
Laura Taylor, Security Hero
By: Stephen Northcutt | February 8, 2008

The SANS Security Heroes project is to help introduce you to people that have made a difference in information security. We believe there are a lot of people contributing to make security work, and we want to introduce you to them.

Please allow the Security Laboratory to introduce Laura Taylor and her unlikely career in Information Security.

S.N. Laura, we certainly thank you for your time! How is it that you ended up where you are today? Was information security on your radar screen at the onset of your career?

L.T. At the onset of my career Stephen, I was not even thinking about information security. When I was in college, my career plan was to end up in the petroleum industry. I loved the outdoors, so I decided to major in geology. I wrote articles for my college newspaper on OPEC and the petroleum industry and spent a summer in Boulder, Colorado working on a geology-related independent study project at the University of Colorado.

During the early 80s, oil companies were hiring geology majors a dime-a-dozen with great starting pay. However, by the mid 80s, the oil industry had a huge falling out - similar to the IT industry in 2000. By the time I graduated, it was nearly impossible for someone with only an undergraduate degree to get a job in the petroleum industry. By the mid 80s, you couldn't get a job in the petroleum industry even if you had a Ph.D.

S.N. So where were you in the country during this time?

L.T. Right after college, I decided to move away from the safe confines of my parents' house in suburban Chicago. Chicago is a great part of the country, and my parents are wonderful people, but I had an itch to be out on my own and spend some time in places that were still unknown to me. Looking back, it seems like a risky way to start a career, but, at the time, I was naïve enough to have few worries. Since Chicago was in the middle of the country, I figured I'd move to either Boston or San Francisco. I figured I'd live off of a meager savings and find a job doing something exciting and challenging once I got there. I had visited Boston while in college and fell in love with its old world charm. I also figured I could continue to play women's ice hockey, having played on my college team. At the time, Boston had the best women's ice hockey teams in the country that were post-collegiate. So I moved to Boston, and holed up with some friends in Brighton. Looking for jobs back then was a bit more challenging because the web didn't exist. I really didn't have any industry connections and all of the companies that I sent resumes to I had to find in the Yellow Pages. (Does anyone remember when people used to use the Yellow Pages - the paper edition?)

S.N. Er, uh, I actually still use the paper edition of the Yellow Pages, but I can see there is not much future in that business. Interesting, I guess life change number one happened, so what did you do?

L.T. I had to find a job quickly, and I had little savings to be picky about it. The first job I found was as a Telex operator. A lot of people probably don't even know what a Telex machine is since I don't believe they're used much anymore. Being a Telex operator is not too challenging and is hardly stimulating, but it offered me a meager living ... enough to squeak by, just barely. Sending a Telex is about as difficult as sending a FAX, and no more exciting. In the office where I worked, people would come by my desk with handwritten messages and a transit number of where the Telexes should be sent. I would type in the messages and press "Send." And that's it.

Lesson Learned: Survival first, excitement and challenges second.

S.N. Great lesson, I teach a leadership course at SANS and we cover Abraham Maslow's Hierarchy of Needs, it is always good to be reminded of that. So you are a Telex operator, how long did that last?

L.T. One of my career principles early on was to always work, even if the position I had was less than ideal. I never felt that just because I was doing something that was not super exciting that I should just not work. I've always had a strong work ethic and have worked since I was in high school. Any time a job I have had appeared less than ideal, I figured I would keep on doing it until something better came along.

While working as a Telex operator, it occurred to me that since I could not really find anyone to hire a geology major, perhaps I could find someone who still respected the physical sciences and take my career in that direction. I soon obtained an internship across the river in the meteorology department at MIT. There is some crossover with geology and meteorology, and I was open to learning about the commonalities of the two fields.

Lesson Learned: If your first career choice doesn't work out, maybe it's because Plan B is a better idea.

I then worked part-time as a Telex operator and part-time as an intern. I really enjoyed learning about meteorology - it was certainly more interesting than sending Telexes. While working at MIT, I found out about a weather database company that the MIT meteorology department used regularly to "dial-up" (we didn't download back then) meteorological data. Eventually, I ended up getting a job as a Customer Service Rep at the weather database company, and that is when I first really started using computers.

S.N. I love your lesson learned points! OK, that works for me, I too had a different trade and then started using computers, and one thing led to another! So, how was life at the weather database company?

