Cyber Security Issues

Interview with Michael Meikle: Challenges of Working in Cyber Security

Michael Meikle has witnessed the profound transformations within the Information Technology (IT) sector during his extensive two-decade tenure. The landscape that initially revolved around combating viruses and fortifying passwords in the 1990s has since undergone a substantial shift towards safeguarding data in our wireless, mobile-device-dominated world. Holding the pivotal roles of Chief Operating Officer and partner at the cybersecurity consultancy firm secureHIM, Meikle enjoys an unobstructed view of the ever-shifting terrain of data protection and risk evaluation within the IT domain.

Michael Meikle pursued coursework at Virginia Commonwealth University before embarking on a journey with a startup, where he gained invaluable hands-on experience. He furthered his education by earning a Master’s certificate in International Business Management and subsequently pursued multiple certifications, including the coveted Project Management Professional (PMP) and the esteemed Certified Information Systems Security Professional (CISSP).

Thanks to his profound expertise in the field, Meikle has been called upon to share his insights in articles addressing topics ranging from security breaches to effective business strategies. His contributions have graced esteemed publications such as the Los Angeles Times, the Chicago Tribune, and PC World Magazine. Additionally, Meikle is a sought-after national speaker on technology and cybersecurity, regularly delivering talks at diverse industry events, including those hosted by the Medical Society of Northern Virginia (MSNVA), the Intel/McAfee FOCUS Conference, and Secure360.

Meikle emphasizes that many of his early positions played an instrumental role in shaping his current career trajectory. He points to pivotal roles such as a system and network administrator at an engineering startup, a project manager within the US Department of Health, and a security architect at Capital One as vital stepping stones in his professional journey.

A significant milestone in his career was achieved when he received the prestigious Governor’s Technology Award from the Virginia Department of Social Services. This recognition was bestowed upon him for his exceptional contribution to the implementation of the Division of Licensing Programs Help and Information Network (DOLPHIN) System. Notably, this marked his inaugural software product implementation intended for statewide use, marking a momentous achievement in his professional portfolio.

Our interview with Michael Meikle explores the challenges currently facing the field of cyber security and the importance of continuing education in order to stay current and informed in the IT industry.

Tell us more about your background and education. What led you to work in IT and cyber security?

I have always had an affinity for computers and technology, so when I joined an engineering startup in college, I naturally fell into a system/network admin role. From there, I leveraged my experience and gradually shifted my career toward software development project management. After completing some large enterprise projects, I saw that information security was becoming more crucial and so I sought out more opportunities that would take my career toward the cyber security discipline.

Please describe cyber security and what your company does for someone who may not be familiar with the field.

To boil it down to its most basic essence, cyber security is the protection of data. All the processes, technologies, and people involved are all concerned with confidentiality, integrity and availability of that data.

Our company, secureHIM, is a security consulting and education company. We provide cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. To facilitate these services, secureHIM has partnered with the Information Institute and its founder Dr. Gurpreet Dhillion. This partnership provides an accredited information and security framework for these programs.

Our consulting programs include security program evaluation, HIPAA & HITECH security assessments, strategic social media programs, and IT security planning services.

What is the most exciting thing about the work you do? Or the most rewarding?

Developing and delivering security training programs for companies are two areas that are the most exciting for me. I really enjoy interacting with folks and providing some great material that can be interesting, helpful, and contribute a great deal to the security of their company.

The other area that is most exciting for me is incident response. While stressful, there is a thrill of tracking down the origins of a phishing attempt or successful malware infection and then crafting the appropriate solution to protect against such an incursion in the future.

Can you tell us about your different roles in the IT industry (security consultant, risk consultant, author, trainer, voice in social media)?

I’ve held quite a few different roles in the IT & Security Industry. I’ll list a few of these below:

Security Consultant – I have provided security consulting services for around 15 years across multiple industries (Financial, Healthcare, Government, etc.). Projects I have led include Data Loss Prevention (DLP), endpoint encryption, intrusion detection/prevention, risk assessments, and data breach response.

