Last time, I got to speak with social engineering expert Jenny Radcliffe.
This time, I got to speak with cybersecurity-minded client manager Tricia Howard. I got to learn even more about social engineering from her plus quite a bit about the importance of user education.
Kim Crawley: Please tell me a bit about yourself and what you do.
Tricia Howard: Hi Kim! I’m a Client Manager for Optiv based out of NYC. I work with clients in the city and New Jersey across the entire security lifecycle to create, maintain and manage their security programs.
I have a degree in theatre arts, fell into technology by accident and am enamored with security, both personal and corporate.
KC: What accident got you into tech?
TH: I was all set to get my MFA in lighting design… and then wasn’t chosen for the program. I had no backup plan, and I graduated with no idea what I was going to do, so I went job hunting and wasn’t having much luck. I posted a status on Facebook about how difficult it was to find a job, and one of my friends worked for a tech company and asked if I’d be willing to move up to Connecticut (from Texas originally) to do this training program. I found out about the job on a Tuesday, had an offer in my hand on Friday and moved up two weeks later.
KC: That’s amazing. Not a lot of people have good luck like that. Certainly you proved your work ethic and skill. But how you got your foot in the door was amazing luck. Just as how I’m able to write about cybersecurity for a living is also amazing luck. Our jobs aren’t easy to find.
TH: Yeah for sure! Luck and timing are big factors as well as networking and taking chances, you know?
KC: I believe having a humanities background probably helps your approach to cybersecurity. Have you found that to be true?
TH: Very much so. My whole job is communicating with people, solving problems and being creative. All three of which basically sums up my degree. Being able to think on your feet, connect with people and so on, it’s all part of the game. Not to mention it’s a nice ice breaker!
KC: Has sexism ever been an issue for you? Or people underestimating you because you don’t have a computer science degree?
TH: I definitely have had some sexist issues, but not really with colleagues so much, thankfully. It’s very uncommon, and when it does happen, I just don’t work with that person for long. I’ve been very fortunate that way. More often than not, it’s ageism that hits me rather than sexism. I have been told some awful things, but I’m a bit of a spitfire and just tell them where they can go.
I actually get more underestimation because of my role. Since I’m in sales, people assume I will just let “the smart guys do the talking,” which is why I started blogging actually.
Sexism hasn’t been a problem at Optiv at all. They don’t tolerate that.
KC: That’s good to hear.
TH: Yeah it’s uncommon definitely. It’s so rampant in our industry it’s disgusting.
KC: Getting into cybersecurity, what surprised you the most?
TH: How many people accidentally fell into it. They were working in telecom or something like that and when security was taken seriously they were recruited in.
Also how big the divide between IT and security is. Some of those teams don’t even talk to each other. Add in compliance and so on, and it’s even more disjointed.
KC: Are you involved in a lot of user education?
TH: Yes, mostly on the personal side of the house, but it’s one of the biggest things I preach to customers, as well. And in speaking engagements or Twitter, etc.
KC: Do you try to harden them against social engineering attacks?
TH: Absolutely. That’s the most important use case of end user awareness, in my opinion.
KC: Do you think people are often overconfident about their ability to detect phishing because they don’t fall for Nigerian Prince scams?
TH: Ha, yes. I think some people are, but it depends on the maturity of the organization. The really mature orgs know how sophisticated phishing campaigns can be.
KC: Have you encountered phishing campaigns that would fool people like us?
TH: I think everyone can be fooled if they’re sophisticated enough. My mom actually encountered one that looked like an internal email. Her company had the letter “w” in it, and the email address they used had two “vs” pressed together in lieu of the “w.” She saw it on her phone and didn’t even think about it. The biggest concern with phishing personally I think is just carelessness. We’re all busy; we make mistakes.
They had social engineered enough that it was believable. She’s in accounting, so they sent her an invoice with malware on it.
KC: Wow. Probably a file bound to an attachment or an embedded graphic. Yes, that’s a common way of spoofing email addresses and URLs. Do you think most organizations spend enough money and time on training their employees to avoid social engineering attacks?
TH: No, not at all. A lot of companies have some sort of “program,” but it’s once a year, and it’s looked at as a nuisance from the employee’s standpoint. It has to be an ongoing program, not just a compliance exercise. I think staged phishing attacks are very useful, especially because there’s an immediate “oh no, you failed!” aspect to it.
KC: What can we do to encourage more C-suite types to invest in user cybersecurity education?
TH: I think action is always better than words. Run an internal test (such as a staged phishing attack) and bring the results to them, including estimations of what could have been lost had this been an actual attacker. Not even necessarily just revenue-wise but intellectual property, as well. We need to be talking to the business holders rather than just the tech teams about this because that’s what will resonate.
KC: Excellent. What have you been working on lately, Tricia?
TH: Lots of appsec. There is still a struggle between security and innovation, so I’ve been working a lot to bring them together. And of course, attack and pen, remote breach sims, tabletops and so on. Ooh, and integration! So many tools out there, making sure the tech stack matches the business needs and is valuable rather than just shelfware.
KC: I’ve learned a lot from you today. Do you have anything else that you’d like to add before we go?
TH: Thanks! This has been fun! The last thing is just collaborate. Internally, with third parties, we’re all more secure with knowledge share. Security changes on a whim, so being as proactive as possible is the long term goal. Thanks so much for chatting with me!
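The lookalike-domain trick Tricia describes above (two “v”s standing in for a “w” in the sender’s domain) is exactly the kind of thing a hurried reader on a phone misses and a mail gateway or SOC script should not. The Python below is an added example written for this page; it is not part of the interview and not Optiv tooling. The confusable-character table is a deliberately small assumption, and the company domain and From: headers are constructed for illustration.

```python
"""Detect sender domains that impersonate a trusted domain with lookalike
characters, such as "vv" in place of "w". Added example; the domains and
From: headers below are constructed, not taken from a real incident."""

import re
import unicodedata

# Character sequences that render almost identically in many fonts. This list
# is an assumption for the example, not a complete confusables table
# (Unicode TS #39 is the authoritative source). Multi-character pairs first.
CONFUSABLE_SEQUENCES = [
    ("vv", "w"),
    ("rn", "m"),
]
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to what it *looks like*: lower-case, accents stripped,
    digits-for-letters and doubled-letter tricks collapsed. Two domains with
    the same skeleton are visually interchangeable to a hurried reader."""
    d = unicodedata.normalize("NFKD", domain.strip().rstrip(".").lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQUENCES:
        d = d.replace(seq, repl)
    return d


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: value, with or without a display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'external'."""
    dom = sender_domain(from_header)
    if dom in trusted_domains:
        return "trusted"
    sk = skeleton(dom)
    for trusted in trusted_domains:
        if sk == skeleton(trusted):
            return f"lookalike of {trusted}"
    return "external"


def scan(from_headers, trusted_domains):
    """Classify a batch of From: headers; returns [(header, verdict), ...]."""
    return [(h, classify(h, trusted_domains)) for h in from_headers]


# Constructed sample: the trusted company domain contains a "w", and the
# forged invoices come from the same name spelled with "vv" or "00".
TRUSTED = {"westwood-supply.com"}
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@westwood-supply.com>",
    "Accounts Payable <ap@vvestwood-supply.com>",
    "Accounts Payable <ap@vvestvvood-supply.com>",
    "Invoices <billing@westw00d-supply.com>",
    "Vendor <sales@example.net>",
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS, TRUSTED):
        print(f"{verdict:40} {header}")
```

Exact matches against the trusted list are accepted first, so a legitimate domain is never flagged by its own skeleton; anything whose skeleton collides with a trusted domain is a lookalike; everything else is simply external. This handles the ASCII-only tricks from the story; a production check would extend the table with the full Unicode confusables data and decode IDN (punycode) labels before skeletonizing, and would run at the gateway rather than rely on the recipient noticing.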
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.