#120 – Cimone Wright-Hamor: Cybersecurity Is An Applied Field

[00:00:01] I'm Douglas Brush and you're listening to Cybersecurity Interviews. Cybersecurity Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders, and individuals who shape the cybersecurity industry. I discover what motivates them, explore their

[00:00:27] journey in cybersecurity, and discuss where they think the industry is going. The show lets listeners learn from the expert's stories and hear their opinions on what works and doesn't in cybersecurity. Hello and welcome to episode 120 of Cybersecurity Interviews. This is another episode in my Rising

[00:00:54] Star series and we're speaking with Simone Wright-Hamor. Simone works at Pacific Northwest National Laboratory as a cybersecurity researcher while pursuing a PhD in computer engineering at Iowa State University. She has spent the last decade of her life interning at

[00:01:08] a variety of organizations. She has 10 internships in more than six different organizations, including public and private industries, ranging from Fortune 500 companies like Microsoft to successful startups such as Smart AG, State Government, and Natural Laboratories. Simone

[00:01:24] has spent the last five years of her career working in the cybersecurity field. While completing research, she has helped protect the infrastructure for the state of Iowa and ensured that startup companies are developing software with security in mind. In this

[00:01:36] episode we discussed getting started in information security due to responding to an incident and early upbringing which prepared her for cybersecurity, bridging theory to engineering, teaming with dev and security teams, the importance of project updates, increasing diversity

[00:01:51] in the industry, and so much more. I hope you enjoy this episode as much as I did. Thanks for listening. All right Simone, thank you for joining me in Cybersecurity Interviews. How are you today? How are you?

[00:02:04] Doing great, doing great. It's actually a mountain boulder right now so it's one of those days where we were half prepared for snow and half prepared for 80 degrees weather so we as with cybersecurity have to kind of adapt and overcome to the weather much. Whereabouts are you located?

[00:02:18] I am located in the Tri-Cities, Washington, so the Richland, Kenwick, Pasco area. Oh very nice, very nice. So for the listeners that might not know too much about you, how did you get started in cybersecurity? I actually fell in cybersecurity. My background is in software development.

[00:02:39] I was working for a company and they had a breach that cost them a lot of money and that was the first time that I considered cybersecurity my problem up until that point it was someone else's job

[00:02:53] and I was lucky that it wasn't my code but it was so close that I took a step back and said you know what I think I need to start thinking how the code I'm developing could actually be causing problems.

[00:03:07] And so I decided that I needed to learn more about cyber. Interesting, so was there anything particularly, you know it's funny you know a lot of sometimes when people get their first incident or breach or things like that

[00:03:20] that happen they usually run away from the fire but it seems like you kind of leaned into it was there something about that moment of it or looking at in that perspective that says hey geez you know this is something I actually want to get more involved with?

[00:03:33] I actually contributed that to my upbringing. So I actually come from a low income background and so being in that type of environment you learn to think critically and use your resources to get what you need.

[00:03:53] And then just coming from that background there's a general assumption that if you need help you're probably going to have to make it happen for yourself. So that mindset and growing up in that environment carried over to my career naturally even though I was no longer

[00:04:10] struggling to just basic survival that process of thinking had been naturally ingrained in me. So when the security breach happened I naturally thought alright what resources do I have to make sure this is never me. Gotcha, was there anything that might have surprised you about it you know

[00:04:29] when you talk about application security and other things that you know I think a lot of folks have this vision of incidents being these very overly technical things but I was wondering if in this case it was something that might have been more simple or

[00:04:43] things like you said hey wow look here's some of the basics that could have been done in the lessons learned phase that you were surprised might not have been part of the whole process. I would say I made a rookie mistake of believing that everybody wanted security

[00:05:06] and that it was you know if I could mathematically show a company here is a potential loss that they would just buy in and be like here's all this money go solve the world. That didn't happen but what I did do

[00:05:26] again coming from my background I just had this natural inclination to manage risk so when you're coming from a low income background almost everything you do is a risk it's a trade off you don't have the basic resources

[00:05:42] so it may be that this month your lights got cut off or you're always having to balance the risk and decide what's going to be best for you in a moment. So that part of cybersecurity actually came naturally to me. Yeah it's interesting I often tell folks

