How do you describe your job to average people?
“I work in IT security” usually elicits a polite ‘oh'. If someone maintains interest beyond that, I usually tell them: When I'm not investigating a potential intrusion, I'm building systems to give our small team as many advantages as possible when it comes to detecting malicious behavior on our little piece of the internet. I'm writing code to make our processes complete more quickly and integrate more seamlessly into daily work. I'm educating myself and trying to encourage those around me to push past ‘good for today' to the better long-term solution. Most importantly, I'm trying to build the relationships and trust that allow us as an organization to make the right decisions in the face of constant change, resource contention, and constantly evolving external threats.
Why did you get into IT security?
I enjoy the constant learning, the challenge and playing in everyone's backyard. The IT field in general moves very quickly in terms of the technologies available and in use. Everyone of those new technologies comes with risks and flaws that may be discovered and leveraged to our detriment. The balancing act we're engaged in between maintaining technology we're familiar with and adopting new technology provides a constant challenge. In IT security, you have a role to play across all the technology specialties – from building servers or web applications all the way to non-technology aspects, such as providing input for institution-wide policies.
What was one of your biggest challenges?
Learning to properly balance security findings with the business costs. Properly assessing risk versus business costs and recognizing that timing is everything. Discovering an issue or weakness in a process or technology is exciting. The first time it happens your excitement leads you to expect that people will drop whatever they're doing to fix the issue immediately. It takes some time and perspective, however, to realize that there are generally at any one time 1,000 other things that need to get done, and it takes a lot of organizational knowledge, focus and perspective to put this one item in the ‘to-do' queue at the right position. We can never eliminate all risk to our networks, our data or the other elements which we try to protect. Therefore, our ongoing challenge is to correctly prioritize the application of limited resources – especially time and money – to reduce risk in the ways which most effectively support the organizational mission.
What keeps you up at night?
Discovering an important computer intrusion six months too late, believing I had the chance to catch it early. Incidents WILL happen, but my goal is to catch them as early as possible to prevent real damage to the business or reputation of the university. I am constantly in a struggle to prioritize the multitude of things that need to be done within the context of what provides the most benefit to the most important functions, while keeping a long-term perspective.
Of what are you most proud?
In my career, I'm most proud of the relationships I've built among my co-workers and the IT security community. It is invigorating to work with people passionate about their jobs, and enjoyable to learn from people who've spent the time to master a specialty. I'm especially proud of the influence I've had on some individuals just starting in the IT security field. I've watched them mature into bright, creative and highly skilled analysts and researchers and I fully expect that they will surpass my own contributions to the field.
For what would you use a magic IT security wand?
I've often come to the conclusion that ‘good security' is really nothing more than optimization, a move from ‘working' to ‘robust'. Far too often, the issues we face are the result of choices made while facing the fire of an external deadline or service issue. The time and energy to optimize a service or process is often seen as an unaffordable luxury. I would use my magic wand to grant our coders, system admins, network admins and business analysts the extra time it takes to go from good to great. In the long term, I believe we would all benefit from that extra attention. “A stitch in time saves nine,” as they say.
