Cybersecurity challenges pros to keep ahead of sinister minds
“In addition to technical depth, there’s no small amount of psychology involved in figuring out how people will attack.” – Kevin Greene, DHS
“I hired more people in one month than in the rest of my career combined. These are very exciting times.” – Angelica Collazo, Air Force Civilian Service
By Arthur Schurr
Cybercrime is mushrooming. And it’s nearly impossible to quantify the loss with an exact figure. Some call it “the greatest transfer of wealth in human history.”
According to “Estimating the Cost of Cybercrime and Cyber Espionage,” a study conducted by the Center for Strategic and International Studies (CSIS, Washington, DC) and sponsored by computer security software company McAfee (Santa Clara, CA), cybercrime costs the American economy as much as $100 billion and 508,000 job losses each year. Globally, the estimate jumps to as much as $500 billion per annum. The report cautions that these are only estimates. But one thing is clear: cybercrime has made cybersecurity one of the most important disciplines in IT.
“Without question, cyber threats are increasing,” explains Dr Douglas Maughan, director of the Department of Homeland Security (DHS, Washington, DC) cybersecurity division within its science and technology directorate. “In the recent Target breach, 110 million credit card numbers were stolen. A number of banks have been under fairly constant denial-of-service (DOS) attacks over the last year and a half,” he says. “Obviously government systems are also under regular attack. It is a comprehensive and expanding problem.”
President Obama released the executive order “Improving Critical Infrastructure Cybersecurity,” along with several presidential policy directives, a year ago, Maughan notes. “There’s been a lot of activity governmentally, in the private sector, and among critical infrastructure providers that’s designed to advance cybersecurity. But we’re still in a cat-and-mouse game. The attackers have no rules or laws and we do. It’s a difficult situation. We’re getting better, but the question is, are we getting better fast enough?
“Software once came from reputable companies and those companies stood by their products. Today, people download software from who-knows-where made by individuals they don’t know. And they run this software on everything from smartphones to laptops without thinking about it,” Maughan laments.
“Add to that the commercial pressure to be first to market with a product or service. That also leads to cutting corners and increased vulnerabilities.”
George Smirnoff is chief information security officer for Comerica (Dallas, TX). He notes a significant shift in cyber defense strategy.
“The Target breach is a symptom of an elevating risk environment. Cybersecurity is migrating from what used to be a very tool-based system to a highly risk-based discipline that includes much more than just technology,” explains Smirnoff. “The pervasiveness of risk correlates to the increased number of touch points for cyber interaction. That has increased with the increased use of technology. The bad guys go where the money is. Today, that means where the data is.”
Balancing security with usability
“There is no one technology solution that can protect us. We can’t just flip a switch,” Smirnoff says. He stresses that users must be smart about information technology and security. And, he adds, usability is a must. “I know how to secure our bank perfectly, but that would mean we would have to shut down. So it’s about usability as well. It’s always going to be a tradeoff among security, usability and risk.
“Right now,” he says, “cybersecurity is about a concept we call defense in depth: multiple layers of controls and awareness.”
The importance of software skepticism
DHS science and technology directorate program manager Kevin Greene focuses on a unique aspect of defense in depth: software assurance. Maughan labels software assurance as “one of the top five cyber concerns,” and believes Greene’s work is at the cutting edge of cybersecurity.
“Software is everywhere. To do business today you’ve got to leave certain communications ports open. That gives an attacker an opportunity to exploit weaknesses in software,” explains Greene. “Software assurance is one of the most important challenges we face.”
Greene recently launched the DHS Software Assurance Marketplace (SWAMP), a state-of-the-art open resource developed in conjunction with the University of Wisconsin-Madison. It’s designed to help software developers, software assurance tool developers and software researchers improve software assurance and integrity.
Greene believes that widespread adoption of SWAMP could have a profound and positive impact on software systems and applications. “Better assurance practices lead to better security. It’s that simple.”
Well-rounded cyber experts sought
Given the shifting landscape, do the experts see a need for different expertise in the field?
“The government always had a mindset that we needed someone with a four-year degree in electrical engineering, math or computer science. But that’s changing. Now we want people with more hands-on experience, as well as people who understand risk management,” Maughan reports.
He cites a nationwide DHS program, the Secretary’s Honors Program Cyber Student Volunteer Initiative (dhs.gov/secretarys-honors-program), which gives students hands-on experience. “There is also the National Collegiate Cyber Defense Competition (nationalccdc.org), which teaches cyber defense. It’s like March Madness for cybersecurity.”
Comerica’s Smirnoff sees a similar trend in hiring in the private sector. “Technical skills are still foundational. But a multidisciplined person tends to be best at security.” Critical skills, he says, include problem solving and process skills, knowledge of a variety of software methodologies and frameworks, and a broad understanding of risk. “Also, you really have to understand how a business operates in order to protect it properly. We’re looking for a very broad skill set with a technology foundation.”
