IN THE SPOTLIGHT - Rebecca Herold, our finalist in the "Cybersecurity or Privacy Woman Law Professional 2020" category of CSWY Awards 2020
Carmen Marsh
President & CEO at United Cybersecurity Alliance (Europe, US, Middle East & Japan) | Global Council for Responsible AI
Nothing makes me happier than shining the spotlight on someone changing the world!
That is my “why” for creating the Cybersecurity Woman of the Year and Ally of the Year Awards. There are so many courageous women and men making sure we are safe and secure who rarely get the attention they deserve. These awards bring us together to celebrate all the talent in our cybersecurity community.
Last year, I mentioned in my opening statement that we need more women in cybersecurity, not only because we look at things differently, but also because we are the ones that make light out of the darkness. We are the creators of life we bring into this world to thrive and survive. We are also the subtle but strong protectors of our families, our communities, and each other. The world needs us – perhaps now more than ever!
Before we get to who won this year’s awards, I wanted to share more about all the people our judges considered as deserving nominees. Here is a look at another spectacular woman saving the world every day, our 2020 Cybersecurity Woman of the Year nominee Ms. Rebecca Herold:
What is your “why” for being in the cybersecurity or privacy field?
RH: The short answer is that I have been working in both cybersecurity (actually the larger information assurance) field since 1988, and simultaneously in the privacy field since 1993. And it was not by design or plan, but I am very happy that my career path opened up and developed to go in these directions, basically as a result of my request at my corporation for them to address information security and privacy. I started my corporate career as a systems engineer for a Fortune 100 multi-national corporation in 1988. After I earned my Master’s degree in Computer Science and Education I was hired at that large multinational financial/healthcare organization and told to create and maintain the organization’s change control system. The programs were all housed in an IBM 390 mainframe (where the basic core programs I created, updated here and there throughout the years, are still used today; mainframes now seem to be high-speed application servers) divided into four regions for each of the many business unit regions within the corporation. My change control system was used to move a program from the development region to the test region to the pilot/beta region, and finally to the production region within each of the applicable business unit regions. It was an online system that required authorizations for each of the code moves. A manager had to approve, using the online system I built, the move from development to test to pilot. A director had to approve the move of a program from pilot to production, through this online system. The documented procedures required the managers and directors to carefully review the change documentation, and ensure validated proof of thorough testing existed before the request could be signed off by the program team manager or director, respectively, before they would provide their approval within the system.
I didn’t realize it at the time, but this was a basic and critical type of cybersecurity control: change control management.
After being responsible for maintaining this online change control system for almost two years, along with creating JCL and creating and supporting some back-office COBOL and Assembler programs, there was an opening in the IT Audit area. Working on the change control system helped me to see firsthand the importance of cybersecurity controls, so I applied for, and was awarded, the IT Audit opening to learn more about how a wider range of controls impact business.
In 1990 – 1991 I performed an enterprise-wide information security audit. I reviewed a very wide range of departments, and went deep into the details of the computer operations. Keep in mind that this was before any cybersecurity or privacy laws or regulations applied to my corporation. It was also long before ISO/IEC 27000 series standards, and even before BS7799 standards. I had to go to the physical corporate library and review the US DOD/military rainbow books to get insights and understanding of the information security concepts being used at that time. It took around 7 months to complete. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and basically said, here, since you spent so much effort and time in doing the audit, we want you to go create the core of the Information Protection department in 1991. I’m so happy I took that opportunity! I’ve been learning ever since, and I still apply the lessons learned from the beginning of my career to my work today; those same types of risk domains and associated issues still exist, along with many new risks, requirements, and issues.
