Last time, I had the opportunity to speak with Carrie Roberts. She's a red team engineer at Walmart with lots of penetration testing experience. This time, I had the pleasure of speaking with Glenda Snodgrass. She's a founder and the president of The Net Effect, a cybersecurity services company that's based in Alabama. They must be doing something right, because they've been in business for over twenty years so far.

Kim Crawley: Please tell me a bit about what you do.

Glenda Snodgrass: My work is primarily network security assessments and training, software implementations, and technology project management. I do a lot of public speaking on cybersecurity, as well as conducting regular Cyber Self Defense workshops. In addition to corporate security awareness training, I work with organizations to develop their employee training programs and their security policies and procedures. Information security is always a top priority in my work, even for projects that aren't strictly security-focused like new software implementations or business expansion.

KC: Tell me a bit about the company you're the president of: The Net Effect. Your company's work sounds very interesting.

GS: Oh, it is interesting! I started the company in 1996 with my partner Geoff Peacock. Our first subcontractor, Mitch Adair, became a partner a few years later. We started out building firewalls for small- and medium-sized businesses using open source software on PC hardware because at that time the only commercial firewall software options on the market were too expensive for SMBEs. Our business has grown over the years, and we've evolved into strictly consulting and project management. We've never limited our work to any particular vertical market, which makes our work even more interesting. I may visit a manufacturing facility, a wholesaler, a restaurant, a shoe store, and a financial planning firm all in the same week!
KC: Have you learned anything while conducting your Cyber Self Defense workshops?

GS: I learn something every time I speak to a group. The level of interest in and understanding of information security is so varied among individuals, and I can read so much on their faces. That's why I enjoy public speaking so much more than doing webinars, videos, or other remote training. I love reading the body language of people in the audience and adapting my talk to the feedback they are giving me in real time. Every time I do a presentation, there is some adaptation I picked up from the last time that I apply. Even though I reuse a lot of material, my presentations evolve every single time, both in terms of the changing circumstances of infosec and what I learn from my audiences.

KC: Have you had any difficulty in being taken seriously as a cybersecurity expert because you're female? It was a challenge for me.

GS: Yes, definitely. As a relatively young, female, small business owner, I had trouble being taken seriously for many years. Being in a technical field was just added difficulty. Fortunately, the march of time, changing attitudes, and over 20 years of experience have overcome those prejudices for the most part; it's rarely a problem for me these days.

KC: I find that for myself, as well. I haven't knowingly faced any misogyny in the cybersecurity news industry in years. Hopefully, all of these initiatives to promote women in tech, such as Ladies Who Code and The Diana Initiative, have influenced our industry for the better. What would you say to a young girl who's curious about pursuing a cybersecurity career?

GS: First and foremost, determine your interests and your strengths and then figure out how best to use those in a professional capacity. The field of cybersecurity is huge! Some areas are very technical and require long hours on a computer, like malware analysis and digital forensics, while others require a lot of interaction with people, whether training, developing policies and procedures, or working incident response. The field is constantly growing and evolving, and there are opportunities in many different areas.

KC: What do you think the biggest cybersecurity problems are in 2017?

GS: Lack of awareness is number one, in my opinion. So many people truly don't understand the risks of the Internet of Things, for example, and they are putting these "smart" devices into their homes and their businesses without taking even basic precautions, like changing default passwords upon installation. The bad guys want to use your stuff! Whether to steal your personal information or to attack bigger targets. That's why I focus so much on training and awareness. All the best technology available can only do so much to protect your network from unaware users.

KC: Speaking of IoT, do you think many consumer toys and gimmicks are being put on the internet unnecessarily?

GS: Absolutely! My mama always told me, "Just because you can doesn't mean you should." No one is thinking about that these days, though. We fear that which we don't understand – except technology! We embrace new technology with open arms, with no understanding of how it actually works. That is a growing problem.

KC: What do you think it'll take to encourage manufacturers to make their consumer products more secure? Lawsuits resulting from cyber attacks? Government regulation?

GS: Those things, and pressure from consumers. Possibly some cataclysmic event that hits some manufacturer's bottom line hard enough to scare the others.

KC: I recently spoke to IoT researchers who are surprised that the first cyber attack driven car accident hasn't happened yet. Has some of your public speaking about cybersecurity been at big industry events like DEFCON, Black Hat, or BSides? Tell me about some recent talks you've given.

GS: My specialty is explaining technical information to non-technical people, so my public speaking is primarily at conferences for professionals in other fields – attorneys; accountants; financial planners; physical security people; project managers; public relations; human resource professionals, and so on. For example, in July, I spoke to the Mississippi State Bar Summer School, OPSEC Day at Redstone Arsenal, and the Louisiana-Mississippi Labor Management Conference in Biloxi. In October, I'll be speaking for my third year at itenWIRED, which is a tech conference in Florida.

KC: That's really cool! Is there anything else you'd like to say before we go?

GS: As my favorite professor Mad-Eye Moody would say, "Constant vigilance!"

KC: Ah, you're a Harry Potter fan. It was great speaking to you, Glenda!

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.