The 'Privacy Professor' Teaches the Industry About Privacy and Security
By Roy Urrico
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security to protect data and transactions at credit unions and other financial institutions.
It is safe to say that Rebecca Herold is one of information security’s true originals. She promoted privacy in financial services at a time when customers’ only protection from shady onlookers was covering up as they filled out deposit slips at a bank counter.
Over three decades, Herold has worn many hats: owner and CEO of Rebecca Herold and Associates (aka The Privacy Professor); CEO/co-founder of Privacy & Security Brainiacs; co-founder/president of information security, privacy, technology and compliance management cloud service firm SIMBUS; and information security, privacy and compliance consultant, author, expert witness, and university professor.
In her roles, Herold helped a broad range of organizations of all sizes to implement and sustain infosec, privacy and compliance programs. In addition, Herold led the National Institute of Standards and Technology’s (NIST) Smart Grid Privacy Subgroup for eight years, served as a founding member and officer for the Institute of Electrical and Electronics Engineers (IEEE) P1912 - Standard for Privacy and Security Framework for Consumer Wireless Devices Working Group, and served on advisory boards of numerous organizations.
Growing Information Security Awareness
Now residing in Des Moines, Iowa, Herold was born and raised in a rural area in north central Missouri. As a high school student, Rebecca occasionally filled in for her school superintendent/teacher/farmer father as an advanced calculus instructor. She received a Bachelor of Science in math and computer science from Central Missouri State University, and Master of Science in computer science and education from the University of Northern Iowa. She entered the workforce as a systems engineer for the Des Moines-based Principal Financial Group and was assigned to build a change control system on an IBM mainframe.
“I didn't realize at the time I was doing security. But as I built it and rolled it out to the business, I noticed we would still have software erroring out in production,” she said. Herold observed people in the organization defeating her proactive technical controls. It was a system that required management authorization after different phases of testing. “Some of them would just go to meetings and leave their old mainframe workstations logged in. And the programmers who created a change would approve their own code. That kind of bothered me, because I had a very well-built change control system, but yet the humans were defeating those controls.”
She then accepted an internal auditor position so she could further explore organizational weaknesses. “It doesn't do any good to have the most secure system in the world if you have humans defeating it.” In 1990, she spent seven months reviewing the company’s systems for vulnerabilities and then headed up a new department created to address information security throughout the corporation. “We called it information protection, because we wanted it to go out beyond just something that sounded like security.”
Becoming Known as a Privacy Advocate
Herold noted, “The reason (executive management) asked me to do a security audit was because of intellectual property; they had no idea about privacy.” One of the problems she investigated was the use of illegal software within offices scattered around the county. “People were using floppies to exchange programs.”
Then around 1993, the Principal Financial Group started to put up its own website. At that time, there were no legal requirements for privacy. “I was given the task of establishing the security for the web server that we were putting up for what would be the first online bank.”
There was no Googling then. She studied at the company library. She recommended that the company hierarchy address privacy, basing her advice on her research into the privacy principles developed by the Organisation for Economic Co-operation and Development (OECD), an international privacy advocacy group. “I said, ‘We need to make sure that not only is our website secure, but that the people who come to use the bank online are going to feel their data is safe because it is their privacy.’ That was a very new concept at the time.”
Even though there were no legal requirements for privacy at the time, the CEO asked Herold to take care of the privacy issues, too. She recalled, “That’s how I got into privacy and security and ever since it has kind of evolved.”
Herold relayed a conversation she had about two years ago with an Australian Ph.D. candidate, who identified Herold as an infosec innovator in the early 1990s. “He said, ‘You actually implemented the first anti-virus program in a large corporation.’” While Herold could not confirm or deny that, she did acknowledge antivirus programs were a new concept at organizations back then. “It was kind of cool to be a pioneer at a time when people didn't even realize there were viruses that much, and also providing remote access, when everybody had a floppy drive.”
Out on Her Own
After leaving Principal in 2000, she worked for a few consultancy firms during the tech bubble before heading out on her own in 2004. “I created my LLC, with no prior intent to do so, just to get the business. Ever since, I have been running my own business and have started other businesses along with my consulting company that I still do.”
Herold added, “You can probably tell I've always loved doing things that have not been done before.” That has included teaching organizations in financial services, healthcare and government how to identify and mitigate risks. She also wrote books about building a training and awareness program.
In 2009, Herold took on the lead role of NIST’s Smart Grid Interoperability Panel (SGIP) and became part of NIST’s cybersecurity working group. From 2018 through January of 2020, Herold was one of the original core subject matter experts who created the NIST Privacy Framework; and since January of 2020, Herold has been part of NIST’s Internet of Things (IoT) Development Working Group. She is now in her third software-as-a-service (SaaS) business company, Privacy & Security Brainiacs, which she cofounded with her 24-year-old son, Noah.
In between everything else, Herold served as an Adjunct Professor in Vermont’s Norwich University master's degree program in information security and assurance for nine years, starting around 2004, where she also created the program’s curriculum. “I tend to go into professor mode, because I am used to talking for hours giving lectures.”
“I'm happy to help organizations of all sizes and certainly their training. I want to focus on providing training for people who are actually doing specific jobs, like the call center for a financial institution,” Herold pointed out. She added that fraudsters sometimes try to trick call center staff into giving up access to personal data and credentials.
Keeping Financial Institution Management Alert
Herold emphasized that training and awareness are at the core of any business. “Unfortunately, most business management, at least in my experience, do not oftentimes dedicate enough resources to making sure that the businesses are aware (of security risks).”
Herold noted that in her chats with credit union management, especially at small credit unions, their attitude frequently centers on size, countering her warnings with responses such as “We're so small. Why would anybody target us?” The Privacy Professor pointed out that financial institutions need to realize the size of an organization is really not the key. Like famed bank robber Willie Sutton, digital fraudsters target anything that looks like a source of money. “Cybercrooks, they just are looking for anyone that is vulnerable. They know the websites that belong to financial companies, they know the email addresses at financial companies. They are going to attack anything that they think might be a financial organization.”
Organizations need to worry not only about cybercriminals penetrating the security perimeter and cashing in on phishing schemes that deliver malware, but also about having their intellectual property stolen or locked up by ransomware. “If the controls aren't there within the financial companies, to look for small idiosyncratic changes, they're going to miss it, and people are going to be getting rich off of that.”
New technology is another huge object of cybercrooks’ attention, noted Herold, because too many organizations simply have not started addressing new tech, such as the use of Internet of Things (IoT) devices within their work environments. “That's a huge issue for credit unions and banks and other financial companies.”
Herold emphasized the need for organizations to scrutinize their supply chain management. Because so many different organizations are involved in building technology (hardware, software and firmware), it is very easy for a cybercriminal organization to plant ways to track or infiltrate the customers’ products during the development process. “We need to raise our awareness and start looking more critically at the supply chain and ensuring there was proper security mitigation done at every step of the way through any type of technology created, so we don't have these hidden back doors and malicious code.”