I'm Douglas Brush and you're listening to Cybersecurity Interviews. Cybersecurity Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders, and individuals who shape the cybersecurity industry. I discover what motivates them, explore their journey and cybersecurity, and discuss where they think the industry is going. The showlets listeners learn from the expert stories and hear their opinions on what works and doesn't in cybersecurity.
Hello and welcome episode 120 of Cybersecurity Interviews. This is another episode in my Rising Star series and we're speaking with Simone Wright-Hamor. Simone works at Pacific Northwest National Laboratory as a Cybersecurity researcher while pursuing a PhD in computer engineering at Iowa State University. She has spent the last decade of her life in turning
out a variety of organizations. She has 10 internships in more than six different organizations, including public and private industries, ranging from Fortune 500 companies like Microsoft to successful startups such as Smart AG, State Government, and National Laboratories. Simone has spent the last five years of her career working in the cybersecurity field. While completing research, she has helped protect the infrastructure for the state of Iowa and ensure that startup
companies are developing software with security in mind. In this episode, we discuss getting started in information security due to responding to an incident, an early upbringing which prepared her for cybersecurity, bridging theory to engineering, teaming with Dev and security teams the importance of project updates, increasing diversity in the industry, and so much more. I hope you enjoyed this episode as much as I did. Thanks for listening.
Alright Simone, thank you for joining me in Cybersecurity Interviews. How are you today? Are you? Doing great. It's actually a mountain boulder right now. It's one of those days where we were half prepared for snow and half prepared for 80 degrees weather. As with Cybersecurity, we have to adapt and overcome to the weather much. Where are Bachelor you looking at? I am located in the Tri-Cities, Washington, so the Richland, Kinwick, Pasco area.
Oh, very nice, very nice. So for the listeners that might not know too much about you, how did you get started in cybersecurity? I actually felt in cybersecurity. My background is in software development. I was working for a company and they had a breach that cost them a lot of money. And that was the first time that I considered cybersecurity my problem up until that point. It was someone else's job. And I was lucky that it wasn't my code, but it was so close that I took a step back
and said, you know what? I think I need to start thinking how the code I'm developing could actually be causing problems. And so I decided that I needed to learn more about cyber. Interesting. So was there anything, you know, it's funny, you know, sometimes when people get their first incident or breach or things like that that happen to usually run away
from the fire, but it seems like you kind of leaned into it. Was there something about that moment a bit or looking at in that perspective that says, hey, this is something I actually wanted to get more involved with. I actually contribute that to my upbringing. So I actually come from a low income background. And so being in that type of environment, you learn
to think critically and use your resources to get what you need. And just coming from that background, there's a general assumption that if you need help, you're probably going to have to make it happen for yourself. So that mindset and growing up in that environment carried over to my career naturally. Even though I was no longer struggling to just basic
survival, that process of thinking had been naturally ingrained in me. So when the security breach happened, I naturally thought, all right, what resources do I have to make sure this is never me? God, you was there anything that might have surprised you about it?
You know, when you talk about application security and all these other things that, you know, I think a lot of folks have this vision of incidents being these very overly technical things, but I was wondering if in this case it was something that might have been more simple or simple, or things that you said, hey, wow, look, here's some of the basics that could have been done in the lessons learned phase that you were surprised might not have
been part of the whole process. I would say I made a rookie mistake of believing that everybody wanted security. And that it was, you know, if I could mathematically show a company, here's a potential loss, that they would just buy in and be like, here's all this money goes off the world. That didn't happen. But what I did do, again, coming from my background, I just had this natural inclination to manage risks. So when you're coming from
a low income background, almost everything you do is a risk. It's a trade off. You don't have the basic resources. So it may be that this month your lights got cut off. Or you're always having to balance the risk and decide what's going to be best for you in the moment. So that part of cybersecurity actually came naturally to me. Yeah, it's interesting. I often tell folks, you know, it's the constraints build innovations
at times. You know, it's kind of learning to fight with one hand behind your back. You can come, come very adept at it in a certain way because it's almost the opposite I've seen with with folks where they have almost too many resources than then it's like analysis per analysis. Sometimes it constraints can help guide you. Yes. So in your education, what were some of the things, you know, again, we were talking
just to record you, I've been doing this for quite some time. And when I started the industry in the 90s, there wasn't things like, you know, there's very basic kind of computer stuff. There was a bit heavy focus on mainframes and things that were, frankly, were really not the focus of most computer science or education degrees today. What were some things that drew you towards computer engineering and computer science?