Here are some cybersecurity experts who possess that critical mix.
Joseph Natarian of AFRL protects U.S. Air Force weapons systems
From his office at the Wright-Patterson Air Force Base (OH), Air Force Research Lab (AFRL) program engineer Joseph Natarian oversees the integration of multiple technologies to advance warfighter capabilities. He also serves as a bridge between researchers at other Department of Defense (DoD) labs and operations centers, as well as with other government organizations and contractors.
“I develop solutions for the timely transition of technology to operational weapons systems. And I lead the formulation and execution of research programs to develop and evaluate technologies,” he explains.
Natarian got a double BS in electrical engineering and computer science from Wright State University (Dayton, OH) in 2008. He specialized in electromagnetics and communications technology. He finished his MS in electrical engineering at the University of Dayton in May, and holds many DoD-specific certifications.
Other skills fill out the package
Though he’s well armed with broad technical training, Natarian also believes technical capabilities alone are not enough.
“The most important skill is the ability to effectively communicate complex problems and details to teams in written and verbal form. It’s also very important to be willing to learn and relearn new approaches and technologies, particularly when it comes to problem solving.”
Natarian cites hard work and flexibility among his strengths. “When I face obstacles, I work hard to overcome them by identifying opportunities and bettering myself, particularly through technical development. I think my commitment to continually adapt to evolving trends and technologies has resulted in a fulfilling professional career.”
Ash Khan keeps Citigroup’s global consumer banking secure
Managing director Ash Khan leads a team of information security professionals in global consumer information security at Citigroup (Citi, New York, NY). His role is to ensure the security of applications, products and services that make up Citi’s worldwide consumer banking.
“The technical aspect of my work includes making risk-management decisions that require a thorough knowledge of the consumer business, emerging risks, mobile/Internet/ATM/voice technologies, software development and regulatory requirements.”
Building up to a career in innovation
Khan graduated from University College London (London, U.K.) in 1989 with a BS in pure and applied physics. He followed that with a 1995 MS in computing from Imperial College London. He has many IT certifications in information security, and has participated in a variety of management and leadership courses. He finds his training and certifications help feed his hunger for cutting-edge work.
“What I find most interesting is working on innovative products – industry firsts – that present a new information security and risk-management paradigm. A good example is how to handle mobile e-commerce, mobile wallets, cloud computing and so forth.”
Khan credits Citi with providing an open and diverse work environment. “I’ve been fortunate to work in organizations, including Citi, that provided equal opportunities regardless of ethnicity, status or color. As a result, I’ve never really experienced the potential negative aspects of being a minority.
“Citi recognizes and embraces diversity through affinity-based employee networks. And due to the global nature of my role, I interact and engage with colleagues from all over the world. My diverse background has helped me connect with, and understand, the many different cultures and perspectives of my colleagues and clients.”
Diversity at Citi
Citi consumer operations and technology human resources managing director Corey Woods supports Khan’s assessment.
“Diversity is a key source of Citi’s strength. We have a presence in more than 160 countries, so it’s a business imperative. Our employees reflect the diversity of the communities we serve.
“We have a robust recruiting program that targets schools with a diverse mix of students. As soon as they’re on board, our new hires attend programs about diversity and inclusion. We have diversity councils and dozens of employee diversity networks, including ones for people with disabilities, Asian Americans, African Americans, military veterans, LGBT employees, and more. We also have a dedicated IT intern program, an IT leadership development program, and mentoring programs like Women Leading Citi. All these things help make Citi a great place to work.”
Arnold Bell protects and delivers government intelligence for GE
At General Electric (GE, Fairfield, CT), cyber relations senior manager Arnold Bell fills a multifaceted role for the information security technology center (ISTC) in Glen Allen, VA.
“I have three main focus areas: relations, legislation and policy. I’m the initial liaison between the GE IT risk organizational and governmental bodies, industry partners and trade associations, including DHS, FBI, DoD, the Richmond Technology Council and the U.S. Chamber of Commerce. Through these relationships, we deliver government intelligence to GE’s intelligence team and combine our knowledge and resources to inform our executive leadership about the cybersecurity threat landscape. I share our cyber issues, threats and concerns with these partners and bring back helpful information to our teams at the ISTC.”
Bell also keeps GE in the loop on pending legislation, and provides a private sector perspective to the government agencies he encounters.
Bell earned a BA in criminology from Saint Leo University (Saint Leo, FL) in 1986. He worked for many years in the FBI prior to joining GE, where his cyber training came from real-world, on-the-job cyber investigative experience. He has several cyber certifications and has participated in executive leadership and management training.
