1. What was your journey and/or catalyst that led you to cybersecurity? Why did you decide to be in this field? Tell students why you chose this career
What is my cyber-superhero origin story?
After completing my bachelor’s degree in Criminal Justice, I started my career in retail and hospitality management. (I know... criminal justice and hospitality management have nothing in common).
I worked as a store manager for a coffee company and as a hotel manager. I then worked for a software company that made software for hotels where I was a Customer Care Manager and led high-profile customer relationships and escalated support teams. This is when I became more interested in tech and actually wanted to work in tech.
From there I moved over to Best Western Hotels & Resorts, where I worked as an IT Business Analyst. I supported the interface that connected all of our individual hotels to the corporate office. I also helped hotels with connectivity issues and discrepancies between their local property management systems and HQ. If you booked a reservation with Best Western, your reservation went through the interface/connection that my team supported.
I got to work with our corporate help desk and IT Operations. I learned about ITSM (ITIL), computer networking, and enterprise-level network operations. I learned about software development and what all goes into “making the sausage.” I also learned about PCI and all of the security requirements that support PCI-DSS.
At that point, I was 10+ years post-university, and I had a good job that I should have been happy with. I was doing good work for a company that I supported and believed in. But I was unsatisfied with my career and career outlook. Put another way, I still had no idea what I wanted to do when I grew up. I just knew that it wasn’t what I was currently doing.
I was taught “the ways” of Servant Leadership early on in my career, and one of my early leaders told me, “It is never a waste of time to invest in another human being.” From that point on, I knew I needed to do something where I could train, coach, and mentor others. I just didn’t know what specifically I wanted to do.
I had studied psychology a bit in college, and I had always been interested in human behavior. So my first thought was Human Resources, but I also studied Criminal Justice, and many times growing up I dreamed of leading special forces teams and/or doing investigations and detective work.
While doing career research for jobs in tech that I might be interested in, I came across Information Security. I had never heard of Information Security before, let alone the possible career opportunities.
I quickly realized that Information Security seemed to check all my boxes. This is an area of “the tech world” where I can do good in the world to help keep people safe. I could respond to incidents, do investigations, build “safer” stuff, and I could even maybe break into companies’ facilities and/or networks just to see if it could be done and it would be legal. That all just sounded like the coolest thing I had ever heard of!
So I started to work with our corporate Information Security team where I could, and I set out to learn everything I could about information security.
I learned basic programming stuff online, as well as A+, Net+, and Security+. I also did the SANS Cyber Aces (https://www.cyberaces.org/) free courses, and I learned about Social Engineering and the "human" side of security. Once I earned my Security+ certification, I was able to get a job on our Information Security team as an Information Security Analyst.
After a year or so as a “general” security analyst, I decided that I wanted to focus my career on helping builders build more secure stuff. Specifically, I want to help software developers build more secure applications, and I want to help cloud engineers & architects build more secure cloud-native systems.
At that point, I started learning everything I could about AWS, cloud, and application security... and I haven’t looked back.
2. Please share professional experiences/skills outside of the classroom that shows your expertise in the subject you teach. Why are you uniquely qualified to teach for SANS?
I have been working as a Cloud and Application Security Analyst/Engineer for about three years, almost completely in AWS and other SaaS applications. During this time, I also created governance, risk management, and audit/compliance programs. Prior to that, I worked as an Information Security Analyst for a top hotel brand. I’ve studied and worked in almost every domain of information security.
In addition, over the last 10 years, I’ve worked side-by-side with software developers, network and system engineers, IT Operations, and support. And I’ve also worked with business operations, sales and marketing, finance, and leadership. Throughout my career, I’ve been working to really understand the perspectives of all these different business units and to understand how they all need to work together to achieve common goals, the common goal being the overall success of the organization.
I understand that “Security” needs to be an enabler for “business”, not a roadblock. I coach people to look for more secure ways of doing things, versus telling people “no”.
With Cloud Security, in general, but specifically with DevSecOps, culture and collaboration must be a part of the program in order to achieve success. I understand the different perspectives and goals for each of these groups and what is important to each of them to succeed. I bring that perspective to my teaching.
3. What has been the highlight of your career so far? Speak about an experience(s) that validated you chose the right career (success in cracking a case, former student success you were part of as an instructor, etc.)
This is it…. the opportunity to teach for SANS is the highlight of my career so far. The ability to make an impact in Cloud and Application Security on a global scale. It’s kind of a big deal. :-) That said, I believe that I am still in the early stages of my career, and there’s a lot that I want to do.
4. What made you decide to become a SANS instructor? When? Tell your students why you chose SANS.
I don’t think there was one thing that made me decide to become a SANS instructor. Once I had identified Security was where I wanted to focus my career, I think it was always the “thing” that I would aspire to be. Regardless of whatever career path I chose, I always kind of had the idea of being a SANS instructor. It was this time last year at SANS San Diego 2020, where I facilitated for the first time for Frank Kim and MGT512: Security Leadership Essentials. I got a behind-the-scenes look working and speaking with the instructors, the meeting coordinator, other facilitators, and all the students. And, I got to experience how all that works together to “make it happen” to be a great experience for everyone. That’s when I knew it was something I wanted to be a part of.
