At Veris Group, I build and run security assessment programs to help customers assess their security postures and meet regulatory requirements in a way that is cost-effective and repeatable. At NBISE, I extend that work into a community effort to define competency models for security testers with the goal of enhancing education.
Why did you get into IT security?
I got into IT security while in the Marine Corps because breaking into computer systems seemed cool. I ended up as a technical lead for a large Department of Defense Red Team and decided to stay in the field because being a part of the solution for securing our critical IT systems is a rewarding experience.
What was one of your biggest challenges?
Many of the organizations we work with are high-security environments with a large number of regulatory requirements, but constrained IT budgets. Our greatest challenge is designing assessments and training programs within these environments.
What keeps you up at night?
We are facing an increasing number of cyberattacks. Yet, our ability as an industry to assess systems against these threats is not keeping up.
Approaching security assessments with a methodical framework-based model is the way of the future. I'd like to think we play a role in this changing mindset.
For what would you use a magic IT security wand?
The maturity level of security assessments as a whole is relatively low. Our first, and biggest, step would be to have the community (both providers and customers) come to an agreement that we must tackle security assessments in a structural, industry-wide way, instead of the piecemeal approach we use today.