Working together, sharing a passion
Bell takes his mission seriously. But his greatest sense of fulfillment has more to do with the process and its people. “The interaction I have with my GE colleagues and the different government, industry and trade groups is by far the most enjoyable aspect of my work. I love the spirit and drive of the teams at the ISTC and the passion we all share for protecting GE’s intellectual property.”
Bell describes GE as a performance-driven company, so being a minority has not factored into his work in any way. And New York-based senior HR manager for GE IT Pam Halligan corroborates Bell’s experience.
“Diversity and inclusiveness are our competitive advantage and part of our core foundation. That’s demonstrated by the commitment of our leadership team and our internal processes. For GE, diversity is about the power of the mix: the strength that results from a team with varied backgrounds, experiences and styles,” Halligan says. “As a global company, our employee talent must reflect the communities we serve and those with whom we do business. Our diversity energizes teams, fosters teamwork and drives innovation.”
Jason Kelley gives KnowBe4 customers cybersecurity options
Customer retention manager Jason Kelley helps customers with everything from setup through operations for KnowBe4 (Clearwater, FL), a company that provides web-based security awareness training to small and medium-sized enterprises.
“I explain the setup and features of the management console to help orient users. I address support issues and provide continuous assistance for customers until they reach final deployment. I also do periodic follow-ups.”
Kelley began his cybersecurity career with an AA in communications from St. Petersburg College (St. Petersburg, FL) in 1995. In 2001 he earned a BS in information systems from the University of Phoenix (AZ). He followed that with a 2004 MBA, also from the University of Phoenix.
Kelley enjoys the technical aspects of his work. But that’s not where he derives his greatest fulfillment. “I get the greatest satisfaction from working with customers and explaining how to set up training, discussing cybersecurity concepts, and learning how to meet their needs. I like watching the light come on when customers completely understand how to use the training and features.”
KnowBe4’s Carol Montgomery approaches cybersecurity from a different angle
Carol Montgomery is a vice president at KnowBe4. She raises people’s awareness about cybersecurity and explains the need for security awareness training. She’s also responsible for the establishment and revenue growth for KnowBe4’s channel partners.
“I work directly with customers and take them through a variety of vulnerability tests to find holes in their security or opportunities for social engineering exploits. Security awareness training is essential. It’s gratifying to know the various vulnerability options and to recommend solutions. I know I am helping protect companies and their staffs.”
Montgomery has a nontraditional background for an IT professional. She graduated from Temple University’s Boyer School of Music (Philadelphia, PA) in 1979 with a BA in music.
Drawn to the changing landscape
“Like many in the security field, I have a burning interest in the subject matter. Many in this area are self-taught. You have to like the process and the rapid evolution of technology. This landscape is constantly changing. What works today isn’t necessarily going to work tomorrow or next month. I’ve also come to appreciate a good IT support team.”
Montgomery also offers some wisdom in dealing with discrimination. “This is a male-dominated industry. Ninety-eight percent of my partner businesses are comprised of males under fifty. And to succeed, you have to know your stuff. But if you do, you gain immediate respect and gender isn’t an issue. Like any other area, your difference can be an advantage, but in the end it is all about skill. Being a minority might help get you a job, but being good at what you do will allow you to keep it.”
KnowBe4 looks for the best person for the job
Montgomery and Kelley both believe KnowBe4 provides an equitable environment. And CEO Stu Sjouwerman takes pride in that belief. “We look for the best person for the job and the best fit and put no restrictions on background. As a successful entrepreneur, I have taken the approach of looking for productive people, and I often find minorities or those of a diverse background work very hard to get ahead and make a real impact. They are persistent, and that’s a quality we admire at KnowBe4. It takes persistence to be successful and get a result.”
First Lt Joshua Day assesses cyber vulnerabilities for the U.S. Air Force
First lieutenant Joshua Day is a cyberspace operator with the U.S. Air Force 92nd Information Operations Squadron (IOS). He’s stationed at Joint Base San Antonio-Lackland (San Antonio, TX). Joint Base San Antonio combines the operations of the U.S. Army’s Fort Sam Houston with the USAF’s Lackland and Randolph Air Force Bases. Day performs vulnerability, compliance and penetration assessments.
“When we get a mission to look at a given system, first we do different scans to determine what’s vulnerable. The compliance part involves scanning networks for multiple things, like determining if a system’s password complexity is out of compliance. Finally, we determine if a system can be successfully infiltrated.”
Essential training builds a solid foundation
In 2011, Day graduated from the Illinois Institute of Technology (Chicago) with a BS in electrical engineering. He joined the 92nd IOS and took the three-month intermediate network warfare training (INWT) course at Hurlburt Field (Mary Esther, FL) in the fundamentals of cyberwarfare.
“The INWT at Hurlburt gave me the best possible fundamental background. The best thing about cybersecurity is it’s never stagnant. I’m learning something new every day. And every time I go out on the road, it’s a different mission.”
