I am Cassie, also known as Cassie Cage (@akolsuoicuaqol on Twitter and Instagram). My first blog post is dedicated to you, the reader. I would like to tell you a little about myself, what I do, and my journey into information security.
I currently work in Governance, Risk and Compliance. I work with various teams within the organization (e.g. IT Risk, Infrastructure, Third-Party Risk Management, etc.) to identify and treat risk, act as a Subject Matter Expert (SME) and ensure compliance with a plethora of regulations. My day-to-day responsibilities include performing third-party vendor risk assessments, vulnerability management, and regulatory and audit reporting. It's not as sexy as offensive security (i.e. red teaming or penetration testing), but it does play an important role in the development and continuous improvement of an effective information security program that is supported by executive management.
Third-party Vendor Risk Assessments (RA): It takes approximately 12-16 hours to perform a third-party vendor RA. Organizations typically require their third-party vendors to complete a questionnaire and provide documentation (e.g. policies, standards, SOC2 Type 2 reports, etc.) as part of the assessment. Vendor responses are documented and issues are identified accordingly. There are a few things that I take into consideration when assessing the adequacy of a vendor's security controls:
- The criticality of the service being provided;
- The data classification of the data being accessed, transmitted, processed, or stored; and
- Whether the data will be hosted by the organization or the third-party vendor.
Vulnerability Management: Organizations perform periodic vulnerability scans as part of their vulnerability management program. Vulnerability scans include servers, workstations, databases, and other network devices. Devices with vulnerability scores that exceed a pre-defined threshold present risk. Risk treatment includes both mitigation (e.g. patches, updates, decommissioning) and risk acceptance from the risk owner. My job is to identify risks (devices exceeding the pre-defined threshold) and facilitate treatment (patches or updates) by reporting them to risk owners. Vulnerability management also includes the continuous monitoring and reporting of risk to senior management.
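To make the threshold-and-treatment workflow above concrete, here is an added example (my illustration, not the author's own tooling or any scanner's output format). It assumes a CVSS base score threshold of 7.0 as the policy value, uses a constructed list of scan findings, treats a finding as "accepted" only while the risk owner's acceptance has not expired, and groups everything still needing treatment by risk owner so it can be reported out, with a summary of counts for the senior-management view.

```python
"""Triage of vulnerability-scan findings against a pre-defined risk threshold.

Added example; not the author's tooling. The threshold value and the
findings below are assumptions / constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy value: a CVSS base score at or above this is treated as a risk.
RISK_THRESHOLD = 7.0


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    risk_owner: str
    accepted_until: Optional[date] = None  # set when the risk owner formally accepted the risk


# Constructed sample scan output (hypothetical hosts, owners and findings).
SAMPLE_FINDINGS = [
    Finding("db-01", "Unsupported database version", 9.8, "dba-team"),
    Finding("web-01", "TLS 1.0 enabled", 5.3, "web-team"),
    Finding("web-02", "Outdated OpenSSL", 7.5, "web-team", accepted_until=date(2024, 12, 31)),
    Finding("ws-117", "Missing OS patches", 8.1, "desktop-team"),
    Finding("legacy-app", "EOL application server", 7.2, "app-team", accepted_until=date(2023, 6, 30)),
]


def classify(finding: Finding, today: date, threshold: float = RISK_THRESHOLD) -> str:
    """Return one of: below_threshold, open, accepted, acceptance_expired."""
    if finding.cvss < threshold:
        return "below_threshold"
    if finding.accepted_until is None:
        return "open"  # exceeds threshold and nobody has accepted it: needs treatment
    # A risk acceptance is only valid until its review date; after that it is a risk again.
    return "accepted" if finding.accepted_until >= today else "acceptance_expired"


def triage(findings, today: date, threshold: float = RISK_THRESHOLD) -> dict:
    """Group findings that need treatment (open or expired acceptance) by risk owner."""
    by_owner = defaultdict(list)
    for f in findings:
        status = classify(f, today, threshold)
        if status in ("open", "acceptance_expired"):
            by_owner[f.risk_owner].append((f.host, f.title, f.cvss, status))
    # Highest scores first within each owner's list so the report leads with the worst item.
    return {owner: sorted(items, key=lambda i: -i[2]) for owner, items in by_owner.items()}


def summary(findings, today: date, threshold: float = RISK_THRESHOLD) -> dict:
    """Counts per status, the figure that goes into the senior-management report."""
    counts = {"below_threshold": 0, "open": 0, "accepted": 0, "acceptance_expired": 0}
    for f in findings:
        counts[classify(f, today, threshold)] += 1
    return counts


if __name__ == "__main__":
    as_of = date(2024, 3, 1)  # constructed reporting date
    for owner, items in triage(SAMPLE_FINDINGS, as_of).items():
        print(f"Risk owner: {owner}")
        for host, title, cvss, status in items:
            print(f"  {host:<12} {cvss:>4}  {status:<19} {title}")
    print("Summary:", summary(SAMPLE_FINDINGS, as_of))
```

The split between "open" and "acceptance_expired" matters in practice: an expired acceptance is not a new vulnerability, but it does need to go back to the risk owner for a fresh decision rather than silently staying off the report.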
Regulatory and Audit Reporting: Information Security is the interface between auditors and regulators. As such, one of my responsibilities includes gathering evidence or "items" for audit and regulatory review. I actually wrote my first regulatory report last year. It was intimidating to say the least, but there were some valuable lessons learned:
1) Develop objectives: This is SO important; I cannot even begin to emphasize how crucial it is to create SMART (Specific, Measurable, Achievable, Realistic, and Timely) objectives. If it's your first rodeo, you should plan ahead. Not days, not weeks, I am talking about months ahead. Budget your time wisely; you will thank yourself later.
2) Develop a methodology: It is also important to be able to explain to auditors and regulators what you did, how you did it, and why you did it. Document everything. Documentation will save you so much time and you will avoid numerous headaches, trust me. If you are going to be sampling, you need to be prepared to explain what security controls were tested, how they were tested, and provide sampling methods.
3) Do not be afraid to ask questions, ever. You need to understand what you are doing and why you are doing it. Unsure of what is being asked of you? Ask for clarification. Unsure about a requirement? Ask your colleague or manager for guidance. Do not blindly agree to perform tasks, especially if you are uncomfortable or unsure of what you are being asked to perform. You will waste your time and will most likely be asked to perform the task again.
My journey into information security started after my sophomore year of college. I dropped out of high school, graduated "adult high school" with a diploma, then attended community college for criminal justice. I took most of my prerequisite classes, had a baby, and graduated with an Associate's degree. I transferred to a for-profit college (DO NOT recommend/endorse) and started the Database Administration program. I learned about programming, networking, website development, and of course databases. Databases do what you tell them to do, which is cool and all, but I wanted more of a challenge.
My courses were a hybrid of online and on-campus, so I had a few colleagues that were in a lot of my classes. One day, my classmate introduced me to an operating system as we were bored in class. I asked him what he was doing and he said he was going to set up a fake Wi-Fi Access Point for our classmates to connect to. I was intrigued. After a few minutes, we had our first victim and I yearned to learn much more about the wizardry that I had just witnessed.
I switched my major to Information Security Assurance and to my disappointment, the program only offered four information security courses. A couple of months before I graduated, I started applying for entry-level IT positions. A month before graduation, I landed a help desk position with a small company that offers hosted desktop solutions. I was so excited yet nervous to embark upon this adventure.
I am going to keep it real. Really real. Help desk sucks. It really sucks. But it's where I learned troubleshooting and networking fundamentals that are crucial for any information security practitioner to know. I also learned a lot about customer service. I have been yelled at, cursed at, hung up on and belittled countless times. The key is to keep your composure. Don't take it personally. You have a job. Isn't it frustrating when you can't get your job done? Right, so just put yourself in the other person's position and empathize.
The first two months I was working in the trenches as a help desk technician, I studied for two certifications. I felt that taking the CompTIA Security+ and ISC2 Systems Security Certified Practitioner (SSCP) certification exams would provide the most value and they certainly did. Although there was no formal established security team, I was given the opportunity to learn and train with the security professionals at the company. I learned basic security skills including how to identify anomalous network traffic and analyze e-mail headers for spoofing indicators.
In the meantime, I also decided to pursue a Master's degree in Information Security and Assurance. This is where I believe I got the biggest bang for my buck. I took classes on e-business security, network security, business continuity, incident response, data privacy and security, and physical and operational security. I use a tremendous amount of what I learned in these classes on a daily basis including: third-party vendor risk assessments, threat risk assessments, and vulnerability reporting.
I spent about nine months in the help desk position before I became bored. The work was monotonous, boring, and unfulfilling. I had had enough of resetting passwords, provisioning access, and resetting printer spools. I was told there was no room for advancement. I had to attain the Cisco Certified Network Associate (CCNA) certification although there were employees already working in networking that had not even taken the exam. I began studying.
After a year, I started going on-site to troubleshoot networking issues with various networking devices including switches, routers, wireless access points (WAPs), and local area networks (LANs). I received my raise and to my bewilderment, it was a measly extra $1,200 a year. I felt unappreciated and inadequate. I worked so hard, yet had no opportunity to grow. I decided to look elsewhere for a job.
A couple of months later, I got an interview for an IT Specialist position that I found online with a small healthcare company that provides a variety of services. I would be the IT Director's protege, but I would also be responsible for information security initiatives. The caveat was there was no information security program. There were no information security policies. There was no asset management. Vulnerability management was non-existent. It was bad. It was a hot freaking mess and I was literally given the keys to the castle. I was overwhelmed but determined to get this company on the right track.
The struggle to develop and successfully implement a security program without senior management's support is too real. If information security and operations could get married, lack of senior management support would be one of the many reasons for divorce. If C-level executives are leaving their offices with their computers unlocked, employees will follow suit. I have seen it happen and it is certainly disappointing to say the least. Developing policies can be challenging. Enforcing policies in an organization with no security culture or awareness is wizardry that, I imagine, would require the patience of a saint and/or rendering the services of a therapist (probably both).
Imagine giving those same C-level executives Domain Admin rights. The ones that require security training that they don't attend. The ones that click on links in phishing emails. Oh yes, this can all be yours if you decide to work with a company that leads from the bottom-up. I DO NOT recommend. However, I did learn a lot about Active Directory, how to develop policies, performing risk assessments using industry standards (e.g. NIST and ISO), network administration, and conducting security awareness training.
I created a security strategy. I had spoken with vendors and demoed dozens of products and tools. I had performed a cost-benefit analysis. I even started conducting a business impact analysis to no avail. I did attend my first information security conference though.
Last year, I began engaging with members of the information security community both online and at local meetups and conferences. I lurked, but you know, that imposter syndrome will get you. I was really inspired by members of the information security community and all their accomplishments. I began studying for the Certified Information Systems Security Professional (CISSP) exam after completing my Master's degree.
After passing the certification exam, I began job searching again. At this point in my career, I just wanted to work for an organization with an existing information security program. Unfortunately, I also had no real opportunity for growth.
I always wanted to go to Def Con, but it wasn't financially feasible for me at the time, so I asked my boss if the company would pay for the conference ticket and travel/lodging expenses. The company agreed, but I was required to stay with the company for a year. I had no intention of staying, but I had already paid for the flight and hotel so I was going. I also wanted to meet this really awesome guy that I had been talking to for quite some time on Twitter :D
Ultimately, I went to Def Con. Big shout out to Women In Security and Privacy (WISP) who awarded me a scholarship, which included a Def Con badge and a $500 stipend! I also had the opportunity to attend BSides Las Vegas. Everyone's experiences are different, but I personally had a lot of good experiences with great people.
A few months later, I was contacted by a recruiter on LinkedIn for a position with an international bank with headquarters in New York City. I was thrilled! I thought a lot about the job requirements, the culture within the organization, and the opportunities for growth and decided to accept the job offer. I started my current position in September 2019.
I know this was lengthy, but I hope I was able to give you a glimpse into the adventures and experiences that brought me here. I wouldn't be here without so many of you and your encouragement and support. I hope I can give back to the community what so many have selflessly given to me.
If you enjoyed this blog, please buy me a coffee. https://www.buymeacoffee.com/cassiecage