What drew me towards computer engineering versus computer science was the fact that computer science is very heavily based on theory. And there wasn't very much application. So the reason I stray away from that is it leaves people to believe that just because you understand how computers work, you can do everything. And I know based on my upbringing, that just because you were taught something in the class, doesn't mean it transfers over directly
to real life. Again, that goes from that low income background, trying to apply the things I learned immediately in school from how to count knowing that one plus one equals two. Okay, how does that transfer to my life right now? I know I have two dollars. I know this, you know, I may know that the Mac and cheese costs 250. Now I got to weigh some options
here. So that low income background has always played into my career. Having to take the skills that I'm learning today in the classroom and turn around less than 20 minutes later and do it in real life has propelled my career. I took that to my undergrad. So the computer science focused on a theory, but the computer engineering is where you're bridging the gap
between the theory and the application. So now I can push the frontier of science from an application standpoint, which in my mind, cybersecurity is an applied field. Definitely. Are you starting to see two more of the integration, you know, as we talk about some of this with that mindset of, you know, really kind of pushing more of the cybersecurity, you know, as we say kind of an application security development was pushing
laughter, putting it more into the process is there more openness that you're seeing now for folks willing to really kind of put either security people at the table have the discussions look at it from a process flow as opposed to, hey, we're going to deal with this after the fact. It's very hard to get people to buy into that idea. I've definitely been pushing that, but getting them to buy into the process flow, he's the assumption that they had a process to begin with.
Yes. I offer that folks. Hey, what's definitely if you want to look at abstract, what's your process documentation? I'll take a look at it and be like, oh, yeah, we don't have that. Yeah. So that I found a lot of organizations. And I've definitely used a lot of that pain in various organizations, but they don't have that. Then, okay, we need
to take a few steps back. But it's funny. I mean, it's sad at the same time. It's, it feel like there's a lot of fundamentals of when you look at engineering, particularly around application development that some of these things, some of these problems have just translated from one flip platform to the other. So when we were looking at things and very, you know, pre-adjile, very waterfall client server applications, a lot of these
things were still there. Now we're seeing it, you know, when I look at everything from containerized applications, like, wow, we're still doing a lot of things that the process is not well defined in the process doesn't have security gating controls. So I would argue that again, I come from a software background. So when I came into cyber, I'm off. I'm like, where's the process? How do you fit into my picture? So in my mind,
there needs to be an agile development process that incorporates security earlier. And we seen these issues with the cloud where we had software developers who were fairly new and companies would go to them and say, hey, I want you to put everything in the cloud. However, the people who would make those decisions didn't necessarily understand the processes that happened in the background and the separation of duties. They didn't
understand that there was, or they may not have been cognitive. It may not have been at the forefront of their mind that we have a separate team doing the networking, setting up the physical ethernet cables, putting, you know, the server in the server rack. We have a separate team that is doing the setting up of the software, installing the OS, installing the web server, giving it external access. We have a separate team doing security. We
have a separate team doing the software development. So when they went and asked that young junior developer to put everything in the cloud, who has no background on security, networking, or how to set up a web server, they usually turn to the internet because there's kind of a bit of shame there that they don't know. They get a stack overflow and then they do what stack overflow says, which again, may have ignored all of the controls. Now you just
put all of your stuff public facing and boom, there's a breach. So software development needs to incorporate these other duties because we're not, they're not separated anymore. Those methodologies that we had in the past worked because they're with separation. Now we need something that exists that incorporates everybody because there is no separation. Yeah, often we try to say, well, we've been saying for some time now, you know, security
really is a team sport. Everybody has to have their kind of saying it. But you know, for me, I'm probably horrible application developers for, you know, hands on keyboard coding, better understand the process flow and security part of it. But I could definitely see where, you know, I've been a little bit felt maybe outside of my comfort zone when talking to
developers who might be the smartest person in the room when it comes to that area. And I feel there's always this, I kind of this river to cross between the two of us, you know, when I'm talking application people about security because they look at it as very much, well, I don't really understand what you do. And I'm like, well, I don't understand what