Risk Consultant – As part of my security consulting practice, I have provided a wide assortment of risk consulting services, primarily in risk assessments. These assessments include HIPAA, HITECH, application security, and enterprise security environment.

Author – I have a significant body of published work across various publications, including a recent article about the Affordable Care Act in Social Work Today.

Trainer – I am an eLearning expert with dozens of online courses/webinars in my portfolio. I have provided these services for ExecSense/Financial Times, AtTask, Medical Practice Trends, and in person at various enterprises.

Social Media – I am an active participant in social media and I also provide security services for enterprise social media programs. I have spoken at national conferences on the topic of social media and I have designed several social media campaigns for regional companies.

How has your entrepreneurial spirit been a benefit to you in the cyber security field?

The drive to take a concept and create a viable business around it is very beneficial in several ways. It forces you to keep on top of your industry. You have to continuously educate yourself to ensure you have not missed a crucial opportunity or made potentially damaging missteps. 

It also provides a healthy reality check regarding business realities and forces a person who is oriented toward technology to manage the day to day operations of a business. This is invaluable experience and a definite step outside of the comfort zone of a typical technologist.

What are some of the key points you emphasize when training a company on risk, compliance, and security? What are some of the challenges of the profession?

Key points on Risk:

  1. Effective enterprise risk management requires a certain level of corporate maturity. This entails a managed and supported governance program.
  2. The concept of risk management itself must be driven from the executive suite with full support of those executives.
  3. With a new risk program, start small. Track no more than 10 critical business processes (KPI). Attach a Key Risk Indicator (KRI) to each.
  4. Risks must have executive oversight and business ownership.
  5. There is no technological silver bullet for managing risk.

Key points on Compliance:

  1. An effective compliance program is a component of a robust Governance, Risk, and Compliance initiative. This relies on a level of corporate maturity and support from the executive suite.
  2. The regulatory burden on multiple industries is continuously increasing. An enterprise needs to be educated on its local, state, and federal regulatory burden to ensure its program is covering its exposure.
  3. Beware of compliance by “checklist.” A checkbox compliance program may be tempting but many industry regulatory frameworks are incomplete or vague, which could lead to missing key risks. PCI compliance can be a good example of compliance by “checklist.”

Key points on Security:

  1. Security must become more of a priority at the executive level. Even with the latest breaches, corporate leadership mostly considers cyber security as a necessary evil with appropriate funding and visibility to match.
  2. The most unsophisticated security solutions still provide the most bang for the buck. These include patching your servers and endpoints, training your users on security risks, and standard, updated antivirus/antimalware protection on servers and endpoints.
  3. Consider that nearly all of the recent major breaches have begun with a phishing campaign that led to accounts becoming compromised and eventually stolen data.
  4. Monitor the tools you do have in place. All of the security solutions in the world will not protect you if they are not managed and monitored. Trained staff interpreting the data that is received by these solutions is very critical.

Challenges of the Security Profession:

  1. Staying current on the latest technologies, threats, and regulations is quite difficult. It requires continuous education.
  2. Communicating the need for training to leadership. Training in the enterprise today is not a priority for most companies. I have consulted for quite a few who do not invest at all in their employees’ ongoing education.
  3. Communicating the importance of security to leadership. It is an unfortunate reality that the security team of most companies becomes involved in a project near its completion when a security issue occurs. Proactive information security involvement in the enterprise is still in its infancy.

Companies from varying industries are desperately trying to safeguard their information from being hacked. What are some principal practices that you emphasize to companies trying to maintain security?

When considering your security program, remember it is about protecting the enterprise data. Data is the new currency and is increasingly important to the enterprise. In some industries, the protection of data has added federal mandates, such as healthcare Protected Health Information (PHI).

When protecting your data, review the Data CIA model. This stands for Confidentiality, Integrity and Availability. Is your data confidential to unauthorized users? Do you know who has accessed, changed, or copied your data (integrity)? Can your data be accessed by authorized users when appropriate (availability)?

