Interview with Ron Woerner: What Is Cyber Security in Today’s World
Ron Woerner is a seasoned IT professional and cyber security expert from whom a lot can be learned, so it’s a good thing that he is the Director of Cyber Security Studies and an assistant professor at Bellevue University. An early interest in computers and a desire to find out what makes things work started him on what would develop into an impressive career as a cyber security expert and IT educator.
Woerner began his college education by earning a Bachelor of Science degree in Computer Science from Michigan State University’s College of Engineering. He then went on to earn his Master of Science degree in Information Resources Management from Syracuse University’s School of Information Studies & Technology. He also holds several certifications such as Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).
As his experience and capabilities have expanded, Woerner has been deemed an expert in the field of cyber security, publishing articles in industry publications on hot topics such as “4 Challenges to Address Corporate Cyber War” and “Educating Employees to Build Better Cyber Security.” He is often a featured speaker at conferences on cyber security and risk management, presenting a “Human Hacking” talk at the US Cyber Crime Conference and a “Security in the New World” presentation at the Armed Forces Communications and Electronics Association (AFCEA) conference.
So what is it like to work in cyber security in today’s ever-changing technical world? We are pleased to share Ron’s thoughts on that topic.
Please give a general definition of cyber security for someone who is interested in Information Technology but may not be familiar with the field.
The practice of cyber security is preventing, detecting, and responding to threats to the confidentiality, integrity, and availability of information systems and data.
Tell us more about your background and education. What brought you to work in IT and cyber security?
I’ve always been interested in computers. I started using them in middle school in the early 1980s and bought my own computer in 1982. It stems from always being curious about how things work. I studied computer science in college with a full-ride AFROTC scholarship to Michigan State University.
After college, I worked for a year at AT&T Bell Labs in New Jersey in their archives researching the history, patents, and technologies. Once active-duty, I was an Air Force Intelligence Officer. That taught me many of the fundamental concepts of cyber security. I gravitated toward that topic as a Master’s degree student in the mid-1990’s, since it merged my computer science and intelligence backgrounds. I started working cyber security full-time in 2000 when I created a security program for a major billing company.
Your professional IT work experience has been in many varying industries, from TD Ameritrade Bank to Nebraska Department of Roads to a food packaging company. Can you tell us a little about how cyber security varies from industry to industry?
The basic cyber security concepts and philosophies don’t change from industry to industry. What’s different are the compliance requirements and the organization’s risk management approach. TD Ameritrade is both a publicly traded company as well as an online brokerage. They have many more regulatory requirements than organizations not in that industry. Regulatory and legal requirements often make a security professional’s job easier, since they set the goals for a security program. For other organizations I worked for, I had to sell the reasons for security technologies, policies, and procedures to ensure they fit the organization’s business model.
The other difference is how the organization manages risk. Financial organizations and publicly traded companies are much more mature in their understanding and handling of risks. Government and private organizations have a different risk tolerance and therefore the security program must be able to work within their risk framework.
Cyber security is really a component of risk management and a function of the organization’s business. Cyber security professionals need to use sound risk management processes to ensure IT and cyber security risks are identified, assessed, and appropriately managed based on the business model.
Can you talk about your dual role as an educator at Bellevue University and as the university’s Cyber Security expert?
The Bellevue University Cyber Security programs are designed to meet the high demand for cyber security professionals in both the public and private sectors. Combining theory with active learning, the program provides a framework for protecting an organization’s information and technology assets. The program is designed for professionals who want to build and expand their knowledge of protection and risk management techniques in the realm of cyber technologies. The program focuses on network and software security, risk management, protection mechanisms, business continuity planning, disaster recovery, and governance of information systems.
As the program director, I need to convey to my students and colleagues the skills, abilities, knowledge, and behavior required of security professionals. I am often asked by people both internally and externally for my expert opinion on a particular security issue, breach, or vulnerability. This requires continual study and research to be able to answer questions accurately and intelligently along with keeping my technical skills up to date.
As a Cyber Security professor, what concepts are you teaching students that are new for even you, a veteran of the industry?
The more I learn, the more I realize just how much more I have to learn. This is true in almost any field, not just IT. A good security professional needs to be well-versed in a multitude of subjects including economics, business management, psychology/human factors, legal studies and project management along with technology.
Within technology, the newest area is mobile and cloud computing. Many organizations are moving to cloud technologies and using mobile devices like smartphones and tablets. This requires a slightly different mindset than traditional technologies. So, I’m continually learning the technologies in use such as virtualization, mobile app development, and big data.
Bellevue University partners with numerous large companies like IBM, EMC, and Cisco. I’m taking advantage of the great training that comes with those partnerships.
It sometimes boggles my mind how much more there is to learn. A philosophy I live by is to always be learning.
How has cyber security changed since you entered it? Where do you see it going in upcoming years?
We will continue to see anytime/anywhere computing grow. Mobile and cloud computing enable this. The Internet of Things (IoT) is also a great change where more devices are made network-accessible. This means we’ll need to identify the threats, vulnerabilities, and risks associated with those technologies and apply security accordingly.
We are slowly migrating away from passwords. They are a very poor security control, yet they are very simple and cheap to operate. We will continue to see a growth in two-factor or multi-factor authentication, which requires users to use something they know (like a password) along with something they have (like a cell phone) or something they are (like a fingerprint). It’s much more commonplace and user-friendly today, which is great because of the additional layer of security it provides.
Many companies from varying industries have been featured in the news recently for having their company and consumer information stolen by hackers. How does the field of cyber security contribute to preventing these kinds of hacker attacks and security breaches?
The recent breaches are causing many (if not most) organizations to re-prioritize cyber security. They don’t want to be the next headline, so they are hiring cyber security professionals to improve their technologies, policies, and procedures to reduce their risks. Cyber Security professionals understand threat vectors and the threat landscape to better anticipate potential security problems and hopefully stop them before they occur (aka prevention). They also understand how to detect issues to reduce the impact or probability of damage occurring. Lastly, they can help the organization respond appropriately when there is a breach.
There is no silver bullet to security. It takes dedicated security personnel along with universal participation of all employees to keep risks at a manageable level.
In your opinion, is it an ideal time to go into IT or to become an IT specialist? If so, why?
IT continues to be one of the hottest career fields. Computers are now ubiquitous and we need people to program, maintain, manage, and secure them. There are way more jobs than there are workers.
What qualities or skills do you think are necessary for pursuing a career in IT and cyber security?
We need students who know more than just how to point and click, but understand the underlying technologies. They need to be consistently curious about the technology with a passion to learn the many different facets of the career field. Being successful in cyber security also takes maturity. Things rarely go as planned. The professional needs to be able to handle adversity and implement contingency plans to meet organizational goals.
Other skills needed for not only IT / Cyber security, but all career fields are the ability to (1) communicate and (2) work with people. Being a successful IT or cyber security professional means more than just the technology, but the ability to interact with the people who use that technology.
What advice do you have for students pursuing a degree in IT or cyber security? How can students prepare themselves for the challenges?
A-B-C: Always Be Curious. There’s so much to learn (see my quote above) that you can’t get it all in the classroom. You need to do your homework even when you’re out of school to stay up to date. The real tests aren’t in the classroom, but in the workforce.
Ask questions. If there’s something you don’t understand, it’s your job to ask intelligent questions to learn.
CYA: Check Your Assumptions. Don’t assume that things are as they appear. Also, don’t assume that people understand what you’re talking about.
What do you find is the most exciting thing about the work you do?
The students. I love interacting and learning with them.