a NIST blog
This blog is part of a larger NIST series during the month of October for Cybersecurity Awareness Month, called 'Staff Stories Spotlight.' Throughout the month of October this year, Q&A style blogs will be published featuring some of our unique staff members who have interesting backgrounds, stories to tell, and projects in the world of cybersecurity.
This year’s Cybersecurity Awareness Month theme is ‘Secure our World.’ How does this theme resonate with you, as someone working in cybersecurity?
Everyone has the power to protect information. Like safety – where everyone’s responsibility is to protect oneself and others from harm – security depends on the collective efforts of IT users to ensure information is protected. Such protection is critical as we live in a digitally connected world where threats to information know no boundaries. As a cybersecurity professional, my goal is to help ensure individuals and organizations are empowered to protect information. NIST’s powerful core values – perseverance, integrity, inclusivity, and excellence – and our continued adherence to them are reflected in everything we do at NIST, making us a reference to the Nation, the cybersecurity community, and the world regarding security and privacy. Thus, our contributions to cybersecurity go beyond our support of U.S. federal agencies; they have the potential for global reach.
Describe your career pathway and how that led you to the cybersecurity field.
When I found out the amount of mathematics involved in engineering, my initial academic discipline of choice for a career, I turned to computer science as I was always bad at math. With a CS degree, I secured an IT position with a federal government agency. As a federal IT professional, I was responsible for protecting servers that required maintenance and information assurance. I quickly learned the importance of security to ensure those servers were cyber resilient and the information handled by those servers remained protected. But it was an enthusiastic graduate school professor teaching an enterprise security and privacy course, and a former manager who encouraged me to take the Certified Information Systems Security Professional (CISSP) certification exam, that most influenced my decision to pursue a career in the cybersecurity field. I make an effort to remember the enthusiasm of the professor and the support of my manager when I talk about the work I do. Our passion for our discipline can be contagious and empowering to the point it can define careers.
Describe the role(s) that you play at NIST. What are some interesting projects you’ve worked on recently?
I am fortunate to work with a wonderful and capable team at NIST, and for a superb, forward-looking and empowering project leader. Our team is responsible for the development of standards and guidelines that are used by all federal agencies to help them meet legal requirements for managing security and privacy risks. The NIST methodology for managing security and privacy risks goes beyond compliance: it prepares and enables organizations to actively manage risks versus check a compliance box. This is empowering. Having a standard and effective methodology sets the bar for the entire federal government. This methodology has also been adopted by non-federal organizations on a voluntary basis including state and local governments, foreign governments, and the private sector. The tasks and activities I am engaged in leverage my previous operational experience as system administrator, compliance manager, information system security engineer, information system security officer, and control assessor. I am currently working on guidance for developing testable controls in support of continuous monitoring security capabilities. I am also supporting the development of international standards related to security controls and control assessments.
What is your favorite part about working at NIST?
By the time I joined NIST, I had clocked over 20 years of federal IT and IT security experience as a contractor, and yet I have been learning so much for the past five years I have been at NIST. In addition to the opportunity to learn and to sharpen skills, my favorite part about working at NIST is being able to empower cybersecurity and privacy practitioners and organizations at a national level. It is knowing that the guidance we publish, the tools and supplemental materials we make available, and the support we provide can contribute to an individual’s and/or an organization’s success. Another aspect of the work at NIST that I like is being surrounded by very smart people. It is such a humbling experience to be among experts in their respective fields. Some of them have even been recognized and awarded with Nobel Prizes (NIST has produced five Nobel Prize laureates so far). Finally, the team I work with every day. They are my second family.