Interview with Michael Meikle: Challenges of Working in Cyber Security
Michael Meikle has seen the Information Technology (IT) industry change drastically in the course of his more twenty years in the field. What started as virus and password protection in the 1990s has evolved into a need for data protection in a wireless world of mobile devices. As the Chief Operating Officer and partner at the cyber security consulting firm secureHIM, Meikle has a front-row seat for the constantly evolving field of data protection and risk assessment in the IT industry.
Michael Meikle did coursework at Virginia Commonwealth University before joining a startup and gaining valuable on-the-job-experience. He earned an International Business Management Master’s certificate and went on to earn several additional certifications, including a Project Management Professional (PMP) and Certified Information Systems Security Professional (CISSP). Because of his expertise in the field, Meikle has been asked to contribute his opinion on articles about matters of security breach and business tactics for the Los Angeles Times, the Chicago Tribune, and PCWorld Magazine. He also speaks nationally on technology and cyber security at events for varying industries, such as the Medical Society of Northern Virginia (MSNVA), the Intel/McAfee FOCUS Conference, and Secure360.
Meikle says that many of his early positions contributed to the level his career has reached today, citing his roles as a system and network administrator for an engineering startup, project manager with the US Department of Health, and security architect at Capitol One as crucial to his professional development. He reached a significant milestone in his career when he was presented with the Governor’s Technology Award from the Virginia Department of Social Services for the implementation of the Division of Licensing Programs Help and Information Network (DOLPHIN) System, because it was his first software product implementation that was designed to be used throughout an entire state.
Our interview with Michael Meikle explores the challenges currently facing the field of cyber security and the importance of continuing education in order to stay current and informed in the IT industry.
Tell us more about your background and education. What led you to work in IT and cyber security?
I have always had an affinity for computers and technology, so when I joined an engineering startup in college, I naturally fell into a system/network admin role. From there, I leveraged my experience and gradually shifted my career toward software development project management. After completing some large enterprise projects, I saw that information security was becoming more crucial and so I sought out more opportunities that would take my career toward the cyber security discipline.
Please describe cyber security and what your company does for someone who may not be familiar with the field.
To boil it down to its most basic essence, cyber security is the protection of data. All the processes, technologies, and people involved are all concerned with confidentiality, integrity and availability of that data.
Our company, secureHIM, is a security consulting and education company. We provide cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. To facilitate these services, secureHIM has partnered with the Information Institute and its founder Dr. Gurpreet Dhillion. This partnership provides an accredited information and security framework for these programs.
Our consulting programs include security program evaluation, HIPAA & HITECH security assessments, strategic social media programs, and IT security planning services.
What is the most exciting thing about the work you do? Or the most rewarding?
Developing and delivering security training programs for companies are two areas that are the most exciting for me. I really enjoy interacting with folks and providing some great material that can be interesting, helpful, and contribute a great deal to the security of their company.
The other area that is most exciting for me is incident response. While stressful, there is a thrill of tracking down the origins of a phishing attempt or successful malware infection and then crafting the appropriate solution to protect against such an incursion in the future.
Can you tell us about your different roles in the IT industry (security consultant, risk consultant, author, trainer, voice in social media)?
I’ve held quite a few different roles in the IT & Security Industry. I’ll list a few of these below:
Security Consultant – I have provided security consulting services for around 15 years across multiple industries (Financial, Healthcare, Government, etc.). Projects I have led include Data Loss Prevention (DLP), endpoint encryption, intrusion detection/prevention, risk assessments, and data breach response.
Risk Consultant – As part of my security consulting practice, I have provided a wide assortment of risk consulting services, primarily in risk assessments. These assessments include HIPAA, HITECH, application security, and enterprise security environment.
Author – I have a significant body of published work across various publications, including a recent article about the Affordable Care Act in Social Work Today.
Trainer – I am an eLearning expert with dozens of online courses/webinars in my portfolio. I have provided these services for ExecSense/Financial Times, AtTask, Medical Practice Trends, and in person at various enterprises.
Social Media – I am an active participant in social media and I also provide security services for enterprise social media programs. I have spoken at national conferences on the topic of social media and I have designed several social media campaigns for regional companies.
How has your entrepreneurial spirit been a benefit to you in the cyber security field?
The drive to take a concept and create a viable business around it is very beneficial in several ways. It forces you to keep on top of your industry. You have to continuously educate yourself to ensure you have not missed a crucial opportunity or made potentially damaging missteps.
It also provides a healthy reality check regarding business realities and forces a person who is oriented toward technology to manage the day to day operations of a business. This is invaluable experience and a definite step outside of the comfort zone of a typical technologist.
What are some of the key points you emphasize when training a company on risk, compliance, and security? What are some of the challenges of the profession?
Key points on Risk:
- Effective enterprise risk management requires a certain level of corporate maturity. This entails a managed and supported governance program.
- The concept of risk management itself must be driven from the executive suite with full support of those executives.
- With a new risk program, start small. Track no more than 10 critical business processes (KPI). Attach a Key Risk Indicator (KRI) to each.
- Risks must have executive oversight and business ownership.
- There is no technological silver bullet for managing risk.
