INTERVIEW WITH

QUIESSENCE PHILLIPS

DEPUTY CISO, CITY OF NEW YORK AND HEAD OF THREAT MANAGEMENT FOR NYC CYBER COMMAND

Original Interview, May 4, 2018

Quiessence Phillips built a career in cybersecurity by first taking things apart. In her role as Deputy CISO, Threat Management for NYC Cyber Command, she has helped unify the city’s once decentralized cybersecurity network to safeguard its IT systems and protect vital services. Phillips has risen quickly in a predominantly male-dominated field and learned how to manage in what she calls its “bromance” culture. “Words matter,” she says. “When you use the word ‘female,’ it almost loses its edge. Why can’t I just be a boss? Not a female boss. A boss.”

Did you think you were going to go into cyber?

Yes, I always wanted to be in technology. I had a knack for reverse engineering things. I’m still the same way, taking apart things to see how they work, such as my parents’ VCR, my computer. In the realm of code, it’s the same. Something is engineered, and you want to reverse engineer to see how it’s created.

Who in your life influenced you most?

My mother understood what I was good at. My mother is a connector. She knew she didn’t know it all, but she knew how to connect me with people who could give me knowledge and help me make the best decisions.

She was working at a bank and met a girl with a computer science degree. My mother told me, “You should meet this young lady. She is doing what you would be good at.” The girl came to my home, and I started doing research into computer science. I gravitated towards computing. I knew the power of what this could do, and if I understood at a deeper level, what it meant to me in my life.

What had the greatest impact on you during college?

I joined the computer lab and worked for the network administrator, setting up all the network connections. I took everything they threw at me. I was interested in how effectively all the computers worked together, how we could make them more efficient with software, etc.

My bosses gave me tons of projects and allowed me to screw up a lot of things. The ability to play and test in a lot of environments with regard to computers and networks helped me understand the work, not only from a theoretical standpoint, but also from a practical one. I was studying coding languages, algorithms, etc. By the time I graduated, I had amassed a lot of network admin experience. I’m the first one in my family to graduate from college.

What has changed in the relatively short time you have been in cybersecurity?

We’re doing the same thing now that we were doing ten years ago. I took a lot for granted at the Federal Reserve that people are now just doing. There’s more spotlight on the industry. There wasn’t a lot in the news about the threats we were facing at the time. A lot of the foundational work is the same. Now we have added components such as cloud computing, amassing so much more data because of the inter-connected devices, etc. At its foundation, the work is the same.

What do you consider one of your biggest successes there?

My biggest success was building an excellent team that worked incredibly well together. We were a lean, mean fighting machine with incredible collaboration and comradery. I’m still connected to them.

What do you see as the biggest challenges in cyber?

There’s so much data and only finite resources. That is and was one of the biggest challenges. That’s where you have a lot of need for automation and orchestration. We know we are under-resourced. We have a lot of doors to protect and only finite resources.

What about on a personal level?

There’s a lot of bromance culture. It’s a male-dominated field. It wasn’t a huge issue for me, but not all women feel comfortable in that environment. At times, you have to have a thick skin; things men do or say in these environments may not have malicious intent but may have some negative impact on their female counterparts. Everyone has inherent biases.

You went on maternity leave while at the Federal Reserve. How did that affect you?

I was twenty-five years old and gone for about six months to take time to focus on myself and my child. Coming back to an environment that is so dynamic, where things change so fast and there’s a race to the top, if you’re a driven person, you worry, “Did I miss out on showing my worth?” Also, when you come back, you have to juggle parenthood. Sometimes that’s a real issue for a lot of women. You question, “Am I at an impasse where a man has an unfair competitive edge over me?” However, times are changing and I think both parents want a healthy lifestyle for their child (or children) that allows parents to be more involved.

Still, you continued to get promoted.

I’ve moved up pretty swiftly based on my track record. I treat everyone the same. I’m fairly young in this industry. I did get some backlash, especially from older men who were my seniors before I became their boss. They weren’t very happy with it. That was challenging for me being a leader. It takes time to understand the environment and why people feel certain ways. I did second-guess whether I was ready to lead a team of that size. At the end of the day, you get over that. You are awarded this job because of skill.

How did you overcome those feelings?

Women have to get out of our own way. We undersell our abilities. If there’s one job and ten responsibilities, a woman will say, “I can only do seven of ten.” Whereas a man may only be able to do five out of ten but will say, “I’ll learn on the job.” It’s one reason more women aren’t applying for top jobs in cyber. Women tend to look at things we cannot do and say, “We are not enough.” That mentality is flawed.

What about mentors?

All the bosses I had that were men were incredible. I’ve heard horror stories from other women. Thankfully, I haven’t had those experiences. My bosses have been super allies for me. I had one female boss, and she was awesome. She taught me a lot about how to carry yourself as a female leader.

Among the lessons: Dial into people. Lead without managing. Be financially strategic.

Dial into people:
People who are busy looking at their phone are not dialed into you. My female boss was totally the opposite. No matter how many calls, if it was time for you to meet, she was completely dialed into you. It set the stage for me to be that way for and with others. I think it goes a long way—recognizing that both your time is valuable and equally important.

