This month, for Cybersecurity Awareness Month, we asked Latashia Mccormick, Risk Team Lead with the Information Security Office (ISO), to share what it’s like working in cybersecurity and what she brings to the job.
A native of Kinston in eastern North Carolina, Mccormick has worked in information security for 14 years, including the last eight years at UNC-Chapel Hill. Before coming to Carolina, she worked for more than six years in the Information Security Office at UNC-Wilmington. Mccormick holds a degree in computer science from Fayetteville State University.

You lead risk assessment and compliance activities for the team and provide support for Qualys. What does that entail?

As the lead of the Risk Team in the Information Security Office, I am responsible for providing support for my team members, delegating risk assessment requests and other work, and representing our team at various meetings and engagements with departments across our campus community. Additionally, I am responsible for leading our Vulnerability Management program by developing and delivering roadmaps and making recommendations that support University policies and standards regarding Vulnerability Management.

Describe one of your projects that exemplifies what you do.

One project that I worked on that would be a great example of what I do was the Return to Campus COVID-19 Assessment Project for the Renaissance Computing Institute (RENCI). I worked with RENCI IT staff to conduct a risk assessment on a homegrown application built to support the research study used to determine the effectiveness of UNC-Chapel Hill community standards, guidelines and practices for limiting the impact and spread of COVID-19 on the University's research community.

What is an average day like?

The average day for me is always a little different. However, there are constants, like delegating risk assessment requests and meeting with customers and vendors to understand business needs, technology requirements and security controls for various applications and vendor software. There is also providing consultancy support to campus departments concerning various compliance-related questions or issues, and working with system administrators across campus to ensure mission-critical and sensitive data systems comply with University policy. Finally, there is working on projects as they are assigned to my team.

What are your goals for the team?

Our goal is to work with our campus community to provide support with reducing information security risks for the University's information and information systems.

What part of your job do you find most satisfying and challenging?

I think the most satisfying part of my job is also the most challenging part. Each day is different. Technology is constantly evolving, and attackers are continually finding new ways to infiltrate networks and systems. So, as an information security professional, it's crucial to keep abreast of these emerging threats.

How and why did you get into information security?

I began my career in information security because of an IT reorganization at my previous job. First, I worked in the Enterprise Systems department as an ERP security analyst, and under the direction of new leadership, my position moved into the Information Security Office. After the move, I continued to work as the security analyst for the University's ERP system; however, additional responsibilities were added to my role that fit more into the purview of Information Security. For example, I performed security log analysis to identify copyright infringers, assisted with investigations related to violations of University policy and conducted security awareness training sessions for new faculty members. Thankfully, my new responsibilities allowed me to delve further into the world of information security. The more I learned about this world, the more it captured my interest.

What are your passions?

My number one passion in life, on a personal level, is my family. Spending time with my family, my daughter and my fur baby is invaluable, and I am grateful and blessed for each moment we get to share.

Has your work changed during the pandemic?

My work hasn't necessarily changed during the pandemic; however, the way I work and my workload have changed. For example, I have been teleworking since the height of the pandemic in the spring of 2020. As a result, I've had to utilize Zoom and Microsoft Teams video-conferencing tools quite a bit to stay connected with my colleagues and the campus community. In addition, our team experienced an increase in our risk assessment requests from departments that wished to utilize technology to conduct COVID-19 related research studies and departments looking for ways to improve and streamline their business processes.

How has ISO improved risk assessment of late?

The Risk Team and ISO recently improved our risk assessment process by implementing the Risk Assessment Partner Program (RAPP). We created the program to provide campus departments the opportunity to collaborate closely with the Risk Team in conducting risk assessments for their respective units. Essentially, we train our risk assessment partners on our risk assessment process, which empowers them to perform assessments on vendor products that their departments wish to use. This collaboration not only helps campus departments learn more about performing assessments, but it also helps reduce the amount of time required to drive some of our assessments to completion. We currently have about eight departments participating in the program and hope to continue to add more participants.

What would most people be surprised to know about information security?

I think most people would be surprised to learn that there is no such thing as 100% when it comes to information security. Data cannot be 100% secured 100% of the time. The basic tenets of information security are confidentiality, integrity and availability. Therefore, the ultimate goal of any information security program is to ensure control measures are in place to reduce and mitigate risks that could negatively affect these three basic tenets.

What do you wish the campus community understood about risk assessment?

I wish the campus community understood that not all risk assessments fit into a one-size-fits-all box. Many factors involved when conducting a risk assessment may affect the time it takes to complete the assessment: for example, the sensitivity level of the data the vendor will have access to; the contractual, regulatory and legal obligations that are required to protect that data; and vendor responsiveness. Ultimately, our goal is to understand a vendor's security posture so data owners can decide whether they are willing to accept the risk of sharing their data with a particular vendor.

How have you seen the field change?

Throughout my career in information security, I've seen a lot of changes, from big data to cloud computing. More and more data is being collected and shared, which means there's more data available for adversaries to access. In addition, organizations are moving more computing resources to the cloud, and attack techniques have gotten more sophisticated over time with phishing, spoofing and social engineering. On a positive note, people generally seem to have a heightened awareness of information security and potential security threats, likely due to media coverage of high-profile attacks. Also, organizations seem to be taking information security more seriously by "buying into" information security awareness training for their employees.

Why is diversity in cybersecurity important?

I believe diversity in cybersecurity is essential because it allows organizations to employ people with different viewpoints, backgrounds and experiences that bring different ideas and perspectives to the table to help with the common goal of fighting cyberattacks. Additionally, attackers are individuals with diverse backgrounds from all over the world, so having those defending the security of an organization's network and assets reflect the diversity of attackers can help protect against a broader range of attacks.

What changes do you anticipate in the next few years?

Over the next few years, I anticipate seeing a shift in the methods information security organizations use to secure computing devices, as more people move from connecting to secure organizational networks to potentially unsecured home networks due to the pandemic, and as more organizations move their resources to the cloud.