Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NICE Framework in Focus: Connie Bragg

This Framework in Focus interview was featured in the Fall 2022 NICE eNewsletter.

Audio file

Title/OrganizationProfessional - Cybersecurity, AT&T

NICE Framework Categories: Securely Provision, Operate & Maintain, Oversee & Govern

NICE Framework Work Roles: Cyber Workforce Developer and Manager, Security Architect, Security Control Assessor

Academic Degrees:  BA, Women’s Studies, MPA Public Administration

Certifications: Cybersecurity, Azure Fundamentals

CBragg Photo
Credit: Connie Bragg

 


This issue’s interview is with Connie Bragg, Professional -Cybersecurity at AT&T. Ms. Bragg shares about how advocating for yourself can help when shifting careers into cybersecurity, how important networking and mentoring can be, and how the NICE Framework can help. Below is a summary of her conversation with Karen A. Wetzel, Manager of the NICE Framework.

KAREN WETZEL: Hello, my name is Karen Wetzel. I am manager of the NICE Framework at the National Initiative for Cybersecurity Education at NIST. The NICE Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, establishes a taxonomy and common lexicon used to describe cybersecurity work. The NICE Framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE eNewsletter series, Framework in Focus, it is my pleasure to speak with Connie Bragg, Professional -Cybersecurity at AT&T.

Connie, thank you for letting us learn more about your career pathway and understand the NICE Framework from your perspective. Let’s start by learning a bit more about your role and responsibilities as Professional - Cybersecurity at AT&T.

CONNIE BRAGG: Thank you, Karen. I work within AT&T’s cloud environment to help bring about security architecture in a secure environment. I joined the team about 18 months ago, having no experience at all in cybersecurity or a technical capacity. I support the team to ensure that our workforce is trained in modern technologies and primarily in Azure, which is a Microsoft product. We work to ensure people who are migrating to the cloud do so using secure practices to protect people’s data.

Part of that is providing training for our workforce, and I also support other initiatives from the administration side of all the Azure accounts within the CSO organization for my VP.

KAREN WETZEL: Can you share a little bit more about the team you work with and what kinds of roles they fill?

CONNIE BRAGG: I work in cloud enablement, which is about 120 people. I support the entire organization keeping our Azure accounts lined up and subscriptions and the billing accounts organized, but my primary team is smaller— about 10 people—and we work primarily for infrastructure as a service for migrating applications.

KAREN WETZEL: We oftentimes hear about how cybersecurity requires professional skills like communication and being able to sort of translate across an organization. It sounds like that would be an important part of your work.

CONNIE BRAGG: Yes, it is, very much so.

KAREN WETZEL: I’m eager to hear about your career path. Can you share a little bit about how you got to this role?

CONNIE BRAGG: Absolutely. I always tell people if you need to watch a zigzag, you can watch my career path. I was one of the first women studies degree majors at UNC Chapel Hill back in 1995. People will say, “I’m not making the connection. You went from women studies to cloud operations in cybersecurity?” But in ‘95, women studies was just emerging in academia, and I was very passionate about it. I took one computer science class, and liked it, but it wasn’t a job opportunity for me at that time. I started as a social worker out of college through AmeriCorps. AmeriCorps had a program that would help you go back to school in exchange for your service, so I took advantage of that to earn a master’s in public administration with the goal of working on operational side within local town and city government.

So I went out for a role within a federal department, but at the very last minute the job fell through. I was set to graduate in two weeks and didn’t know what I was going to do. But somebody asked me to consider sales for the Yellow Pages. I said, “Who?” I didn’t realize that the ads cost money— I was very naïve. But I thought I’d give it a try for a year; that was 19 years ago. AT&T is a company that allows you to have multiple careers.

 After doing sales for about five years AT&T acquired what was then Bell South. Bell South didn’t have any affinity employee resource groups (ERGs); AT&T did, but not a Women of AT&T group. It goes back to that women studies degree —I was able to take on a leadership role in starting a Women of AT&T chapter for our area of North Carolina, which in turn introduced me to external affairs. It was a great transition opportunity, and allowed me to put my master’s in public administration to use along with the greater informational background about AT&T that I could bring to that work. I was in External Affairs almost 10 years. From there I began to see a path towards cybersecurity. I could see that there were going to be opportunities. I was in a privileged position because I knew how to network—I reached out to the only cybersecurity person I knew in External Affairs and he became a mentor to me, helping point me in the right direction. That led me to a certification program. I thought I was going to take the program and be done in 18 months, like it said on the description. Well, that was for somebody with a technical background. I had to start from the ground up, so what was supposed to be a year-and-a-half program took me about two and a half years.

Two things happened then in parallel. First, we have an internal program called the Opportunity Marketplace that allows people to crowdsource internal employees to take part in projects. It can also be used to post when you are looking for opportunities to learn about new topics. I posted to this forum that I was about to graduate and was looking for experience. Secondly, I also took part in another resource at AT&T, the continuous educational learning lab. The lab had series on threat intelligence that was in two parts: the first part was introductory and focused on how to write for cyberintelligence. The second part introduced the NICE Workforce Framework for Cybersecurity, and helped me learn more about the areas of cybersecurity work I might be interested in.

