What do you do on a day-to-day basis?
Background on me: I run the Cyber Threat Intelligence Program for the Walt Disney Company. This isn’t just for Disney, but all our business segments: Lucas, Pixar, Marvel, National Geographic, ESPN, A&E, ABC, and most recently acquired, 21st Century Fox.
My job is to identify cyber threats to the company across a myriad of industry verticals. We have Media & Entertainment, Cruise Lines, Retail, Publishing… you name it, we have it.
The first part of my day is spent reading a variety of daily intel reports from at least 40 sources (I can read very fast and after years of experience I know what to look for). The sources include private business reports from Federal and state agencies; some others are Ars Technica, SC Magazine, Malwarebytes, Sophos, Threatpost, and CrowdStrike, just to name a few. Then I head over to Twitter. I’m there several times a day looking for “breaking” cyber news.
For anything like a major data breach, significant ransomware attack, any significant industry attack, like GPS spoofing for example that could affect our cruise lines, or a vulnerability such as Meltdown/Spectre, I write up an advisory to leadership and our trusted security partners across the Company. Afterwards, I work with our Anomaly (hunters) and Enhanced Detection teams to make sure we have the right alerting or other mitigation strategies in place to detect/prevent the same thing from happening to us.
Collaboration is an important part of my job. I’m very involved in several security Slack channels where members share cyber threat intel and other incident-related information on a regular basis. “Street Creds” are important, so get involved and, in time, you will become a trusted confidant to receive some of that type of information.
What attracted you to information security?
I actually fell into it by chance. I was working at an engineering firm as a temp doing some accounting and admin type work. After the person I was filling in for came back from an extended leave of absence, my contract was over. I liked the company and they liked me, so they hunted around for another position and the only one available was in IT. The IT department was very small, so I was into everything. I knew nothing about computers or security, but they started to teach me and I quickly realized this is the field I want to be in. What really got me interested in security were two incidents that occurred very close together.
- We got hit with the Anna Kournikova virus. It infected the entire company, from what I remember. So I was asked to clean it up. No one at the company had dealt with anything like this, so I really took the bull by the horns and remediated the damage and then worked to keep it from happening again… i.e., starting with anti-virus on all the machines (gasp!)
- We started running out of disk space on our servers at a rapid pace. We kept adding more and more storage as we assumed that being an engineering firm and working with CAD drawings that we knew took up huge amounts of space, we did not assume anything nefarious was going on. Well, I eventually ran out of $$ in the budget, so I decided to look into it further. Again, no one had dealt with this before, so I ran with it. I discovered rather quickly, that someone or group of people were using our servers to store music, movies, etc. After that was eradicated, I sought to find out how to keep that from happening as well. Decided on a firewall. This was back in 2000 and I don’t know if that is a valid excuse or not. 😊
Do you have a degree and/or certifications? Do you think that they are necessary to work in information security?
I have an MCSA, Security+, CEH, and CISM. I have a Bachelor’s Degree in Computer Science.
I’m on the fence about certs. If you are just starting your career, I look at it like you are wanting to know more about security, so you studied and passed an exam. If you are further along in your career, I don’t think certs matter. Can it get you in the door? Absolutely… especially on the gov’t contractor side of the house. They are often mandatory.
Same for degrees. I think we all know people that have no degree and they are amazing and would hire them over a person with a ton of certs. I read an article that shows major employers are not requiring college degrees for their staff. I think that’s a great thing.
What are some of the biggest challenges that you have faced in your career and how did you overcome them?
There are a ton of them! I think one of the biggest for me, and one that I don’t really have control over, is being married to an active duty service member. That involves a lot of moving from duty station to duty station every one to two years and having to change jobs and start off at the bottom each time for the most part. There are also challenges in finding work, since a lot of companies don’t want to hire military spouses because we aren’t going to be a long-term staff member. Whenever that was brought up to me or suspected that is a reason that I may not be considered for a slot, I would say “Would you rather have a go-getter, hard worker, hit the ground running kind of person for two years or have a mediocre employee that does the bare minimum for 25 years?” It seemed to help sway the hiring people most of the time.
How do you achieve a work life balance to avoid burnout?
This is really difficult because I can confidently say I love my job. I love what I do and would do it outside of the office even if I weren’t in the field. Currently my leadership is very cognizant of burnout, and regularly encourages us to pay attention to signs of burnout. Since I’m part of the Incident Response Team, we all know that we can’t just put an active security incident on hold until the next day, so we compensate for long days with a day off later or leaving early on a Friday or something. In fact, this week, I took 3 work days off and went to a spa retreat with my sister. I didn’t even look at my phone. The first day was super hard. It got easier pretty fast. It helps to recharge your batteries. My goal is to have zero vacation hours at the end of the calendar year or at least close. So I monitor it every month. This shows that I took the right amount of time off for myself.
What is some advice that you would like to provide to girls participating in STEM?
I would say a couple of things: don’t let anyone tell you that you can’t do something or you won’t be able to figure something out. You are just as fully capable as anyone else in this industry. Right now there is a lack of diversity in our industry. Hopefully, by the time you get into the work force, these numbers will have shifted.
This is a very small field. Everyone knows everyone or knows someone that knows them. If you are a jerk, that reputation will follow you your entire career. Don’t be that person.
From a career perspective, I would recommend being very careful of what you post on social media. It can make or break a career opportunity and will be out there in cyberspace forever. Employers will almost always check that out before even calling you for an interview.
What resources do you recommend for women who are interested in breaking into your specialty area?
Get plugged into women in tech/security type groups like Girls Who Code, Cyberjutsu, WISP. Get yourself a mentor. Don’t be afraid to ask someone you look up to.
If they are too busy or cannot for some reason, ask if they can recommend someone that might. If you show enough passion and excitement for cyber security / cyber intel, I bet you’ll be able to latch onto a good one.
Attend security conferences. There are a few free ones, and those that aren’t free often have scholarships for those who cannot afford it.
Volunteer if you cannot land a position. Churches, non-profits, and others often have opportunities available to help them with security or computer-related jobs. This is a great way to get into the field if you don’t have direct experience. Plus it makes you feel good 😊