
Margaret White is with Bank of America. I want to thank Bank of America for being second-year Higher Ground sponsors. Thank you. So Margaret and I have known each other a few years. One of the other volunteer things that I do is I work with the Women in CyberSecurity conference that is put on by Tennessee Tech and the National Science Foundation, and I had an opportunity to hear Margaret's presentation a few years ago, and I asked her if she would do this presentation. So before we get started, can I ask... GuidePoint? GuidePoint, thank you. Without further ado, Margaret White from Bank of America.

Thank you, Kathleen. Thanks for having me today. I know you guys are probably already getting a little bit tired, it being the afternoon already on day one, but I imagine that all of you who are in this room are here because you're interested, invested in your careers, wanting to know perhaps what you can do next, what you can do with what you've done and what you know, and maybe feeling a little overwhelmed by all the possibilities for what's out there. So hopefully I can help you with that a little bit.

I've been with Bank of America for 15 years. I'm an information security engineer on our operations side, which is a new role for me. I'm very new to SecOps; it's kind of uncharted territory for me. But I'm one of a team of over 2,100 employees who serve to protect our more than 46 million consumer and small business customers from the bad things that can happen to them and to their money. These are customers like you, each of you, and me, and our ability as individuals to take care of our livelihoods and to live our lives and do the things that we want to do. So I'm very proud to be part of an organization that serves to protect all of us who are here. So
that's a daunting task, but it's been a long path, and I want to explain to you a little bit how I got to where I am, because I did not start on this path. Growing up, my mother was a primary influence on me going into tech. She always talked about STEM, STEM, STEM, so I had a lot of opportunities with camps and whatnot. I participated in Science Olympiad, even went to Nationals four times as a kid, which I was kind of proud of, and I'm still very passionate and excited about it as an opportunity to introduce kids to STEM and get them interested in the things that they can do out there. My mom was actually a physics major, and she worked in the semiconductor and aerospace industries, and her last role before she retired was as a software engineer working on interface control systems for satellite command software.

So ultimately I ended up majoring in computer science with a focus in software engineering. I didn't like hardware, I didn't like networks, and back then that's where security was. I was adamantly opposed to doing anything with security as well. I said, I want to build things, I want to make things go; that's what I was interested in. And you might wonder how I ended up at a bank of all places when I wanted to work in tech, and that was just a matter of that period of time. There weren't many entry-level jobs for computer scientists at that time. Most of my classmates were staying on for grad school and getting Department of Defense grants, and I knew I needed to pay my bills, I needed to pay my student loans, I wanted to get out into industry as soon as possible. And it just so happened that Bank of America was one of the companies that was recruiting on campuses then for technologists. It was ironic: at first I turned down a couple of opportunities that were within our networking group because I said, no, I really want to do software. Thankfully, my naive self got a phone call a few weeks later from a couple of guys named Dave that wanted to interview me and ultimately wanted to hire me, and at the time I thought it would have been only slightly more ironic had it been two guys named Bob who had wanted to talk to me. Funny enough, in one of my first roles working for these guys, my first week on the job, I was actually reading TPS reports, which are actually a real thing when you're doing performance testing of systems. So that was kind of funny and ironic; I enjoyed that. So starting out, I was involved in this campus training program with 45
other campus graduates. We were in training together, got to learn all about corporate culture, working for a big company, being part of a financial services institution, and then started my job. I've been with the company now for 15 years and I have had many, many different roles over that time. I've only been truly in security roles for the last four years, so sometimes I feel, as some of you may in your roles, and there was some talk about this this morning, there's some imposter syndrome once in a while related to that. But what I want to talk to you about is that I don't regret my career path, and that's because I have learned how to connect the dots between the things I've done, the things I've learned, and what that means from a security implications perspective. And that's what I want to talk to each of you a little bit about: how to connect those dots for yourself, how to draw upon your own experiences and how to connect that together.

