The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Andrea Harston, CERP, CEIA, Curriculum Director of Content, Infosec.

Andrea Harston is a cybersecurity, training and risk management professional with over 20 years of experience in the IT field. Andrea oversees curriculum strategy and technical review at Infosec, leveraging her past experience as an ISSO, ISE and SCA in both public and private sectors to ensure all Infosec curriculum is accurate, role-relevant and engaging. Andrea’s areas of expertise include security awareness and training, compliance and regulatory law, and risk management using the NIST Framework. Andrea is a Barry University graduate and a talented artist specializing in watercolor paintings and graphic design.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born in the Midwest in a very small town called Brazil, Indiana. My family moved to Florida when I was 10 years old. My dad had just landed a job at Kennedy Space Center working on the Atlas program. One summer, he took me out to the launch complex for a behind-the-scenes tour of the launch facility. I was fascinated by all the control panels in the launch control room and thought it looked like something out of a movie. That began my love affair with technology. My family would take us out to the Indian River to watch every single launch and my grandfather would always bring me photos signed by astronauts to hang on my wall.

I knew from a young age that I wanted to work at Kennedy Space Center. My hard work eventually paid off and I landed my first job in tech with Computer Sciences Corporation (CSC). I was working with Atlas launch documentation on an AS/400 — in the very same building my father had worked in! It is funny how life brings you full circle!

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I was a big Cyber Work Podcast fan long before I became an Infosec employee. They touch on a diverse range of interesting topics like “What does a digital forensic investigator do in the government?” but also have a large quantity of content that focuses on really important topics like “Supporting economic advancement among women in cybersecurity.” This resonates with me so much because I am acutely aware of the low representation of women in the cyber workforce. It is inspiring to hear industry leaders like Christina Van Houten speak about the challenges that women are facing in the industry.

If I go further back in time, the 1983 movie “WarGames” was a big influence as well. When you look back on the clip where Matthew Broderick dials into the school network, the technology looks — ancient. However, remember when he says, “They change the password every couple of weeks, but I know where they write it down”? People still do this all the time, and it is still a major security concern. I think it resonates with me to this day because even as technology advances, you will always have to continue to train humans!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My answer here is twofold. When I was working for CSC, my boss told me to get a career in cybersecurity. Honestly at the time, I didn’t really have a direction for my career and just knew I wanted to work at the Space Center. That comment set in motion the next phase of my career. Fast-forward a few years when I was doing contract work for NASA. I had been hired to write cybersecurity documentation: policies and procedures for the contract’s information systems. I enjoyed writing the documentation, but as I started working more closely with the security team, I knew that was where I wanted to be.

It was at that time I met a brilliant woman named Shelby King. She was the IT security manager for the contract. Meeting Shelby really solidified that women had a place and could make a huge impact in the world of cybersecurity. Shelby was a senior assessor who was managing and auditing a dozen information systems and running the security awareness program for the entire contract. She had a knack for communicating with the system admins, the network engineers and the technicians and helping them understand their part in securing our IT systems. It was like each role spoke a different language and she was the interpreter.

My position went full-time, and my boss asked me if I wanted to become a systems analyst and start working under Shelby as an assessor. She was an amazing mentor. She first taught me about risk management by giving me the very simple analogy of a house that needed to be secured from an intruder. That led to introducing concepts like confidentiality, integrity and availability of the CIA triad and the NIST framework. She made cybersecurity interesting and accessible. Shortly thereafter, I obtained my first certification as a Federal Information Systems Auditor (FITSP-A).

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

When I first started assessing, I thought it would be “helpful” to print out a full copy of the entire NIST SP 800-53 document to give to the engineers who were operating one of our IT systems. If you have ever looked at NIST SP 800-53, you know that it would be very overwhelming to be handed a printed copy of that document. I learned that I needed to create a tailored, role-based training plan when trying to teach someone what they need to implement and why. The operators of these systems were not cybersecurity experts, just as I was not an expert in the functional operations of their systems. I had to learn how to break down cybersecurity concepts in a way they could understand and implement. I learned how to mitigate risk with minimum impact to the functionality of the system. There is always a delicate balance you have to strike in the world of cybersecurity between function and system security.

Are you working on any exciting new projects now? How do you think that will help people?

Last year I transitioned from the federal sector to the private sector and now work as a Cybersecurity Curriculum Director for Infosec. I am fortunate to be involved with many exciting new projects. One of the coolest projects is Infosec’s partnership with Chooseco, publishers of the best-known gamebook series in the world, “Choose Your Own Adventure.” I used to read those books as a kid and loved them. Infosec’s Choose Your Own Adventure Security Awareness Games are really fun to play! Any time you can make training into a fun and engaging game, people are more likely to learn and retain that knowledge. The more well-trained our workforce is, the safer our data and information systems will be.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

I am really excited about the advancements in home technology. I am definitely a “gadget girl” and it seems like everything has a “smart” component to it these days: fridges, washing machines, vacuum cleaners, toilets and so on. Of course, the smarter your devices are, the more potential risk to your home network, but the geek in me thinks it’s really cool that your fridge can tell you when food is expiring, or you can start a load of laundry from an app on your phone.

