How do you describe your job to average people?
I usually describe my job as a computer security and a quality control assessor. I tell people that I evaluate security. It's less of getting into the computer system's bits and bytes as it is reviewing IT auditees' security policies and procedures.
Why did you get into IT security?
IT security is a field that just isn't boring. Technology changes almost daily, and as an auditor who examines entities numerous times, there's always new things to learn about the network, applications, operating systems and web technologies.
What was one of your biggest challenges?
Sorry, I have no stories to tell here. But, I do have an ongoing challenge wherever I audit: Convincing senior management that controls over IT are mission critical. Their buy-in is paramount to maintaining/strengthening a sound IT security program. If the big boss doesn't think it's important, will anyone else?
What keeps you up at night?
Not knowing who gets in, accesses information, and gets out without being detected, or who gets buried deep in voluminous audit logs. Another concern is the thought that accessed data will someday be used to discredit or financially damage our organization.
Of what are you most proud?
I'm proud anytime an auditee contacts me and asks my advice on a security issue or control procedure. It's not unlike having your teenage son or daughter come to you for advice: It doesn't happen very often, but when it does, it's a great feeling.
For what would you use a magic IT security wand?
I'd use it to detect every unauthorized access attempt on our systems and then send a command to the intruder's computer that both disables it and reports the intruder to the authorities. Yep, that'd do it!