[00:05:58] you know it's the constraints build innovations at times it's kind of learning to fight with one hand behind your back you can become very adept at it in a certain way because it's almost the opposite I've seen with folks where they have almost too many resources and then

[00:06:14] it's like analysis per analysis sometimes the constraints can help guide you. So in your education what were some of the things you know and again we were talking just to record you I've been doing this for quite some time and when I started

[00:06:26] the industry in the 90s there wasn't things like basic kind of computer stuff there was a heavy focus on mainframes and things that frankly were really not the focus of most computer science application degrees today what were some things that drew you towards computer engineering and computer science?

[00:06:46] What drew me towards computer engineering versus computer science was the fact that computer science is very heavily based on theory and there wasn't very much application. So the reason I stray away from that is it leaves people to believe that just because you understand

[00:07:06] how computers work you can do everything and I know based on my upbringing that just because you were taught something in the class doesn't mean it transfers over directly to real life. Again that goes from that low

[00:07:18] income background trying to apply the things I learned immediately in school from how to count knowing that one plus one equals two okay how does that transfer to my life right now? I know I have two dollars I know this

[00:07:30] you know I may know that the mac and cheese costs 250 but I'm not going to waste some options here. So that low income background has always played into my career. Having to take the skills that I'm learning today in the classroom and turn around

[00:07:46] less than 20 minutes later and do it in real life has propelled my career. I took that to my undergrad. So the computer science focused on a theory but the computer engineering is where you're bridging between the theory and the application.

[00:08:06] So now I can push the frontier of science from an application standpoint which in my mind cyber security is an applied field. Definitely are you certain to see too more of the integration as we talk about some of this with that mindset of

[00:08:22] really kind of pushing more of the cyber security as we say kind of an application security development is pushing left or putting it more into the process is there more openness that you're seeing now for folks willing to really kind of put either security people at the table

[00:08:38] have the discussions look at it from a process flow as opposed to hey we're going to deal with this after the fact. It's very hard to get people to buy into that idea. I've definitely been pushing that but getting them to buy into the process flow

[00:08:56] he's the assumption that they had a process to begin with. I offer that folks. Definitely if you want to look at what's your process documentation I'll take a look at it and they're like oh yeah we don't have that. Yeah so that I found a lot of organizations

[00:09:12] and I've definitely used a lot of that pain in various organizations but if they don't have that then okay we need to take a few steps back. But it's funny and sad at the same time it's it feels like there's a lot of fundamentals

[00:09:29] of when you look at engineering particularly around application development that some of these things some of these problems have just translated from one flip platform to the other so when we were looking at things and very

[00:09:41] pre-agile, very waterfall client server applications a lot of these things were still there and now we're seeing it when I look at everything from containerized applications I'm like wow we're still doing a lot of things that the process is not well defined

[00:09:53] and the process doesn't have security gating controls. So I would argue that again I come from a software background so when I came into cyber I'm like where's the process how do you fit into my picture? So in my mind there needs to be an agile development process

[00:10:13] that incorporates security earlier and we've seen these issues with the cloud where we had software developers who were fairly new and companies would go to them and say hey I want you to put everything in the cloud however the people who would make those decisions

[00:10:29] didn't necessarily understand the processes that happened in the background and the separation of duties they didn't understand that there was or they may not have been cognitive it may not have been at the forefront of their mind that we have a separate team

[00:10:45] doing the networking setting up the physical ethernet cables putting the server in a server rack we have a separate team that is doing the setting up of the software installing the OS, installing the web server giving it external

[00:11:01] access we have a separate team doing security and we have a separate team doing the software development so when they went and asked that young junior developer to put everything in the cloud who has no background on security networking or how to set up a web server

[00:11:17] they usually turn to the internet because there's kind of a bit of shame there that they don't know. They go to Stack Overflow and then they do what Stack Overflow says which again may have ignored all of the controls now you just put

[00:11:33] all of your stuff public facing and boom there's a breach so software development needs to incorporate these other duties because we're not they're not separated anymore those methodologies that we had in the past worked because there was separation now we need something that

