Continuing our series featuring women in technology at Imperva, I caught up with Candice Carter, a security engineer who in her spare time writes and talks about cybersecurity. She has completed one master’s degree in cybersecurity intelligence and forensics, and is working on a second graduate degree in cybersecurity unmanned aircraft systems (UAS).
Tell us how you got into cybersecurity.
CC: It’s quite the story. When I was working on my undergraduate degree in political science, I didn’t own a computer and only used the computer lab to type papers.
My first job out of college was working as an analyst for Guilford County Audit Department in North Carolina. As the department moved their operations from paper to computer, my career shifted to roles in different computer help desks. This was around the time the modem was introduced, computers had 4Mb of memory, and the biggest security worry was your AOL password.
My career evolved from different help desk opportunities to becoming a network administrator. To be honest, I “liked” my career, but it was not something I was passionate about.
I was working at Bank One/Chase in application development when 9/11 occurred. After that, laws began to change to allow for data mining and regulated the banking industry. For example, the Sarbanes–Oxley Act of 2002, the USA Patriot Act and the landmark California S.B. 1386 mandates that consumers must be alerted when their personal data has been breached.
My director Mike Zbranak, now current CIO of Chase Consumer and Community Banking, had an open-door policy. I was able to pitch him the idea of dealing with the new and established regulations. He embraced the idea and said with my confidence he believed I would be successful. Mr. Zbranak not only supported the idea, he gave me other opportunities in various areas of information security. This included managing the security of a project that consisted of a multiplatform infrastructure configuration and migrating the second largest credit card portfolio totaling over $72 billion.
Long story short, the project exposed me to a number of once-in-a-lifetime security situations. After the three-year project ended, I knew this was the career for me. I was hooked!
I went on to earn master’s degrees in cybersecurity forensics and cybersecurity intelligence. In addition to working at Imperva, I teach forensics at Wilmington University. I am also part of a team that conducts research and gives high-level presentations on counter-terrorism and counter-intelligence that are combined with beta technologies.
What do you love about your job?
CC: I love the cybersecurity industry for several reasons. The people are all unique, and each has a special skill. The skill might not necessarily be considered “technical” but more of an intuition or a sixth sense. The forensics side of the industry is very exciting and rewarding. It is different every time, researching different industries and identifying vulnerabilities. Every day is always a different day, and there’s never a dull moment.
What do you find to be the most challenging aspect of your job?
CC: The challenge for me is the lull between events. I have learned the best way to combat that is to stay involved in research. Watching trends of Asia and Europe is key in predicting what we will be experiencing on this side of the globe.
Who was one of your biggest mentors and why?
CC: One of my biggest mentors is Randall Nichols. His background is extensive, from starting cybersecurity programs across several universities, authoring leading books in the industry and being a cybersecurity advisor. He is not one of the founding fathers of cryptography, but he is the closest living person to those legends you can get to. Prof. Nichols has brought my cybersecurity game to the next level and continues to challenge me. Currently I am working with him at Kansas State University in a new program for cybersecurity unmanned aircraft systems. It is an exciting experience at the next frontier of technology.
Another person I follow closely in the industry is Iftach Ian Amit. He is straight and to the point, no nonsense – I respect that. Ian has the ability to think outside the box on several levels. He gets it, that the industry is not just electronic. It is physical and social. I love his theme of bringing sexy back to security! If more industry leaders adopted Ian’s philosophy of red teaming, they would be able to separate the people who do security for a paycheck versus people who are passionate about making a difference. In a red teaming exercise, an organization can see how all aspects of its security can withstand an attack from a real-life adversary, thereby helping tighten controls and being better prepared. I do my best to push this message when I give a cybersecurity talk.
How has the cybersecurity industry changed over the course of your career?
CC: The industry has changed dramatically. In the beginning, information security focused on passwords that are changed every 90 days, escorting 3490 tapes, pentesting, application scans, virus software and firewall. The industry went through a transformation after 9/11 and was renamed cybersecurity. The industry and public eye were opened to a whole new world of espionage, intelligence gathering, spoofing and sock puppets.
People began to realize that they had a blind trust when dealing with whomever they were talking or doing business with. As companies became less loyal to employing a person for a lifetime, employees turned on them to survive. It wasn’t about stealing pencils to use as school supplies. It was about selling the information or idea the employee possessed to a competitor or nation state.
Changing the mindset of the public was not easy. However, over time everyone knew a friend or family member who had fallen victim to having their information stolen or experienced a security event themselves.
As technology has evolved, security has matched its progress to keep up. This marked another shift in the mindset. In the past, the information security department never contributed anything to the bottom line of an organization. Therefore, funding to expand security coverage of company information and assets was minimal. After several security events, senior management realized they would rather spend the money than end up on the front page of The Wall Street Journal. In many instances, a company could have spent X amount of money and kept their information safe from an 18-year-old hacker. Preserving brand reputation is often priceless, and we still see some companies realizing the importance of cybersecurity today.
What advice would you give to someone entering the cybersecurity field today?
CC: People do ask me how they can get started. Normally the conversation starts with, “What certifications can I get, what do you have?” I agree with Ian Amit who said certifications do not define you, your qualifications or your expertise. They mean nothing.
I recommend you read, learn and practice. The key is to pick an area of cybersecurity that interests you and go all out. Become a researcher, speaker, a trusted advisor on that area. Some people get into cybersecurity because they feel it is a hot area right now. They go and take a test, get letters by their name and claim to be an expert. Even the best cybersecurity person with several war stories is not an expert. A trait of an excellent cybersecurity person is being an asymmetrical thinker. This person can see outside the box, think creatively and exploit their adversary’s vulnerabilities.
What do you do in your spare time?
CC: When people ask what my hobbies are, I respond with different security activities. Then I get asked again, “No, really, what are your hobbies?” It made me realize that cybersecurity is not just my job; it is my passion. That’s why I think it’s one of the best jobs in the world!