#WeCyberToo: Krista Theodore, Security Engineer

Editor’s note: #WeCyberToo Talent Spotlights cover women of color in cyber so our daughters can see women who look like them thriving in the field.

 

Meet our 3rd #WeCyberToo Talent Spotlight: Krista Mikaele Theodore, IT Security Engineer.

Her role involves “wearing many hats” such as:

  • Consulting with and advising internal departments
  • Educating and training faculty, staff, and students
  • Performing in-depth security assessments
  • Developing IT policies, procedures, guidelines, standards
  • Vulnerability Management
  • Supervising security interns

How did you end up in cyber security?

When I was starting college, I never even thought about cybersecurity as a field, let alone to consider it as a career. I started my path wanting to work as a business analyst to convince the business that IT was a strategic partner and how the two could work hand in hand. I could act as a “translator” of sorts.

That was my plan until my academic advisor recommended I take a security class for an elective course. After the first class session, I knew I was onto something. Rather than change majors, I ended up majoring in both. Now, I realize that was one of the best decisions I’ve made thus far.

In my experience, some people are intimidated by the security team and when we reach out to them, the first thought that often pops in their head is “uh oh, we’re probably in trouble”. I want to change that so that there’s more of an open communication from both sides. Using my “translation” skills, I can try to change that perception to help users achieve their goals, securely.

What is the most difficult challenge you have faced as a woman in a male dominated field?

One of the biggest challenges I’ve faced as a woman in cybersecurity is getting opportunities to strengthen my technical skills. Many of those tasks, such as working with tools, are assigned to my male counterparts, while I am placed in more of a “facilitator” role.

How did you overcome said challenge?

I quickly realized that those opportunities wouldn’t come to me willingly and I would have to work harder to prove that I can get my “hands dirty” too. Thus, I took advantage of “orphaned” areas. For example, PCI was an area that no one wanted to volunteer for, but I saw it as my big break. I used the requirements of PCI to open doors for me. That led to other opportunities, such as vulnerability management.

It’s about taking lemons and making lemonade.

Editor’s note: PCI, NERC-CIP, and other compliance mandates are the bane of most technical people’s existence. It is a lot of paperwork and collaborating with other people, which most A-type personalities hate doing. Add this to your list of back doors into cyber careers to look into. Remember, security is not just hacking.

A reader of Danyetta Magana’s #WeCyberToo profile suggested asking future interviewees to share failures because those have a bigger impact than just feel-good stories. Do you have a failure that you would like to share?

During my master’s program, our class was assigned a project to present for our security course. I put added pressure on myself since I was one of few security professionals in the class and wanted to prove that I was passionate about the field. Additionally, I am already my biggest critic. I spent all night rehearsing my presentation. Every time I would mess up, I would start over. You could say I took it very seriously.

That next day, I started to present like I practiced, and a team member interrupted me mid-speech. I immediately lost track of my thought and nerves got the best of me. My team finished the presentation and afterwards, I just started to cry. I thought I had failed the course and worried myself sick about it.

How did you turn that failure into an opportunity?

I took that experience and used it as an opportunity to grow. First, I accepted that life doesn’t happen the way I plan it to happen. I was so focused on the plan that I let that stumble affect me. You can prepare as much as you want but there are some things that are unforeseen. “Go with the flow.”

Secondly, I need to carry myself confidently. It’s not that I didn’t know the subject. I knew it well but I was so absorbed in how I would be received that I forgot to take a breath and just speak. I don’t need to prove to anyone how passionate I am. I know what I know and by sharing my expertise, the audience can tell.

Editor’s note: I have also suffered from public speaking paralysis in front of groups. This is very common. However, I keep getting up and doing it again because the only way to succeed is to keep trying until it becomes second nature.

What advice would you give someone looking to enter the information security field?

Information Security is such a large field and there are so many different roles. Take some time figuring out the things you like or, more importantly, the things you dislike. Once you’ve narrowed it down enough, research how to get there, including networking with individuals in the industry.

For those that are in college and about to enter the industry, please consider applying for internships. It gives you a quick insight into the field, helps apply classroom concepts to real-world scenarios, and could lead to a full-time opportunity in the future.

Those looking to transition, I would recommend starting a relationship with your current company’s security staff. You can “pick their brain”, and if they see enough interest, they can consider you for upcoming roles. Oftentimes, the skills you’ve developed in other roles could be considered an asset to their unit.

What formal education, skill sets, and/or certifications do you recommend that people start with to stand out among other candidates in the cyber security field?

In regard to formal education, I would say do a lot of research and take a good look at the academic program for the school of your choice.

I chose Penn State for my undergraduate studies because the school is designated as a national Center of Academic Excellence in Information Assurance and Cyber-Defense Education by the National Security Agency and the Department of Homeland Security. This designation resonated with me because I knew I would be learning about the industry in its current and future state.

Certifications are important as well. Many job descriptions will request some form of certification based on your current level. The CompTIA IT Security Certification Roadmap is a great resource to use to see what certifications are available by expert level.