L.T. I was rather intimidated by all the formally trained computer savvy people at the weather company. I remember reading a book shortly after I started working there called How to Get Over Your Fear of Computers. All the computer jargon seemed like alien science to me. My first duties were to respond to customer account problems. Sometimes I'd get calls from TV weather meteorologists with complaints like, "It's raining over Cape Cod and your satellite image isn't showing any clouds." When the programs weren't showing images correctly, I'd take a Colographics Light Pen and draw in some clouds, load up the image into the system, and then tell the TV station to dial-up a new image. I also wrote travel advisory reports and Monthly Weather Almanacs which were part scientific and part folklore. I've always enjoyed writing and have tried to work that into almost every job I've had. I remember that while at the weather company, I bought a book on databases to try to learn more about the company infrastructure. One of the head geeks told me that I probably wouldn't understand the book and that it probably wasn't a good book for me to read. I read it anyway.

Lesson Learned: Never, ever, even entertain the idea of listening to someone who tries to discourage you from learning.

S.N. And you have to wonder where that geek is today while you are running your own company! I can relate to meteorology, I do some of that here on Kauai: today will be 72 with mauka showers, tomorrow will be 72 with mauka showers, pretty good, huh? So, what happens next?

L.T. Meteorology seemed interesting, so I thought I'd learn more about it. I applied to the University of Michigan department of Atmospheric Science to attend graduate school. I was accepted and almost went there. However, by the time I was accepted, I had started really enjoying learning about computers. I deferred my admission to University of Michigan for a year so I could think about which direction was best for my career.

S.N. OK, so you are still searching for your niche in life . . .

L.T. I have been faced with many choices and decisions to make over the course of my career. And it's funny, at the beginning of the journey, I never really expected to end up in information security. I didn't start out in information security, yet ended up here because one thing led to another, and I often had to revert to Plan B because Plan A did not come to fruition. I've had to rely heavily on my own personal contingency plans and have lived by the principle, "Stick all your oars in the water and see which one pulls the boat."

S.N. So, do we get an oar to stick?

L.T. Computer projects seemed to be giving my career the most forward momentum, so I figured I'd stick with it. A friend of mine had been working at Bolt, Beranek, and Newman (BBN) in Cambridge, MA and she convinced me to submit my resume to work in the Arpanet Network Operations Center at BBN. At the time I figured I didn't have a chance of getting a job there. I had no idea what an "Arpanet" even was. Much to my surprise, they wanted to hire me. Working at BBN was hugely challenging. I had to quickly learn UNIX and was immersed in the intricacies of Wide Area Network Operations. It felt like information overload, and everyone who worked there seemed light years ahead of me. In trying to learn UNIX, I brought home volumes of the BBN UNIX manuals and studied the commands. At the time, I had no idea that reading a UNIX manual from cover to cover was a ridiculous way to learn UNIX. I soon realized that there had to be a quicker way to learn the material, so I'd ask the senior NOC staff questions like, "Can you tell me what are the 20 UNIX commands that you use most often?"

Lesson Learned: If you ask the right people the right questions, you can learn new things more quickly.

S.N. Awesome, just awesome! So you were at ground zero for the birth of the Internet, those were very exciting times. I worked for a laboratory that was node 13 on the Arpanet, and that was a lucky number for me! How was BBN during the glory days?

L.T. When I first started working at BBN, I really didn't realize that they were an industry leader in networking and that they basically invented the Internet. I soon became so fascinated by computer networking that I gave up the idea of getting a graduate degree in meteorology and decided to stick with the computer industry.

After working at BBN for a few years, a friend of mine from BBN encouraged me to apply for a position at a desktop publishing company called Interleaf. (Interleaf has since been acquired.) I knew nothing really about desktop publishing because, back then, everyone at BBN used "nroff" and "troff" for document formatting. (Does anyone remember nroff and troff?) I didn't even know what desktop publishing or word processing was. Why would anyone need a computer to process words?

S.N. Gracious Laura, the early days of desktop publishing were also pretty awesome, I still remember writing input filters for Framemaker. What did you do at Interleaf?

L.T. I knew from my prior experience that, if I could look up information, read books and ask the right questions, I could probably figure out how to do the job once I got there. I obtained the job at Interleaf and began working as a Configuration Management Analyst. It was hard to figure out what they wanted me to do because, at first, my job assignments were not well defined.

Lesson Learned: An employer may not even know what it is they want you to do ... they just know they need help.

S.N. Amen, the best employees at SANS fall into that jump in and swim category; configuration management was not very mature at that point either, so what did you do?

L.T. In time I came to understand that figuring out what the disk partition recommendations should be for the development software was something that was sorely needed. I spent time reading the AIX installation and configuration manuals and sought out the geekiest and smartest person I could find within Interleaf to answer all my questions. Poor Chip Hitchcock ... I'm sure he grew weary of all my questions. While I'm sure I was an annoyance to him, I'm forever grateful to him for being an invaluable resource.

Lesson Learned: Always find someone who knows more than you do and ask them as many questions as you can get away with.

S.N. So, Interleaf was fun and you were learning the guts of Unix as fast as you could go; we can start to see the security pieces falling into place, what happened next?