It was around this time that someone reached out to me to work on a project focused on industrial control systems policy. I was a part of that team for 18 months. After the project was completed, the internal network group Cybersecurity at Work was forming at AT&T. In its inaugural year they had nobody to help with logistics, which I was doing in my position at the time. It was an ideal opportunity for me to bring my skills into cybersecurity, and that’s what led me to my current role.

KAREN WETZEL: It sounds like it really was a lot of advocating for yourself. I love that you took advantage of your network to develop your career. Being able to see how your skills were translatable and useful in more than one place is great, too.

Given this experience, what are your thoughts on how degrees or certification requirements fit into getting a job in cybersecurity?

CONNIE BRAGG: Employers want to see that you’ve take the time to learn the areas you are going to be working in day in and day out. And if you haven’t been in school in a while, you definitely need to get up to speed with a certification. You want to demonstrate that you can be trained and, to me, a certification demonstrates that. Hopefully, employers take on the mentality of “hire the character, teach the technology,” and the baseline of a certification shows you’re teachable.

KAREN WETZEL: We’ve touched a little bit on the NICE Framework and how that played a role in your career path. Could you share a little bit more about how you used it to guide your own career, and some of your organizational efforts?

CONNIE BRAGG: When ask, “What area of cybersecurity do you want to go into?” the response that usually hear is, “I don’t know. I just know I want to be in cyber.” Well, the NICE Framework allows you to understand the categories of work and the variety of paths to the job you want. I also felt like it gave me insight into what work I would actually be doing, and what the requirements were for me to succeed.

I have also brought the NICE Framework to Cybersecurity at Work. We recently launched a peer-to-peer mentoring program and it is one of the first tools that talk to them about. It also helped me when I was initially placing people in the mentoring program, tying their interests to mentors in related roles.

KAREN WETZEL: That’s great to hear. You have mentioned the different affinity groups at AT&T; I wonder if this ties in with efforts to promote diversity, equity, and inclusion in the workforce?

CONNIE BRAGG: Having come from a women studies background, this is an area I love to champion. AT&T and the work we’re doing is setting the stage for how industry best practices are executed. One of our internal goals is around cybersecurity recruitment and retention for underrepresented populations. We do a lot of college recruitment programs and are working with HBCUs to try to recruit underrepresented affinity groups to get an interest in cybersecurity.

I’m really excited to see that our mentoring program numbers show involvement of underrepresented populations—it’s a great outcome that has come about organically, and I hope it continues to grow.

KAREN WETZEL: I love the language of “what’s lacking.” It’s a great way to think about bringing in different perspectives that are going to improve your work products.

You’ve done a lot of work translating your skills into your new work role. But how do you make sure that you are keeping current and apprised of trends in cybersecurity to continue growing your skills?

CONNIE BRAGG: If you want to stay sharp, I couldn’t think of a better area than cybersecurity because you do have to stay current on things. I mostly read a lot. I typically dedicate at least one hour in the morning and one hour at night to reading current articles, and not just from a cybersecurity perspective because you never know what will cross over into your vicinity.

I also try to refresh. If it’s been a while since I’ve reviewed a protocol or a concept I’m not very familiar with, I’ll go to LinkedIn or watch various YouTube channels that I have found to be helpful, particularly as I’m still learning cloud. I find a few different people that I follow that way.

AT&T has done a great job of building out its available courses, and we partner with a lot of third-party vendors, but I also tap into industry area programs. For example, in the last year, I went through a program that I found through my local (ISC)2 chapter on risk management for cloud. I try to make sure I get at least six to eight CPEs each year so that I’m staying on top of current events and current areas of issues.

KAREN WETZEL: It’s easy for things to get pushed to the side but, as you pointed out, cybersecurity is not a field where things stay the same for very long. I like the variety of approaches you take and the dedication you have to your field of work. What is the thing that you enjoy the most about your new position?

CONNIE BRAGG: Last week, one of the people in the mentoring program came to me and said, “You know, I never thought about a role in this field until I entered this mentoring program.” Seeing these programs work and seeing people succeed is so rewarding. They’re still doing the work, but it’s great to help someone get where they want to go.

KAREN WETZEL: I don’t think you could have chosen a better reason for enjoying your job. I love that you are helping people see find paths into this field, and it’s not as difficult if you know someone who can help you along the way.

My last question, then, is what one piece of advice would you give to someone who is considering a career in cybersecurity? That could be someone just beginning to look at career options or maybe someone looking at a switch into cybersecurity after having already developed a career in another field.

CONNIE BRAGG: My biggest piece of advice is to always have faith in yourself. No one will be your best advocate outside of yourself, and you should take advantage of what you’ve already got. I find that particularly to have confidence in yourself.

I came into this role without as much confidence in myself as I should have had. I was too afraid to apply for a job within cybersecurity because of my lack of experience. In hindsight, I would say “Apply for the job.” When I have talked to employers, they say, “I want somebody who has maybe 60 or 70 percent of the qualifying criteria.” I wish I had been more confident in myself and the skills I offer. Just believe in yourself and you will do well in a position.

KAREN WETZEL: That’s such an important piece of advice. I’m so glad you were able to share that with our folks here today. Thank you so much for your time today!

To listen to the full audio interview with Connie Bragg, click on the audio below:

Audio file

Download a full transcript of the interview.

Created October 26, 2022, Updated October 27, 2022