So the three things that we're gonna consider are what we try to protect, why on earth we need to protect it, and how to actually protect it. Just three simple questions. Anything you work on, anything that you've done, you apply these points to that and you can connect all the dots together on really how to be a successful security professional. So when you consider
knowing what you're trying to protect, this one is probably the most challenging for a whole lot of us. It's certainly the one that I most often have to remind myself of, and this is where it comes down to knowing something inside and out, knowing it intimately, knowing what the business is. If you work in a security organization within a larger company, or even if you work for a company that solely focuses on security, you still need to know what on earth it is that you're trying to protect. I talk a lot to college students and high school students about what to do with their educational paths and their career paths and what to look at, and I like to share a couple of basic examples related to that.

One is a friend of mine, Carla, who is a prolific seller online of high-end clothing, to the point where she actually qualifies to pay taxes on what she does with that. She's an IT professional in her full-time day job, but this is something she does on the side. If you think about Carla as an individual, much like us, the things that we have to protect are who she is: think about her identity, her authentication credentials for her online profiles, how she purchases the merchandise that she sells, how she purchases her own groceries and pays her bills and the things that she needs to do for her own livelihood, and then even her reputation as a seller online. If she's going to have an eBay profile or an Etsy shop, she needs to have a solid reputation in order to attract and keep more business, keep repeat customers, et cetera, and have people trust her with their money for the goods that she's selling.

A corporate example, and bear with me with this example, would be a major motion picture studio. If you think about that for a moment, we know some examples. The things to think about from that perspective are, their business is their intellectual property. They have supply and demand related to creative projects that they put out there in the marketplace for entertainment. That's their business, that's their bread and butter, their livelihood. To do that they have complex business operations, and they have to have the technology infrastructure to support that: the operations to be able to create these projects in the first place, the ability to do their distribution and their marketing and internal communications, paying their suppliers, paying their staff, a lot of complex business operations that go into that. And then the last part of that is reputation. For them to be able to continue that business of what they do, they need to be able to attract financing, they need to be able to
attract top talent. They're not going to be able to sell their movies if they don't have the biggest stars, and so they need to be able to do that. These are the examples of what we're trying to protect.

If you think about the why, the why is all about knowing the worst-case scenarios, of which unfortunately there are many, many examples in the security industry, worst-case scenarios that happen to anybody: individual customers, corporate customers. These worst-case scenarios are the things that you want to prevent from happening. So in Carla's example, clearly we don't want Carla to have a loss of income because she's no longer able to sell her merchandise online, but then there's also the fact that she's doing online payments, so there's the potential for fraud to be perpetrated against her. She could suffer identity loss, which not only impacts her ability as an online seller, but that impacts her personally. Ultimately it could affect her credit report too, not just her ability to spend funds; if you get a bad credit report, that can impact your ability to get a job. It has nothing to do with what she's doing online; it could affect the rest of her life as well if she were compromised, if the worst-case scenario came to fruition for her.

For the corporate example, for a major motion picture company, we know what that can look like when the worst-case scenario happens. It's incredibly difficult to recover from. You can suffer huge financial losses for long periods of time simply because you've had a perfect storm, a tragedy of errors if you will, when those things are aggregated together and are realized and compromised. In this particular example it impacts their ability to have a big demand for their intellectual property, for new movies coming out. If you don't have the anticipation anymore for a big blockbuster movie coming out, then how do you make money on it? It's not going to happen. And also the potential to lose their investors and to lose the talent that they want to have be part of their projects. Long, long-term ramifications ultimately can come from that.
So when we go to the next point: we've talked about the what with these couple of examples, we've talked about the why, and now we talk about the how. And the how is something that everybody who's here at BSides, a lot of us, do a really awesome job at. I mean, we have a whole lot of smart people in the industry who know exactly what to do, how to prevent these things, how to recover from these things, the entire kill chain. So there tends to be a laundry list of things that you apply to prevent and recover from any of these things happening and how to respond to them. I mean, in Carla's example, use of multi-factor authentication would be a huge step, for one thing that helps prevent a lot of those implications. For the corporate example, better network protections are huge, obviously; educating a company's employees about phishing is a huge step as well; and then email encryption, to protect the reputation of individuals who represent that company.

