Why did you get into IT security?
I liked the idea of working to keep the bad guys out of things. I also enjoy learning about the really novel, creative ways bad guys have discovered to circumvent security controls. Studying the offense gives me a better understanding and appreciation of defense and, for me, it never gets stale.
How do you describe your job to average people?
Most of my job right now is focused on ensuring that the people who are responsible for protecting critical infrastructure, particularly in the electric sector, have the information they need to do their jobs effectively.
What was one of your biggest challenges?
It's a continuing challenge: figuring out how to provide security for emerging technologies within critical infrastructure.
What keeps you up at night?
I know we have really good folks working on this problem set, and losing sleep would make me less effective.
Of what are you most proud?
I'm proud of the dedication I see among my colleagues who are in critical infrastructure security. I'm proud of the way we've come together to share and help each other within the utility space. I'm also proud of the projects I've been involved in – from helping develop our industry information-sharing organization to my role in creating the first situational awareness system for monitoring anomalous security events, and correlating those events with malicious activity.
For what would you use a magic IT security wand?
I'd use it to find the balance between confidentiality and openness. I believe that security is often used not just as a means to deny access to information that is not sensitive, but where it's easier or more politically expedient just to say “no.” This misuse destroys trust, making it harder to apply controls in cases where their use is legitimate.