How has the cyber security field changed since you entered it?

The security field has changed tremendously since I first entered it in the 1990s. At that time, decent virus scanning tools, patching endpoints/servers when necessary, and a firewall were considered a viable security program. Security was usually an activity underneath the IT department that was managed by a system administrator on an “as needed” basis.

Fast forward to today and the pace of security has become frenetic. New threats arise constantly and staying ahead of the curve is nearly impossible. In many cases, cyber security is still a subcomponent of information technology, but that is changing quickly. The basics of security still apply. Patching, monitoring, endpoint and server protection, employee training etc. are very critical.

The biggest change has been the arrival of consumer technologies into the enterprise (Consumerization). Gone are the days of corporate Blackberries, laptops, and desktops being the only devices an employee uses to access corporate information. Now a plethora of iDevices, Androids, and other mobile devices have knocked down the enterprise technology barriers. Managing how data is accessed, stored, and transmitted on these devices is one of the largest security challenges for security departments today.

Security has gone from the moat, drawbridge, and castle model to building multiple secure perimeters around crucial pieces of corporate data.

Do you think it’s an ideal time to go into IT or to become an IT specialist, and if so, why?

I believe it is a viable career choice with some caveats. You must realize that IT has been the target of downsizing, right-sizing, outsourcing, whatever euphemism you want to call it for over twenty years. You must be very flexible in your IT career and constantly aware of what trends are impacting the profession. Information security is relatively hot at the moment, but that could change quickly. Be prepared to shift your direction in your career and always have a few other IT skills you can fall back on.

Which skills do you think are necessary for pursuing a career in IT and cyber security?

General skills that may serve you well in IT and security:

  1. The ability to learn quickly
  2. Ability to troubleshoot problems while drawing on multiple sources of information
  3. Ability to embrace change
  4. The ability to communicate technical concepts to business users so they can make the appropriate decisions
  5. A love of technology

Valuable technical skills would be:

  1. Operating Systems
  2. Networking
  3. Servers
  4. Storage
  5. Virtual Machines
  6. Software Architecture

What advice do you have for students pursuing a degree in IT or cyber security? How can students prepare themselves for the challenges?

To prepare for the pursuit of an IT or cyber security degree, I would earn an industry certification or two. Take a look at the various CompTIA certifications and see what fits your interest. They may be valuable for your resume but there is no replacement for experience. Experience in the industry will give you the best feel for what to expect in a degree program. Internships may be abundant for IT and security, so seek them out at your university. 


The experts interviewed for this article may be compensated to provide opinions on products, services, websites and various other topics. Even though the expert may receive compensation for this interview, the views, opinions, and positions expressed by the expert are his or hers alone, are not endorsed by, and do not necessarily reflect the views, opinions, and positions of EducationDynamics, LLC. EducationDynamics, LLC make no representations as to the accuracy, completeness, timeliness, suitability, or validity of any information in this article and will not be liable for any errors, omissions, or delays in or resulting from this information or any losses or damages arising from its display or use.

Cyber Security Career

Interview with Doug Landoll: Navigating A Cyber Security Career

Amidst the era of digitization, where reports of cyber security breaches make frequent headlines, Doug Landoll has consistently maintained a proactive stance. Functioning as an authority in security risk evaluation and serving as the Chief Executive Officer of a firm specializing in information security, Landoll boasts a wealth of years spent acclimatizing to the dynamic shifts within the realm of IT. This encompasses the diverse array of perils that loom over digital data, spanning the domains of public and private information alike.

Fueled by a passion for engaging with computers, Landoll achieved his Bachelor of Science degree in computer science from James Madison University. Subsequently, he pursued his executive Master of Business Administration (MBA) from the esteemed Red McCombs School of Business at the University of Texas in Austin. Alongside his academic accomplishments, Landoll obtained certification as a CISSP (Certified Information Systems Security Professional), a premier credential within the information security arena.