L.T. I loved working at Interleaf. I have to say it was probably the most hip and cool of all the companies I had worked for so far. I really started becoming comfortable with UNIX while at Interleaf. However, after close to four years, Interleaf appeared to be heading for hard times. Adobe was proving to be a formidable competitor with Framemaker. Lay-offs appeared to be looming on the horizon, and I couldn't afford to be jobless. So, I left Interleaf to become a senior systems administrator at Sun Microsystems.

When I went to Sun I was amazed at how well organized the company was. Everything seemed to work, and resources for learning new things were bountiful. There were so many people available to answer all my many questions that I didn't have to worry about annoying any one person with too many questions. I was able to increase my knowledge of UNIX at a tremendous rate, primarily due to being surrounded by people who were so much more knowledgeable than myself. Sun was very cutting-edge, and Scott McNealy has always been a CEO who knows how to inject fun into the workplace. I think I stayed at Sun longer than any place I've worked.

Lesson Learned: Having fun and smart people to work with helps retain employees.

S.N. Well, you certainly had a knack for being in the right place at the right time; from what I understand, the pre-layoff days at Sun were pretty cool. While working at Sun, there was a huge corporate wide security break-in.

You probably cannot tell me, but was this when they used a dial-in to nail Sun's source code? I sense we are getting closer to the security phase of your career; a break-in or similar breach is how a lot of us got our start. What happened next?

L.T. This was the early 90s and Sun had modem servers everywhere. I'm sure that today this is not the case. All of the sysadmins had to stop everything they were doing and focus 100% on getting the intruder out. This defining event is the catalyst that piqued my interest in computer security. I later volunteered to write my department's Security Standards Guide, which was well received by the corporate security group.

I probably would have stayed at Sun forever if it were not for the fact that, shortly after my son was born, I started being asked to fly to different cities around the U.S. to install servers. It just wasn't a good time in my life to be traveling. My son was born with some medical problems and needed many surgeries during his early years. I tried to find a position with less travel at Sun, but, at the time, there just wasn't a good fit.

S.N. OK, now you have street creds so you can start to be selective about your work environment. This must have been a major step in your career, what did you do to find the next ideal job?

L.T. I read the USENet newsgroups and noticed a systems administrator's job at BBN. So I went back to my familiar stomping grounds in East Cambridge. I like to think of BBN as a classic technology company. It's been around since the get-go and, had it not been for BBN, the Internet as we know it today might not exist. I worked on various systems administration projects while at BBN and volunteered to help with any security projects that came along. I remember a particular manager telling me that I likely was not knowledgeable enough to work on security. But, I didn't listen and continued to volunteer to work on security projects. I was soon co-managing BBN's security with a very knowledgeable person named Richard Silverman. (Richard has co-authored several O'Reilly books.)

Lesson Learned: Many people along the way may discourage your career interests, and, if that ever happens, you shouldn't listen to any of them.

S.N. Hanging with Silverman at BBN doing security works, do you still keep up with him? What was your next step?

L.T. Richard and I exchange email from time to time. He is truly brilliant and I'm fortunate to have had the opportunity to work with him.

The last position I had before leaving BBN was working on special projects for BBN's CIO. While I was doing that, I noticed an ad in the paper for a CIO position whose location was almost 45 minutes closer to home. I applied for the position, accepted their offer, and I began working as CIO of Schafer Corporation. Schafer is a systems engineering and defense contractor. They were having all kinds of problems on their network when I arrived. I wasn't sure how I'd get them all fixed with the small staff that I had, but I knew that technology problems were all fixable. Prior to coming to Schafer, their executive management team had already concluded that the existing staff was not knowledgeable enough to work on the existing problems. But, once I got there, I found that the staff was very willing to do anything. They just needed someone to believe in them. We had terrible router and firewall problems. I helped one member of my staff realize that she could easily become a router expert if she asked the right questions and found the right person to answer those questions. She had no idea who to call. I told her to start with the vendor. In no time she was an ace router support person, and it was much to her own surprise. I turned another staff member into an ace firewall support person. She had never installed a firewall before so I had her sit next to me while we did it. Before long I had developed the perfect staff. The network started running so smoothly that the Help Desk phone was ringing less and less.

Lesson Learned: Your staff is probably more capable than you realize - you just need to get them to believe in themselves.

S.N. I agree Laura, I certainly agree, people rise to your level of expectations; give them a chance and they will do more than surprise you. How was the CIO gig? I don't think that would be an ideal match for me, I like hackers and crackers and malware, oh my.