you do. Is are there ways that you've, that you've helped kind of bridge that divide? So people say, okay, maybe there's a commonality in what we're, we're kind of moving towards. I have helped bridge that divide by being on both teams. So a good example is I worked for the state of Iowa during the election season and they had to come up with these last minute websites that displayed updated results every so often. There's pushback from security
team like, hey, nope, we didn't have enough time to go vet this. There's pushback from the, from the software development team like, I don't really have enough time to deal with all your controls. So by sitting in the middle where I'm sitting down with the coder going through, I'm like, okay, I see how you architected that. Can you put this, this, this, this, and this right there? Can you extract this part out, make it an interface
and then use this interface for everything you do that does this? Then go back to the security team and say, okay, cool. I saw and made sure they had these, these, these controls did you like anything else? So by sitting with both parties and separate meetings, I kind of decreased that, that back and forth time to development to launch because we just didn't have it. And the CISO at the time, Jeff Franklin, it was very receptive to this and understanding
and he was like, you know what, I have pressure to make this happen. I will give you rains to go, but you know, as long as you report back to me and let me keep me in the loop. Yeah, and I think that's a really important observation and point that I've seen when I've served in that capacity, you know, with the security leadership is, I think a lot of folks think, oh, you know, the CISO or security leaders going to want to be really hand
on the weeds and disrupt the process flow. And for me, it's like, no, I just want to know the right things are being done and that there's visibility. The big thing is like saying, hey, is there visibility? Are there right, you know, reasonable security controls in place? Yes. But again, when this whole situation came about, I stepped forward and suggested
this. It wasn't somebody come to me and said, hey, someone can you do this because it's not, and it's not like they have my resume sitting in front of them and they're saying, oh, she has this background, she's in security. Why don't we just have her do this? They usually don't. I had to identify that need for both parties and fill that gap. So, it sounds like at least if not a huge degree of self advocacy for that, say, hey,
look, you know, really have to assert yourself into that a little bit. Did you find that challenging with folks in the room that might not be willing to just have an outside voice come in? So, this goes back to this background of, you know, having a low income background, there's, you have to learn to advocate for yourself to get your resources. So, naturally, I grew up in an environment where I always had to barter, right?
So, when we were in the room, we were presenting this, by the way, I was an intern. I sat down with them and I'm like, hey, can I make a suggestion? Everybody's like, yeah, what is it? Because at this point, they have been arguing back and forth. You know what? I have a software development background. Here are the companies I worked for. I want to remind you of that.
I'm on the security team. How about we do a trial where you create the first website and I sit down and work with you and the software development team to understand your processes and make sure that we can add enough checks into, you know, make everybody feel comfortable and still meet our deadline. And they were like, you know, at first, Jeff was like, okay, well, I think about it. Less than five minutes later when we walked out the room, he goes, you know what? I really need to
meet this deadline. The governor's pushing it. I'm going to give you some rooms. I'm going to take you off these three projects and I want you to focus on that. I'm like, I got you. No problem. I literally took it upon myself to send him a weekly detailed update and an email. I knew he was busy and then I just told him, hey, I'll send you an email every Friday by 5 o'clock detailing what
I did for this week in the security control. To that, I commend you on that because it's an interesting thing that I think it's lost and I'm curious to where you developed this, but the communication skills of keeping people up to date because again, for me, when I've delegated certain things, it's like, again, I want to know immediately if there's a problem and if there's
some solutions, other than that, yeah, like a weekly check in would be great. Where did that come from in your mindset to develop that because I feel that still a very lacking trait with a lot of folks in our industry? To the two parts of this, one my mom worked in customer service for 20 years and so she had this model that in order for your customer to be happy, they need to be in the
solution loophole and they need to be aware of what's happening. So if a customer calls right now and says, hey, myself on broke, even though you're working on getting them a new one, you do not go three weeks without contacting them. You need to send them an update periodically to let them know, hey, I haven't forgot about you. Here's where I met with that status and I will keep you posted. I'm trying to push for this deadline, but do not make it sound like you're guaranteed to hit that
deadline. Let them know that you're pushing for that deadline, but there's no guarantee you'll meet that deadline. That's all people want. They want to know that they're heard, they're seen, and you're keeping them updated on the progress. So that and being the oldest of my siblings, I always had to check in with my mom when she had to go to work and I had to wash my siblings.
