While researching our 119 InfoSec Experts You Should Follow on Twitter, Reciprocity noticed that while women make up a large segment of the information security population, they are generally underrepresented in the media discussions. With that in mind, welcome to the ongoing series, Wednesday’s Women. Wednesday’s Women is a new, ongoing series that will profile one woman in information security monthly to help add awareness to those women in information security that are working to keep businesses and the internet safe. This month’s profile is Magen Wu.
Currently a senior consultant at Rapid7, Ms. Wu has worked in IT since 2008. Her experience includes working at Protiviti as well as being a test engineer at Xversity. She is PCI QSA certified, holds three degrees from St. Petersburg College and a Master’s Degree from Southern New Hampshire University.
If you had to choose one event that led you to work in information security, what would it be and why?
The day that I found out that I faint at the sight of blood (about 13 or 14). I was going to study to be a forensic psychologist, but then found out that really important piece of information. Computers had always been a hobby for me and I volunteered at the veteran’s hospital where my dad worked (IT department). A few weeks after that incident, they had a major incident that took down the entire network. I got to see how he and his coworkers worked to respond to that incident and was really curious about what had caused it. I think that was what finally did it for me.
Why do you like working in the information security environment?
I love that there is always something new to learn about information security from someone. The team that I’m on now at Rapid7 is a great example of that as I get to work closely with some really smart people who I am constantly learning from.
If a n00b to the infosec world asked you for a piece of advice, what would it be?
Talk to people. Whether you’re standing in line for reg at a con, sitting in a DEF CON village, or just sitting next to someone at the hotel bar, just try and talk with the person next to you. It’s going to be awkward and not every interaction will lead to something, but you never know what you can learn from someone else unless you try and reach out. Semi-related would be to participate in mentorship programs. Jimmy Vo and Keith Hoodlet are breathing life into the InfoSec Mentors program and several cons are starting up programs that pair new speakers with well-seasoned ones.
What is the most important issue facing professionals in the information security landscape today? Why?
I think that the most important issue for information security professionals would be how the rest of the organization views us. Time and again it is said that the human element is the hardest to secure, but we aren’t exactly making our lives easier from that aspect. Information security teams are often somewhat isolated from the other departments they’re are supposed to be working with — and viewed by colleagues as a task force that’s out to get them for one thing or another. This is something that the community is actively trying to figure out, but there’s a ways to go. For example, Katie Ledoux on the Rapid7 infosec team gave a presentation at this year’s BSides San Francisco on this exact issue and how infosec pros can better integrate within their organizations – more effective communication and increased visibility were the two big takeaways. I think that we could make huge strides in user awareness and how quickly incidents are reported if we change this big brother image we have. Additionally, the language we use when we’re talking to our about users (usually derisive) needs to change. We are supposed to be here to protect the business — our users are a part of that. They can tell when someone projects animosity toward them. If you’re projecting animosity, it will be met with animosity in turn, and nothing improves. Users just go around your back to get things done instead.
What is the most important issue facing consumers in the information security landscape today? Why?
I think that it would have to be information overload. Consumers are inundated with so much data—logs, alerts, emails, blog posts, etc. — that it can be hard for them to know what needs to be acted on and what is safe to ignore or put aside. People have a finite amount of resources–both from a hiring/cost standpoint, but also psychologically. We as security professionals need to find ways to help consumers pare down data to what is actually important to them so that they can make sound decisions and act in a timely manner.
What are your three “guilty pleasures” that have nothing to do with information security?
Styx – I love them and have seen them live like 4 or 5 times
Taking way too many food pics on my Instagram
I have an “Emergency Happy” Spotify playlist I listen to every morning with stuff from Chaka Khan to James Brown to Duran Duran to RuPaul to who knows what else.
Star Wars, Star Trek, or “Umm, no. Just no”?
Babylon 5