L.T. While the CIO position was challenging at first, I really wanted to be working primarily in information security. A headhunter called me out of the blue about a Director of Information Security position at a web hosting company that was very close to where I lived at the time. I had pretty much resolved all of the troublesome issues on Schafer's network to the point that they could really get along with the staff that I had trained. The possibility of working much closer to home - and being focused 100% on information security - was very appealing, so I jumped at the chance. I then worked as Director of Information Security at a managed service provider and then later as Director of Security Research of an industry analyst firm. The analyst firm eventually closed all of its U.S. offices, and that's when I started putting a lot of effort into Relevant Technologies - developing the website, defining the services, and creating a newsletter. While working as an industry analyst I had learned that readers were always interested in fresh new content on security topics and, thus, my interest flourished in publishing articles on information security market trends, products, and technologies.

To me, writing about something is a way to share information. We all have a certain set of knowledge about things in our brains. If you can write it down and explain it so that others can understand it, you are really helping pass on the knowledge so that society as a whole can benefit. I guess for me it's a way to make a difference. Everyone at Relevant has to have excellent writing skills.

S.N. What advice would you give any young people starting out in their career?

L.T. If you can't find what you believe is an ideal job, find the next best thing and see where it takes you. You may be surprised at where you end up and how much you end up enjoying your career. Whatever you do, don't just sit around doing nothing just because you couldn't find the perfect position. Be flexible and have faith in the intellectual curiosity development process.

S.N. I really agree! I just read the Obama book, Dreams From My Father, when he talks about going back to Kenya, and that the people who did not have a job the last time he went, still do not have a job. May such never be said of me. So, where do you plan to take your career in the future?

L.T. I hope to become more involved in teaching. I'm trying to pass on my knowledge of FISMA since there seems to be a dearth of C&A experts out there. C&A is actually not a very popular career niche within the information security industry.

My sense is that there needs to be a standard for C&A people; sometimes this is a bit of a paperwork exercise.

A lot of infosec people prefer working with products or implementing new technologies. C&A is really a type of methodical, yet cumbersome security audit - it's a health check. FISMA is starting to trickle into the private sector, so C&A is sure to grow.

S.N. How is FISMA trickling into the private sector?

L.T. When giving out contracts and grants to private organizations, the government is beginning to require that companies, universities, and other organizations comply with FISMA. It is a challenge for everyone because many people are still trying to figure out what it means to comply with FISMA.

S.N. Wow! That is only going to increase costs; I hope there is a security increase as well that matches the cost increase. Laura, you wrote the book on FISMA accreditation, tell us just a bit about the process and what impact do you think the book has had on your career?

L.T. I got the idea to write the book shortly after I started working on FISMA certification and accreditation projects. It was in 2003. I had looked through all of the NIST docs, and the other documentation published by federal agencies, and while much of it was insightful, there wasn't really any one thing that told you how to get through the process from beginning to end. It seemed like there should be. Since no one else had bothered to do it, it felt to me like a calling. I had written many articles, and some chapters of books, but never an entire book. I stayed up until 3am one night putting together a book proposal.

S.N. I think I even got to see that book proposal if memory serves; what was the level of effort it took to pop out the book?

L.T. Once I started writing the book, it took me two years to write ... that's writing on the weekends and evenings. I had to keep my lights on, so I couldn't just stop working to write the book. Usually I would try to write 10 pages a week ... most often it was 5 on Saturday and 5 on Sunday. There were many beautiful sunny Saturday afternoons where I sat at my desk writing - it was sometimes hard to do.

S.N. Well, you got it done and that is to your credit. One of the traditions of the security lab is to offer a bully pulpit, a chance to share what is burning on your heart: with respect to security, what message do you have for our readers?

L.T. Among some industry experts, FISMA has received the reputation of being a meaningless paperwork drill. However, before FISMA came along, government information security was barely optional. Many of the agencies still have not perfected IT security, but at least they are now trying harder. I have seen vulnerabilities closed as a result of FISMA. If FISMA is not making a difference in your agency, or your organization, then the process is not being worked the way it should be. All of us in information security should be trying to make a difference. I don't have a lot of tolerance for whiners and complainers. I'd rather hear about solutions and how we can make something work better instead of why we should not even bother with compliance. All of us should try to make a difference in everything we do, and that includes FISMA.

S.N. So, what do you like to do when you are not in front of a computer?

L.T. I enjoy doing outdoor things, and hanging out with my teenage son, Sammy. Sammy is on a swim team and water polo team so I spend a lot of time driving to swimming pools. When I'm outside I like hiking, canoeing, swimming, bike riding and just about anything that is not inside. I get stuck in office buildings too often, and I really think that we're all suffering from some sort of nature deficit condition. It seems to me that office buildings should have windows that you can open to let the breeze in. Last summer I went white water rafting down the Lower New River in West Virginia - and it was probably the most exciting thing I did all year.