I had a conversation with a friend of mine a few months ago. He wanted to get into the cybersecurity field but he “didn’t want to be a programmer.” It is amazing to me that this mindset exists. There are many, many other career paths that one can take in the cyber field. To get an idea, check out any of the 52 work roles in the NICE Workforce Framework for Cybersecurity. It is exciting to see all of the available options for someone who wants a career in the cybersecurity world.

I love that the federal and private sector are both adopting NICE Work Roles in their hiring practices. This will lead to a standardization of the educational requirements to perform the job functions of a certain role. Of course, there are unique organizational considerations, but I would have loved to leverage something like this when I was first getting started in my career. Infosec is unique too, because they map all of their Infosec Skills educational content to NICE Knowledge and Skills statements. This makes it really easy for a student to get the education they need to obtain the role they want or advance in their career.

Another thing that is really interesting and exciting to me is that you have so many options these days when it comes to cyber education. There used to be a mindset that you must have a degree from a four-year university to begin a career in cybersecurity. This is no longer true with all of the certification paths available to students these days. Certifications are less expensive than traditional degrees and are more focused on the specific skill sets required to perform a specific job. There is a certain standardization of knowledge and skills that comes from certifications. With this mindset shift, the knowledge and skills you need to be successful in the field become more accessible and available to everyone.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

First and foremost, women are really underrepresented in the cyber-world. It’s unfortunate that much of society still views security as a field that is reserved for men. Women will make up approximately 25% of the cyber workforce by the end of 2021, according to WiCyS.org. It is apparent that we all have work to do to increase that number and build a more diverse workforce. We can continue to address these issues by introducing girls to cybersecurity concepts and technologies from a young age. We should support more nonprofits like Girls Who Code. Their mission is to “close the gender gap in technology and change the image of what a programmer looks like and does.” Women in Cybersecurity (WiCyS) is another great nonprofit that helps women build “a community where recruiting, retaining and advancing women in cybersecurity HAPPENS.”

Next, the rate at which the threat landscape constantly changes is a concern, specifically in regard to critical infrastructure. The cybersecurity industry is the first line of defense for the private and federal sectors. We need to be vigilant in addressing these threats quickly and we need to adapt and change in tandem with the emerging threats.

This may mean adjusting how we train our employees. We need more hands-on technical training that provides employees with the most current skill sets to mitigate the most current threats. Here at Infosec, we have really powerful hands-on cyber ranges that provide this type of training. We need to proactively offer engaging and unique security awareness training so we can effectively address the human element and protect our organizations from cyber threats.

Cybersecurity literacy is important for everyone, regardless of their career trajectory. We all should take a more active role in protecting our own information and data and be a part of the solution, rather than part of the problem.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

I think the recent attack on the Colonial Pipeline is indicative of the type of critical threats that are on the horizon. These threats to our nation’s infrastructure are already here and have been a concern for a while, but I think we will start seeing a lot more of them over the next decade.

Companies need to start by auditing their existing infrastructure and identifying security measures that they can implement quickly. These include things like multi-factor authentication (MFA), automation, improving security awareness training for employees and solid identity and access management (IAM) policies and procedures. I know this sounds simplistic, but so many attacks happen because of the simplest reasons: an admin doesn’t change the default password on a router; a user clicks on a link in an email; a company hasn’t implemented MFA, and on and on.

Additionally, companies need to start budgeting and planning to implement Zero-Trust Architecture (ZTA). This is especially important now, with the recent executive order that focuses on improving our nation’s security posture.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

In one of my previous jobs, we experienced a ransomware attack on one of our networks. I worked with the system admin on staff to mitigate it. My role was to perform a lessons-learned analysis after the incident to evaluate our incident response call tree and also to identify any security awareness training gaps.

My training up until that point had focused on training the user to be wary of any email solicitation that they were not expecting. It turns out that the user had received an email at work about a package delivery from a company they were expecting something from! I updated my training to instruct employees not to use their work email addresses for personal transactions and also to be suspicious of every email that contains a link — even if they are expecting it. The main takeaway is that you have to train people to be suspicious about every single correspondence, including phone, email, text, SMS, etc.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I don’t currently use any cyber-tools in my job, but when I review the cybersecurity curriculum I do get a chance to walk through some really exciting technical content that showcases some interesting tools. For example, I just reviewed our Infosec Skills Digital Forensics Concepts Learning Path and the author, Denise Duffy, did a walkthrough with Autopsy. Autopsy is an open-source digital forensics tool that is used in computer forensics investigations. It allows an individual to investigate the hard drive of a computer that may have been used for criminal or malicious activity.