And so that became just a natural part of my environment, is keeping the people who are in charge aware of what's going on, the situations, give them key details only and then move on. I always say, you know, the best thing you do is tell me in bullet points, lots of white space, I have to read something quickly, you know, the executive summaries work great.
With that too, it sounds like you know, you find yourself in these positions, at least as one we need to, of kind of doing that translating of concepts from one party to another, from one team to another. How do you, how have you figured out how to do that at scale? Like are there a lesson from that you have to say, hey, if I had a better way to course on this and really kind of teach, but are there the executive summaries of how you can do that? Because that's again,
somebody where I feel so lacking in industry at times. It's like there's such a focus on the hands-on keyboard, but these types of things of project management and communications is lost. How would, is there a way to even develop that so more folks can learn from an orther key takeaways? Yeah, so I have bridged the gap between the communication and customer service part that I learned from my mom and how to talk to people. You can disagree and be respectful,
but I also took the software development's con-bon boards. So this is how I track what goes on in my life, as I actually have a con-bon board for different parts of my life, including my work projects. I totally don't have two white boards with that in front of me right now. And then when I'm communicating with people, especially via email, short to the point. So I have like bold short phrases that I'll put before my subjects. For example, if this is just for
information purposes only I'll say in bold info, colon, whatever it's about. Yeah. Or action or requests or urgent. Let them know what they need to do, what the information they're about to read. And that's as simple as that, right? And I think people have this fear of like, well, I have to over-complicate it. No, please don't. And then let people be in the loop. So for example, I have a project right now that I just submitted a proposal for. There were two proposals they got merged.
And what did I do? I sent an email out and cc the other co-PI to everybody saying, hey, here were the two names of the projects we are now merging into one to be this new name. Here is our new focus. Monday, five o'clock, we will send you guys out a new draft of the proposal. And then on Wednesday, we will have a meeting. It will be coming forward.
That's it. Now, as you, I guess what, what is your day to day look like now? How much of it is actually doing different parts of this process flow project management workflow as you start take on more? To be honest, most of the software or most of the cyber security hands on applied stuff is done with my home infrastructure. So again, I believe cyber security is an applied field. I do not believe that as cyber security quote unquote personnel or experts, we should ask our
employer to invest in us because it's too much of a risk. So if you're on a business, you got to do your risk management, right? And it's unlikely that you can go to a job and say, hey, can I just set up PF sense to see, you know, on your network, if I can make it work or not? The answer is probably going to be no. That's the polite way to say that. But again, since cyber security is an applied field, it has a lot of risk associated with it.
I tell anybody who wants to get a cyber go buy your own stuff and do it at home. You don't have to ask anybody. If you bring it down, guess what? It's yours. That's how you learn to fix things. Right. If you take it down and it's a business, that business loses money based on your mistake.
That's unlikely they're going to let you do that. Yeah. And really today, I would have to say is, I couldn't agree more and I really have my, hey, kids get off my lawn, I'm no man's security because you know, back back in the day, you know, in the 90s or really 2000, we didn't have a lot of virtualization. We had to go scrap Big Bar on steel, you know, bare metal, put it together. Hopefully it would work. And then when that thing went down, it was a lot of, a lot of operating
system reinstalls. You know, you just can't go back to a snapshot. It's an expensive mistake. Yeah, it is. And how do you, how do you kind of code people on saying that up now? Because it's, again, with so much of the technology that's out there now, the accessibility to me seems almost a no brainer. But yet, I still get young people trying to get into cyber and they get mad when this thing like, you know, ask my, I asked my job, if I can do this, and they said no,
or I asked them to pay for the certain they said no. Okay. So I go back to them and I always ask, when you went to college, did you have a company paying for it or did you front that money? Oh, well, I paid for it. Cool. You paid for your own knowledge that will continue in life. Yeah, you have to invest in yourself because again, it's one of those, what does this word nobody else really is and it's sad as it can be a time, but it's reality.
