The SANS Security Heroes project is to help introduce you to people that have made a difference in information security. We believe there are a lot of people contributing to make security work, and we want to introduce you to them.
- Kathleen Lynch, Security Hero - August 31st, 2009
- Paul Henry, Security Hero - May 12th, 2009
- Anthony Giandomenico, Security Hero - February 18th, 2009
- Craig Wright, Security Hero - April 4th, 2008
- Peter Giannoulis, Security Hero - March 19th, 2008
- Suzanne Novak, Security Hero - February 13th, 2008
- Laura Taylor, Security Hero - February 8th, 2008
Kathleen Lynch, Security Hero
August 31st, 2009
By Stephen Northcutt
I met Kathleen at SANS Boston and feel "Kathleen's Story" is worth telling. She is one of the people that took us up on our training program for the recently unemployed during the great recession. Kathleen feels she benefited by being exposed to SANS state-of-the-art training; in her own words, "It is a rush. Your wonderful teachers provide education, hands-on training, but most importantly, they inspire hope and an ability to compete in today's labor market." And, of course, our industry needs trained people. We feel that her story is so important because it illustrates how hard it can be to find a career in information security during a recession. And, by the way, Kathleen's resume (Kathleen Lynch, PhD, CISSP, CISA) can be made available upon request.
Kathleen, thank you for being willing to participate in the Security Hero program. Can you tell us what happened to your job?
My group's work was shipped to India and I was "outplaced," with three months' severance, in February 2009. I had been working for EMC's Global Security Office in Risk Management shepherding Business Units' outsourced work and Mergers and Acquisitions (M&A) through the Third Party Access (TPA) process.
Third Party Access (TPA) sounds quite crucial to security, did you have pretty much the whole ball of wax?
My group attended to the complete IT Risk life-cycle of TPA / M&A from the first initiation requests, to creating a project, credentialing the site, and the workers' identity (most carried a TPA ID number, as opposed to a supplier ID, partner ID, employee ID, customer ID, etc.), which made identification easier on the networks. We provisioned the network resources and vetted their TPA access architecture; monitored issues with operations / SOC (VPN, port / protocol requests); but, best of all from a security perspective, TPA was an automatic de-provisioning process. If the project was not renewed, the firewall rules began to erase themselves, identities zzz-ed out, and all access shut down -- automatically. There were no orphan accounts left behind.
Whew, I like that, access control is crucial, this sounds like an awesome system, did it run automated, or did you check up on it?
De-provisioning was totally driven by the End Date workflows. Only once was I able to chase around the globe fast enough to prevent de-provisioning from happening. With global synchronizations and replications, it took all my time and knowledge of systems to intercept the over-writes. The business unit had a couple of reps with me as I chased through the systems. They must have shared their experience because there were few instances of business units forgetting to renew their projects, with the attendant loss of revenue and effort to re-create the project with approvals; for the most part, projects were renewed well ahead of time. Of course, some business units forgot to request resources early enough and were caught by the "no firewall changes" rule during the End-of-Quarter Moratoriums (SEC regulations), necessitating an exception process.
In short, my group was responsible for the complete life-cycle of Third Party Access projects, from the beginning until the end, for projects large and small. Some projects had thousands of network resources, and thousands of people in them; while other projects had a handful of people accessing a few network resources. On any given day, I could be talking with Security Operations regarding a VPN issue, the EMEA escalation manager, or the EMC eCommerce manager, or a Bratislavan contractor who couldn't access the network in Bratislava, or a Risk analyst in the Indian data center questioning an IP leading to China, or a new external project person trying to create a TPA project for a newly acquired company (EMC acquires a company a month; well-known examples are RSA, VMware, ConfigureSoft, Iomega, etc.).
Of course, in a global enterprise where bonuses are important, I could come across the occasional out-of-scope/out-of-band issue which necessitated an exercise of Corporate Chicken (often involving millions of dollars) and which would result in my writing a Risk Letter, and sometimes correspondence from the Legal Department. My other activities included maintaining the Theater Threat databases, writing up Threat analyses (PESTELI analysis), and blogging on behalf of GSO Security Awareness and Training. And, of course, the usual committee and staff meetings. Oh, I almost forgot: as a SME, participating in the writing of Policies, Procedures, and Enterprise Standards.
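The End-Date-driven de-provisioning Kathleen describes, modelled as an added example (not EMC's system or code from this interview): every identity and firewall rule is justified only by a project, a sweep tears down whatever a lapsed project justified, and an orphan-account check confirms nothing is left behind. Project ids, TPA ids and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TpaProject:
    project_id: str
    end_date: date
    tpa_ids: frozenset        # worker identities carrying a TPA id (constructed)
    firewall_rules: frozenset  # firewall rules this project justifies (constructed)


class TpaRegistry:
    """Access life-cycle in which no entitlement outlives the project that justified it."""

    def __init__(self):
        self.projects = {}        # project_id -> TpaProject still in force
        self.enabled_ids = set()  # TPA identities currently enabled
        self.firewall = set()     # firewall rules currently deployed

    def provision(self, project):
        self.projects[project.project_id] = project
        self.enabled_ids |= project.tpa_ids
        self.firewall |= project.firewall_rules

    def renew(self, project_id, new_end):
        # A renewal only moves the End Date; nothing is torn down and rebuilt.
        p = self.projects[project_id]
        self.projects[project_id] = TpaProject(p.project_id, new_end, p.tpa_ids, p.firewall_rules)

    def deprovision_expired(self, today):
        """Remove every project whose End Date has passed; returns the ids removed."""
        expired = sorted(pid for pid, p in self.projects.items() if p.end_date < today)
        for pid in expired:
            del self.projects[pid]
        # Rebuild entitlements from the surviving projects, so an identity or rule
        # shared with a live project is kept while one only the lapsed project used goes.
        self.enabled_ids = set().union(*(p.tpa_ids for p in self.projects.values()))
        self.firewall = set().union(*(p.firewall_rules for p in self.projects.values()))
        return expired

    def orphan_accounts(self):
        """Enabled identities no live project justifies; the sweep keeps this empty."""
        justified = set().union(*(p.tpa_ids for p in self.projects.values()))
        return self.enabled_ids - justified


def demo():
    reg = TpaRegistry()
    reg.provision(TpaProject("P-100", date(2009, 3, 31), frozenset({"tpa-001", "tpa-002"}), frozenset({"fw-100-vpn"})))
    reg.provision(TpaProject("P-200", date(2009, 6, 30), frozenset({"tpa-002", "tpa-003"}), frozenset({"fw-200-sftp"})))
    reg.renew("P-200", date(2009, 12, 31))            # renewed ahead of its End Date
    torn_down = reg.deprovision_expired(date(2009, 4, 1))
    return torn_down, sorted(reg.enabled_ids), sorted(reg.firewall), reg.orphan_accounts()


if __name__ == "__main__":
    print(demo())
```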
Sounds like a fun job!
It was an interesting job that engaged many aspects of my background, but it was not a well-paying one. However, in this century's economy, it is any port in the storm, and EMC was a quick commute, just minutes from my house. TPA was a great experience and, I will say, an experience that clearly impressed upon me the career risk that people in IT Risk and in IT Security take on a daily basis; it also highlighted the vulnerability and internal conflict that can arise from within, as they carry out their duties. It is no wonder that, in some companies, "Ignorance is bliss" and inconvenient truths are overlooked.
OK, knowing that nobody knows the future, what do you feel is ahead of you?
I am aware of a time horizon and, rather than reinventing myself, I feel a need to exercise some of my IT Audit/Compliance credentials. I find the thought of being a HIPAA auditor appealing (1) BUT, ...would need an "in-service training" opportunity or a friendly employer. Or, IT Regulatory Compliance Specialist has a certain cachet; again, there is likely a need for an "in-service" to land the job. Both are emerging areas, so the employers might get desperate, and/or I might get lucky. But, given the current market, employment seems unlikely without some direct experience.
Are you interested in working into information assurance?
When I was first laid off, I thought I would move easily and swiftly into InfoSec Assurance/Compliance/FISMA and I would not have to deal with unemployment. Time was a problem because there was so much to do before I started working. My thought was to fire up my trusty LLC, Specialized Communications, go to the DC area, and start contracting. Or, better yet, work for a DOD contractor and have them pay for the move.
But first, there were some updates I wanted to get for my skill set. And, with that in mind, during my severance period I took myself down to NIST a couple of times to hear the sermons first hand, and even paid for a FISMA course. I papered the MD/DC/VA area with my resume thinking the federal/DOD sector would be my salvation and future.
So you would be interested in working for DoD?
I had warm fuzzies for the area, in part, because at the very beginning of my career, at the dawn of time before there were any personal computers, I worked for DOD - Army Aviation Systems in St Louis, MO as a Branch Chief, and had been classified as a "scarce resource," with a Secret Clearance. Knowing what I now know, I should have stuck with them and gone to Fort Huachuca. However, that is not what I did.
Fast forwarding to the present, my Secret Clearance expired decades ago, and without a clearance I cannot work in many Federal /DOD environments. The classic "Chicken and Egg problem." From my perspective, if there ever was a poster child for a broken process, the Secret Clearance process and IT Risk/Security employment, is it. What a disconnect.
OK, it is a tough economy, have you been thinking about a plan B?
Yes, as a plan B, I have moved on to considering more esoteric forms of Infosec Assurance / IT Audit/ Internal Audit in the private sector. Enter the aforementioned HIPAA auditor, IT Regulatory Compliance Specialist / Internal Auditor roles. Nonetheless, I still have "the Chicken and Egg" problem: This time it is called "No direct experience" but it's the same problem and a show stopper. It is true, I have no "direct experience" as a HIPAA auditor, as an IT Regulatory Compliance Specialist, or with FISMA. But, it is also true that I do have experience and certifications with InfoSec Assurance Methodologies and IT Audit. And, it is also true, in this period of Economic Crisis and unprecedented unemployment in modern times, that there are plenty of people with THE EXACT experience and the connections necessary. My take is that I need help with the experiential piece. I need a short stint of "in-service" training.
Up till now, my approach has been somewhat agricultural: many resumes need to be sent for a few to take hold and grow. Unfortunately, my database of job descriptions seems to be the only thing growing. Most of the jobs require a geographic relocation, and I am open to moving. In fact, I welcome moving, if it means more daylight hours and a milder winter. The first thing I did upon being laid off, was to start downsizing, packing, and getting the house ready for sale. Dreaming of a snowless winter. That was February and I am still waiting -- and living with a lot of boxes. :- )
The courses I took with SANS have helped me in a variety of ways. Aside from learning new skills, and brushing up on older skills, they have provided a focus, and an opportunity to "try on" occupational cloaks -- and see how they fit. Certainly, the SANS courses are a way to get new perspectives. They have extended the breadth of my knowledge and have given me an opportunity to think about my future in new ways. I have special memories and insights as a result. The pleasure of creating a packet, then sending and receiving it in Mike Poor's 503 Intrusion Detection course; meeting Mr. Snort himself; the horror of seeing IOScat and IOSmap work. Or, how about Rob Lee's 508, Computer Forensics, learning to carve data using dd or Foremost? Or, using those nifty "Cables to Go," and leaving the class with the SANS Forensic toolkit. How cool is that? Or, what about 557, Virtualization Security, when you can use two lines of code to break VMware 3.5 security, and discuss Cloudburst, the Red Pill, the Blue Pill? Or, what about 553, a day with Eric Conrad and Metasploit, evil reified. Let's not forget 517, a day of Cutting Edge Hacking with John Strand. I could go on. Each course is unique, but what they have in common is a drive for excellence and a shared skill base. Moreover, I have met people who will be friends for a lifetime. Somehow it would seem there was a certain amount of serendipity, or perhaps synchronicity, when I met you at SANS Boston.
Summary:
Kathleen Lynch tells the story of trying to find gainful employment in the information security field in the Great Recession. If you are willing to tell your story, we would love to hear from you, stephen@sans.edu