Rebecca is CEO of The Privacy Professor®, a consulting business she founded in 2004. Rebecca is a co-founder and President of SIMBUS, LLC, a technology, information security, privacy and compliance cloud services business. Rebecca has been an Adjunct Professor for the Norwich University Master of Science in Information Security & Assurance program since 2005. Rebecca has been providing information privacy, security and compliance services, tools and products to organizations in a wide range of industries since 1988. Rebecca was one of the first practitioners to be responsible for both information security and privacy, starting in 1994 in a multi-national insurance and financial organization that was establishing the first online bank. Rebecca has authored 18 published books and hundreds of published chapters, has given hundreds of industry event speeches, and is a monthly guest on Iowa’s morning TV show, CW Iowa Live, helping viewers understand the latest security and privacy threats and issues and how to protect themselves. Rebecca has led research groups for the IEEE and the U.S. NIST, and is an Advisory Board Member for dozens of businesses. Rebecca has received numerous awards and recognitions for her privacy and information security work. Rebecca is based in Des Moines, Iowa, USA.
Four questions for every featured person on the website:
- Why did you choose cyber-security?
Cybersecurity actually chose me. An opportunity presented itself, and I took it; no one else, men or women, was even vaguely interested at the time in taking it on. I started my career as a systems engineer at a large multi-national financial and healthcare corporation in 1988. I identified a vulnerability in how one of the major back office systems was designed and had an idea for how to mitigate it. I went to my new manager at the time, described my idea and sketched it out on the whiteboard in his office. He wasted no time telling me that it was a horrible idea, that none of the business unit heads would ever agree to do something so drastically different, that it had never before been done, and that they would likely view it just as more work for them. So, I explained how it would actually be less work for them, after which he literally yelled at me, “Stop! Your idea is bad! Quit wasting my time!” I considered quitting that day, but didn’t.
Two months later, at the IT-wide quarterly meeting, the IT Director announced a great new innovative idea that my manager had proposed to the business heads, who embraced the idea and were already taking actions to get it implemented. They also announced my manager had been promoted and would be moved to a different department for his fabulous idea, which they described…and it turned out to be my idea, right down to the drawings I made on his whiteboard. I learned many valuable lessons from that situation. I have often wondered since then how often similar types of situations have occurred.
I actually got onto the information security, privacy and compliance path way back at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare organization.
The programs were all housed in an IBM 390 mainframe (where most of them still are today; mainframes now seem to be high-speed application servers) divided into four regions for each of the several business unit regions.
My change control system was used to move a program from the development region to the test region to the pilot/beta region, and finally to the production region within each of the applicable business unit regions. It was an online system that required authorizations for each of the moves. A manager had to approve, through the online system, the move from development to test to pilot. A director had to approve the move of a program from test to pilot, and from pilot to production, through the online system. The documented procedures required the managers and directors to carefully review the change documentation, and proof of thorough testing as signed off by the program team leader or manager, respectively, before they would provide their approval within the system.
The concept was good. The system was good. The procedures were good. Unfortunately, many of the individuals using my change control system were not so good.
It was a real frustration for me to walk through the many different programming areas (we had around 800 programmers at the time) on Thursdays (the last day of the week for directors to approve of program changes to be moved into production on Friday) and see so many of the directors with their terminals logged on and open to access (no PCs were used in the programming area at the time…that actually didn’t change until the mid-1990s), and not even at their desks or in their offices, so that the programmers could go in and make the online approvals on the Directors’ terminals themselves!
That bothered me for a couple of reasons…
- At a personal level, I wondered why I put so much time and effort into creating a sound, tightly controlled change control system, only to have the people authorized to use it defeat those controls. Many of you may think, “Whatever; get over it.” Fair enough. But then…
- At a business level, I saw how dangerous this was. As a result of these managers and directors not really doing the reviews, each week we had a large number of production moves that had to be backed out on Friday afternoons because of the problems they caused. Many were very minor problems, but some brought the system to a standstill or even messed up the customer databases significantly before the problems were noticed.
After being responsible for this online change control system for almost two years, there was an opening in the IT Audit area. Working on the change control system helped me to see firsthand the importance of controls, so I applied for, and got, the IT Audit opening to learn more about how controls impact business.
After I went to the IT Audit area, the common practice of leaving unattended terminals and PCs logged in and unsecured, allowing others to use them, changed due to my initiative. In 1990 – 1991 I performed an enterprise-wide information security audit. I reviewed a very wide range of departments, and went deep into the details. It took around 7 months to complete. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and assigned me to create the Information Protection department in 1991. I’m so happy I took that opportunity! I’ve been addressing privacy within business since 1994, when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks (why would there be if ours was the first?), so the lawyers in the large organization where I worked said they were not obligated to determine privacy requirements when I asked them if they could get involved. However, I strongly believed it was important, so I convinced my senior vice president at the time to have privacy addressed. He indicated that since I felt so strongly about it, he would give me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations. Since then I’ve welcomed the opportunity to identify privacy risks in new technologies and practices, in the absence of any laws or regulations, in a wide range of industries, and also to identify the cybersecurity controls to mitigate those risks.
- What do you like the most in cyber-security?
There is always something new. Something new to learn, something new to research, something new to help businesses with. Always new types of technologies that need securing. I love the constant changes and challenges of information security and privacy. There is always something new to learn.
I really just stumbled into information security; it was not part of any grand plan. I took the road less travelled (actually not travelled by anyone in my organization at the time), and stumbled into a career I absolutely love.
I also love addressing privacy while simultaneously addressing cybersecurity. I firmly believe that if you wait until there are laws in place to protect privacy for specific types of technologies, information, etc., that can reveal information about people’s lives, you will be too late in being as proactive as necessary. Then, as a result, many individuals could be impacted by a wide range of privacy harms. It is important to remember that laws typically advance very slowly, often taking years to be established, while technology capabilities that bring significant privacy risks advance considerably during this time, allowing many privacy breaches to occur if appropriate privacy protections are not in place. I’ve been gratified to see this trend changing in some areas, though.
- What is the most exciting task in your daily activity?
Wondering what will pop up new. It could be a call from an existing client who is faced with a new cybersecurity and/or privacy challenge. It could be a new client who read one of my books, or attended one of my classes, or read one of my articles or blogs, who has a situation they need help with. I love having new issues to deal with every day, and learning something new every day.
I also love interacting with my clients, and creating new cloud services to help any type of business more effectively improve their information security and privacy environments.
- Why would you encourage other women to choose cyber security for their career?
There are many reasons! Here are a few:
- Cybersecurity is a quickly growing field. There will continue to be more and more job opportunities created as time goes on. The possibilities are endless!
- I’ve found the greatest success over the years in taking on new types of information security and privacy challenges that have not, to date, been addressed. I’ve also found that the majority of those who are in these fields typically want to stay within what they already know. By taking on the new challenges, you can be the trailblazer, and you will not have others telling you that you are doing things wrong (which I often encountered when I worked in the longstanding info sec areas). This not only eliminates unproductive and unnecessary noise from others, it also frees you up to create new types of solutions and businesses. No one can meaningfully tell you you’re doing something wrong in a completely new area of cyber security or privacy.
- The rewards can be lucrative. The more of an expert you become, the more valuable your work is to others.
- It is, quite frankly, so fun and interesting! If you love this type of work, it will not seem like work; it will be something you look forward to doing every single day.
- To have the opportunity to meet new and interesting people, many of whom will become life-long contacts, and in many cases friends.