Key points on Compliance:
- An effective compliance program is a component of a robust Governance, Risk, and Compliance initiative. This relies on a level of corporate maturity and support from the executive suite.
- The regulatory burden on multiple industries is continuously increasing. An enterprise needs to be educated on its local, state, and federal regulatory burden to ensure its program is covering its exposure.
- Beware of compliance by “checklist.” A checkbox compliance program may be tempting but many industry regulatory frameworks are incomplete or vague, which could lead to missing key risks. PCI compliance can be a good example of compliance by “checklist.”
Key points on Security:
- Security must become more of a priority at the executive level. Even with the latest breaches, corporate leadership mostly considers cyber security as a necessary evil with appropriate funding and visibility to match.
- The most unsophisticated security solutions still provide the most bang for the buck. These include patching your servers and endpoints, training your users on security risks, standard, updated antivirus/antimalware protection on servers and endpoints.
- Consider that nearly all of the recent major breaches have begun with a phishing campaign that lead to accounts becoming compromised and eventually stolen data.
- Monitor the tools you do have in place. All of the security solutions in the world will not protect you if they are not managed and monitored. Trained staff interpreting the data that is received by these solutions is very critical.
Challenges of the Security Profession:
- Staying current on the latest technologies, threats, and regulations is quite difficult. It requires continuous education.
- Communicating the need for training to leadership. Training in the enterprise today is not a priority for most companies. I have consulted for quite a few who do not invest at all in their employee’s ongoing education.
- Communicating the importance of security to leadership. It is an unfortunate reality that the security team of most companies becomes involved in a project near its completion when a security issue occurs. Proactive information security involvement in the enterprise is still in its infancy.
Companies from varying industries are desperately trying to safeguard their information from being hacked. What are some principle practices that you emphasize to companies trying to maintain security?
When considering your security program, remember it is about protecting the enterprise data. Data is the new currency and is increasingly important to the enterprise. In some industries, the protection of data has added federal mandates, such as healthcare Protected Health Information (PHI).
When protecting your data, review the Data CIA model. This stands for Confidentiality, Integrity and Availability. Is you data confidential to unauthorized users? Do you know who has accessed, changed, or copied your data (integrity)? Can your data be accessed by authorized users when appropriate (availability)?
How has the cyber security field changed since you entered it?
The security field has changed tremendously since I first entered it in the 1990s. At that time, decent virus scanning tools, patching endpoints/servers when necessary, and a firewall were considered a viable security program. Security was usually an activity underneath the IT department that was managed by system administrator on an “as needed” basis.
Fast forward to today and the pace of security has become frenetic. New threats arise constantly and staying ahead of the curve is nearly impossible. In many cases, cyber security is still a subcomponent of information technology, but that is changing quickly. The basics of security still apply. Patching, monitoring, endpoint and server protection, employee training etc. are very critical.
The biggest change has been the arrival of consumer technologies into the enterprise (Consumerization). Gone are the days of corporate Blackberries, laptops, and desktops being the only devices an employee uses to access corporate information. Now a plethora of iDevices, Androids, and other mobile devices have knocked down the enterprise technology barriers. Managing how data is accessed, stored, and transmitted on these devices is one of the largest security challenges for security departments today.
Security has gone from the moat, drawbridge, and castle model to building a multiple secure perimeters around crucial pieces of corporate data.
Do you think it’s an ideal time to go into IT or to become an IT specialist, and if so, why?
I believe it is a viable career choice with some caveats. You must realize that IT has been the target of downsizing, right-sizing, outsourcing, whatever euphemism you want to call it for over twenty years. You must be very flexible in your IT career and constantly aware of what trends are impacting the profession. Information security is relatively hot at the moment, but that could change quickly. Be prepared to shift your direction in your career and always have a few other IT skills you can fall back on.
Which skills do you think are necessary for pursuing a career in IT and cyber security?
General skills that may serve you well in IT and security:
- The ability to learn quickly
- Ability to troubleshoot problems while drawing on multiple sources of information
- Ability to embrace change
- The ability to communicate technical concepts to business users so they can make the appropriate decisions
- A love of technology
Valuable technical skills would be:
- Operating Systems
- Virtual Machines
- Software Architecture
What advice do you have for students pursuing a degree in IT or cyber security? How can students prepare themselves for the challenges?
To prepare for the pursuit of an IT or cyber security degree, I would earn an industry certification or two. Take a look at the various CompTIA certifications and see what fits your interest. They may be valuable for your resume but there is no replacement for experience. Experience in the industry will give you the best feel for what to expect in a degree program. Internships may be abundant for IT and security, so seek them out at your university.
The experts interviewed for this article may be compensated to provide opinions on products, services, websites and various other topics. Even though the expert may receive compensation for this interview, the views, opinions, and positions expressed by the expert are his or hers alone, are not endorsed by, and do not necessarily reflect the views, opinions, and positions of EducationDynamics, LLC. EducationDynamics, LLC make no representations as to the accuracy, completeness, timeliness, suitability, or validity of any information in this article and will not be liable for any errors, omissions, or delays in or resulting from this information or any losses or damages arising from its display or use.