In my previous roles, I used tools like ACAS/Nessus to perform weekly scans of all IT systems. I have used various SIEM tools, like LogRhythm. SIEM tools aggregate all the data from every event your system encounters and then analyze that data to help identify abnormal behavior or potential cyberattacks.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

You may notice your device slowing down, or your friends may start telling you that they are getting unusual emails or messages from you that you know you didn’t send. You should just assume that your data has already been compromised (because it most likely has), change your account passwords and proactively monitor your credit reports and financial accounts. Be on the lookout for unusual activity.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Step one is to communicate with investigators, your legal department and your system administrators. You need to gain a holistic picture of the breach and understand exactly what type and how much data was compromised.

Once you have approval to disclose the information to the public, send a clear and truthful communication to your customers. Communicate what kind of information was compromised and offer some kind of identity theft insurance free of charge to them. Have a plan in place that communicates how you will implement more or better security controls to prevent this type of breach from happening in the future.

My best advice to companies is to expect that an incident will happen and to be proactive, not reactive. Have a good incident response plan in place that you test quarterly. Also, have a good external communication/public relations plan in place before an incident occurs.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

I see many organizations try to continuously buy new solutions to fix security issues without fully implementing or understanding their existing solutions and challenges. I think really vetting a product during the procurement process is the first step. Will this product really do what you need it to do?

Next, be sure you are prepared to fully implement the product without taking any shortcuts. Automate when you can and also hire or train the appropriate number of people to do the job effectively. A good example of this is having a log management tool implemented and not automating any processes. A manager with no security background might believe they just need a different tool to do the job, when really you might need to hire someone to set up the right reports or alerts to notify you of any issues.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

Not really. It has gotten better, I see more opportunities for girls to take part in more STEM activities in grades K-12, and that is really incredible. However, I would love to see more employer-funded mentoring programs for adult women who may have wanted to be in a STEM career but didn’t have the opportunity or exposure to STEM when they were younger. Part of the issue is society itself and how women’s accomplishments are celebrated and viewed. Society needs to celebrate and acknowledge women’s contributions to science and technology, in the same way that we celebrate and acknowledge similar contributions from men. For example, have you heard of Ada Lovelace, Grace Hopper, Katherine Johnson or Margaret Hamilton?

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

One of the biggest myths in my opinion is that a woman has to be stereotypically techy to break into the cybersecurity industry. For example, I love tech and science, but I am also an artist and extremely creative. The creative side of my mind has allowed me to think outside the box when it comes time to problem solve. That skill has seamlessly translated to the world of cybersecurity. I believe that with the quality of tech educational resources available today, like the Infosec Skills platform, anyone can find their place in the digital world.

Another common myth is that you have to get a degree from a university to work in cybersecurity. Education is evolving and there are so many certification paths you can complete to gain solid foundational skills or a unique set of technical skills. There is nothing wrong with going the route of a traditional education from a university, but you can also go for a non-traditional education as well, and that can be just as effective, if not more.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Make sure everyone’s voice is heard. Have an idea in mind of how you want to solve a problem but be willing to brainstorm with other people and really listen to their ideas. We all problem-solve in different ways and you may have some employees on your team who possess unique perspectives from diverse backgrounds and experience. These people offer unique and creative ways to approach a challenge. It is important that all voices are heard.

2. Don’t let fear drive your decision-making process. You may not have all the answers or solutions but be willing to try. Problem-solving is an iterative process and you can grow and learn through challenges. So many women I know are stuck and can’t move forward because they are afraid they aren’t smart enough or talented enough, and they let so many opportunities pass them by. Don’t let fear drive your decisions.

3. Present solutions over problems. Many people waste a lot of time complaining about broken processes, but rarely do you get that same level of energy when they are asked for solutions. It is much more impactful and motivating to present solutions over problems.

4. Don’t be afraid to change direction. Not happy in your career? It is never too late to learn a new skill or take a class. Really think about what your strengths are and think outside of the box on how you can use them. For example, you may love teaching but may not want to be a teacher in a traditional sense. I love teaching and cybersecurity, which is why I love my job so much now. I have the opportunity to be an influencer of some really exciting cybersecurity educational content, and I also can be a perpetual student!

5. Always be learning. Try reading several non-fiction books a month or take a class in a new skill. It is really important to stay humble and teachable.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I would love to meet Dr. Michio Kaku. I saw him speak at Rollins College several years ago and he was awesome!

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!