How do you describe your job to average people?
Not only do I help protect my organization (a university), but I also teach students about the security profession. There are so many aspects to information security that it's a challenge to determine what's critical for them to know in order to succeed. It's quite similar to security awareness training where there's only a finite amount of time and attention and you need to make the most of it.
Why did you get into IT security?
Like many, I fell into security. As a military intelligence officer, I learned about data classification and safeguarding sensitive information. As a UNIX systems administrator, I learned how to apply controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The variety of activities required of a security professional is what keeps me interested. That and the many great people I've gotten to know in the security field.
What was one of your biggest challenges?
Security is often a constant battle, not only against the “bad guys” but also with management who may not “get” security as well as end-users who bypass controls for their own convenience.
What keeps you up at night?
After 20 years, [computer science professor Eugene] Spafford's Law of Security is alive and well: “If you have responsibility for security, but no authority to make changes, then you're just there to take the blame when something goes wrong.”
For what would you use a magic IT security wand?
It would be used to influence those that take undue risks without understanding the consequences. All security pros need the ability to lead those around them to develop and implement controls to assure protection. The technology is easy compared to having this ability. The support of other security pros is what keeps me jazzed.