Lastly, I cannot stress how important it is to have hands-on experience in any aspect of the security realm. Not every employer will give you that experience, and it’s up to you to do some homework. If you’re aspiring to go into compliance, research different frameworks and practice implementing them, even if it’s for a fictitious company. If you want to go the more technical route, try building virtual labs or completing activities on the web from sources like Cybrary, Udemy, and SANS.

Editor’s note: many security technology companies offer free versions of their tools for download. Many of those same companies place engineers onsite at large companies. If you have a target company in mind, look at the security tools in their job descriptions. Google those companies and see if the technology is available for free download. YouTube may also have videos. Download the tools and teach yourself. Ongoing self-education is a huge part of being in this discipline, so this is a great exercise regardless.

If you do not have a target company in mind, take some time to learn about security technology companies. Here is a list of the top 500 security companies to start your research.

Can you provide a high-level overview (5 bullet points) of your career path if someone wanted to pursue a similar route?

  • Academy of Information Technology in High School
  • Dual-Bachelor Degree: Information Sciences and Technology & Security and Risk Analysis, and Master of Science in Information Systems
  • Several Information Security and Compliance Internships
  • Worked for the Information Security Office for the past 3.5 years
  • Payment Card Industry Professional Certification and Certified Security and Compliance Specialist Certification (Plan to take CISSP later this year)

Why are you planning to pursue your CISSP?

I haven’t obtained my CISSP but will have it by the end of this year. I have decided to do so for two reasons. Primarily, it will help open doors for new opportunities.

The majority of new roles posted on job boards will prefer or require it. Seasoned recruiters have all told me that resumes with the CISSP listed have a higher likelihood of getting a second look. Additionally, research shows that CISSPs have a significantly higher salary than their non-credentialed counterparts.

Second, I consider the CISSP to be one of the “badges of honor” for our industry. It is a widely-recognized certification that demonstrates that the individual has working knowledge of information security and is committed to their profession.

What project(s) are you most proud of?

The phrase “Knowledge is Power” may be considered cliché but I am a firm believer in the potential knowledge brings.

The Digital Immigrants Project is an initiative that is near and dear to my heart. I am very passionate about serving my community, and realizing that it is filled with individuals born before the widespread adoption of digital technology, I created the Digital Immigrants Project.

The project allows me to dedicate my time to providing education, training and awareness regarding security and identity theft free of charge. Florida is the number one state for Identity Theft and Fraud. One day, I hope this project will assist in reducing those percentages by equipping our citizens with the information they need.

I am also a major advocate for security awareness for everyone. I try to come up with projects that enhance security culture regardless of the individual. In doing so, I hope to create “cyber warriors” and together we can reduce the attack surface.

One of my greatest project accomplishments is the University of Miami, in partnership with the South Florida Information Systems Security Association, Cybersecurity Conference. The goal of the event was to educate and bring together Information Security professionals from various trades – as well as those interested in Cybersecurity – in an open dialogue to discuss issues facing the InfoSec industry.

Each organization may have different lines of business and data, but our hardships are typically the same. So, I felt it was important to provide a platform for industry professionals to discuss changes and prepare for the future. The event was outstanding with 2 keynote speakers (CSO from Uber and CISO from Hertz), 18 panelists, and many gracious sponsors, and welcomed hundreds of guests free of charge. Click here for video, presentations, and photos of the event.

 

Thank you so much for taking the time to share your insights! How do you want readers to contact you?

kristatheodore@gmail.com

https://www.linkedin.com/in/kristamtheodore/

About Krista Theodore

Krista Theodore is an IT Security Engineer for the University of Miami’s Information Security Office. As an IT Security Engineer, she is responsible for developing security strategies and consulting on best practices to maintain the confidentiality, integrity and availability of university data. Her specific areas of expertise are cybersecurity awareness and education, regulatory compliance, and risk management. She holds several certifications such as Certified Security Compliance Specialist and Payment Card Industry Professional.

Krista received concurrent Bachelor of Science degrees from The Pennsylvania State University in Information Sciences and Technology: Integration and Application, and Security and Risk Analysis: Information and Cyber Security. Additionally, she earned her Master of Science in Information Systems and Business Analytics at Florida International University.

Krista is the founder of the Digital Immigrants Project, a local organization which provides education, training and awareness to individuals born before the widespread adoption of digital technology. She serves as board member and role model speaker for ITWomen, a non-profit organization which strives to narrow the gender gap in technology and increase the potential for innovation and economic growth through gender equity. She is a member of Zeta Phi Beta Sorority, Inc., Project Semicolon, Healthcare Information and Management Systems Society, Miami Electronic Crimes Task Force, and Information Systems Security Association.

Editor’s note: Women of color were noticeably absent from most of the top women in cyber and top security bloggers lists in 2016. I applaud the work of those who were celebrated because the recognition is certainly well-deserved.

However, I want to expose students in my demographic to women who look like them. They need to know that we are out here ready to help them navigate the complexities of this field.

I also want to create our own “Top Lists” to celebrate our accomplishments just in case future lists exclude us, inadvertently or otherwise.

I’m also using these opportunities to present alternative stereotypes and build bridges.

We are not waiting any longer to be chosen. We are choosing ourselves as of February 2017 because gender diversity is not enough.