, I had the privilege of interviewing Fortalice Solutions founder Theresa Payton. Her combination of White House and private sector intelligence and cybersecurity experience gives her a truly one-of-a-kind perspective in this industry.
This time, I got to speak to someone else I’ve met in person in Toronto’s cybersecurity community, Jennifer Fernick
. Between her post-graduate studies and keeping a large financial institution secure, she’s got a hell of a lot on her plate!
: Hey, Jennifer! Please tell me about what you do.
: I'm a Director of Information Security at a large global bank where I run a team that focuses on all aspects of cryptography, as well as building enterprise-wide security platforms and tools, and designing security architectures. I'm also a PhD student in computer science.
: How do you juggle your private sector job with your post-graduate studies?
: I work basically every waking hour of my days. It can be very intense, but I love the different perspectives that I get by going between theoretical computer science research and the realities of private sector cybersecurity. Nothing in academia can really prepare you to deal with critical incidents on production systems in the middle of the night or on building massive enterprise systems at scale, and yet many of the scientific realities and computational techniques that academic computer scientists consider table stakes in our discipline are actually really innovative, too, and under-utilized by many verticals in the private sector.
: How did you start working in financial security?
: I met our former CISO at a conference, and we had a really exciting conversation about computer security.
: How is doing cybersecurity work in the financial services industry different from other industries?
: I will begin by noting that these perspectives are only mine and shouldn't be considered representative of my employer.
I'm not convinced that cybersecurity work in financial services is, at its core, very different from other industries. Across infosec, we are all fighting the same battles – and often even the same adversaries.
What makes financial services interesting is that the stakes are high; the budgets allow for the purchase of some truly awesome defensive tools; the institutions in which you work are often quite conservative and yet there is a big cultural push for innovation as banks try to evolve. This makes doing cybersecurity a balance between managing risk in a really calculated way and constantly learning new technologies that may be of interest to business lines across the organization.
I think the key to success in financial cybersecurity right now is in anticipating the strategic direction of the business as a whole, figuring out the technical tools that will enable them to excel, and deliberately building security platforms, tools and architectures that will enable developers to meet their business goals as securely as possible.
: Do you think your career will get a boost once you've acquired your PhD in computer science?
: This may sound strange to say, but I hope not. The disconnect between much of academia and much of industry can be massive, and I'm very skeptical when power transfers across contexts for no other reason than that people are impressed by titles and degrees. Just because someone has a PhD does not necessarily mean they can solve the problems that your organization (or the world) needs to solve or that they have the leadership or judgment to thrive in the uncertainty of complex environments. Having a PhD doesn't mean that these things aren't true, either. I just think that we need to de-institutionalize the way we view people's contributions and potential.
I hope my career is boosted proportionally to how much I contribute to the industry, to the people around me and to technology. I hope my career is boosted proportionally to how courageously I approach the problems that lay before me.
: How did you get interested in cybersecurity in the first place?
: I did my undergraduate work in cognitive science and artificial intelligence, mostly because the social and philosophical problems of AI fascinated me. I remember my first-year CS professor casually mentioning something about "things that cannot be computed before the heat-death of the universe" on the final day of our programming course, and I've never been able to shake the feeling of awe about physically non-computable problems.
I took a bit of a winding road, doing a master's in engineering, and there I met a group of students who built satellites in the university design labs at night. We made a very cool satellite. I eventually joined a lab on campus that was trying to do quantum key distribution from satellites, since I had scrappy but useful knowledge of satellite design, and from there, one thing led to another, and I started working on post-quantum cryptography (this time, without any satellites). When I finally arrived to work on cryptography, I was really interested in how the hardness of computational problems changes between running algorithms on classical computers and on quantum computers.
And then, things came full circle. I re-experienced the wonder of computability and complexity, as I had so many years ago.
: Do you have any advice for young girls who may want to pursue a cybersecurity career like yours?
: Be what you are. While you could waste your time trying to fit some stereotype of what you think this industry is about, you're better off finding your strengths. Make friends in the community because they will be your source of learning, opportunities and joy. Learn when and how to stand up for yourself. Sometimes the best way to practice this skill is by standing up for others. Don't be afraid to ask for opportunities or to introduce yourself to people whose work you admire. And finally, the only people you should date, build close friendships with, seek mentorship from or work for should be those who believe in your potential at least as much as you do. Anything else is less than you deserve.
: Excellent! Do you have anything else to add before we go?
: Thank you for inviting me to be a part of this wonderful series!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.