You know, you really have to, you have to advocate, fight and invest for yourself. Yeah. And so I tell people, sit, you know, set aside a little bit of money to invest in yourself and set aside some time. Yeah, it pays back, you know, as you think. So what are some of the things that you're investing into yourself now? So right now, we bought a house and there's a window
that bothers me because I can't have immediate access to food without a ladder. So I've started to jump into IoT things like programming blinds to open and close, programming LED lights to light up the flooring as the sun goes down. And then segmenting off the network and studying some of the traffic that's coming in from those devices. Am I seeing some spikes or something weird going on? So there's a, there's the
software development piece where I am not buying these things ready. I'm piecing them together with a Raspberry Pi. And then there's a security part where, okay, now I need to segment up my network. What kind of firewall rules do I want to put in? Do I want it to be able to phone out? Do I want it to be, do I want to be able to talk to it through other subnets? So that's, that's how I keep current on what's happening. It's just buying little devices
and setting them up at home. And then from the research side of things, how I keep current is reading the technologies that are out there and going to conferences. I can't stress this enough. I don't really care how much the conference costs. If I think that it's going to be valuable and
give me new insights, I'm going. Yeah, and it's, I think that's one of the things that I've probably missed the most in the past year with the pandemic is, and it was really was the impetus of this podcast was the sidebar conversations, seeing people on stage and then say, hey, I got a question for you and then driving deeper into it over maybe lunch, a beer or just just, just, just sitting there talking to somebody about something that I hadn't even dawned on me. I totally missed
that these days. Yeah. And then the management side of things I kind of fell into. So my technical thought I'm a cybersecurity researcher at Piano Nell Pacific Northwestern National Lab. I am not a project manager. But I kind of unofficially ended up orchestrating a lot of it. Just because they thought I was good at it. So just because you don't have the technical title of like a project manager or maybe a sector lead or software developer doesn't mean you won't be doing
those duties. Yeah, I think often most, most people in cyber that do well are often the ones that kind of raise their hand or just get something kind of put on their lap and you just have to say, okay, I'm going to have to dig into this. Yeah. Do you see yourself moving towards, you know, I always look at things and kind of very simple to simplistic buckets at certain points of, you know, kind of doing some stuff that could be at the analyst to management,
level management, to leadership. Where do you see your career going, you know, in one, three, four, five years from now? Where would you want to be? Funny story, my. I just had this conversation with my manager. I would like to stay bridging the gap between very technical, senior level folks and management. I seem to have a knack in a sweet spot for communicating information to both sides. Especially people who are not down in the weeds and they don't understand that
5G has seven deployment options. They just understand 5G versus the techno folks are like, is it standalone or non-standal? I love that because I get to interact with people but not get overwhelmed by it. So for me, that's where I would like to stay but maybe move up into doing that also for sponsors. So kind of helping sector leads interface with sponsors and ask the questions to pull out the sponsor's technical needs because you got to be technical to be able to
ask those questions the right way. Yes. It's a tough thing I think in our field is again, it's like staying relevant enough fresh enough to be able to have the conversations without getting almost pulled too far into the weeds. And I find that's quite frankly the biggest challenge I have on my day to day is I'll see these new things come out and I want to dig into the IOCs all day
but the end of the day could be 50 people to say, hey, I just need the summary of it. I'm like, okay, I have to know enough but I don't have to get too far into the weeds and it's a challenge. Oh yeah. So one of the things I've seen too, as I said, I've been really trying to look at the podcast and have different discussions about different things and did a series on diversity, equity, inclusion in our industry. I find that it's extremely lacking, things about mental health.