[00:11:53] exists that incorporates everybody because there is no separation Yeah often we try to say and well we've been saying for some time now security really is a team sport everybody has to have their kind of saying it but

[00:12:09] for me I'm probably a horrible application developer as far as you know I'm not really getting better at the process flow and security part of it but I can definitely see where you know I've been a little bit felt maybe

[00:12:21] outside of my comfort zone when talking to developers who might be the smartest person in the room when it comes to that area and I feel there's always this kind of this river to cross between the two of us

[00:12:33] when I'm talking to application people about security because they look at it as very much well I don't really understand what you do and I'm like well I don't understand what you do that you've helped kind of bridge that divide so people say okay maybe there's a commonality

[00:12:45] in what we're kind of moving towards I have helped to bridge that divide by being on both teams so a good example is I worked for the state of Iowa during the election season and they had to come up with these last minutes websites that display

[00:13:05] updated results every so often there's pushback from security team like hey nope we didn't have enough time to go vet this there's pushback from the software development team like I don't really have enough time to deal with all your controls so by sitting in the middle

[00:13:21] where I'm sitting down with the coder going through I'm like okay I see how you architected that can you put this this this this right there can you extract this part out make it an interface and then use this

[00:13:33] interface for everything you do that does this then go back to the security team and say okay cool I saw and made sure they had these these in these controls did you like anything else so by sitting with both parties in separate meetings I kind of decreased that

[00:13:49] that back and forth time to development to launch because we just didn't have it and the CISO at the time Jeff Franklin was very receptive to this and understanding and he was like you know what I have pressure to make this happen I will give

[00:14:05] you reigns to go but you know as long as your report back to me and let me keep me in the loop yeah and I think that's a really important observation and point that I've seen when I've served in that capacity

[00:14:17] with security leadership is I think a lot of folks think oh you know CISO or security leaders going to want to be really hands on the weeds and disrupt the process flowing for me it's like no I just want to know the right things are being done

[00:14:29] and that there's visibility and the big thing is like saying hey is there visibility right you know reasonable security controls in place yes but again when this whole situation came about I stepped forward and suggested this

[00:14:45] it wasn't somebody come to me and say hey someone can you do this because it's not like they had my resume sitting in front of them and they're saying oh she has this background she's in security why don't we just have her do this

[00:14:57] they usually don't I had to identify that need for both parties and fill that gap so it sounds like at least if not a huge degree of self advocacy for that to hey look you know really have to

[00:15:09] assert yourself into that a little bit did you find that challenging with folks in the room that might not be willing to just have an outside voice come in so this goes back to this background of you know

[00:15:25] having a low income background there's you have to learn to advocate for yourself to get your resources so naturally I grew up in an environment where I always had to barter right

[00:15:37] so when we were in the room we were presenting this by the way I was an intern I sat down with them like hey can I make a suggestion everybody's like yeah what is it because at this point they have been arguing back and forth you know what

[00:15:53] I have a software development background here are the companies I worked for I want to remind you of that I'm on the security team how about we do a trial where you create the first website

[00:16:05] and I sit down and work with you and software development team to understand your processes and make sure that we can add enough checks in to you know make everybody feel comfortable and still meet our deadline and they were like

[00:16:21] at first Jeff was like okay well I think about it and less than five minutes later when we walked out the room he goes you know what I really need to meet this deadline the governor's pushing it I'm gonna give you some

[00:16:33] room I'm gonna take you off these three projects and I want you to focus on that I'm like I got you no problem I literally took it upon myself to send him a weekly detailed update and an email

[00:16:45] I knew he was busy and then I just told him hey I'll send you an email every Friday by five o'clock detailing what I did for this week in security controls with that

[00:16:57] to that I commend you on that because it's an interesting thing that I think it's lost and I'm curious to where you developed this but the communication skills of keeping people up to date because again for me when I've delegated certain things it's like

[00:17:09] again I want to know immediately if there's a problem and if there's some solutions other than that yeah like a weekly check-in would be great where did that come from in your mindset to develop that

[00:17:21] I feel that's still a very lacking trait with a lot of folks in our industry there's two parts to this one my mom worked in customer service for 20 years and so she had this model that