I’ve been addressing privacy within business since 1993, when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks (why would there be if ours was the first?), so the lawyers in the large organization where I worked said they were not obligated to determine privacy requirements when I asked them if they could get involved. However, I strongly believed it was important. So I convinced my senior vice president at the time to establish privacy requirements for the bank. He indicated that since I felt so strongly about it, he would give me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations. Because there were no privacy laws in the US governing online commerce privacy, I did more research, found the OECD privacy principles, and used those as the starting point for my long and widening work in addressing privacy within business processes, and building privacy controls into technology, administrative activities, and physical controls. Since 1993 I’ve welcomed many opportunities to identify privacy risks in new technologies and practices, in the absence of any laws or regulations, in a wide range of industries, and also identify the cybersecurity controls to mitigate those risks. And, I’ve been gratified that my work, and the work of the teams I’ve been on to do that research resulting in recommendations to mitigate cybersecurity and privacy risks, has been used in many locations and in many ways to establish legal privacy requirements.
For example, I led the NIST Smart Grid Privacy team from 2009 to 2016, and the recommendations from the resulting NISTIR 7628, original publication and Rev 1, have been used as a basis for numerous smart grid laws throughout the world, probably starting with California Smart Grid Privacy Law AB-1274.
Describe one of your achievements that you are most proud of and why
RH: For a professional achievement, I’m most proud of turning what I could have allowed to be a very stressful situation, possibly derailing my career, into my first business I founded, and that I still run. I was in the city of a potential client of the consulting business I worked for in late 2003. I was an hour away from meeting with the client when I got a call from the owner of the consultancy. He said that after struggling for a year or two to meet his revenue goals, he decided he was closing down the business. Well, this was quite a shock! Here I was getting ready to leave the hotel to go to the meeting to let the potential client know how I would perform a combination information security and privacy assessment. I was looking forward to working for the client. I loved (and still do) doing those types of projects. So, I went to the meeting, told them that the consulting business was closing. But, that I wanted to do the work for them, and I would do an exceptional job for them. I explained my experience. Said I’d create an LLC (to meet their vendor requirements) if they’d give me the chance, and that if they felt I didn’t live up to their expectations, I’d not charge them. They were so happy with my work, they hired me back for five more years to do similar work, until they were acquired by a much larger entity; and it really was the frosting on the cake when they told me that my work helping them to meet their obligations for HIPAA, CA SB1386, and the other regulations and laws that applied to them was a significant factor in their lucrative acquisition. Since creating my LLC at the beginning of 2004, with no previous planning, but out of necessity and taking the leap to incorporate, I’ve done work for hundreds of clients through my Privacy Professor consultancy.
I must do a quick mention for a personal achievement I’m very proud of: my sons. They’ve seen me work hard their entire lives; they’ve helped me do war-driving, dumpster diving, and many other activities since they were old enough to hold their MacBooks on their laps in the back seat of my car. And now they have an innate sense of equality-for-all based on capabilities, not on gender, race, religion, or any other factor that is not valid for determining work excellence. Oh, did I also mention they were both brilliant, took all AP classes, and each graduated high school at the top of their 465-person and 500-person classes?
If you were a queen of the world and could change one behavior to make everyone safer, what would it be?
RH: I have long advocated making “Responsible Computing” (including information and cyber security, and privacy) the 4th “R” in our education systems’ curriculum, starting at preschool…as soon as a child can hold or interact with a computing device. We must ensure that our children learn from the earliest ages about how to secure their personal data, and their privacy, and that of others. This cannot be a one-off type of activity that gets done, and then is forgotten. Responsible computing practices must become woven into our education systems in everything that our children learn and do, just as speaking and wRiting well, understanding aRithmetic, and Reading at levels that will help them to truly understand STEM, the arts, history, civics, and every other topic that will help our children to be most successful. So, to put it more succinctly: Make information/cyber security and privacy education curriculum integral parts of all lifelong learning, by default. If this goal is accomplished, I know the resulting knowledge and associated informed behavior changes would make everyone safer online, and with all forms of information.
Name one person, alive or dead, you’d like to collaborate on a project with?
