How do you describe your job to average people?
I offer options and advice on various business projects and initiatives from a security perspective. At the end of the day, what I do is risk management. It's about mitigating risk – to the business and our customers – to appropriate levels by ensuring effective countermeasures and safeguards are in place.
Why did you get into IT security?
When I was in high school, my dad brought home a copy of SC Magazine and I read it (I have no idea where he got it). I've been fascinated with IT security ever since. It is the constant change, acute contextual awareness, and the allure of the unknown that drew me to IT security. The challenge of marrying IT security with the rest of the business structure is something I enjoy immensely.
What was one of your biggest challenges?
Improving the security culture and attitude toward IT security. Since the value of security is difficult to quantify, measure and see in hard, cold dollars, it often falls by the wayside. By embarking on a security awareness goodwill tour, I've visited our branches and spoken to head office staff about the importance of security. I always wanted to be a stand-up comedian, so by incorporating humor into my speeches, I changed people's perception about IT security. The key to cultural change is always humor.
Of what are you most proud?
Being known as a strong communicator and proponent of improving security culture. People in the IT security realm are often perceived as being hyper-sensitive nerds who force unreasonable security measures that clash with business objectives. I'm very proud of the fact that I've broken that stereotype and that my colleagues now have security as a priority rather than an afterthought.
For what would you use a magic IT security wand?
If such a wand were to exist, I'd probably be unemployed.