
Meet Your InfoSec Team: Joey Smith, Information Security Analyst III 


Joey Smith, Information Security Analyst III, works in the OIS Clinical Operations team, focusing on the School of Medicine and the Medical Campus. Joey uses tools to identify and monitor unmanaged devices on the WashU network. This effort assists in ongoing projects like asset management and network asset control (NAC). Joey enjoys IT and security architecture, design, and project management. This enthusiasm is vital in his day-to-day work here at WashU. Joey enjoys the intricate conversations about planning and designing new things and working to understand our tools, network, and how to map everything out in a concise way. He notes that these conversations “often need to be cross-functional, and as is the case anywhere else I’ve ever worked, the conversations are 80% of the work.”  

After working in InfoSec, Joey has found that people may not understand the delicate balancing act of medical security. He wants people to know that infosec “can be a function to manage safety or operational risk, as much as systems and data privacy risk.” There is risk that “has been understood as impact to healthcare operations of the availability of patient-facing systems such as MRIs, bedside monitoring or ventilators.” Joey notes that sometimes, “the safety risk outweighs the privacy risk.”  

Joey did not start out in infosec. Instead, he began as a high school IT hobbyist. While he attended Saint Louis University (SLU), he also worked at the SLU Service. After graduating from SLU, Joey landed a security role in Big 4 consulting. After a year, he moved on to a job at SSM Health in their Clinical Engineering department. There, he started his career in medical security. The Clinical Engineering department “was proactively seeking to address the security risk of their medical devices, clinical operations system, and dependent operation workflows.” He worked in a mix of technical operations and project management. This experience opened his eyes to “how fraught the security risk landscape was for medsec.” While Joey started his career in IT, he chose to stay with infosec because “of the need for security professionals in medsec who can communicate across technical, non-technical, clinical, and legal audiences.”  

When Joey isn’t working behind a screen, he does his best to not look at any screens at all. That is, unless he is gaming! In the past year, Joey has picked up dancing, learning to tango and the Lindy swing (so far). In addition, Joey likes to spend his free time volunteering in the “city and north St. Louis to try and build up the community and combat gentrification.”  

When asked what makes his life easier, Joey said using his Apple wallet and virtual credit cards. He notes that it is “easy to set up and configure and virtual credit cards are ephemeral when used, so even if that ‘card’ number gets disclosed in a breach, it can’t be used by bad actors, so you can greatly limit your personal attack surface.” Another recommendation Joey has is to use a password manager.

If you want to learn more about infosec, Joey recommends looking at the “SANS Reading Room for their research papers published by the infosec community.” If you are not as technical, Joey recommends Ars Technica. He notes that “their writers are often industry experts and academically accomplished, and they do a great job of bridging technical writing and layperson’s accessibility.” In addition to those more security-focused resources, Joey likes to “follow conflict journalism, which sometimes crosses into the cyber domain.” If you are interested in that area, he recommends “following Popular Front and journalists like Geoff White or Joseph Cox.” Joey also serves on the board for the (ISC)2 St. Louis Region/Scott Air Force Base Chapter. This group meets monthly, usually over Zoom. These meetings are open, and the “presenters discuss various topics such as Apple device security or the latest threat trends.” To sign up, visit: https://www.isc2chapter-stl.com/.

Finally, Joey wants readers to have a personal disaster recovery plan. He acknowledges that “we are so dependent on technology and automation; we are often caught off guard when these dependencies aren’t available.” It is important to have a plan if something like that happens. He asks, as an example, “If you were to lose your cell phone today and had to call someone up in an emergency, do you know the phone number for a friend or family member?” He encourages you to “think proactively about how dependent you are on the tools you used and what you would do without them.”