Over the passage of time, Doug Landoll’s professional journey encompassed diverse roles within multiple companies. These ranged from serving as a Trusted Product Evaluator at the National Security Agency, to assuming the mantle of Practice Director of Risk & Compliance Management at an enterprise specializing in information security, and culminated in the establishment of Lantego—a firm comprising adept professionals in information security compliance—with Landoll at its helm as CEO. He crafted a comprehensive handbook for security risk assessment, a vital resource embraced by IT practitioners and learners alike. Owing to his extensive expertise, he has earned prominence in numerous publications addressing information security subjects, and he frequently delivers talks at prominent IT conferences such as the recent Information Systems Audit and Control Association conference.

Read our full interview with Doug Landoll to find out how he got into IT and the field of cyber security and how he navigates the ever-developing challenges of the digital age.

Tell us more about your background and education. What led you to work in IT and cyber security? 

I always loved working with computers and enjoyed the mathematics background and analytical aspect of it all, but I never really enjoyed programming. Back when I went to school, programming seemed to be the only option in the field. Somehow I just knew I would find something in this field so I kept on with my education. A BS in Computer Science allowed me to pursue work in this field and discover that there were a wide variety of positions. I was introduced to the field of computer security (which I really did not know existed) when the intelligence community recruited me in my senior year of college. Once I caught that bug, I have never looked back. I love this field of study.

Did you hold any past positions that have played a significant role in where you are today?

I held several positions that influenced where I am today. I led several technical teams while serving in the intelligence community, analyzing security vulnerabilities of commercial systems. I led consulting practices within large organizations and grew them with additional services and members. But the most rewarding and influential position I have held is founding and running my own company. I have done this four times now: founding, growing, and eventually selling information security consulting practices. I now enjoy working for myself and concentrating on information security risk assessments, policy development, and the education of others pursuing a career in information security.

Please describe cyber security and what your company, Lantego, does for someone who’s unfamiliar with the field.

Cyber security can be thought of as two distinct missions: Builders and Busters. Builders design, assemble, configure, and operate secure networks and applications. Their job is to ensure that they create the most resilient and secure systems to protect an organization’s assets with the resources they have. Busters review, assess, and test these systems looking for any design, implementation, or operational flaws or vulnerabilities in the system. Their job is to find these vulnerabilities, prioritize them, and suggest how to fix them in the most efficient and effective way possible.

Lantego specializes in assessments. Gap assessments are a review of the current security controls with respect to an industry standard such as HIPAA (Health Insurance Portability and Accountability Act) security and privacy or the Payment Card Industry Data Security Standard (PCI DSS). Security risk assessments go one step farther and assess the likelihood that a vulnerability could be exploited and the impact it would have on the organization. This allows us to prioritize our findings. Lantego also develops information security policies and processes for state agencies and commercial organizations when they are lacking appropriate administrative controls. Many organizations seek independent consultants for assessments and policy development because of the need for an independent review and the lack of specialized resources to create policy.

What keeps you excited and interested in the work you do?

I keep excited about my work because there is always something new to work on. Last year, I rewrote the information security policy set for the State of Arizona and worked directly with the State CIO (chief information officer) and State CISO (Chief Information Security Officer) in a project that affected all 145+ agencies in the state. At the same time, I performed HIPAA security risk assessments for hospitals in Virginia, Tennessee, Texas, and Arizona. The variety of environments, business models, system implementation, and security requirements keeps me on my toes and the work always interesting.

Expand on your different roles in the IT industry (risk assessment expert, author, voice in social media).

One of the most influential efforts I ever pursued was the writing of my first book: The Security Risk Assessment Handbook. I knew a lot about risk assessments at the time but the research I did to create a textbook expanded my knowledge beyond what I would have ever received from simply performing the risk assessments.

As a recognized expert on security risk assessments, I am able to provide some insight on the process, the state of security in the industry, and how we can continue to improve our security postures as the threat environment continues to mature. Just as regulations and threats continue to evolve so too does my own risk assessment process every time I perform another risk assessment.

