Cybersecurity “appealed to my passion for doing the right thing.”

This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Sarah Roberts, Enterprise Security Executive at Microsoft.

Stephanie Lio
Microsoft Cybersecurity
5 min read · Aug 20, 2019

“I love feeling like I’m on the front lines” (Source: Getty Images)

Sarah Roberts is an Enterprise Security Executive serving the US Federal Government. Previously, she was a Cybersecurity Consultant on Microsoft’s Detection And Response Team (DART). Sarah earned a dual Bachelor’s degree in Security and Risk Analysis, and Spanish Language and Literature from Penn State University.

(Source: Sarah Roberts)

Sarah, can you tell me about how you became interested in a cyber security career? What keeps you interested?

I first started my IT journey when I decided to go to Penn State, where I chose the cybersecurity track. During college, I also had an internship at the Nuclear Regulatory Commission in DC, which made me fascinated by cyber diplomacy.

I was excited by all the TV shows and movies about cyberterrorism that created a sense of an epic battle between good and evil. The idea of being a spy, hunting down the bad guys, and taking down malicious networks really appealed to my passion for doing the right thing while exposing me to a new world I hadn’t seen before. I love feeling like I’m on the front lines of this secret world, where we are fighting the good fight.

“I love feeling like I’m on the front lines” (Source: Giphy)

When I joined Microsoft six years ago, I knew I wanted to get into a technical cybersecurity role. My first manager really set me up for success by introducing me to Microsoft’s DART team, and I’ve been here as a cybersecurity consultant and now, as an Enterprise Security Executive. I’ve been lucky to have supportive female mentors and cheerleaders on my journey, but also team members in general who are extremely encouraging and supportive.

What have you learned about effective teaming from your experience on Microsoft’s DART team?

Mastering intergenerational communication is so critical, because we work on a diverse team made up of people who’ve been in the industry for 25 years, as well as people who have just started in their careers. As a team on-site in front of a customer, our diversity of experiences shows that we’re bringing the best of all perspectives. My recent educational background and fresh perspective, mixed with another teammate’s deeply high-tech experience, is all valuable to the problems we solve.

Coming together to help the customer. (Source: Microsoft)

As a team, we also have to communicate well with one another and find new ways to explain things; we can’t simply rely on the same buzzwords to get our point across. Coming together despite any differences is how we give the customer what they need.

How do you continue learning?

Cyber security is an overwhelming space. I tell newcomers to our team that every day is a true learning opportunity. I do have a few techniques to continuously develop:

  1. I keep a learning journal. At the end of each week, I write down the things I learned, definitions for new jargon I’ve picked up, or new insights. I try to make the time — otherwise the overwhelming-ness of all there is to learn builds up, and it’s not fun anymore.
  2. I find mentors and peers skilled in different areas. For example, one mentor of mine is very strong in security infrastructure and can break concepts down for me in simple English. I’ll find another teammate who can tell me about APT groups.
  3. I watch educational videos on flights. I’ve been using Pluralsight, LinkedIn Learning, and our team’s internal training videos to catch up on concepts I want to learn more about. It’s a good way to use the time on a long-haul flight from Australia, for example, instead of just watching movies.

What are you learning about lately?

I’m constantly learning about the cloud. As everyone migrates to the cloud, bad actors are moving there too — and are often a few steps ahead.

On every incident response case, we discover a new technique by bad actors, but often they wreak havoc through very simple means. I’ve recently written a blog on Password Hash Sync (PHS) — I find that customers don’t know they have this built-in feature which can help enhance their security. Implementing multi-factor authentication (MFA) is also a good start. Start simple and use what you’re paying for!

Securing the cloud is an evolving journey. (Source: Getty Images)

What advice do you have for friends looking to secure their consumer devices and accounts?

My advice for consumers is also to start simple:

  1. If you’re traveling, don’t connect to just any free WiFi. Just because it’s free doesn’t mean it’s secure. Use your data, or don’t use anything. Or, if you have to connect, be smart about it and don’t log into your bank account to pay your rent.
  2. Be mindful of your surroundings. Pay attention to where you have sensitive conversations and what (or whom) may be around you. Just last week, I stayed in a hotel room with an Alexa device and had to unplug it before having a sensitive work conversation.
  3. Don’t use the same password for everything. And definitely do not write them down and put the Post-It note on your computer! I recommend using a password manager, even if you have to pay for it.
  4. Mind what you post on social media. I’ve seen friends post photos of their wedding invitations, which contain addresses, their mom’s maiden name, and other details that might double as security questions for resetting their password.

You don’t have to censor everything, but you do need to be aware of the risks.

Sarah, you changed roles recently — congratulations! What are you excited about, as you begin working with Federal Government customers?

I am excited to learn and experience a new side of the cybersecurity world. The work I did in incident response was reactionary — I came in after the attack to put the pieces of the puzzle together and to ensure customers were capable of recovering themselves. Now, on the sales side, I will hopefully be able to help customers prevent attacks before they occur. I have the unique advantage of knowing the attackers’ tactics, techniques, and procedures and thus what security measures need to be in place in order to detect and prevent them.

Overall, I’m excited to explore a new side of the field I am passionate about, meet new folks, and build my skillset and experience.

Best of luck in your new role, Sarah! For more, read Sarah Roberts’s latest blog on Password Hash Sync. Check out other profiles of people making a difference in cyber security and their career journeys here.

Stephanie Lio
Microsoft Cybersecurity

Product Marketing Manager at Microsoft. Creative, curious, & customer obsessed.