, I got to speak with Leanne Williams. As a pen testing professional, she knows there’s a lot more to penetration testing than pointing a network vulnerability scanner at an IP address.
This time I had the pleasure of chatting with Jen Fox. She's all about cybersecurity in the very challenging compliance space.
Tell me a bit about your cybersecurity role and how you got there.
I am a Senior Security Consultant. I mainly work in the GRC space, doing compliance/gap/risk assessments, security awareness training, and social engineering pen testing.
I have been in IT for over twenty years, often in consulting. My background is in tech writing, training, usability design, and requirements definition, so people and process have pretty much always been my thing. When I became interested in moving into information security about 10 years ago, governance-risk-compliance made sense as an area. Social engineering and awareness training have always been attractive areas to me, as well.
What drew you to cybersecurity after having worked in other areas of IT for a while?
I had gotten bored with business analysis and was looking for a new way to make things better for end users and add value to the companies I work with. I started looking in the direction of security and signed up for a graduate certificate program to start educating myself about the different areas of security and to get the additional foundation knowledge I needed.
As you started to learn about cybersecurity, did anything surprise you?
I think a lot of my previous experiences had prepared me for some of the things that seem to surprise people. I knew that businesses keep old technology and old code around for a long time for a variety of reasons. And I definitely knew that "process in theory" is not necessarily how things happen in practice, leading to all kinds of shortcomings. And people have been letting me into places and telling me amazing information for a very long time.
I was pleasantly surprised to see how broad a field cybersecurity is. So many amazing things to learn about! I also didn't expect how much there is in the way of learning opportunities. So many meetups and conferences as well as formal avenues.
Have you ever faced sexism in your career?
Probably the most overt thing I've experienced has been at conferences. I speak regularly at conferences, but it tends to be assumed that I'm a “plus one” rather than an actual security professional. (My husband is also in cybersecurity, and we sometimes attend the same conferences, sometimes both as speakers.) I'm sure it's because our numbers are fewer, but it doesn't make it any less annoying when it happens.
Oh my gosh, I don't like that either. What do you think are the biggest problems in cybersecurity these days?
There is plenty to choose from, but based on the work I do, two things come to mind.
Understanding the value of the information you have access to. I believe people tend to take for granted the information they have ready access to in their jobs and don't understand that it doesn't have to be a bank account number to have value to a malicious party. I think this is reflected both in social engineering exploits (willingness to share information) as well as the difficulty in getting buy-in from business counterparts on security measures. This seems to be especially true when there isn't a compliance driver to put security measures in place.
Determining where you're at security-wise and how to move forward in a meaningful way. I work with small and medium-sized businesses, and their staff are usually completely busy simply keeping things going. Figuring out what their gaps are from a broader perspective and what they should work on next can be a difficult thing for them to figure out. There is so much news and noise, so many products competing for attention. They don't necessarily correlate to controls that are the most protective. This is one of the things that make me love the Critical Security Controls when working with clients.
You've got excellent insight. Is there anything else you'd like to add before we go?
I think this is an interesting and huge field with a ton of opportunity. There are all kinds of ways to contribute. If you want to get started, get yourself out to meetings, meetups, and so on. Introduce yourself, and try learning something from someone else or presenting on something that interests you. If you meet some jerks, just keep going. (Cybersecurity doesn't have the market cornered on those.) Be excellent to each other.
Thanks for talking with me, Jen.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.