With the highly technical appearance of information security, entering the field may seem daunting. What does it actually take to work in information security? In this series, we’ll cover WashU’s information security professionals and how they got to where they are now. Let me introduce you to my boss, Quint Smith.
What is your current role and its responsibilities?
I’m Assistant Director of Information Security, leading the Awareness, Behavior, and Culture (ABC) team. I have had the privilege of building a talented team of folks, and I develop strategy for our department by doing what I can to empower the team to do great work in various areas of behavior change and culture building.
What was your career path?
I began my career as a marketing and media development manager for an heirloom seed company. That was a wild ride that took me all over the world. After a few years of doing that, I left the company and moved to St. Louis to be closer to the person who is now my wife. I shopped employers more than roles when I came to St. Louis, and I found myself set on working for WashU. I was hired to be a communications specialist for the Office of the Chief Information Officer (OCIO). When a position opened up to be the first dedicated training and awareness person for the Office of Information Security, I took it. I had no idea of the scope and importance of that role at the time, but I know now! Working alongside our Chief Information Security Officer (CISO), Chris Shull, I have been able to strategize and build a team and the ABC program. We have the distinction of being leaders in this area, and I am grateful every day that our team, our leadership, and our institution understand the value of working to prevent social engineering attacks.
What schooling or training did you take to get where you are now?
I actually studied Journalism at Mizzou. Specifically photojournalism with an emphasis on multimedia and video production. The skills I learned there about finding and telling important stories with sensitivity to the medium and message have translated well to a career in cybersecurity.
What skills are needed in your area of infosec?
I believe in the power of diverse teams with a range of backgrounds and skills. I think different educational backgrounds keep our perspectives fresh and help us come up with good solutions to the challenges we face in the ever-evolving cybersecurity landscape. One necessary capability for working in this area is empathy, which helps us know how to deliver important information to the WashU Community without interrupting their work and helps us tell stories that resonate with our audience. Also, strong writing skills are a big plus in our work.
How does your personality lend itself to your role?
I think being naturally social, curious, and optimistic works well for a role in which we are working to increase awareness, teach good behaviors, and build a resilient security culture. Cynicism is the enemy. Believing in people is the right approach to this work.
How do you keep up to date on the industry?
There are so many great ways to stay connected to the trends in our industry. There are specific things like training and certification through reputable organizations like SANS, ISC2, CompTIA, ISACA, and InfoSec Institute. And there is cybersecurity-focused media like the Cyberwire podcast network. But something really interesting about cybersecurity, and social engineering in particular, is how you begin to notice connections everywhere once you tune in to it. You start seeing stories everywhere that have to do with people using social engineering tactics, both factual and fictional. It’s a really fun thing about working in this field. It feels like what we do is so vital and relevant. And, of course, look out for our SECURED newsletter in your inbox and read it each month. It is our mission to provide you with relevant and helpful information about the trends in cybersecurity and to help you avoid falling victim to attacks without wasting your time. We are so appreciative of our readers and our great institution.
What’s your take on getting certifications? Which, if any, would you recommend?
See the answer in the previous question for organizations with reputable certifications. And ideally, get your foot in the door with an employer who will pay for training and certifications for you. I think your overall strategy depends on what you want to do. If you want to lead and be something like a Chief Information Security Officer (CISO), a wide variety of well-known and broad certifications might really benefit you. If you prefer to be a member of a team doing a specific task, you might be better off targeting a more narrow set of trainings, certifications, and professional organizations. In the latter case, the acronyms after your name may be less important than the knowledge you obtain to help you do the work, regardless of possessing a long list of certifications. I think general leadership training or other things that are adjacent to cybersecurity, rather than directly focused on it, can build the well-rounded skillsets that talented and creative people need to succeed in this field.
What career advice would you give your younger self?
I’d tell myself to keep an open mind and buckle up because you have no idea where this is all heading. Say yes to opportunities, and hone skills that you know are generalizable; you can always train up on the more specific ones. Most importantly, everything is about people and relationships, so always act like a professional, stay curious, and ask a lot of questions. People will appreciate the interest.
What advice would you give to someone who wants to start in your area of infosec?
Don’t be afraid to connect with people working in the field and ask them questions. We need a lot of people with a lot of different backgrounds working in this field. Don’t count yourself out if you don’t have specific cybersecurity experience, and know that a lot of specific things can be learned on the job. A willingness to be brave, to learn new things, and the ability to apply what you already know to novel situations are some of the most valuable things you can bring to this table.
Do you have any questions for Quint Smith? Leave a comment, and we’ll reply when we can.
I used to be in charge of information security, but I am not an information security major. If I want to know more about the knowledge of this domain, where should I start? Like cryptography?