Then I took SEC540: Cloud Security and DevOps Automation last May, virtually with Eric Johnson. And that’s when I knew what I wanted to be an expert in for my career, and in turn what I wanted to teach.
Why SANS? I want to strive to be a great leader and excel in the security field. I want to work with some of the best folks in the field who share a similar passion for security training and education. And, I have a deep desire to help others succeed. SANS offers all of these things that are important to me. If I were playing baseball, teaching for SANS would be the “Big Leagues.”
5. As an instructor, what is your teaching philosophy? Tell students what defines you as an instructor. What makes you unique to teach this class?
I am a Servant Leader. As a Servant Leader, my primary responsibility is the success of my team. My primary mission is to help others achieve their greatest potential in whatever that is.
I like to take a coaching/mentoring approach to my teaching where I share all the knowledge, skills, and experiences that I have gained; and then act as a guide for the student, supporting them on their learning journey. I believe this approach lends itself to better critical thinking and creativity since there is often more than one way to do something and everyone brings a different and unique perspective to a given problem or topic area. In addition, students are empowered to own their experiences and success.
Security needs to be “baked-in”, not “bolted-on”, and I always try to instill “secure-by-design” values into my teachings.
6. Why do you enjoy teaching this topic? Tell students what makes you the best teacher in this subject.
There are two main reasons why I enjoy teaching Cloud Security and DevSecOps.
- The DevOps culture
- The speed and possibilities of the cloud
Cloud Security and DevSecOps is the intersection of all the best parts of working in tech, and the possibilities to create are limitless. My passion for all the subjects is contagious.
I want to help and inspire others to create amazing and secure things; whatever those things are.
7. In your opinion, what are the biggest challenges your students might face when learning about this topic and how do you as an expert address those challenges in a way that helps students in their day-to-day careers?
It’s interesting that the two things I enjoy most about teaching these topics are the same things that I think will be the most challenging for folks. In my opinion, I think the two biggest challenges students might face when learning Cloud Security and DevSecOps are: 1) the culture, and 2) the DevOps tools-of-the-trade.
The reason I believe these will be the big challenges is because they’re counter-culture for security folks. As security professionals, we think we know what’s best for being the most secure, so as a result, we naturally want to control everything.
And now we’re being told that we have to work with other non-security groups to help them “be more secure” in what they do. And if we do that, we’ll actually get a lot more done, a lot faster, and also reduce our overall risk to the organization? That is fantastic! It’s just backwards to the way a lot of security folks approach security.
How do I address these challenges?
If we embrace the DevSecOps culture and focus on continuous improvement, we will be successful in The Cloud. This is something we can implement on Day 1, with no technical skills or approvals required. Everything else can be developed and built-up over time.
For Culture:
- Breaking the mindset of “NO.” Security can’t continue to be the “big brother” or “department of no” if we want to be successful in The Cloud. Security will be left behind if we don’t start finding ways to help and support business innovations and evolutions that have security built-in.
- There are a lot of studies and psychology behind the benefits of making little, incremental improvements every day, versus trying to make big changes all at once. You end up making greater improvements overall when you focus on getting a little better each day.
Regarding DevOps Tools:
- Building on the first challenge, security professionals need to work side-by-side with developers and operations folks. We need to understand the tools and workflows that our partners are using and understand how we can maximize those tools and environments for baking security into everything we do.
- This means that we need to learn the tools-of-the-trade, which in this space are the DevOps tools.
- Learning how to use the various CI/CD tools for automating all the “security stuff” can be challenging because there are a lot of tools, and that’s in addition to all the security tools we’re also using. While they are different from what many security folks are used to using, we need to remember that it’s just a new set of technical skills we get to learn. Then take time to learn, practice, and strengthen them over time like anything else. Patience and persistence also help here. Remember, continuous learning and continuous improvement. Always working towards getting better.
8. In addition to being a SANS instructor and working in the field, I also work in the professional community as:
- SANS/GIAC Advisory Board Member
- Blogs and webcast provider for SANS
- Instructor for a Cybersecurity Bootcamp
10. What are your interests or hobbies? Tell students what interests you, inside or outside the industry.
- Social Engineering, human behavior, performance psychology, and social psychology
- Dog lover and all around animal lover
- I enjoy hiking and most outdoor activities
11. Book Recommendations
Pour Your Heart Into It, By: Howard Schultz
Start With Why, By: Simon Sinek
Wait, What?, By: James E. Ryan
Breaking and Entering, By: Jeremy N. Smith
The Phoenix Project, By: Gene Kim, Kevin Behr, George Spafford