Last time, I had the pleasure of speaking with Susan Ballestero. She taught me a lot about what it’s like to work in a security operations center. This time, I got the opportunity to speak with Rebecca Herold. She’s been in the cybersecurity field for quite a long time now. She founded SIMBUS, LLC, a thriving information security, privacy and compliance firm. Kim Crawley: Hi, Rebecca! Please tell me about what you do and how you got there. Rebecca Herold: Cybersecurity, and then privacy, actually chose me. An opportunity presented itself, and I took it; and no one else, men or women, were even vaguely interested at the time in taking it on. And I’ve followed the path of taking on things others have never done ever since. I started my career as a systems engineer at a large multi-national financial and healthcare corporation in 1988. I identified a vulnerability in how one of the major back office systems was designed and had an idea for how to mitigate it. I went to my new manager at the time, described my idea and sketched it out on the whiteboard in his office. He wasted no time telling me that it was a horrible idea, that none of the business unit heads would ever agree to do something so drastically different, that it had never before been done and that they would likely view it just as more work for them. So, I explained how it would actually be less work for them, after which he literally yelled at me, “Stop! Your idea is bad! Quit wasting my time!” I considered quitting that day but didn’t. Two months later at the IT-wide quarterly meeting, the IT Director announced a great new innovative idea that my manager had proposed to the business heads, who embraced the idea and were already doing actions to get it implemented. They also announced my manager had been promoted and would be moved to a different department for his fabulous idea, which they described…and it turned out to be my idea, right down to the drawings I made on his whiteboard. I learned many valuable lessons from that situation. I have often wondered since then how often similar types of situations have occurred. I actually got onto the information security, privacy and compliance pathway back at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare organization. The programs were all housed in an IBM 390 mainframe divided into four regions for each of the several business unit regions. My change control system was used to move a program from the development region to test region to the pilot or beta region and finally to the production region within each of the applicable business unit regions. It was an online system that required authorizations for each of the moves. A manager had to approve, through the online system, of the move from development to test to pilot. A director had to approve of the move of a program from test to pilot and from pilot to production through the online system. The documented procedures required the managers and directors to carefully review the change documentation and proof of thorough testing as signed off by the program team leader or manager, respectively, before they would provide their approval within the system. The concept was good. The system was good. The procedures were good. Unfortunately, many of the individuals using my change control system were not so good. It was a real frustration for me to walk through the many different programming areas on Thursdays, the last day of the week for directors to approve of program changes to be moved into production on Friday. We’d see so many of the directors with their terminals logged on and open to access and not even at their desks or in their offices, so that the programmers could go in and make the online approvals on the directors’ terminals themselves! That bothered me for a couple of reasons. At a personal level, I wondered why I put so much time and effort into creating a sound, tightly controlled change control system only to have the people authorized to use it defeat those controls. Many of you may think, “Whatever; get over it.” Fair enough. At a business level, I saw how dangerous this was. As a result of these managers and directors not really doing the reviews, each week we had a large number of production moves that had to be backed out on Friday afternoons because of the problems they caused. Many were very minor problems, but some brought the system to a standstill or even messed up the customer databases significantly before the problems were noticed. After being responsible for this online change control system for almost two years, there was an opening in the IT Audit area. Working on the change control system helped me to see firsthand the importance of controls, so I applied for, and got, the IT Audit opening to learn more about how controls impact business. After I went to the IT Audit area, the common practice for leaving unattended terminals and PCs logged in and unsecured, allowing others to use them, changed due to my initiative. In 1990 and 1991, I performed an enterprise-wide information security audit. I reviewed a very wide range of departments and went deep into the details. It took around 7 months to complete. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and assigned me to create the Information Protection department in 1991. I’m so happy I took that opportunity! I’ve been addressing privacy within business since 1994 when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks, so the lawyers in the large organization where I worked said they were not obligated to determine privacy requirements when I asked them if they could get involved. However, I strongly believed it was important, so I convinced my senior vice president at the time to have privacy addressed. He indicated that since I felt so strongly about it, that he gave me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations. Since then, I’ve welcomed the opportunity to identify privacy risks in new technologies and practices in the absence of any laws or regulations in a wide range of industries and also identify the cybersecurity controls to mitigate those risks. So that is how I got started. I started my own information security and privacy consulting business in 2004 out of necessity. The consulting business that I was working for called me 1 hour before a meeting I was having in person with a potential client. The owner said the business was closing down, and so I went ahead to the meeting, told them that I was no longer with the organization they thought I was with, that it had just shut down, but that I could do the work for them. So they hired me. They loved my work, I loved doing the work for them, and so I decided I would continue being my own boss. I got my LLC and have never turned back. I’ve made it a success ever since. I was doing the same type work for my clients and had an idea to automate all the repetitive and analytical and math work so that I could deliver such things as risk assessments in a fraction of the time. But I needed someone with the investors and programmers to partner with me. I finally found a business partner in 2014, and we’ve been working since, continuing to build out SIMBUS, LLC, which is an information security, privacy, IT and compliance management services cloud business. KC: Do you think digital privacy issues are only getting worse? RH: Yes. There are more privacy, as well as information security, risks than ever before. As more technologies emerge, more big data analytics are used, and more artificial intelligence systems are deployed, cybersecurity and privacy risks grow exponentially. There are also increased motivations for privacy crimes. Personal data is worth more than ever before to crooks, and they know that most businesses do not adequately secure access to personal data on all their systems, networks, applications and endpoints. Plus, the general public is also growing in popularity as favorite targets because of all the smart devices they use, most of which do not have sufficient, if any at all, privacy and security controls built in. KC: What are some misconceptions people have about what you do? RH: There are many misconceptions about what I do. In my career, I’ve been a mathematician, teacher, systems engineer, privacy researcher and leader, cybersecurity tester, university adjunct professor, inventor, consulting business owner, cloud services business owner, and other roles. I had one of my Master’s program students several years ago call me the “Renaissance Woman” of information security and privacy. Cool! Wearing so many hats of capabilities and doing them for business, though, can be confusing to those who were considering me for employment positions back before I had my own business. And also when potential clients for my Privacy Professor consulting business, or for my SIMBUS, LLC business, need the types of services I provide. Some examples of comments made to me over the years. “So, you are a computer security expert, really? I thought you only did privacy!” Or, “So you also do privacy and compliance? I thought your specialty was data security!” So many career advisors give advice that you should focus on one specialty; maybe two. While that may be best for some, I can testify that it does not apply to everyone! While many folks love to have one primary area of focus to work within, I personally crave that wide range of experiences, topics and always learning new things. You can be successful doing so. So I have found ways, through owning and running my own businesses and being my own boss, to be able to do this. I encourage others to also follow their dreams of working with and within diverse areas, if those are their passions. KC: Do you have anything else that you'd like to add before we go? RH: In the past year, I’ve gotten increasingly more questions from women who are making a career change after having a completely different other career—women whose children have grown and left the home, women who have gotten divorced and now need to find a career, and even women in their 60s and older who want to keep working because they like to work and are very interested in data security and privacy. They often ask if they can work for me, or they ask me for advice getting into the information security and privacy fields. Some, even in their early 40s, have contacted me asking if they are “too old” to learn a new career, such as privacy and information security. My advice to all of them is if you love the work and love always learning new things while building upon long-standing standards and concepts, the privacy and information security areas are perfect for anyone of any age! There are always new areas to go into and new risks to discover. I personally plan to continue working throughout the rest of my life, maybe someday cutting back to primarily speaking gigs because I love traveling, meeting new people, and experiencing different cultures. Anyone, any woman—gender does not matter, and no one should let any of your readers convince them of otherwise—can be successful in privacy and information security if they have the passion for learning and enjoy what they do. I also get many questions from all genders from those still in high school and college and others just entering the workforce. Largely through LinkedIn and Twitter. I spent the last several weeks doing a very technical data security project, physically and technically testing actual devices within the electric grid for cybersecurity vulnerabilities. I knew nothing about the equipment before I started, so I was a bit worried, but then after speaking with PhDs in electric engineering, I realized they didn’t know anything about those devices either from a cybersecurity perspective! So I was the first to do this type of work. It is always exciting, and fulfilling, to be the first to discover breakthroughs and new security and privacy risks within any area. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