Leading without managing:
My manager at the Federal Reserve promoted me to Operations Manager of the Threat Analysis Center. Prior to that, I did amazing work, but I didn’t talk much. I’m a social introvert. I’ll speak to a lot of people, but I like to be in my bubble and work with my computers and look at data. She said, “You’re always behind the computer screen, but I started looking at how people come to you for things and noticed how you’re leading without managing.” That really stood out to her.

Be financially strategic:
I was going to leave the Federal Reserve and take a consulting job with a Fortune 500 company but decided not to. I’m very much into finance. I made good investments. I had been at the Fed for about four years. I was 80% vested. If I left, I would lose my vesting. My manager said, “One, this has nothing to do with career growth, but if you take this new job, I feel you will not be happy. Two, you are going to lose a lot of money if you leave before being fully vested. How much are they willing to pay you?”

Her boss counter-offered, giving her both a promotion and lifelong, financial advice.
She asked me, “Is it about the money or the work?” For me it was both. I felt I needed a change. I needed to shake things up. My boss said, “We can give you a different type of work, and in this instance, you can fulfill both needs, and you don’t lose vesting. Resist the urge to leave now. Next year you will be in a better position.”

I really appreciated that type of information. She didn’t have to share that with me. It made me reconsider certain choices and affected how I make decisions. I decided to stay, and I carry it forward. I always want people to make the best decision for themselves, and they have to be happy with the decisions they make. Don’t settle with short-term fixes.

What are the top three things you bring as a woman to cyber?

A difference Perspective. Inspiration. Mission-driven.

Perspective:I bring a different perspective to the table. I feel diversity is important because of the unique opinions and perspectives people bring because of their own upbringing. Think about emojis. There were no black emojis until 2015. If there were more diverse groups making decisions that affect a wide range of people, different decisions would be made. Also, words matter. When you use the word “female,” it almost loses its edge. Why can’t I just be a boss? Not a female boss. A boss.

Inspiration: I assume other people know what I know. My mother used to say, “Just because you know it, doesn’t mean others do.” As I began to break out of my shell, I got an overwhelming response from other women: “You inspired me to go to school for this, pursue a career in technology, in cyber,” both men and women. I would get so many different messages about the impact on their lives and how I made them think about things differently or forge into areas they wanted to pursue.

Mission-driven: I am blunt. I am mission-driven. I like to cut out the fluff and focus on mission. While the work is important, the journey is just as important. We want to make sure we’re having fun, making progress, and setting the stage for people coming behind us.

Mentoring is a big part of your life. You created the non-profit JOURNi.

My co-founders and I met at an event teaching kids to code and exposing them to different areas of technology. We wanted to bring a program to Detroit, specifically to educate and create exposure for the underserved demographic. I’m the first in my family to graduate from college. If you have two parents in your household and they are both engineers, you will likely be an engineer. Exposure is key.

We’re teaching entrepreneurship, programming and other foundational elements that add to success, and everyone is eating it up; but there are fundamental issues that create challenges our communities don’t necessarily face. Instead of starting with technology fundamentals, we had to start with accessibility and transportation. There are students who are incredibly smart, dedicated and willing to do this work, but are unable to get to a learning center from one side of Detroit to the other because they have no bus money.

How did you grow at each job to take on the responsibilities you have now?

In each of my jobs, I’ve developed different sets of skills and different ways of thinking about risk management and working effectively.

Federal Reserve, July 2007–January 2013, Operations Supervisor & InfoSec Analyst, National Incident Response Team: I amassed knowledge and discipline, monitoring threats, incident response, managing a 24-7 operation. I got my feet wet in all areas.

City of New York, Deputy CISO, Threat Management, October 2017–Present: Coming to the City of New York opened my eyes. I look at everything differently. I appreciate the work that goes into running a city, especially one as large and dynamic as NYC. When we’re investigating a cyber event, we’re not just thinking about the technology, the money that could be lost, or the brand reputation; the most important thing is the potential impact it could have on the people who live here. Think about the services the city provides like clean drinking water or automated benefit checks to underprivileged parents. If those systems are tampered with, the outcomes can be life-impacting.

Barclays, VP Cyber Security Operations, Incident Response, Sept 2013–Oct 2017: At Barclays, I worked with colleagues in different parts of the world. This provided an interesting perspective, not only from a cultural optic, but also from a regulatory one.

City of New York, Deputy CISO, Threat Management, October 2017–Present: Coming to the City of New York opened my eyes. I look at everything differently. I appreciate the work that goes into running a city, especially one as large and dynamic as NYC. When we’re investigating a cyber event, we’re not just thinking about the technology, the money that could be lost, or the brand reputation; the most important thing is the potential impact it could have on the people who live here. Think about the services the city provides like clean drinking water or automated benefit checks to underprivileged parents. If those systems are tampered with, the outcomes can be life-impacting.

What is your biggest achievement personally and professionally?

I never really look at it like the “biggest achievement.” I do a lot of small things that add up to something great. Although I live in a “response” kind of world, I focus a lot of time on preventative work. If you don’t prevent, then you will be stuck in a cycle of responding to the same events.

The biggest achievement from a leadership perspective is to help people see and be the best versions of themselves. It is rewarding to help others achieve their goals while we make strides together to achieve the mission.

Personally, and within this industry, I would say my Securing-Your-Path initiative is pretty important. I’ve been able to touch women who are interested in the field and “secure their path” and make it a little bit easier for women coming after me. I’d like to see more women in the field. Those are my biggest achievements, besides my son!