Last time I spoke with social engineering expert Jenny Radcliffe.
This time I got to talk with cyber security-minded client manager Tricia Howard. I learned more about social engineering from her, plus quite a bit about the importance of user education.
Kim Crawley: Tell me about yourself and what you do.
Tricia Howard: Hello Kim! I am a NYC-based Client Manager for Optiv. I work with customers in the city and New Jersey throughout the security lifecycle to create, maintain, and manage their security programs.
I graduated in theater, fell into technology by accident, and fell in love with security, both personal and business.
KC: What accident did you get into with technology?
TH: I was completely ready to get my MFA in lighting design … and was not chosen for the program at the time. I didn't have a backup plan, and I graduated without any idea what I was going to do, so I went looking for work and wasn't very lucky. I posted a status on Facebook about how hard it was to find a job, and one of my friends who worked for a technology company asked if I would be willing to go to Connecticut (I'm originally from Texas) to do this training program. I learned about the job on Tuesday, had an offer in my hand on Friday, and moved up there two weeks later.
KC: That is amazing. Not many people are so lucky. You have certainly proven your work ethic and skills. But how you got your foot in the door was incredibly lucky. Just like how I am able to write about cyber security for a living is also amazing luck. Our jobs are not easy to find.
TH: Oh yes! Luck and timing are big factors, just like networking and taking opportunities, you know?
KC: I believe that having a background in the humanities probably helps your approach to cyber security. Did you find that to be true?
TH: Very much. My entire job is communicating with people, solving problems, and being creative. All three of those actually summarize my degree. Being able to think, connect with people, and so on, it's all part of the game. Not to mention it's a nice icebreaker!
KC: Has sexism ever been a problem for you? Or people who underestimate you because you do not have a computer science degree?
TH: Certainly sexism issues, but not really with colleagues, thankfully. It is very unusual, and when it happens I just don't work with that person for long. I have been very lucky that way. More often than not, it's ageism that affects me instead of sexism. I have been told some terrible things, but I am a bit of a hothead and I tell them where they can go.
I'm actually underestimated because of my role. Because I am in sales, people assume that I just 'let the smart guys do the talking' and have it handled for me, and that's why I actually started blogging.
Sexism was no problem at all with Optiv. They don't tolerate that.
KC: That's good to hear.
TH: Yes, that is unusual for sure. It is so rampant in our industry that it is disgusting.
KC: Entering cyber security, what surprises you the most?
TH: How many people fell into it by accident. They worked in telecom or something, and when security started being taken seriously, they were recruited.
Also, how big the gap between IT and security is. Some of those teams don't even talk to each other. Add to this and so on, and it is even more incoherent.
KC: Are you involved in a lot of user education?
TH: Yes, usually on the personal side of things, but it is one of the biggest things I preach to customers. And in speaking engagements, on Twitter, etc.
KC: Are you trying to harden them against social engineering attacks?
TH: Absolutely. That is the most important use case for end-user awareness, in my opinion.
KC: Do you think people are often overconfident about their ability to detect phishing because they don't fall for the Nigerian Prince scam?
TH: Ha, yes. I think some people are, but it depends on the maturity of the organization. The truly mature organizations know how sophisticated phishing campaigns can be.
KC: Have you come across phishing campaigns that would fool people like us?
TH: I think everyone can be fooled if the attackers are advanced enough. My mother came across one that looked like an internal e-mail. Her company name had the letter 'w' in it, and the email address they used had two 'v's squeezed together instead of the 'w'. She saw it on her phone and didn't even think about it. I think the biggest concern with phishing, personally, is that it is just negligence. We are all busy; we make mistakes.
They had socially engineered it so that it was credible. She is in accounting, so they sent her an invoice with malware in it.
KC: Wow. Probably a file bound to an attachment or an embedded image. Yes, that is a common way to spoof email addresses and URLs. Do you think grassroots organizations spend enough money and time training their employees to prevent social engineering attacks?
TH: No, not at all. Many companies have some sort of "program", but it is once a year and it is perceived as annoying from the employee's point of view. It must be an ongoing program and not just a compliance activity. I think simulated phishing attacks are very useful, especially since there is an immediate "oh no, you failed!" aspect to them.
KC: What can we do to encourage more C-suite types to invest in cyber security education for users?
TH: I think action is always better than words. Perform an internal test (such as a simulated phishing attack) and bring the results to them, including estimates of what might have been lost if this had been a real attacker. Not even necessarily just in terms of revenue, but also intellectual property. We need to talk to the business people instead of just the technical teams, because that's what will resonate.
KC: Excellent. What have you been working on lately, Tricia?
TH: A lot of appsec. There is still a battle between security and innovation, so I have worked a lot to bring them together. And of course attack and pen testing, remote breach sims, tabletops, and so on. Ooh, and integration! There are so many tools out there; making sure the technology stack matches the business needs and is valuable rather than just shelf-ware.
KC: I learned a lot from you today. Do you have anything else you would like to add before we leave?
TH: Thanks! This was fun! The last thing is just collaboration. Internally and with third parties, we are all safer with knowledge sharing. Security turns into an impulse, so being as proactive as possible is the long-term goal. Thank you so much for chatting with me!
Publisher's note: The opinions expressed in this guest author article are solely those of the author and do not necessarily reflect those of Tripwire, Inc.