So to share my example and what I've done that helped me connect these dots, and hopefully this is an example that you can use in your own careers: I look at every role I've had as being a different cog on the wheel, all these things that work together. If you know what that next cog on the wheel is responsible for, the next one down, it teaches you more empathy for what those roles do, it helps you anticipate what they need from you and what you can do to contribute to those. I mentioned that I didn't want to do anything related to networking and security, and that I wasn't interested in that back then because I was a little naive and had no idea that they were all interconnected. But a couple of things about that. You can see here kind of a list of some of the different experience I had. I spent 11 years in our customer data space, so all the things that an individual customer like you and
me does to interact with our finances with a company is where I spent my time for quite a number of years. A couple of the examples here: after I got done reading and creating TPS reports, I got into a role where I was doing database analysis. We needed to be able to re-platform our systems to keep them scalable, to be able to do new things. So let me clarify: from a software engineering perspective, my bread and butter was SDLC. That is what I was focused on, the entire lifecycle for delivering new software. Security was the furthest thing from my mind. So in this database analyst role I built data dictionaries, figuring out how we were using our data, how it was flowing, so that we could build new, better, faster, more scalable systems, more reliable systems, have better data integrity, and that was a really eye-opening experience.

I put a note here about least privilege as well, because there was also part of that responsibility where I had to load new lists of values to our customer databases for products and accounts, and there was an instance where I wiped out a pretty important table in our test environment that was used in our integrated testing. I pretty much single-handedly brought down all integrated testing for individual customers by wiping out a table inadvertently, because I had direct update access to the database and I messed up. It was a mistake. Thank goodness I was not in the production environment when I did that, because it was the same script, it was the same commands, it was simply a different place to run my script, and I just as easily could have had that kind of impact in the production environment. So even back then there was a need to be protecting me from myself, and that's something that any of us who are part of a security organization inside a larger company, we're protecting us from ourselves in a lot of cases. That's just one of many examples.
From there I moved on to a role in application design, so anytime we had technology projects where we were innovating, creating new functions and products and services for our customers, I played a role in that. One of my first projects, I was actually part of the project where we first rolled out security and fraud alerts to our customers, and in my mind, even though the project was called security and fraud alerts, I was not working in security. I was delivering software, I was delivering a project. My role in that case actually was building out every single use case for every customer interaction with their bank accounts and with the company. I had to think through every possible scenario of what a customer would do and build out the use cases, with all the functional test cases and test plans, to be able to ensure that any time a customer is doing something with their accounts that maybe somebody else could do in a nefarious way, we needed to be able to inform them and make sure that they knew what was going on with their accounts and with their online profile from a banking perspective. So these were some of my early forays into security that I didn't even realize were going on in my head, but it was part of my day job; it was integrated into what I was doing.

From there I went into a number of other roles, but ultimately they all revolved around knowing the data, knowing what it was doing, knowing how our customers needed to interact with us, and how to take care of them and protect them. Eventually I moved into an application manager role. I told you how I worked on alerts, and ultimately I ended up managing that application, and even to this day that function sends six million alerts every single day to our customers. I told you we have more than 46 million individual consumer and small business customers; we send them six million alerts every day. Now, those aren't just security and fraud alerts, but it's event management; it's information about what they're doing, what their accounts are doing, what their transactions look like. But managing that application included a lot of other roles. I had to keep the lights on with this application. We needed to ensure that we were delivering notifications to our customers, not just because it's nice to have and it helps prevent fraud for them, but also from a regulatory perspective. Some of these alerts include things like statement notifications, and there are laws that require customers to be given their banking statements, and so that delves kind of into compliance requirements that we don't often talk about in the realm of security, but it's very closely related to security as well as risk.

So from an operational risk perspective, I had to know how to recover my app if there was a smoking hole in the ground, guys, the data center no longer existed. I had to have a plan for that. I had to know, hey, how are we going to get the system back up and running if the data center is out, so how to recover from that. And also implementing change. I told you my focus had always been SDLC. Well, how do you change systems that provide services to customers 24 by 7? How do you change those and touch those without impact? So being able to implement change without having negative impacts to the customers was a huge part
of that, and this was a huge amount of overhead that I had as an application manager, that every application manager has, especially working for a large company. There are a lot of rules you have to follow, there's a lot of governance, there's a lot of checkpoints to make sure that we're taking care of business, and that was a big part of my job. It took away from focus on innovating, and I was really having to focus on a lot of governance, but so were all my peers. And because of that overhead I started to learn why we had to protect our systems. As I had these programs coming to me saying, hey, you, app manager, you have to do this, I had to learn why, partly just because I wanted to know why the heck I was spending time on it and why my team was spending time on it.