[00:17:33] in order for your customer to be happy they need to be in the solution loophole and they need to be aware of what's happening so if a customer calls right now and says hey my cell phone broke even though you're working on getting them a new one

[00:17:49] you need to not go three weeks without contacting them you need to send them an update periodically to let them know hey I haven't forgot about you here's where I met with that status and I will keep you posted I'm trying to push for this deadline

[00:18:01] but do not make it sound like you're guaranteed to hit that deadline let them know that you're pushing for that deadline but there's no guarantee you'll meet that deadline that's all people want they want to know that they're heard they're seen and you're keeping

[00:18:13] them updated on the progress so that and being the oldest of my siblings I always had to check in with my mom when she had to go to work and I had to wash my siblings and so that became just a natural part of my environment

[00:18:29] is keeping the people who are in charge aware of what's going on the situations give them key details only and then move on I always say you know the best thing you do is tell me in bullet points lots of white space I have to read something quickly

[00:18:45] you know the executive summaries work great yeah with that too it sounds like you know you find yourself in these positions at least as one we need to of kind of doing that translating of concepts from one party to another from one team to another

[00:19:05] how have you figured out how to do that at scale like are there lessons from that you used to say hey if I had to write a course on this and really kind of teach the are there the executive summary of how you can do that because that's

[00:19:17] again somebody where I feel so lacking in our industry at times it's like there's such a focus on the hands-on keyboard but these types of things of project management and communications is lost how would is there a way to even develop that

[00:19:29] so more folks can learn from an order key takeaways yeah so I have bridged the gap between communication and customer service part I learned from my mom and how to talk to people you can disagree and be respectful but I also took the software development con bond boards

[00:19:53] so this is how I track what goes on in my life as I actually have a con bond board for different parts of my life including my work projects I totally don't have two white boards with that in front of me right now

[00:20:05] and then when I'm communicating with people especially via email short to the point so I have like bold short phrases that I'll put before my subjects for example if this is just for information purposes only I'll say in bold info colon whatever it's about

[00:20:25] or action or request or urgent those let them know what they need to do with the information they're about to read and it's as simple as that right and I think people have this fear of like well I have to over complicate it no please don't

[00:20:49] and then let people be in the loop so for example I have a project right now that I just submitted a proposal for there were two proposals that got merged and what did I do I sent an email out and CC the other co-PI

[00:21:05] saying hey here were the two names of the projects we are now merging into one to be this new name here is our new focus Monday 5 o'clock we will send you guys out a new draft of the proposal

[00:21:17] and then on Wednesday we'll have a meeting it will be coming forward that's it now as you guess what is your day-to-day look like now how much of it is actually doing different parts of this process flow project management workflow as you start take on more

[00:21:41] to be honest most of the software or most of the cybersecurity hands on applied stuff is done with my home infrastructure so again I believe cybersecurity isn't applied field I do not believe that a cybersecurity quote-unquote personnel or experts

[00:21:57] we should ask our employer to invest in us because it's too much of a risk so if you're in a business you got to do your risk management right and it's unlikely that you

[00:22:09] can go to a job and say hey can I just set up PF since to see on your network if I can make it work or not the answer is probably going to be no that's the polite way to say that but again since cybersecurity

[00:22:25] is an applied field has a lot of risk associated with it so anybody who wants to get a cyber go buy your own stuff and do it at home you don't have to ask anybody

[00:22:33] if you bring it down guess what it's yours that's how you learn to fix things right if you take it down and it's a business that business loses money based off of your mistake that's unlikely they're going to let you do

[00:22:45] that yeah and really today I would have to say is I couldn't agree more and I really have my hey kids get off my lawn I'm no man security because you know back in the day in the 90s and early 2000s we didn't have a lot of virtualization

[00:23:01] we had to go scrap, beg borough and steal, bare metal put it together hopefully it would work and then when that thing went down there was a lot of operating system reinstalls you just can't go back to a snapshot

[00:23:17] it's an expensive mistake and how do you kind of coach people on saying that up now because it's again with so much of the technology that's out there now the accessibility to me seems almost a no-brainer

