Today’s interview is with Erin “SecBarbie” Jacobs. Arguably the “social butterfly” of the D-List, Erin can easily debate compliance issues, plan the night’s party schedule, and argue gender issues in the field with a perfect stranger, all while ensuring everyone is involved and having a good time. I hear she can also leap tall buildings in a single bound, but she can’t outrun trains like she used to.
Q: Tell us a little about yourself.
I often play a little Jekyll and Hyde on the internet. By day I am a CSO in financial services and have played this role for over 9 years in two different organizations, and by internet I am a security evangelist, Apple fangirl, and social butterfly. If you follow my tweets then you would also know that I have 2 dogs and 1 parrot, and I would have more, but with my hectic travel, they are enough!
Q: How did you get interested in information security?
Geek from birth, been programming since I was 7, and running social bulletin boards since I was 13. When I was in high school, a group of us used to make a game of defacing each other’s BBSs’ ANSI pages. Fast forward through college, corporate software development, consulting, and IT management, and I ended up back in information security through a friend of mine. I was always just excited that there is actually a career track for doing what I used to do for fun.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a Bachelor’s in Business Management with a minor in computer science, I have an alphabet soup of certs, and I have relied heavily on self-learning. I feel the only thing that truly adds value is hands-on experience. Too many people have advanced degrees, multiple certifications, etc., but can’t DO information security. They just don’t have the grasp of the actual functionality of security initiatives. The best lessons are often learned in failure, and academia cannot teach those. I find value in education, but taught by those who have actually attended a classroom called life.
Unfortunately, unless you have the schooling and certifications, you won’t make it past HR in most organizations!
Q: What did you want to be when you grew up? Would you rather be doing that?
I want to be a princess…. I think I am, but I really wish I had that snazzy castle with the moat around it, and a fire-breathing dragon would be nice too!
Yes, I would rather be doing that, but who wouldn’t? In the meantime, I have plenty of jesters on Twitter to keep me amused!
Q: What projects (if any) are you working on right now?
More Gender Panel talks, Compliance on Paper talks, some cute hacking project that involves gym equipment…. and a few other this and thats.
Q: Do you see the gender issue as being a barrier in the information security space? Why or why not?
Gender is a problem in the information security space. There are statistics showing that there are very few women-owned tech and high-tech firms, and corporations such as Apple (Executive Management) don’t have a single woman in their management team. I don’t believe that this is because the men are scaring all the women away; I’m sure there is still some gender friction at times, but this is a bigger issue! As a whole, we are losing young women before they enter the information security field. The gender panels are held to start to answer the question of what we can do. The panels are never about ‘men bashing’; they are about the cultivation of women in the information security space.
Q: You deal with compliance on a daily basis. Do you think we’re any closer to seeing “compliance” as something more than a check box or a risk avoidance technique?
Oh boy! I have to reference Avatar in this. Compliance is the human race, and nature is security. The humans have no connection to nature, and neither does compliance to security.
Just because we can check things off a list doesn’t bring us any closer to being less insecure. Perhaps if they no longer allow the loophole of “In Scope” and “Out of Scope”, the two concepts might make headway. I could go into a tirade on this, but to sum it up:
We need to wipe the slate clean and start measuring actual risks to organizations based upon their line of business against known threats, and making realistic compliance metrics based upon a solid framework.
Q: What is your favorite security conference (and why)?
Black Hat/DEF CON – Sometimes this can be a stressful week, but it’s like a family reunion each year! The networking is great, talks are generally a lot of fun and very energetic, and I have always left with a great deal of new knowledge and fewer brain cells.
Q: What do you like to do when you’re not “doing security”?
I feel like I’m always ‘doing’ security, but when I am unplugged, I’m an avid motorcyclist, musician, amateur photographer, and social butterfly!
Q: What area of information security would you say is your strongest?
Social Media Information Leakage, Compliance, Management, and Regulatory Audit.
Q: What about your weakest?
Cryptography; it is on my list of side projects to learn how to decrypt more effectively, but I always bow to those I know who are fantastic at the art of crypto!
Q: What advice can you give to people who want to get into the information security field?
NETWORK-NETWORK-NETWORK! The people you know are just as important as what you know! If you have a strong base of people with different expertise, you will have a vast resource of knowledge for when you need expert opinions! Also, never burn bridges in InfoSec, it’s entirely too small of a community!
Q: How can people get a hold of you (e.g. blog, Twitter, etc.)?