Security Expert Interview Series: Heather Hall
We are happy to have had the opportunity to interview Heather Hall. Heather is an Information Security Leader and in her current role, she designs and delivers security services solutions leveraging Threat Management portfolio, consisting of Application Security, Attack and Penetration, Enterprise Incident Management, and Vulnerability Management and Remediation. Heather has a tenacity for fixing issues that need to be remediated and perseverance to mitigate difficult threats.
1. Firstly, thank you for taking part in this campaign, Heather. Can you tell us about your professional background and areas of interest?
At the heart of my passion for cybersecurity is my eagerness to help people grow their knowledge of security; that passion started when I was offered to take a last-minute CISSP Bootcamp. After achieving the CISSP certification, I took on a role as an information assurance manager for the Nevada National Guard.
Shortly after, I was selected to attend a Department of Defense Cyber Protection Warrant Officer course and was among the 100 graduates and the first female National Guard member to complete the course. After challenging and passing seven SANS certifications, I was hooked. My training landed me a role as the Nevada National Guard’s first computer network defense team chief, leading and developing an eight-person team.
Cyber years should equal three normal years, as the stress of the work can put a toll on mental health and personal relationships. To combat the oh-so-real cyber burnout, I started Gloria’s Pottery Barn and created functional ware during my off-time. I found nothing comparable to the mind-clearing abilities of molding clay.
2. How difficult was it for you to break into IT security industry and develop yourself?
Cyber chose me, but I did have to give up a career in public service to develop and hone the skills. Networking is how I was able to see a career outside of public service. Tony Rucci offered me my first true cyber role, and I am forever grateful. My role as the director of operations for an SMB cyber company was short. Since then, I have helped secure the physical and logical environments for the current largest privately owned company in the U.S., a nationwide casino, a private wealthy family, and a nationwide insurance company.
Each role offered different obstacles and learning opportunities that grew my cyber chops and soft skills.
3. In your current role you design and deliver security services solutions leveraging threat management portfolio. What are the most common threat management challenges today?
Not to get too philosophical, but I think the greatest threat we face is ourselves. Cybersecurity isn’t a new term, but people and businesses are still making rooky mistakes; not changing default settings or setting short-simple passwords.
People are inconvenienced by and lack knowledge about security, and it shows in breach reports and assessments that are conducted daily.
4. What are the best practices for effective threat management to succeed and grow rapidly?
In my opinion, get back to the basics and get a strong cyber partner to guide the journey. The CIS Top 10 has a wealth of knowledge on how to harden a business. It is a free resource and businesses should use and apply the guidance.
Additionally, the enterprise border no longer exists. Employees have left the confines of their workspace and moved into their homes, libraries, and coffee shops. Each device needs to be configured in such a manner that defenses do not rely on corporate firewalls, data loss prevention, and physical locks.
5. What are some new threats you have recently noticed cyber criminals pose?
Criminals haven’t changed – they still must get inside the preverbal bank to steal the money. Today, that bank is in our back pocket, purse, or backpack and we, the user, are letting them in. The ploys, phishing emails and fake websites, are getting more sophisticated. The fake PayPal notice, student job site, and online shopping scams are what is hot this week.
Once someone activates the links in these scams, the threat actor could have access to your PayPal account, SSN, and family information.
6. You have over 26 years of proven experience as an IT Security Leader. What advice would you give an IT generalist who is thinking of pursuing a career in information security?
I’m working on the research for this talk, “Networking to break into Cyber”. I have had six security roles since 2014. Each role was due to meeting the right person who wanted me on their team. I wasn’t shy about voicing my strengths and weaknesses. I shared how I am a sponge and am open to growing and learning while improving the security of the business and those we support.
Learn about security any way you can and let your friends and colleagues know that you are interested in breaking into the business.
7. How do you stay up to date with industry news and updates regarding information security and technology? Feel free to share your top 5 sources with us.
Identity Theft Resource Center is a great place to learn about what is happening in the wild right now.
SANS Internet Storm Center is led by volunteers that are the best in the biz.
Optiv, which is the cyber advisory and solutions leader, has a wealth of information on cyber trends and tactics. Since joining Optiv, I have been granted access to hunting reports, trends, and malicious activity at my fingertips. Prior to Optiv, I used the two referenced centres on a regular basis.