Where have you seen changes in this that might be positive? Because I think for me it's like, I almost feel like gosh, we're not doing a good enough job but there has to be some silver linings of things that are progressing organizations that are working together. People that might not even see that are forming alliances to promote better diversity in our industry. So more voices and
more diversity that I think helps industry can come in. One of the awesome things I'm seeing and so is that a lot of the conferences that a lot of security conferences are now advertising that, hey, if you are a woman, we really want you. If you're a minority, we really want you. I don't care. If you're connecting with somebody else who's already doing a talk and you're going to split that
talk now, but they're pushing that agenda and they're making it clear. Companies are now reaching back into schools and saying, hey, we want to see more minority applicants which then encourages the schools to go into minority communities to recruit. So it's a trickle down effect. It takes a while to really start to see it gain some traction but it's happening. Right. Yeah, and that's a good point. Are there maybe mentor programs that you see that could be doing well? Because I feel
that for me, it's always been personally rewarding as a mentor to help folks. I love seeing people succeed, but I also find that I might get stuck in my little bubbles. Are there resources out there that if I was not in the traditional cis-white able-bodied male, that looks like 90% of my industry, that I can go out and try to find different people. Because to me, I think getting those different voices is so incredibly important. So I'm going to speak from my personal experience.
Goes back to my upbringing again about being resourceful. So part of living in a low income community is when you're resourceful, you have to ask the right question. You can't just go to people and say, look, I'm hungry. I'm going to food that doesn't work. You have to, it has to be a win-win. So there were, I took that to my career when I go to people and I need advice about something. I don't just say, hey, can you be my mentor? I tried that twice and it failed horribly. And then I
was just like, okay, how do I do this when, you know, I'm in a different situation? So instead of just going, say, can you be my mentor? I went with specific questions. I went and asked people specific questions about what are you looking for in a cybersecurity analyst level two? What's the difference between the level two and level one? And those questions were necessary for me to figure out if I'm meeting with criteria, if I want to go, if I want to convert from an intern
to a full-time, I need to know what this looks like. So I can say, I am indeed a level three. Yeah. Based on what you told me, I have done x, y, and z. I have to be able to advocate for myself, but I can't advocate for myself if I don't even know the rules. That is such an important thing. And again, it's why I like hearing almost the confirmation bias of what I think about things,
but also saying, you know, am I seeing things in a tunnel? But it was the same advice I gave to a young gentleman who's worked with me for a number of years and he's still a little company, and I'd hired him out of college, but he was saying, you know, I don't know if I should be saying, I'm at this level. I was like, well, did they tell you, yes, but it's not for me. I was like, get it in writing, put it, you know, advocate, again, you'll put for yourself. No, we're just going
to do something for you. You have to go out and stake your claim. That is beyond true, but a lot of people don't understand that. So what I like to tell people is everything's a business. People hate that. They're like, no, it's not yes it is. Yes it is. Now you have to figure out how that business works, where you fit in that business,
and how to get to your final destination. When I pull up my phone or Google Maps, and I need to go somewhere, Google can't tell me where to go if I don't tell them the final destination. Right. It's like take me somewhere or somewhere. Right. So when I put it in that final destination, it then can give me multiple routes. And I get to choose your career is the same way. You need to be able to articulate to people where you want to be before they could go advocate
on your behalf behind closed doors and get you there. So what I think my network is Google, I just have to give them the final destination. That is such sage advice. Well, someone I greatly appreciate you taking the time today. Where can folks find you online? Yeah, people want to reach out to me. You can go ahead and find me at Simone.write at gmail.com or you can reach out to me on LinkedIn at Simone. Right. Hammer. I'm not only right. Hammer. Actually.
And that's right. Hammer. WRIGHT-HAMOR. Awesome. Well, I greatly appreciate the conversation today. It was definitely insightful. And I'll be sure to put all that information in the show note so people can talk to you some more. Yeah. Thank you. Thank you so much for joining us today on Cybersecurity Interviews. I hope that you enjoyed this interview as much as I did. Please go to cybersecurityinterviews.com where you can find every episode including show notes and links
for each guest. There you can also find social media links and just sign up for new episode notifications. Thanks. We'll talk soon.