Last time, I spoke with Stephanie Vanroelen. She's an OWASP contributor who specializes in web penetration testing. She also organizes BruCON, Belgium's largest cybersecurity convention, and volunteers at CyberSKool, an information security camp for kids. This time, I have the pleasure of speaking with Tiffany Gerstmar. Working with the US Navy taught her a lot about cybersecurity policy!

Kim Crawley: Hi Tiffany! Tell me about what you do.

Tiffany Gerstmar: Hi Kim! My technical job title is "Cybersecurity Policy and Compliance Analyst," which is a lot of words that mean I help develop and implement infosec policies and processes for clients. I have always worked as a contractor supporting the Navy throughout my career, so I've gone from using those processes to assess and validate systems to now helping the Navy understand, train, document, and implement those processes, in this case NIST's Risk Management Framework (RMF), across the enterprise. When I started, it was DITSCAP, and then the Navy transitioned to DIACAP, and now we're in RMF, which I actually really like.

KC: Do you think your experience with the Navy made you a better cybersecurity professional?

TG: I think it's provided a different viewpoint than supporting commercial clients. I've certainly been exposed to a lot of different types of systems and seen the complexity of implementing security in extremely large networks. I actually think one of the best things I've learned from the Navy is the benefit of having actual defined and documented policies as guidance for infosec implementation, as well as everyone knowing and working towards the same mission.

KC: How did you get into cybersecurity in the first place? Were you interested in computers when you were a kid?

TG: I was! Well, I was interested in computer games. I started out with a VIC-20, and then a Commodore 64, and then we moved into PCs when I was a teenager. I was on BBSes starting with my 2400 baud modem and have the "accidentally spent $200 on my mom's phone bill" story to go with it. I replaced hard drives and RAM in my PCs for better gaming, but I never considered getting into IT. I got into cybersecurity in a roundabout way. I was an anthropology major, but I didn't want to be a teacher, so I picked up a technical writing certificate before I graduated. I started working for a tiny company, seven people when I joined, as a tech writer, and a few months after I started, they asked me if I wanted to do DITSCAP assessments since it was "just like tech writing." That wasn't entirely true, although the things I learned as a tech writer have been incredibly valuable. Everything technical or infosec-related I've learned, I have learned on the job or via extracurricular training.

KC: What sort of tech writing did you do? That's a pretty broad category.

TG: My first tech writing job was as an intern for San Diego Child Support Enforcement. I started out documenting how to use one of their in-house developed financial applications, which then expanded into putting together a plan for documenting all processes and applications within the organization and starting work on that. I remember we used FrameMaker extensively. When I moved to the small engineering cybersecurity company, they brought me on initially to develop and document their internal processes and policies and provide technical editing for work they were developing for clients.

KC: What do you think are some of the biggest cybersecurity problems these days?

TG: Generally speaking, for every organization, it's the difficulty of defending against so many bad actors while new threat vectors are opening up constantly due to IoT and the interconnection of systems that didn't always talk to each other before. Bringing everything online certainly increases convenience and utility, but it brings with it a commensurate level of risk, too, that I don't know that orgs are always aware of or care about. I think a lot of orgs also are building on bad foundations because they never had a chance to set up security baselines as an integral part of their business from the beginning, and so cybersec teams are stuck patching over leaks in the sides of a boat that's missing planks in the bottom. I wish we could get more organizations to take a breath and build things a better way, but hackers aren't going to call a timeout to let us do that. We have to find a way to work both angles at the same time, which means money and people.

KC: Excellent! Is there anything else you'd like to add before we go?

TG: I think our field needs to stop promising perfect security, and orgs need to really embrace the reality of that. Breaches are going to happen. But I don't mean that in a pessimistic "why should we bother?" way. It's why I'm such a fervent believer in actual, honest risk assessment, so that we can not only pinpoint and defend those things that need the most defense but also plan for how to respond and recover and protect the people who might get hurt in case of a breach there or elsewhere. Thank you for the opportunity to participate in an interview!

KC: Excellent. Thank you, Tiffany.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of that time as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute's CISSP and CEH certification exam preparation programs. Ever since, she's contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.