RH: I’ve always wanted to collaborate with someone who is smart, is well known, and can reach millions of people worldwide on a project to help raise information/cyber security and privacy awareness and understanding in an immersive and wholly entertaining way. Someone who could write, or even more fabulous, co-author with me, a series of technically accurate, and fact- and legally-based, novels where a team of sleuths of all ages (children to post-retirement), genders, colors, religions and no religion take on the task of catching the hackers and privacy invaders of the world. Each team member of whom has a special skill, talent, or super power. I think JK Rowling would be the perfect person to collaborate with on such a series, and just imagine the reach that such stories would get worldwide!
If selected for the award, how do you envision that impacting your mission, reach, sustainability, and results?
RH: If I were fortunate enough to be chosen for this award, it would demonstrate to those who are pursuing a career in cybersecurity, law and privacy, along with students at the colleges and high schools where I am on the curriculum advisory boards, that a career in cybersecurity and privacy, with a focus on legal compliance or technical research, or whatever their passion, is something that anyone can achieve. I just spoke recently with a group of high school graduates at a California college where I’m an advisor, and I was so happy to get follow-up questions from several of the young men and women in attendance. Gender was never brought up; I would love to see the day when we are each viewed as competent, and exceptional, professionals, and see equity in gender numbers within cybersecurity professions. I would also use it to support validation of my expertise in the expert witness cases in which I participate, which I am finding more and more involve the use of IoT devices, and exploitation of bad or non-existent laws, and also of cybersecurity and privacy vulnerabilities and threats, to stalk victims, or sell personal data that results in destroying people’s lives and/or livelihoods. It is very gratifying to take my technical and cybersecurity expertise, experiences and knowledge, and testify to how actions violated, or did not support, existing laws and regulations.
How can CSWY 2020 help you further your mission?
RH: I would love to collaborate with CSWY 2020 for any of the activities I’ve mentioned earlier. Especially for the lifelong learning through cybersecurity and privacy curriculum integration for pre-schools through post-grad and adult learning programs. Perhaps through online courses to K-12, college and post-grad students. Or, to professionals in the field already. Especially for those who have faced challenges in their lives to be able to pursue a career in these industries.
What would you like to see happen for women in the coming year in the greater Cyber/Tech community?
RH: I would like to see more inclusivity within all areas of IT, cybersecurity, privacy, and related legal communities. We are now reportedly at 11% of the cybersecurity industry being comprised of women. When I started my career, that number was 16% - 18%, which was considered woefully low back then. We’ve gone backwards!
I would like to see more names of women being stated as “Best [insert title here] in the Industry” when considered with others of all genders, instead of needing to put “Woman” as a qualifier. Don’t get me wrong, I sincerely appreciate the CSWY 2020 and previous years’ events! At this point in history we need the “Woman” qualifier. This is part of raising awareness of the great things that all of this year’s nominated women, and all other women working hard in the cybersecurity, privacy, legal and IT industries, need to be recognized for, and of the talents women bring that too often are not considered in “Best Professional” types of recognitions. But, I would love to simply see, sooner rather than later, honors given to “The Best” that include all genders, without needing to have a separate event to recognize the women who were not considered for the overall honors.
It would be ideal for all talents to also be considered for recognitions, and not just what is traditionally considered to be a cybersecurity, or privacy, or legal, type of professional. I want to see more schools incorporating cyber security and privacy into all levels of education. Throughout all industries, I want to see women who are doing outstanding work be referenced as “Rebecca Herold is an outstanding cybersecurity legal expert” instead of “Rebecca Herold is an outstanding woman in cybersecurity.” When we get to the point where we recognize persons, of all genders, without today’s need for the “woman” qualifier, that will signal a sea-change in how non-male genders are viewed.
Will this happen in the coming year? Probably not. Can we see forward progress to getting there in the coming year? It is absolutely possible!
Where do you find your inspiration?
