As you’re probably aware, the job titles and accompanying responsibilities that fall into the information security spectrum run the gamut—from threat analysts and network engineers to penetration testers and chief information security officers. While there may be "magic" quadrants that define each role and the unique functions that fall into them, Infosec Insider decided to reach out to these subject matter experts themselves to get a better sense of how their professional journeys have evolved to earn them their professional roles today.
Currently the Senior Manager of Security Tools at Charles Schwab, a multinational investment firm, Kristy Westphal has worked her way through myriad job functions, giving her direct visibility into what it takes to succeed at every stage of a security professional’s career. While it’s not always been easy, especially as a woman in a principally male-dominated field, Kristy’s smarts, extraordinary work ethic, and approachable demeanor have been the keys to her achievements. Infosec Insider sat down with Kristy to learn more about her path thus far, and hear her thoughts on where the industry is—or should be—headed.
I tend to gravitate towards a good challenge. I have repeatedly taken roles that no one wanted to do, and then done my best to perform them well. I started my career as a LAN administrator in the office because literally no one wanted to do it.
As I’ve moved up the ladder over the course of my career, I’ve realized that leadership in security is pretty daunting to do well. It takes a lot of trial and error, but I am determined to do my best to help wherever I work succeed in their security goals.
I think the biggest difference is the vast amount of regulation in financial services. It takes a lot of effort and persistence to keep up with it to best safeguard our customers’ data.
Being the best leader for my team that I can be. It’s difficult to keep everyone happy at work and give everyone equal time. There are so many competing priorities and sometimes one group or person needs more attention than others, but that could mean someone else who is working on something important to them might feel left out at that point in time.
I am constantly looking at how we can do things better, how we can grow as a unit. If we can work well together as a team then we can accomplish great things and provide an awesome, supportive work environment for our employees.
There really is no such thing as a typical day! (Which is one reason I love this profession!) My day can revolve around anything from working on administrative tasks, to helping support my team, to coaching, to analyzing a complex incident and deciding on the best options, to supporting audit requests. There truly is never a dull moment.
We need to make sure that those of us already working in the industry are visible and reachable to those who might be interested in learning more about security and what it entails—from the day-in-day-out to potential long-term career paths. I have seen many great efforts to expand the visibility of women in tech in general lately, which I find really encouraging. However, we need to keep up the effort, reach out to new groups of girls at an earlier age and continue mentoring and supporting them throughout their education, to make sure it pays off in the long run.
Recruiting for open positions is still a huge challenge. Matching the desired skills with qualified candidates is a daunting task. We need to do more as organizations to reach out and provide insight into skills and training that are necessary to help shrink the gap. This can mean partnering with schools, engaging in work/study programs, or even offering more internships. We can’t sit back and complain about the lack of skilled workers in security and the staggering number of positions that will be open in 2020; we need to stand up and tackle this head on or it won’t get any better.
Other than making sure you provide a good environment for your people, make sure you fully take advantage of the tools you buy. I see this time and time again, where companies buy security tools to “fix” a problem but never totally implement or use the tools to their full potential. When this happens, the organization doesn’t realize the entire value of the tool and can start to question the decision to allocate budget to new tools acquisition. As a result, the company either spends more money on another tool to accomplish what the first tool could, had it been properly configured, or they choose to not invest at all, which can be a problem when or if some new technology truly does become necessary.
When looking at your tools arsenal, make sure to build in the resources you need to successfully implement/deploy/maintain what you have! You can probably do a lot more than you think with the people, tools, and processes you already have.
This is part 2 of Infosec Insider's "Day in the Life..." series.