What do you do on a day to day basis?
Every day is different, which is one of the reasons why I love the field. At a high level, my core role is to assess the risks to our organization and to work with our leaders and caregivers in treating those risks to acceptable levels. A key component of this is to understand the organization’s strategy and to position the information security strategy to enable our mission and vision. In doing so, I lead a team of information security professionals that occupy roles from leadership (Director, Program Managers) to architects, engineers and analysts. My role is to enable them to do their roles effectively by providing them with the tools, resources and support to carry out their daily functions. More often than not, I’m in meetings with various areas of the organization, partnering with them to deliver on their goals without introducing unacceptable levels of risk. At times, I’m reviewing contracts, doing budgets, working through system selections for our security tools, developing and communicating policies, generating awareness and working to create a culture of information security across the organization. At a micro level, I’m working with all areas of the organization to ensure that our people, processes and technologies are working effectively. Outside of the day to day, I also spend a lot of time keeping up with the news, the emergent threat landscape, new regulations, etc., so as to keep pace with the times. I also work closely with industry peers, collaborating to assist each other in problem solving and moving the maturity needle forward for the industry as a whole. I do so by volunteering for working groups, serving on collegiate and industry advisory boards, and networking.
What attracted you to information security?
I was lucky enough to progress into a role as a project manager for large, international infrastructure jobs for a large global organization. I was a pretty hands-on project manager and got to experience a wide array of areas of information technology. Each project had an information security component to it, and I found myself gravitating towards the field. When it was time to move on, I had made the decision that my next role would be focused on information security. At that time, the HIPAA Security Rule was a few months from becoming law. A large local hospital was hiring for an Information Security Officer, and I got the job. The rest is history.
Do you have a degree and/or certifications? Do you think that they are necessary to work in information security?
I have a BS in Electrical and Computer Engineering as well as an Executive MBA. I also have the Certified Information Security Manager (CISM) certification. I will most likely seek cloud certifications in the near future. I don’t think that certifications or degrees in this area are necessary to work in information security, but I also don’t think that they hurt. I would not rule out someone without a cert or degree for a job or promotion if the individual can demonstrate the competency, skill and knowledge to do the job. What I do tell people who are starting in infosec without a comparable degree is that working towards or having a certification demonstrates a desire and commitment to the discipline and a willingness to work for it. It may be the differentiator for an entry-level role.
What are some of the biggest challenges that you have faced in your career and how did you overcome them?
My challenges came early. I had to change from full time to part time after my second year in college and had to pay for college on my own. For many years, I worked as a full-time intern and had two bartending jobs. I took classes at night as I could afford them. I watched all of my friends graduate and begin their careers. It frustrated and discouraged me at the time to watch everyone else succeed while I struggled to move forward. It took me nine years to graduate, but I kept pushing. What I didn’t realize at the time is that my challenges helped to develop and mature me into the professional that I would someday become. Once I graduated, I hit the ground running. I was hired into the company that I had interned for, got several promotions and, five years after graduation, left the company to become an Information Security Officer for a large healthcare system in Philadelphia. Just five years after graduation! The adversity that I experienced prepared me for a high-stakes, high-pressure role that I have since fulfilled. Since then, most of the challenges have been around being able to balance my passion for information security with the constraints that most organizations have in making the resources and finances available to build a strong program. In my current role, the biggest challenge I face is keeping up with the threat landscape and moving at a pace that is achievable without putting the organization at risk. In terms of overcoming existing challenges, I believe being a good communicator and a strong partner to the organization has enabled me to gain the trust of our leaders and caregivers and to build the necessary relationships to move forward.
How do you achieve a work life balance to avoid burnout?
I think work-life balance is essential to good performance at every level. Although I work extremely hard, I also find the time to do things that I love outside of work. I used to work 15-hour days and found that the work never stopped. When I went for my EMBA, I was forced to stop working after hours so that I could tackle my coursework. What I soon realized is that no one noticed that I wasn’t working as hard. No one complained about my productivity. Once I graduated, I made a commitment to myself to avoid going back to working as much. As for what I do to avoid burning out, I do non-security-related things to strike that balance. I am an extreme extrovert. Being around people is important to me, and I enjoy spending time with my family and friends (this includes my strong CISO community). I love to travel and do so regularly with my husband (I could do a better job of disconnecting when away). I’m a huge sports fan and spend a lot of time going to games. Lastly, I am a long-distance runner and enjoy doing half and full marathons, which is actually a stress reliever.
What is some advice that you would like to provide to girls participating in STEM?
STEM opens up a world of opportunities. As technology becomes more integral to everyone’s lives, we are going to need talented professionals to keep pace with advancements and to foster innovation. There are not enough women in STEM. The unique skillsets and perspectives that we bring to the table can add an incredible amount of value. In information security specifically, there are not enough people to fill open jobs currently. That void is expected to grow exponentially in the future. As far as advice, some folks believe STEM fields are difficult or intimidating. I think STEM fields are challenging and push us to be better versions of ourselves. Additionally, folks think that information security is super technical. The field is vast and includes a variety of non-technical areas such as risk management, education and awareness, strategy and communication, to name a few. For those that choose STEM, I suggest you embrace the fields and be bold and confident in your abilities. Never listen to anyone that tells you that you may not have the ability to do something. I strongly believe that if we set our minds to do something, each one of us has the ability to do so. We just have to want it and work for it. Surround yourself with champions, and find a mentor who wants to help and invest in you. Lastly, have fun learning; it’s the best part.
What resources do you recommend for women who are interested in breaking into your specialty area?
Sites: SANS.org, ISC2, cybersecurityeducation.org
Blogs: Krebs on Security, Schneier on Security
Women specifically: WiCys.org, womenscyberjutsu.org, https://cybersecurityventures.com/list-of-women-in-cybersecurity-associations-in-the-u-s-and-internationally/