Interview with Gregory Towers of SRA (Security Risk Advisors)

TUsec
Aug 27, 2017 · 3 min read

1) What department do you work in, what’s your title?

GRC & Strategy

Information Security Consultant

2) When did you first get into Cyber Security / Information Security / InfoSec?

Knowing some folks who were in the field, I was vaguely driven to work in IT. After getting to Drexel, I realized the growth in the field and focused on taking InfoSec courses (InfoSys Major, Business Minor) which allowed me to land a Co-op position in InfoSec.

3) How did you first get into InfoSec, what was your first InfoSec job?

I was lucky enough to get a Co-op with Towers-Watson (no relation) in their Sec department. I leveraged my experience (2 yrs) in IT, as well as a strong interview, which landed me a role in their 5-person team. In this position I helped develop a DLP (Data Loss Prevention) program policy, as well as conduct 3rd Party Risk Assessments.

4) What does your typical day look like?

Can’t say I have one; my routine is atypical. I spend as much time “away” from computers as I can aside from work. Consulting at SRA means that often I’m traveling, and I have the capability of working from home when required, so my schedule varies greatly.

5) What is your favorite “war-story”/ project you’ve worked on (Client names will be redacted)?

While working at a fairly sizable legal firm in Philly as their primary IT staff, I found out in my 3rd week that their entire business continuity and IT admin passwords were stored on a sharable, unkept Google Docs sheet. I brought this up with stern vigor at the next day’s meeting.

6) What is your favorite part of your job?

Without a doubt — the most enjoyable part about my job is the people I work with. Everyone is brilliant, and on a similar technical page. No one “knows” vastly more than everyone else, and the entire office is constantly seeking new information and skills. It’s a refreshing place to work.

7) What is your least favorite part of your job?

Project crunches. The anxiety of having to have X done by Y time, and realizing that there has been a vast underestimation of how much work something would be.

8) From your experiences what kinds of people excel in InfoSec?

One of the interesting parts about InfoSec is the diversity of skillsets. It’s implied that you’re technically minded and exceptionally literate, but apart from that GRC (Governance Risk and Compliance) differs greatly from Red/Blue guys, especially in the consulting field.

Communication and having an inquisitive personality both are valuable traits to hold.

9) What would you suggest to any students who may be interested in getting into InfoSec?

Internships are key, and maintaining solid relationships with people in the field. It’s very difficult to reconnect and rebuild a bridge that you’ve left to decay.

10) What are your favorite resources?

People. Other professionals spend a great deal of time reading and honing their craft — and it’s quite often not particularly relevant to the work that I do in GRC and in personal ventures. However, there’s something valuable to be had from everyone. Frequently asking about pertinent topics in a way that distills down someone else’s experiences is the BEST way to derive the most important information. Plus, it triggers the Ben Franklin Effect.

“That’s interesting. What are your top two concerns in [your field or specialty?]” — and then expand into their talking points. This question is GOLD when it comes to extracting the most valuable information out of as many people as possible.

Youtube, LinkedIn groups, InfoSec Twitter

11) Would you recommend any specific certifications?

Experience > Certifications.

Things like having a home lab, explaining a small WireShark project, or related IT/Sec experience are a far, far more productive way of slipping into the Sec field, simply because I’d rather hire someone with experience (that I can send for certs) than someone with certs (that may or may not be able to acquire experience, which takes longer). The experienced, uncertified professional is the more valuable pick in almost any relevant situation.

In terms of valuable certs, Sec+ and Net+ may be of benefit to new folks, but after that it’d be moot to chase specific certifications, as your likely role will A: train you and B: quite often won’t be relevant to the past, specific certifications.


Written by

TUsec

TUsec is @TempleUniv's student organization for information security. We tweet TUsec announcements and occasionally InfoSec news or good reads.
