Guest Lecturer BSU CS 498 Presentations. Discussion to show the different type of roles in cyber security and the value of a team with diverse experience with diverse talent.

1. SKILLS &
CAREERS IN
CYBERSECURITY
WE NEED MORE THAN HACKERS WITH LEET SKILZ)
Sandy Dunn, CISO BlueCross of Idaho
March 9, 2018 12:00 – 1:00 pm

2. Outline • Who am I
• What is my role in Cyber Security
• Career path / different perspective
provided value
• Diversity more than XY or XX
• Security roles at _________
• Finding opportunities
• Skills / Resumes / Interviews

3. Jobs I’ve had
• Waitress
• BarTender
• Pushed cows sales yard
• Filled doughnuts with jelly at bakery
• Rodeo crew
• Radio Sales
• Office Manager
• Software Sales
• Computer Sales
• HorseTrader
• Competitive Intelligence
• ACTTeam
• PSOTeam
• Information Security Officer
• Cybersecurity Product Security Strategist
• IT SecurityArchitect
• Chief Information Security Officer (CISO)
My best skill: saying “I don’t get it”
Goal of Diversity:
Build a culture that celebrates and encourages each employee to be open and bring their best selves and best ideas.

4. What is a CISO ?
• Senior executive responsible for establishing and
maintaining the enterprise vision, strategy, and program
to ensure information assets and technologies are
adequately protected.
• Identify, develop, implement, and maintain processes
across the enterprise to reduce information security risk
• Respond to incidents, establish standards and controls,
manage security technologies, and direct the
establishment and implementation of policies and
procedures.

5. Top Priorities
Top Challenges
My Perspective on
where the security
industry is going
• Ensure our organization is ready for Smart
Healthcare, protecting information, any
where, any time, on any device
• Technical debt, increased availability
expectations, increased threats
• Just like airplanes and cars it took us a long
time until we understood what safe is

6. What do
they need
to
protect?
Who do
they need
to protect
it from?
How do
they
protect it?
• What do they do?
• Who are their customers?

7. Questions
Compliance or
regulatory requirements
?
How is technology used
?
Where are their
customer’s located
How are transactions
made? Invoices, credit
card?
• How do they get paid
• Who pays the business, how?
Do they do
development? What do
they develop?
How do they engage
with 3rd parties?
• Supply chain
• Hosting / Cloud

8. CSO /
CISO
Security
Operations
Incidence
Response
IT Security
Architect
Developer /
Security
Quality /
Security
Risk
Management
IT Audit Compliance
Car
manufacturer
• PSIRT /
Bug
Bounty
• Network
• IP Leak
• Internal
domain
• Cars
Define Security
Requirements
• Security
functional &
non functional
Supply Chain
Software • Red team pen
test
• Red team pen
test
• Supply Chain
• Over seas
development
• ISO – manage
business vs
security
• Privacy
• GDPR
• Fraud
detection
• PCI
• Red team
pen test
Insurance • Respond
to board
• Budget
• Strategy
• Malware /
defense
• WAF
• Network
Firewall
• IAM / AD
PHI Data
Breach
• Application review
• Third party risk
• Security
Awareness
• Business
Continuity
• Disaster Recovery
• Control
review
• Validates
Operational
standards
• HIPAA
• DOI
• FEP
• Medicare
University • SEIM • Forensics • Secure configs • Policy

9. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

10. Tasks
Knowledge
Skills
Ability

11. • Finding opportunities
• Skills
• Resumes
• Interviews
Caitlyn
• Figures out how she can add value
• Works HARD
• Super Positive
• Great Communicator
• Always FollowsThroughhttps://sites.google.com/view/thoughtsoncareerbuilding
BSIDES Idaho Falls
September 15, 2018
bsidesidahofalls.org
bsidesidahofalls@gmail.com

12. Summary
• Many different path to achieve your career goals
• Having different career experiences brings value
to each role
• Many different opportunities in Cyber Security
field where your strengths are a value
• Networking, networking, networking

13. Articles
The HPWeigh: Diversity and the Hardy-Weinberg Principle http://h20435.www2.hp.com/t5/HP-Labs-Blog/The-HP-Weigh-Diversity-and-the-Hardy-
Weinberg-Principle/ba-p/295220
TenThings toThink About ForYour Security Awareness Program https://www.sans.org/security-awareness-training/blog/ten-things-think-about-
your-security-awareness-program-guest-blog
Cyber Security AreWe Winning?
https://www.linkedin.com/pulse/cyber-security-we-winning-sandra-sandy-dunn/[linkedin.com]
Papers
The Scary andTerribleCode Signing ProblemYou Don’t KnowYou Have https://www.sans.org/reading-room/whitepapers/critical/scary-terrible-
code-signing-problem-you-36382
Defending Against theWeaponization ofTrust: Defense in Depth Assessment ofTLS https://www.giac.org/paper/gsna/4623/defending-
weaponization-trust-defense-in-depth-assessment-tls/116997
The BusinessCase forTLS Certificate Enterprise Key Management ofWeb Site Certificates: https://www.giac.org/paper/gccc/210/The-
Business-Case-for-TLS-Certificate-Enterprise-Key-Management-of-Web-Site-Certificates-Wrangling-TLS-Certificates-on-the-Wild-Web/116997
Superfish andTLS:A Case Study of BetrayedTrust and Legal Liability https://www.sans.org/reading-room/whitepapers/certificates/superfish-tls-
case-study-betrayed-trust-legal-liability-37532

14. Questions ?