RH: I often find inspiration in areas where I am not looking for it. When watching news reports, and seeing how cybersecurity and/or privacy issues were involved, I will often get an idea for how the associated risk can be mitigated, and various types of legal controls that can be established in industry standards, regulatory updates, new laws at the local or state level, etc. I have also found much inspiration from my expert witness cases. Especially ones where IoT devices were used to stalk and track victims. These real cases reveal the ways in which existing laws, regulations and organizational policies can be used, abused, or improved. And, of course, inspiration comes from every person in my project teams. I am grateful to work with so many greatly talented and smart people.
Anything else you would like to add?
RH: I am deeply humbled, and sincerely honored, to be nominated along with so many brilliant and talented women! Every nominee has an inspirational story to tell. And everyone can learn from all their experiences. I also want to give kudos to the CSWY committee, and to Inteligenca, for holding this event each year. I believe your investment of time, money and human resources to provide these recognitions is beneficial to our industries!
More about me
Two of my favorite people:
Podcasts and local morning news shows:
PwC Luxembourg TechTalk (I gave the keynote at the PwC Luxembourg Cybersecurity Day conference in October 2019. I was asked to share my thoughts with the PwC TechTalk hosts while there.) "Ah, technology. To quote Steve Jobs, arguably the most famous disruptor of our time, “we have no idea how far it’s going to go”. Whether you’re the savviest techy around or a complete tech-dummy or somewhere in between, join Paramita Chakraborty, a novice at all things tech turned eager-to-learn journalist, during her weekly conversations with experts sharing insights on how far we’ve come and how far we just might go."
My monthly Privacy Professor Tips awareness messages, which I've been providing for free since 2007, are used by thousands of organizations as part of their information & cyber security and privacy programs' training and awareness programs. I started archiving them in 2009 when I went from sending occasional tips to sending regular monthly tips. All can be seen here; it is interesting to track the ways in which the cybersecurity, privacy and legal issues and concerns at the time of each publication have evolved over the years!
Giving a keynote at an IEEE chapter conference in Brisbane, Australia:
Find me on Social Media:
Twitter: https://twitter.com/privacyprof
Facebook: https://www.facebook.com/rebecca.herold.1
"Our community is strong even during these challenging times and I find so much inspiration from all of you. You have done everything you can to focus on what you can do – protecting people so we can keep some normalcy in a world gone wild." Carmen Marsh
Please visit our CSWY 2020 site to cast your vote: https://leadmind.inteligenca.com/cswy2020/
Director Revista SISTEMAS at Asociación Colombiana de Ingenieros de Sistemas - ACIS // orcid.org/0000-0001-6883-3461
4 years ago
Rebecca is one of the leading professionals in the field of security, cyber security and privacy. Her already long and successful career, her contributions and great capacity to teach and motivate transformations in people, place her as an obligatory reference and example to follow in her specialty topics. Thank you Rebecca for being an example for many security and privacy professionals, who find in you inspiration to continue facing the emerging challenges in the digital context.
Ph.D, Founder, Editor-In-Chief at Top Cyber News MAGAZINE
4 years ago
I would be delighted to see you in #Europe, dear Carmen Marsh, Rebecca Herold and all the #CSWY2020 finalists! Vote for the #Women who make a difference! Ludmila M-B, #Berlin, #Germany
CEO & Founder, The Privacy Professor(R), LLC, est. 2004| Privacy & Security Brainiacs | Author | Expert Witness | Entrepreneur | Cyber Security & Privacy Expert
4 years ago
Carmen, you truly are an inspiration! Thank you for your work and leadership. And, for highlighting so many brilliant and amazing women in cybersecurity! I am honored to be in their company. I hope to meet you in person some day. :) My sincere thanks, Rebecca
Advisor to Boards | CEO Fortalice Solutions LLC | Top 10 Cybercrime Books in The Guardian "Manipulated" | TEDx
4 years ago
She is amazing!