How do you describe your job to average people?
The main part of my job involves assessing the security risks around networks, applications and architecture design.
Why did you get into IT security?
I have a networking background, and it shifted to a security focus little by little until that's all I wanted to do. Being in a position that brings you face to face with emerging threats is awesome.
What was one of your biggest challenges?
Learning how to rapidly adapt to new technologies and address the security challenges that we all have. For instance, when responding to an incident from a client, they were using an application with which I had zero experience. Being able to quickly figure it out allowed us to identify that the out-of-the-box configuration from the vendor had a large hole that allowed unauthenticated access to all of the data. We were able to work with our client to add mitigating controls to fix that problem.
What keeps you up at night?
Let's be real, security is NOT easy and you can never do enough. Threats change faster than our ability to react. An attack that works today could be patched tomorrow.
Of what are you most proud?
Running point on architecting a secure design for our client's global data centers, and trying to solve their global security challenge. In the end, we designed a zoned security model that our client is now using as a revenue-generating business enabler.
For what would you use a magic IT security wand?
I'd give everyone a small dose of security paranoia, just enough to make people think about what they are doing when they interact with technology. A lot of security hangs on trust. We trust that the websites we visit haven't been hacked, we trust that online services will look after our personal data and we trust that the nice lawyer who wrote to us from Tanzania really does have $77.7 million just waiting for us to collect. A little voice in all our heads reminding us that even online trust needs to be earned would go a long way to keeping us all more secure.
Rook Security is an Indianapolis-based security process integration provider.