I share my thoughts, findings, and experiences through social media and conferences. As a profession, it is important that we share our experiences and continue to mature our tools and processes to secure the infrastructure that protects data assets.

Is your book, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, used for students pursuing an IT degree? If so, what information do they find most helpful?

My book was written specifically for the practitioner. Anyone who intends to understand how to perform an information security risk assessment (or even use the results of one) will gain a practical understanding of how to conduct a complete assessment. The book is used in many colleges and universities as either required or supplemental reading. What the student will gain is practical advice on how to actually perform an information security risk assessment. Most students are surprised by the detail of instruction in the book. I wrote the book because there was no such instruction available elsewhere.

How has your entrepreneurial spirit helped you become an expert in the cyber security field?

My entrepreneurial spirit has allowed me to pursue business plans and offer information security services that my previous employers or “the big guys” did not see coming or did not see enough profit in. I am able to create new services quickly and effectively when I see a potential need. For example, last year I created a new class on the NIST Cyber Security Framework to coincide with NIST’s release of this new framework. I was able to gain several new clients who quickly adopted the standard and were unable to find training anywhere else.

I am also able to specialize in areas that I feel are most needed and underserved. For example, this year I launched my “Black Diamond Initiative”. This is what I call expert-only services. Most organizations have the expertise in-house to develop and deliver most of their information security program elements… with two notable exceptions. The first exception is an objective and independent review of the controls they put in place (i.e., an information security risk assessment). The second exception is education and training. When organizations reach out to consultancies for either an assessment or certification training the most important element is the expertise of the actual consultant that gets assigned. Assessing risk or educating your people is no place to cut corners, so organizations should demand an expert – that’s what Lantego delivers. We only provide experts in the field (i.e., someone who has performed scores of risk assessments or trained thousands of CISSP candidates).

What do you find are the most challenging aspects of cyber security as a field?

Keeping up with changes. No one can be an expert in the entire field of information security. You need to pick your areas of expertise and then be diligent about keeping up. There is always a new tool, regulation, technique, breach, conference, or threat that your customers expect you not only to know about but to have an opinion and a solution.

Has the field of cyber security changed since you entered it? If so, how?

The field has expanded greatly and will continue to do so for the foreseeable future. It used to be that we all considered ourselves information security engineers. Now we are clearly divided as builders or busters, and then again in many different specialties such as forensics, web application code review, regulation compliance, and many more. The good news is that there is a lot of discovery yet to happen and this is a very exciting field.

In your opinion, is it an ideal time to go into IT or to become an IT specialist, and if so, why?

There are many types of jobs in both IT and IT specialties. If you have a desire to learn and push yourself, and if the thought of your field constantly expanding excites you, then I would advise you to pursue a specialty. It is not for everyone but for those that truly enjoy the challenge, you will find a career you truly enjoy.

Which skills do you think a person should build if they want to pursue a career in IT and cyber security?

Inherent skills include a thirst for knowledge, a desire to solve puzzles, and an analytical mind. If you have those, then throw yourself into the study of the basics: computer science, data analysis, programming, system design, privacy and security law. Once you understand the basics, pursue a position in a large company that allows you the freedom of lateral movement and encourages you to try new things. Pay attention to your interests and seek out experts. Let them know that you want to learn more about what they do. Continue this until you find your own special interest and then dig in.

What advice would you give to students pursuing a degree in IT or cyber security? How can students prepare themselves for the challenges?

Get involved in the cyber security community early. Many organizations such as ISSA (Information Systems Security Association), ISACA (Information Systems Audit and Control Association), and ISC2 (International Information Systems Security Certification Consortium) have student chapters; most security conferences have student rates and potentially even scholarships for qualified students. Attend meetings, go to conferences, even submit a paper. The earlier you get involved, the sooner you will be exposed to those areas that excite you and network with those that can help your career.


© Education Connection 2024. All Rights Reserved.
