Ethical Hacker Talks Importance of Cybersecurity, Diversity in Security Industry
In this month’s SECURE Perspectives, Valerie Thomas discusses her role as an ethical hacker, gives advice for women looking to enter the security industry and more.
SECURE Perspectives is a monthly column by the Security Industry Association (SIA) in association with Security Sales & Integration profiling women in the security industry. This column is part of SIA’s Women in Security Forum, an initiative to support the participation of women in the security field through programs, professional development and networking events.
For this edition of SECURE Perspectives, SIA spoke with Valerie Thomas, an executive information security consultant for Securicon LLC specializing in social engineering and physical penetration testing.
At the inaugural Cyber:Secured Forum in June 2018, Thomas spoke on a panel — “The Hacker’s Perspective: Building Cyber Resiliency” — about the value hackers provide to organizations by securing connected products and services and how the security industry can benefit. Additionally, she will be a keynote speaker at Securing New Ground 2018, taking place Oct. 25-26 in New York City; learn more and register to attend.
Prior to joining private industry, Thomas led information security assessments for the Defense Information Systems Agency; her unique defense and civilian background provides her with a solid understanding of intrusion detection, data loss prevention and endpoint security.
As an ethical hacker and consultant, she holds multiple industry certifications. Thomas is the co-author of Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats with Bill Gardner.
Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits and technical security training for executives, developers and other security professionals. She has provided briefings and workshops for DEF CON, DerbyCon, Black Hat and multiple BSides events.
How did you get into the security industry?
My entry into the security field was originally driven by the job market. Not many places were hiring engineers after I completed my undergraduate degree in electronic engineering, but many places were hiring for computer networking positions.
I entered a U.S. Department of Defense internship program for network engineers and was drawn to cybersecurity; however, this was before cybersecurity was mainstream, so there were not as many formal programs as there are today. I sought out those who could educate me and worked my way into cybersecurity testing, which eventually led to a career as an ethical hacker.
How does your organization serve the industry?
Securicon provides physical security expertise to the marketplace. To that end, we have created a free physical access control systems (PACS) security checklist designed to provide guidance in hardening the PACS environment from network and computer-based attacks. Securicon helps customers cost-effectively manage risk by serving as their trusted advisor and operating as an extension of their internal information and cybersecurity teams, without bias toward any product, vendor or service.
What is your current role?
I am an executive security consultant, which equates to the lead engineer of the consulting services testing group at Securicon. The majority of my time is spent performing penetration testing, vulnerability assessments and reverse engineering of various software and hardware. My niche areas are physical penetration testing and social engineering, which means that I get paid to legally break into buildings. It is a very fast-paced and demanding role, but it’s also very rewarding.
What types of job functions do women fill in your company? Is there diversity of roles in your company, or do women gravitate towards certain job functions?
Our female workforce at Securicon is very diverse. We have women in a number of technical roles, such as consultants and engineers, in addition to business development and management positions.
With more and more data that shows diversity makes a better workforce, what opportunities do you see for women in the security industry? What impediments do you see for achieving this? What could remedy some of these impediments?
The current workforce shortage in the security industry leaves a lot of growing room for women who are looking to make career changes or for those who are already in the industry to try new roles. One of the biggest hurdles is lack of knowledge about the types of career paths that are available in security. There is a stigma that working in security means being either a technology wizard or a security guard.
The industry is full of positions that don’t fit a typical security role — such as instructors, graphic design specialists and writers. And don’t forget about managers — a manager who can effectively run and grow a team of security professionals is a rarity these days.
What do you see as important technology trends in the security industry?
The gap between cyber and physical security is rapidly decreasing. Physical security systems and components historically did not integrate with enterprise computer networks, but now that they do, organizations must learn to manage these systems differently.
Physical security vendors and integrators also must adapt to a new type of dynamic support approach in order to address discovered vulnerabilities in their products and provide patching solutions to their customers. This paradigm shift requires a different way of thinking and culture of integrating teams of people who do not normally work together or speak the same technical language, so there is much work to be done.
What do you hope the Women in Security Forum can achieve for the security industry?
My hope is that the Women in Security Forum can act as a haven for women who are in the security industry or want to get into the industry to network and learn about opportunities that are available to them while also getting candid advice and feedback from those who are more senior in the industry.
What advice would you give women who are in the industry?
Never stop learning. The security space is ever changing, and to be successful, one must be able to adapt. Interested in ethical hacking or industrial control systems? Go learn about it! Many online and local groups exist for the sake of learning and networking.
Who or what was the strongest influence in your career (e.g. a mentor, an event that inspired your career decision)? How do you define success?
I wasn’t aware that ethical hacking was a career option until reading The Art of Deception by Kevin Mitnick. Over the years Kevin and I have become good friends, and we often exchange concepts for new approaches to hacking and securing systems.
How do you define success?
I’m a firm believer that the definition of success is unique to each individual. For me, success is having a career that pushes me to learn and do more than I ever thought that I could while still loving the work that I do.
How do you achieve work/life balance?
My key to balancing work and life is to remind myself that there are often days to weeks that aren’t balanced — and that’s OK. The idea of achieving a perfect work/life balance every day or every week often adds excessive pressure to squeeze more than 24 hours into a day. As a mother, I try preparing my children for periods of time that are extra demanding at work by discussing what is going to happen as far in advance as possible and completing family tasks together. This approach helps them anticipate my late nights in the office or travel while also teaching them planning skills.
What would you say to new upcoming women in the industry?
Welcome! This industry needs people just like you who are ready to change the way the world sees security. My biggest piece of advice is to never underestimate the power of saying “I don’t know.” Many people in this industry tend to think that they should know everything about everything, and it simply isn’t possible. So, don’t be afraid to answer with “I don’t know” as long as it is followed with “but I’m going to find out.”
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!