Last time, I spoke with Nitha Suresh. She's written IEEE papers and knows her stuff when it comes to pentesting and aircraft data networks.
This time, I had the pleasure of interviewing
Victoria Walberg. She has a lot of ideas when it comes to IoT and the cloud.
Kimberly Crawley: Please tell me about what you do, Victoria.
Victoria Walberg: I'm a freelance security consultant. I tend to do interim roles, such as where a company is going through a permanent hiring process or they need someone to work on specific projects. The roles tend to be with enterprise clients and cover matters like information security manager, security consultancy, security architecture, or technical project management.
KC: How did you get into cybersecurity?
VW: I originally started out in network engineer and sysadmin roles over 17 years ago. Those roles encompassed security, so I was configuring, managing and designing policies for firewalls, RBACs, AV, and backups.
There weren't so many dedicated security roles back then, especially in smaller organizations. One of the things that really set me off was when I moved from an 80-person company to an organization with about 1,000 users. How did you know the person phoning through a password reset request was really the person they said they were?
KC: Were you interested in computing as a little girl?
VW: Yes, I was!
KC: Do you remember your earliest experiences with computers?
VW: Aside from what I'd seen on TV shows, such as
Tomorrow's World, which had me fascinated in all things tech, the primary school I went to got an RM Nimbus at some point. My cousins also gave us a computer that had belonged to my dad (a VIC 20) when I was about seven or eight years old. I remember getting a book out of the library about programming on it, but I didn't really get that you had to write all code. I think I managed a "Hello World" on it. I moved schools for my final year of primary school, and they had a BBC Basic with Turtle! At secondary school, there were dedicated computer rooms, and I spent most of my lunchtimes in there.
KC: What are some misconceptions people have about the work you do?
VW: That I'm not technical!
KC: Seriously? People don't think you're technical?
VW: Yes. One client I worked with said "I only see you as a project manager,” and that was meant in the British sense for an IT project manager. I worked in Switzerland for about five years. IT project managers there had generally earned their spurs doing technical roles before being promoted up to Project Managers to make use of other skills, such as communication skills and planning. I find it very different back in the UK, with the exception of Engineering Project Managers.
I also think there's a disconnect between the research community and those who do enterprise IT. Not just red versus blue team but generally a misunderstanding about how technical some enterprise IT folks get. I've worked with some great architects and consultants who really get the tech they're working with.
KC: What do you think could improve things?
VW: I think researchers should work on gaining a better understanding of who their consumers are and how organizations manage risk. For instance, why does it sometimes take weeks to patch, if it's even possible? It's important to illuminate the grey areas of doing business, what an organization's risk appetite is, and the trade-offs made.
As someone who is in the enterprise IT world and misses being a techie at times, I like to go to conferences and meet-ups to hear about the research going on. What additional risks are there, how much of it is a real-world risk, and what forms part of the service that various security solutions companies offer. Are there things which could be applied to the organisations I work with?
KC: What do you think are the biggest problems in cybersecurity right now?
VW: I think the biggest problems are with IoT, security for SMEs, and home users. They don't have the resources and technical know-how. Also, shadow IT and cloud.
Regarding IoT, there are lessons that haven't been learned from the past, the cost of baking in security is high, a lot of devs aren't taught secure coding and design, and ultimately people have a "cool idea" and want to build it!
As far as SMEs are concerned, they rarely have the headcount and budget to have a security team or person. It still often falls to infrastructure or someone with an interest. However, they can have lots of customers and lots of data that needs securing.
Onto home users. They rely on ISPs and vendors to provide them with secure access and systems. They aren't aware of the risks, and everyone shouldn't have to be an IT expert. People have all this amazing technology in their homes and at their fingertips. I think it's really hard to make that usable and secure!
When it comes to shadow IT, people love what they can do with their home systems, and they don't understand why they can't have it at work either as quickly as they'd like or at all. I see this more in SMEs or those with disparate departments. Lack of measuring means this tends to go undetected.
KC: Is there anything else you'd like to add before we go?
VW: I think a lot of cloud systems have great controls, more than some internal IT teams can manage. However, there still needs to be someone understanding what controls can and should be put in place. Systems still need managing.
KC: Thanks for talking to me today!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