[00:23:29] but yet I still get young people trying to get into cyber and they get mad when they're saying like you know I asked my job if I can do this and they said no

[00:23:37] or I asked them to pay for the certain they said no okay so I go back to them and I always ask when you went to college did you have a company paying for it or did you front that money oh well I paid for it cool

[00:23:49] you paid for your own knowledge that will continue in life yeah you have to invest in yourself because again it's one of those one of the things where nobody else really is and it's

[00:24:01] sad as it can be at times but it's a reality you know you really have to advocate, fight and invest for yourself yeah and so I tell people set aside a little bit of money to invest in yourself and so decide some time

[00:24:17] yeah it pays back you know as do you think so what are some of the things that you're investing in yourself now so right now we bought a house and there's a window that bothers me because I can't have immediate access to it without a ladder so I've

[00:24:33] start to jump into IOT things like programming blinds to open and close programming LED lights to light up the flooring as the sun goes down and then I'm going to go into the network and studying some of the traffic that's coming in from those

[00:24:53] devices am I seeing some spikes is something weird going on so there's a there's a software development piece where I am not buying these things ready I'm piecing them together with a raspberry pie and then there's a security part

[00:25:09] where okay now I need to segment up my network what kind of firewall rules do I want to put in and out do I want it to be do I want to be able to talk to it through other subnets

[00:25:25] so that's that's how I keep current on what's happening is just buying little devices and setting them up at home and then from the research side of things how I keep current is reading the technologies that are out there and going to conferences

[00:25:41] I can't stress this enough I don't really care how much the conference costs if I think that it's going to be valuable and give me new insights I'm going yeah and it's it's I think

[00:25:53] that's one of the things that I've probably missed the most in the past year with the pandemic is and it was really was the impetus of this podcast was the sidebar conversations seeing people on stage and then say

[00:26:05] hey I got a question for you and then driving deeper into it over maybe lunch a beer just just sitting there talking to somebody about something that I hadn't even done on me I totally miss that these days yeah and then the management side of

[00:26:21] things I kind of fell into so my technical side I'm a cyber security researcher at PNNL Pacific Northwestern National Lab I am not a project manager but I kind of unofficially ended up orchestrating a lot of it just because they thought I was

[00:26:41] good at it so just because you don't have the technical title of like a project manager or maybe a sector lead or software developer doesn't mean you won't be doing those duties yeah I think often most people in cyber that do

[00:26:57] well are often the ones that kind of raise their hand or just get something kind of put on their lap and you just have to say okay I'm going to have to dig into this yeah do you see yourself moving towards you know

[00:27:09] looking at things and kind of very simplistic buckets at certain points of you know kind of doing some stuff that could be at the analyst to management level management to leadership where do you see your career are going

[00:27:21] you know in one, three, four or five years from now where would you want to be funny story my I just had this conversation with my manager I would like to stay bridging the gap between technical, senior level folks and management

[00:27:41] I seem to have a knack and a sweet spot for communicating information to both sides especially people who are not down in the weeds and they don't understand that 5G has seven deployment options they just understand 5G

[00:28:01] versus the techno folks are like is it stand alone or non stand alone I love that because I get to interact with people but not get overwhelmed by it so for me that's where I would like to stay but maybe move up into doing that

[00:28:21] also for sponsors so kind of helping sector leads interface with sponsors and ask the questions to pull out the sponsors technical needs because you got to be technical to be able to ask those questions the right way yes it's

[00:28:43] a tough thing I think in our field is again it's like staying relevant enough fresh enough to be able to have the conversations without getting almost pulled too far into the weeds and I find that's quite frankly the biggest challenge I have on my

[00:28:55] day-to-day is I'll see these new things come out and I want to dig into the IOCs all day but at the end of the day it could be 50 people say hey I just need the summary of it

[00:29:03] I'm like okay I have to know enough but I don't have to get too far in the weeds and it's a challenge so one of the things I've seen too I've been really trying to look at the podcast and have different discussions about different things

[00:29:19] and did a series on diversity, equity, inclusion in our industry I find that it's extremely lacking, things about mental health where have you seen changes in this that might be positive