But then I was asked to take on a new role, because there was so much of this overhead and we were repeating ourselves day in and day out. We had 70 customer data applications to worry about at that time, and so we said, hey, we need to have somebody who's running this stuff and making sure that we're keeping on top of security requirements and risk and compliance requirements. And my boss at the time, he actually raised his hand and he said, hey, you know what, Margaret is the process queen. Margaret always asks the painful questions: why does it work that way, why are we doing this, what happens if you do this. And so I moved into a role where I was overseeing that whole portfolio for all these applications and trying to make us, like I say here, safer and more secure and more compliant and following the rules, but doing it in a way that made sense. We have so little time and it's precious to us, and we want to make sure that we're doing this in a way that makes sense. We still need to service our customers at the end of the day. They still need to be able to bank. We need to be able to deposit our paychecks and we need to be able to pay our bills as individuals, right? So you want that protected, and you certainly don't want anything happening to you as an individual customer of a bank that would impact your ability to do that.

So as I was doing this and trying to do this with my peers, I needed to be able to tell them the story. I needed to be able to explain the narrative: why you have to do this, why you need to be PCI compliant, why you need to do ethical hacking on your application, what are all those things that could go wrong. So to
learn more about that, I started going to conferences and talks and seminars to try and learn more. So I actually had the opportunity to hear a couple of speakers early on in this sort of risk management role that kind of blew my mind. One of them was a post-mortem of an industry event related to a very small ATM card processing company that resulted in the largest ATM drawdown in history at the time, and it was really interesting to listen to the post-mortem of this attack, because they kind of told the chronology of what happened. The first thing they talked about was that this company had grown through acquisition, so they struggled with asset management because they had data centers here, data centers there; they were spread out geographically and physically, and that opened them up to having somebody being able to walk into a data center and plug into a machine and get on their network. Then what happened was, with the proliferation of social media, I mean, if you're a software engineer you want to brag about yourself on LinkedIn and talk about who you are, what your technical prowess is and what the cool things are that you've worked on. From there it was easy enough to social engineer their way into knowing who the developers were on those card systems, to be able to send an email and say, hey Joe, I'm working on this project and I could really use those database schematics from you, if you don't mind sending that over to me. So sure enough, of course you're gonna collaborate in that sort of environment and share that information. From there they were able to get into the code repositories and change the code to remove the withdrawal limits on the ATM cards. From there they were able to get into the database that had all the records for phone banking, for this company's customers to call in and change their PINs. The PINs weren't encrypted, probably not a great idea. So when you think about worst-case scenario, I mean, this isn't yet another... it's a tragedy of errors, a perfect storm. You aggregate all these things together that on their own might not be a big deal, you might get to it eventually; you put those things together and you have a pretty crummy situation. So all that I just described took place in two weeks. Two weeks' time, that was it. And from there that group spent an entire year creating counterfeit ATM cards and lining up people to stand at ATMs one Saturday morning all around the world and withdraw more than four million dollars all at one time. I mean, listening to this example, this story, when somebody told this to me, I was on the edge of my seat. I was like,
holy crap, any of those things can happen at any company. I mean, that's life, that's how big companies evolve, that's how complex technology evolves. There are all kinds of loopholes there that you could connect together and have bad things like that happen. And to me I was like, oh my gosh, okay, I know all this, what about banking technology? Now I have a really good example of why we need to be protecting it, because, oh my gosh, I don't want that to ever happen anyplace where I'm working.

