Q&A: The non-technical side of cybersecurity with Sasha O’Connell

In partnership with

Cybersecurity, dear reader, may sound like it’s outside of your purview — but the reality is that it’s a part of all of our perpetually digital lives. 📱

Sasha O’Connell, senior director for cybersecurity programs at Aspen Digital (a program of the Aspen Institute), is entrenched in cyber policy, but her perspective remains relatable. With a background that includes a long tenure of cyber policy and strategy work at the FBI and a professorship at American University, she didn’t come from a technical background. “I'm really passionate about diversity of skills in cyber and folks with non-technical backgrounds knowing they have a space here,” said O’Connell.

We sat down to discuss her work and how the industry is changing. Indulge in the Q&A after this brief ad for internal comms solution Axios HQ (which, believe it or not, has operated independently from Axios Media since 2022).

51% of employees feel confused at work

Less than half say they can easily find the...

• goals

• strategies

• directives

...their leaders have shared. Worse, only 9% of staff feel tightly aligned with org-wide goals.

We surveyed 1,200+ professionals to see what's going wrong — and how to get it right.

Get the full report

Wanna buy your creator a coffee while you’re at it? Click here. 😉

How has cybersecurity and cyber policy changed since you left the bureau in 2016?

So many more folks are talking about it. Back in the day at the FBI, when I worked with Sean Henry, who just left CrowdStrike recently, and Steve Chabinsky, these guys were talking about cyber. There were not a lot of folks in DC talking about cyber. Some of the large companies didn't even have DC offices, or if they did, they weren't focused on cyber and tech policy. They were focused on tax policy and HR, these other things that very large tech companies have policy equities in. The environment has entirely changed. Just the level of discourse, engagement from companies, engagement from elected officials, has all astronomically changed.

There's so much more engagement at the c-suite level than there used to be, but also there are still very significant gaps.

So you’ve ended up at Aspen. I would love a high-level overview of what you're focusing there on these days.

We get to do cyber policy both top down and bottom up. Top down, we have a US group and a global group, and these are very senior private sector leaders who meet often with all kinds of different government officials twice a year. They have an opportunity to convene, build trust, work on issues in a space where people can really speak freely, and it's been a really important vehicle for building relationships so people can collaborate, and then also working through complex cyber policy issues. Then we have our summit, which is our public facing big event, and we do salon dinners and more. 

On the other side, we do a lot of work with the Cyber Civil Defense community. This is the direct service community that is largely funded by Craig Newmark Philanthropies that's doing things like volunteering for critical infrastructure, workforce issues, training, cyber clinics, all of this bottom-up direct service cyber work that Craig's been supporting over the last couple of years. 

Everyone has a role to play in cyber. You, my friends and neighbors, need to care. We all know to use multi-factor authentication, complex passwords, back things up, accept software updates, right? These routine things that have proven really difficult to get people to care about at the consumer level. So we're going into year two of a massive public service awareness campaign called Take9.

On the top-down side, where would you say the US is at, and where are we headed in the cyber policy realm? 

I’m excited about, here in the United States, the new structures we have in place with the National Cyber Director, Sean Cairncross who finally got confirmed. We've had [that leadership] in the Biden administration too, [but] that is new over the last couple of years — to me, that's an important sign of the elevation of cyber within the national priorities coming out of the White House. 

We see a lot of increased education on the Hill for members of Congress who are really upping their interests. The threats are growing, and we know what needs to be done, but really getting it prioritized. 

Another really interesting thing that's happening right now is there is a real increase in prioritizing frauds and scams, because they've become so rampant, particularly with the addition of generative AI. A lot of those issues are overlapping, and we're seeing some real growing interest in doing something about fraud and scams, because they are just so rampant and impacting consumers so much.

We all live in a digital ecosystem that's very challenging to secure without infringing on the efficiencies we want, the privacy we want. Keeping it front and center is a real challenge, but there are signs of increasing focus here. And I think some hope that we can mitigate some of the downsides.

Shifting to the personal side of it, you mentioned coming from a non-technical background. From another angle, various sources talk about the gender gap in the industry. I'm curious what makes an effective population of experts in this field, and how can we tap into the most valuable voices, the most valuable talent, without overlooking them based on surface-level factors.

When I think about this problem set, I think about supply and demand. What can we as organizations do to make sure that we are looking for talent in new and different places? We can't go to the same places and expect a different result. Who are we rolling in and who are we ruling out? 

Me and Diana Burley, who's the Vice Provost for Research at American University, did a project called Cyber Unicorn. Employers are saying we have this huge gap in cyber and we need all this talent. And we know from working at the university, students can't get jobs. The study was qualitative and focused on public sector entities in Florida, but we found some really interesting things happening on the employer side. For example, when public sector employers in Florida were looking to hire entry-level cyber folks, they actually were hiring for help desk jobs first, and then, if they went well, moving them over to cyber. Before you really give folks the keys to the cyber security capabilities, you want to know and trust them. Folks weren't even applying to the help desk jobs, not knowing that the way to get a cyber job is to go to the help desk first. 

On the demand side, there's a lot we can do in organizations to think about how our internal processes are either conducive to bringing in a wide diversity of talents or are hindering that. 

Step two is the supply side. I had the privilege of teaching at AU full time for five years, undergrads and grads, and working with younger students, I realized how many people don't think they can do cyber. At American I worked with students who mostly all wanted to work in government. There is no job in government that doesn't have a cyber component anymore. A large percentage of students who came [to my intro class] are like, ‘Oh, I can do this.’

Thanks,