Day credits the U.S. Air Force with providing a level playing field. He feels being a minority has not factored into his career in any way.
Civilian Angelica Collazo advises the U.S. Air Force on cybersecurity
Angelica “Angie” Collazo is a senior analyst and technical advisor with the U.S. Air Force Civilian Service (Randolph AFB, TX), also for the 92nd IOS at Joint Base San Antonio-Lackland. A career civilian engineer for the USAF, Collazo has been in cyber operations for eighteen years.
“I advise our commander on the deployment of military, civilian and contractor personnel for cybersecurity operations. I’m also a key player in the establishment of a program at the Air Force level that enhances the capabilities of the defense industry to safeguard information that resides in its systems,” she explains.
Collazo earned a 1988 BSEE from the University of Texas-San Antonio. In 2004, she received her masters in computer resources and information management from Webster University (St Louis, MO). She also has several key certifications from the Defense Acquisition University (Fort Belvoir, VA) including a level 3 certification in systems planning, research development and engineering (2005), information technology (2009) and program management (2013). She holds many professional IT and IA certifications as well.
In 2012, Collazo received a Distinguished Civilian Service medal, the highest medal awarded to a civilian in the DoD, for her efforts in cyber operations. She’s also an adjunct professor in the business college of UT-San Antonio in the department of information systems and cybersecurity.
Exciting times at the forefront of technology
Collazo’s passion for learning is matched by her commitment to cyber defense and the U.S. Air Force. “I really enjoy being at the forefront of technology in operations. I can’t think of a better place to work than Air Force cyber. I’ve enjoyed starting at the ground level and watching this evolve into the discipline that it is today. Cyber defense is growing by leaps and bounds. This past month, I hired more people in one month than in the rest of my career combined. These are very exciting times.”
Collazo remembers facing challenges at the start of her career, even in academia. But she believes the Air Force is committed to equality. “Being a minority isn’t really in my thoughts today. However, I was hired more than twenty-five years ago. And that was a very different time, particularly for a Hispanic woman electrical engineer. But someone took me aside and told me to forget about my ethnicity and make sure I was always the best qualified for the job. Early in my career, I sometimes felt I did twice the work for half the credit. But once you get a little more mature, you realize it’s not about the credit. It’s about service.”
DHS’s Kevin Greene: on a mission to make software more secure
Department of Homeland Security software assurance program manager Kevin Greene looks to discover gaps in existing state-of-the-art software and works with different industries to improve software security.
“What’s important to my work is understanding different techniques used to improve software, the different vulnerabilities, and the different types of attacks that can be mounted against vulnerable software. In addition to technical depth, there’s no small amount of psychology involved in figuring out how people will attack.”
A fearless problem solver
Greene earned a BS in information systems and an MS in management information systems from the New Jersey Institute of Technology (Newark). Greene finds his role at DHS in software a perfect fit.
“I really like solving difficult problems. And software is a huge problem right now. I want to be the one who helped improve software integrity and closed the gap in software issues. I like tackling seemingly insurmountable problems.”
Greene believes math, computer science and critical thinking are all vital skills for his work. He also cites problem solving, innovation and entrepreneurship as critically important to ensure that his work “has application in the real world, particularly the commercial world.”
Paying attention to diversity
Greene recognizes DHS’s commitment to diversity. Veronica Venture, DHS deputy officer for civil rights and civil liberties and director for equal employment opportunity and diversity, agrees. “We have a diversity and inclusion plan, one that was signed off on by Secretary Napolitano herself in 2012. The plan crosses all components and applies all the way from the secretary to the most recent entry-level hire. We want to make sure everyone understands the value of diversity. And we hold everyone accountable to ensure that diversity is an integral part of everything we do because we need a diverse workforce.
“In the cyber arena, as we build our workforce, we want to ensure that we are paying attention to diversity. We include diversity of thought and everything else, to be as inclusive as possible. We must reflect and represent the community we serve, which is extremely diverse.”
DIVERSITY-MINDED ORGANIZATIONS SEEKING CYBER EXPERTS
See websites for more information.
|Company and location
|Air Force Research Lab
(Wright-Patterson AFB, OH)
|Scientific research for the United States Air Force Materiel Command
|Citigroup (New York, NY)
|Multinational financial services
|Comerica Bank (Dallas, TX)
|Department of Homeland Security
|Protection of the U.S. and its territories
|General Electric (Fairfield, CT)
|Solutions in energy, health and home,
transportation and finance
|Kaspersky Lab (Woburn, MA)
|KnowBe4 (Clearwater, FL)
|Security awareness training
|Leidos (Reston, VA)
|Science and technology solutions for national
security, health and engineering
|U.S. Air Force (Washington, DC)
|Ensures security of the U.S. in air, space and
|U.S. Air Force Civilian Service
(Randolph AFB, TX)
|Civilian support for the U.S. Air Force
Back to Top