A second example: I had the opportunity once to hear Dan Geer speak, and he spoke about the trade-offs in cybersecurity. If you haven't had the opportunity to hear him speak, I highly recommend that you take a chance to look him up. When he talked about the trade-offs in cybersecurity, it was kind of about the balance between the convenience of the data that we have and harvest and gather, and the trade-off of how to secure that, and finding that balance somewhere in between, where you can still have that convenience with the data you have but then not have those worst-case scenarios happen. When I heard him speak, he gave me goosebumps. I mean, I went home that night and I was like, okay, I think I just found a turn in my career path. I need to get into security, because now that I've spent my career learning about the what, I'm learning more and more the why, and it scares the heck out of me every time I hear another example of a worst-case scenario. And then I said, whoa, what do I do? I need to learn how to protect us from these things, and that was kind of my next step.

So that evolution of knowing what... remember I mentioned that I was in a training program when I started at the company? Well, one of the guys who was in my training class, so this is like 11 years later, I call him up and I'm like, hey John, how's it going? Caught up a little bit, and I said, look, I've been getting more exposed to some of these things and I want to learn more. I feel like I need to learn more about how to protect things so that I can be better in my role in this technology organization, because this is a big deal and this is scaring me and I want to be a part of this. And at the time we were actually creating a role of business information security officer, or BISO role, a business information security officer. That was kind of new in the industry at that time; there weren't many, and really the goal was to be a
security evangelist to the technology organizations, to be able to take these stories, these worst-case scenarios, and apply it in context around the what, to help influence my colleagues: you know, hey, I understand your business, I understand that this is what you do, here's why you need to be protecting it, and hey, look, I have this team of more than 2,100 of my teammates who could come and tell you how to protect it and help you protect it; let me help you. So I moved into that role in our security organization, and what was interesting was I was not facing off with the organization I'd come from, which supported individual customers. I was now supporting a technology organization that worked with corporate clients, so I had to be able to connect the dots and figure out, well, how does what I did before apply to this business context, and connect the dots between that. And I also had to be able to convince these other app managers who worked on totally different systems; I had to convince them of the same thing that I'd convinced my peers of years earlier. By walking in, in some of the first conversations I had with these tech execs, my business partners, to sit down and gain some credibility with them, I said, look, your app managers have the hardest job in the world. They have the hardest job in the company. I get it, I've been there. We're asking them to do so much that it almost, it can paralyze them if we don't work together in a smart way to do it. And that helped give me credibility, because they understood that I'd been in their shoes, and that helped them listen to me when I said, listen, you gotta care about this, this story, this worst-case scenario that we've heard about. So working with other teams within cybersecurity, it helped me be able to tell those narratives.

So what I ended up... I mentioned at the beginning I'm new to SecOps as well, so recently I moved into a new role within our operations team, so, cyber security defense, and my role there, I'm overseeing a transformation program that's taking a look at our existing operational processes from a security perspective and breaking those down into the processes, the nuts and bolts: what are we doing, how can we do it better, how can we anticipate what the future threat landscape is going to look like, so that we can be better, smarter, faster. And so while I'm new to SecOps and I haven't worked in that, the experiences I've had in the past, so the ability to take a process or a system and deconstruct it and understand the nuts
and bolts, it's directly applicable. The time I spent as an app manager keeping the lights on, working production incidents, working overnight to deploy change without impact, those were all directly relevant to the SecOps world as well, and being able to relate to my teammates in that space and understand their processes too. So I tell you all of this because what I want to reassure you of is you can look at your own experience and your future experiences; it's a matter of looking at those ways that it ties together, connecting those dots and looking at that context. As we do resume reviews and career coaching here over the next couple of days, I encourage you to consider how to draw on your past experience and how to connect those things together, because they really are connected and they all lead to cybersecurity. You may even find that it makes sense to take a step out of a security organization and do something with a security lens out in the business, to be able to understand the what, and then apply those three things together and see how the what, why and how tie together.

The other thing that comes after that is really the one where we operate very much in a "we must protect all the things all the time everywhere" mode. That's not necessarily scalable or sustainable, so the next step with that is really to think about how we can provide the optimum protection from a security perspective and work smarter and be able to do that. As we look at the tools that continue to evolve to help us do that, I mean, the MITRE ATT&CK framework is a great example that helps give us an inventory, a matrix of, hey, these are the bad things that can happen in this context, here are the things you do to protect it, here's how you protect it, and it can help us work smarter, better, faster from a security perspective. Thank you for your time.

[Applause]