[00:29:31] I think for me it's like I almost feel like gosh we're not doing a good enough job but there has to be some silver linings of things that are progressing organizations that are working together people that I might not even see that are forming alliances to promote

[00:29:43] better diversity in our industry so more voices and more diversity that I think helps the industry can come in. One of the awesome things I'm seeing in Sonu is that a lot of the conferences that a lot of security conferences are

[00:30:00] now advertising that hey if you're a woman we really want you. If you're a minority we really want you I don't care if you're connecting with somebody else who's already doing a talk and you're going to split that talk now

[00:30:16] but they're pushing that agenda and they're making it clear companies are now reaching back into schools and saying hey we want to see more minority kids which then encourages the schools to go into minority communities to recruit. So it's a trickle down

[00:30:36] effect it takes a while to really start to see it gain some traction but it's happening. Right yeah and that's a good point are there maybe mentor programs that you see that could be doing well because I feel that that

[00:30:52] for me it's always been personally rewarding as a mentor to help folks. I just I love seeing people succeed but I also find that I might get stuck in my little bubbles are there resources out there that if I was

[00:31:08] not in the traditional cis white able bodied male that looks like 90% of my industry that I can go out and try to find different people because to me I think getting those different voices are so incredibly important So I'm going to speak from my

[00:31:24] personal experience goes back to my upbringing again about being resourceful. So part of living in a low income community is when you're resourceful you have to ask the right question You can't just go to people and say look I'm hungry and getting food

[00:31:40] that doesn't work. It has to be a win-win so there were I took that to my career when I go to people and I need advice about something I don't just say hey can you be my mentor. I tried that twice and it failed horribly

[00:31:56] and then I was just like okay how do I do this when you know I'm in a different situation so instead of just going say can you be my mentor I went with specific questions. I went and asked people

[00:32:08] specific questions about what are you looking for in a cyber security analyst level 2. What's the difference between level 2 and level 1 and those questions were necessary for me to figure out if I'm meeting the criteria

[00:32:22] if I want to go if I want to convert from an intern to a full time I need to know what this looks like so I can say I am indeed a level 3 based on what you told me I have done

[00:32:34] X, Y and Z. I have to be able to advocate for myself but I can't advocate for myself if I don't even know the rules That is such an important thing and again it's why hearing almost the confirmation bias of what I think about things but also

[00:32:50] am I seeing things in a tunnel but it was the same advice I gave to a young gentleman who's worked with me for a number of years and he's still in the company

[00:32:58] and I had hired him out of college but he was saying you know I don't know if I should be saying I'm at this level I was like well did they tell you yes

[00:33:06] but it's not formal I was like get it in writing put it you know advocate again you'll push for yourself nobody is just going to do something for you you have to go out and stake your claim That is beyond

[00:33:18] true but a lot of people don't understand that so what I like to tell people is everything is a business People hate that they're like no it's not yes it is Now you have to figure out how that business works where you fit in that business

[00:33:34] and how to get to your final destination when I pull up my phone or google maps and I need to go somewhere Google can't tell me where to go if I don't tell them the final destination It's like take me somewhere or somewhere

[00:33:48] Right so when I put it in that final destination it then can give me multiple routes and I get to choose your career is the same way you need to be able to articulate to people where you want to be before they could go

[00:34:00] advocate on your behalf behind closed doors and get you there So what I think my network is google I just have to give them the final destination I've never had such sage advice well someone I greatly appreciate taking the time today

[00:34:17] Where can folks find you online yeah people want to reach out to me You can go ahead and find me at Simone.right at gmail.com or you can reach out to me on LinkedIn at Simone Right Hamer I'm the only right Hamer actually

[00:34:36] and that's right Hamer W R I G H T H-A-M-O-R. Awesome. Well, I greatly appreciate the conversation today. It was definitely insightful, and I'll be sure to put all that information in the show nuts so people can talk to you some more. Yeah. Thank you.

[00:34:54] Thank you so much for joining us today on Cyber Security Interviews. I hope that you enjoyed this interview as much as I did. Please go to cybersacurityinterviews.com where you can find every episode, including show notes and links for each guest.

[00:35:09] There you can also find social media links and just sign up for new episode notifications. Thanks, and we'll talk soon.