Last time, I had the pleasure of speaking with Rebecca Herold. She’s a long time cybersecurity industry veteran and the founder of SIMBUS, LLC. This time, I got to talk with Roxy Dee. As a professional in vulnerability management, she knows that it takes a lot more work than just patching. She also has a habit of giving away cybersecurity-related books to her lucky Twitter followers! Kim Crawley: Please tell me about what you do and how you got there. Roxy Dee: I work as a vulnerability management service architect at Hurricane Labs, a Cleveland-based Splunk-focused MSSP. My specialty is in vulnerability management, but I also provide tier three support. That helps our clients get the most out of Splunk by setting goals with them and spending time focused on what we can develop and improve to go beyond expectations. Hurricane Labs has been very supportive of me and my career, but it took a lot of navigating to get to this point in my career. I started off as a newly divorced single mom working tech support for a large telecom. I was already interested in phone phreaking. I didn't realize how much it related to cybersecurity. I went to a 2600 meeting (after years of knowing they existed) and learned that most everyone there was cybersecurity. At first, I was not too interested, as my experiences with technology were not very exciting or interesting, although I did enjoy learning about networking and making websites with HTML. Tim, who to this day I remain forever grateful for being so kind and welcoming to me, encouraged me to join an IRC channel, and there I learned about Linux. I fell in love with Linux, and a whole new exciting world opened up for me. There was a whole world that opened up when I discovered computers were more than just Microsoft Office and making websites. My first cybersecurity job was as a network security analyst. I worked overnights, which gave me plenty of time to study. I passed the Security+ certification and began doing non-profit work. I founded a hackerspace. As I became more involved in the community, I also started to learn at a rapid rate. I was able to get a job as an infrastructure engineer (where I fell even more in love with Linux), and they then moved me into a position as a vulnerability lifecycle manager. Knowing nothing about vulnerability management and having to help build the program from the ground up, I became an expert just from the experience of starting a program from the beginning. From there, I worked at a large bank (and then moved briefly to a smaller bank) as an engineer developing methods to detect online banking fraud and finally convinced Hurricane Labs to let me work there. KC: Every so often, you'll give a cybersecurity book to one of your lucky followers. What inspired you to do that? How has that venture been going? RD: Before my big jump in salary (when I started working for banks), I had to figure out how to learn things for free and online. I couldn't afford to get books, and I didn't have time and couldn't afford childcare to go to college classes. When I saw Twitter user @cave_bill offering to use an Amazon gift card he had in order to buy a book for someone to learn something, I really loved the idea. I did the same thing, and then people started telling me they wanted to do the same but would like me to facilitate it. I started doing the free book giveaway regularly because I was getting enough gift cards. Towards the end of last year, it kind of dried up a bit, but I estimate that I've at least helped give 100 books away, and every time I get Amazon gift cards, I save it up until I reach at least $200 and do a giveaway. It's fairly easy to do if anyone wants to participate. They can either DM me a gift card code to my twitter account (@theroxyd) or they can ask me to retweet their Tweet explaining the amount they have to give. The way I send the books is by asking for a link to the winner's wishlist, so I don't have to deal with getting addresses. If anyone wants to read more, they can do so here. KC: Thank you for my copy of Defensive Security Handbook, by the way. Can you tell me more about Hurricane Labs? RD: At Hurricane Labs, we do a lot of work with Splunk. In addition to managing Splunk for our clients, we also do penetration testing, vulnerability management, and consulting. We work to customize our service and pay special attention to the needs of each of our clients. We’re not a one-size-fits-all type of service. We specialize in making Splunk work for the client instead of trying to adjust the client’s expectations or try to encourage them how to just deal with what they’ve got. Hurricane Labs is easily the best place I’ve ever worked, and I’m not just saying that to keep my job. I came here to work with experts; I read the blog posts on the website and was just amazed with the talent and experience. I noticed the employees were doing talks and writing books, too. Everyone had nice things to say about Hurricane Labs. I thought it had to be too good to be true, but after I started working here, it got even better. People treated me with respect, didn’t doubt that I knew what I was talking about, and worked with me without drama or too much ego. Everyone is so smart, it’s almost embarrassing sometimes when I have to ask what they’re talking about, but to this day, no one has treated me like a dummy, so I have no fear saying “I don’t know” as I have before. The level of quality in the work my co-workers produce is beyond normal expectations and pretty quick. I still wonder when the dream is going to end and I’m going to wake up. KC: What are some misconceptions people have about what you do? RD: The biggest misconception about vulnerability management which really gets to me is the "just patch it" attitude. You can't always patch everything. In fact, if you did, you'd take forever to finish patching. Not everything can be done automatically. You have maintenance windows, websites and services that could break, people that need to understand what they are doing (not everyone is fully versed in every type of vulnerability or fix), research to do to provide the best plan for either remediation or workarounds, and of course extremely large environments. Things take time. Prioritizing is where the magic is, not completely patching everything. KC: How do you think we can attract more women and gender minorities to the cybersecurity field? RD: Visibility and amplification make a huge difference. It's often said that there's a pipeline problem; I don't believe this to be the case, as I see plenty of non-binary folks and women at conferences and online. There's a lot of non-binary folks and women waiting to be picked up by a company and mentored in their first cybersecurity gig, which is a lot easier for men to get. Additionally, we need to focus on how we treat non-binary folks and women once they do get here. How often have we ignored the voices of those who are uncomfortable at conferences or lashed out at them when they ask that a simple thing be done to help them feel more comfortable? The thing that everyone can do right now is amplify and support the work of non-binary folks and women in cybersecurity. We're already here doing work, but it is often not supported or talked about as much as it is for men. When other non-binary folks and women see others in the field, it will also encourage them to join. I started a twitter account, @infosecwomen, to retweet and tweet what women and non-binary folks are doing in the cybersecurity field as well as help those that are wanting to seek advice or look for opportunities. Sharing and tweeting about this very series of articles that you are writing is something anyone reading this can do immediately. KC: That's excellent! Is there anything else you'd like to add before we go? RD: I just want to let readers know that we all have struggles and things we need to work through to become successful. Every. Single. Person. Don't be afraid to ask for help, to say "I don't know," or to even take a break to give yourself rest. Imposter Syndrome, in my opinion, is more about the people around you than you yourself. Surround yourself with supportive people who have no problem guiding you or answering your questions. Attend conferences, meetups, or find an online community (such as Twitter or IRC.) You deserve happiness and success! Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
