview with Cappelli, lightly edited for clarity and style.

FlexPack VOICE®: The flexible packaging industry has been looking for ways to attract and retain more people, particularly women and minorities. From your experience, what should companies focus on? What works best? What doesn’t work as well?

Dawn Cappelli: I would focus on flexibility—that’s more important than ever now that many of us experienced the ultimate flexibility working from home during COVID. Also, introduce them to people “like them” in leadership, executive, and senior positions. Let them meet people they identify with who have achieved positions they might aspire to, so they believe your company is a place where they can be successful. And, by the way, if none of those people exist in your company then focus there first—make sure your current employees are being given opportunities to grow.

FPV: How have things changed for women during your career? 

DC: Things have changed dramatically. Most companies now provide flexibility for all employees for work-home life balance that we didn’t have when I was struggling to balance my career and being a mom. I enjoy seeing how involved fathers now are in the lives of their children; it’s no longer just moms at doctors’ visits, after-school soccer practices, and school field trips. The dads recently outnumbered the moms on my granddaughter’s preschool field trip. Many companies’ diversity, equity, and inclusion programs are having a huge impact on the respect and opportunities for women. It’s truly gratifying to see this sea change in our society and the world of business.

FPV: Who was your mentor? 

DC: Terry Roberts, founder and president/CEO of White Hawk CEC, has been a mentor since I started working with her at CERT. Her background is impressive, including deputy director of Naval Intelligence, executive director at the Software Engineering Institute, and vice president of Cyber Engineering and Analytics at TASC, a large defense contractor. Based on her experience, Terry helped me to navigate situations I faced at CERT as one of the few women in cybersecurity, and to map out career path options at various points in my career. I sincerely appreciate Terry’s mentorship, and as a result, I made mentoring women in cybersecurity a high priority.

FPV: What advice would you give a young woman who is thinking about a career in technology or the sciences? This could be someone in high school or college who isn’t quite sure what direction to go in but wants to go into those sectors.

DC: Go for it. If you enjoy technology or science, then the world is your oyster. My first major in college was social work, then psychology, then economics. I finally realized that I loved math and got easy A’s in every math class I took. I had no idea what I would do with a math major, but finally decided to go for it, because I realized that’s what I loved, so why not do that for a career? Fortunately, my adviser forced me to take a computer science course—the University of Pittsburgh was one of the few colleges that offered a computer science degree back then—and I fell in love with programming. Get the education that will position you for roles that you find challenging and fun and see where life takes you.

FPV: How about someone who has started a career and wants to advance it?

DC: Don’t be afraid to take risks, and don’t feel confined to the usual career path. Always be on the lookout for a new opportunity, even if you don’t check all the boxes in the job description. I took the position at CERT with no security background and was thrown into the most intense security position I could imagine. I became CISO at Rockwell Automation—a Fortune 500 company in critical infrastructure—without climbing the typical security career ladder like most CISOs at that time.

FPV: Tell us more about your work with Rockwell Automation.

DC: In 2013, Rockwell Automation recruited me to build its Insider Risk Program, and I couldn’t resist the opportunity of building a comprehensive program from the ground up. Our program was awarded the Global Team Leadership award by the Society of Women Engineers in 2016.

In 2016, I became the chief information security officer (CISO) of Rockwell Automation, responsible for developing and executing a holistic cybersecurity strategy to ensure that Rockwell Automation and the Connected Enterprise Ecosystem—the company’s infrastructure, products, and customers—are safe, secure, and resilient. In 2022, I felt that we had achieved the security road map we created in 2016 and retired from Rockwell. I intended to finally relax and spend more time with my two grandchildren and my family.

But I was approached by Rob Lee, CEO of Dragos, an industrial cybersecurity company, to create the OT-CERT, which will provide free security resources for small and mid-sized organizations running OT (operational technology) environments. The Dragos mission is “Safeguarding Civilization,” which is perfect for someone with my passion to help “save the world.” And as Rockwell CISO, I had been advocating for over a year for the community to step up to assist small- and medium-sized organizations that can’t afford security programs but pose a risk to the rest of critical infrastructure globally. I couldn’t pass up this timely opportunity, so I now work at Dragos part time as OT-CERT director and spend the remainder of my time with my grandchildren and family.

FPV: Is there a particular experience that stands out in your career, good or bad, or both? 

DC: When 9/11 happened and my new job suddenly changed from cool to terrifying, I had a terrible internal conflict. I realized that being on-site at the Olympics would literally put my life in danger, and I was the mother of two children. I met with my brand-new boss of one month and told him that I couldn’t do the job he had hired me for—I couldn’t travel to the Olympics—so he should fire me. This was the most difficult workplace conversation I have ever had throughout my career. Fortunately for me, he responded that I was hired by Carnegie Mellon, not the Secret Service, and I never agreed to take a bullet for anyone. I could still lead the project and participate in all the advance trips before the Olympics, and there would be plenty of volunteers from CERT who would be willing to take my place at the event. Lesson learned: When your values are tested to the extreme, don’t be afraid to have a hard conversation. And thank you to Tom Longstaff, who is now CTO of CERT, for his understanding and leadership style.

Thomas A. Barstow is the senior editor at FlexPack VOICE®.