
This is software (AWS) generated transcription and it is not perfect.
So I started off as a systems engineer, and was working with server technologies, some applications, and then progressed to network engineer, and I spent some time doing that. And this was back before security was a common part of the IT industry. And it was a pretty natural step, if you were working in systems and networks, to start working with firewalls and eventually intrusion detection capabilities, to put access controls in place, you know, passwords and accounts, that kind of thing. And so it was something where the need was there. And I was working for a VAR on the East Coast at the time in the United States, and ended up heading up their security program within the VAR. I was on the engineering side, and I had a coworker who worked on the marketing and sales side of it, and eventually the team grew, and we got into everything from, you know, deployments of security equipment to incident response to audits and assessments. I did that for quite a while, and eventually our family decided to move west because of my wife going back to school. And when I did that, she had sent out some resumes for me in advance. I didn't even know she had done it. And I ended up getting hired at the Church of Jesus Christ of Latter-day Saints. And it was a pretty big surprise; there were, you know, 100-some candidates and they ended up picking me. But, you know, information security, working with risk management, it's something that's often not a first job. You can do it as a first job if you want to get into, like, the operational side of it. But, you know, working with the technologies, it really helps if you understand some of the technologies that are underlying what you're trying to secure, and certainly early in information security, networking was very important. You know, the security around networking and the security around servers and services was very important. It's certainly migrated now.
You know, much higher in the stack. We have a lot more tools now for managing things, but it helps to understand those underlying technologies. So if you've done development, if you've done engineering work, if you've done operations work, that's a big help.
My former work, before I came to work at the church: I spent a lot of time traveling. I was a consultant, working for a value added reseller, a VAR, on the East Coast, and I traveled up and down the Atlantic Coast, and during parts of my work I was probably gone three out of four weeks on the calendar. That was really hard for me and for basically everybody who did it. If you were single, it was awesome. You know, you could make lots of money and go a lot of new places, but for those that wanted to have a, you know, boyfriend, girlfriend, they wanted to have a family, they wanted to have kids, it's impossible. You can't work that kind of schedule and maintain relationships. It's not possible. So one of the reasons why I was excited to get the position with the church is that in a large organization you have the opportunity to work within that organization, whereas when you're working for a smaller company, more often than not you're contracting out to lots of different locations. The reason why is because small companies can't afford to pay for such a specialized position as, you know, like a senior information security person. What we're seeing is that a lot of that's going up into the cloud. It's going into large corporations, large organizations. The Church of Jesus Christ of Latter-day Saints is a global organization. I know that sounds funny when you talk about churches. A lot of people are used to churches being small. But if you think about, you know, the largest church in the world is the Roman Catholic Church, and, you know, you think about something of that scope, and they have IT systems and they have networks and they have a need for software applications. So they have to have people that help maintain that, just like any corporation does. And so it doesn't really matter whether they're a private or public organization. Those larger organizations are going to be able to keep a specialized person like that busy.
Otherwise, you're probably going to be working for, you know, if not a large corporation, then something like a cloud service provider that really needs those kinds of resources. So there's two sides to information security. One side is the technical engineering side, and the other side is the business risk management side. My current job is more on the business risk management side than the technical operations engineering side. And so what that job includes is, so we have multiple departments inside the church; you know, in a corporation it might be sales and HR and things like that; inside the church it's things like missionary and temple and meetinghouses. We also have, you know, HR as well. And I get to work with the areas out in the field around the world, I get to work with our publishing groups, and so we have different people that are my peers that work within those departments. We have things we call portfolios within our IT group that service those departments, and we partner with those. They're the equivalent in my work of a CIO for a moderate-sized company. And so, just like a large corporation would have multiple sub-companies within it, multiple departments, it would be like a CIO for each of those, and so I work with those departments to help them build plans to implement security controls. I like to think about my job as, if you look at IT risk management, it's like trying to defend your IT infrastructure against the hordes, right? And so if you've got hordes of Mongols, you know, think of Mulan, coming in to attack your city, how do you defend your city? Operations and incident response are the ones that are the soldiers on the front line. You're the one that's in charge of construction of the castle and the moat and the outer walls and the watchtowers. Right?
And so you're the one that's working with the business to help them build systems that are defensible, and then operations and incident response and engineering, they're the ones that help actually maintain that defense. So that's, at a high level, what my job is. And I do a lot of teaching. I'm a diplomat. I have to work out where there are differences of goals. They might have conflicting purposes, and so I have to work with upper management to help them understand, you know, we need to make an investment here. It might hurt this group for a period of time, but, you know, over time their ability to execute is always going to be improved. And that's what risk management is all about. Information security is about securing; risk management is about making sure the business can achieve its goals. So right now, with the COVID pandemic, I work from home. But prior to that, I worked in a local office about half an hour, 40 minutes from where I live. At the church it's really great. They try really hard to allow us to prioritize our family time. And so I would typically work between 40 and 45 hours a week. That's probably not typical for a CISO position in corporate America. They will tend to have longer hours in a corporation there. And I hate to put it this way, but when you're in that kind of position, you're kind of the scapegoat, right? You're the sacrifice in case a major security problem happens. It's your responsibility to make sure it doesn't happen. So the key thing that you have to do in that kind of a role is to make sure that you have the resources necessary to be successful. If you're not getting support from the organization to put in appropriate controls, then you can't. And, well, as to travel, I travel for training.
There was a time when we traveled around the world to see the different offices, but honestly, with web conferencing getting better, we just don't do that as much anymore. So because I cover the remote areas around the world, I sometimes have meetings at weird times because of the local time zones around the world. But other than that, I think that's about it, okay?
We talked about some of the challenges. There's kind of two approaches to implementing security in an organization: there's the guerrilla and there's the top down. Guerrilla warfare requires you to interact with the individual contributors and their managers and try to get them to adopt security. And if they care about what they're doing and they understand the risks of not implementing those things, they understand that they will fail. Right, because if you put an unprotected application out on the Internet, it's going to die. It's not a question of if, it's a question of when. So you can approach it from the "I'm going to teach you about how bad things can be if you won't secure your stuff," or you can approach it in the "now that you've got a smoking hole in the ground, I'm going to come in and help you build it right the next time or recover from the incident." Both of those are hard to do; they're expensive. They damage the organization's reputation in the second case, which is never a thing you want to do. It's a lot easier if you've got leadership support, and the top-down approach is a much easier thing to do. But it depends on the maturity of the organization as far as processes and, you know, risk management. Some organizations are going to be super mature that way, like finance organizations; they all understand that, you know, not securing their applications means lost dollars. And to them, the dollar controls everything. If you're dealing with, like, a nonprofit where it's not so clear, you might be doing a lot of education, right? You might be teaching a lot of people about what that means. And there's regulatory environments that require compliance with regulations; that compliance is a good driver for budget. But it's not security. You can totally comply with all the laws and still get breached in a heartbeat.
So you've got to be able to focus on what's important to the organization, and you've got to build your whole plan about what you do around the organizational goals. If you don't have, especially for the top-down approach, if you don't have a good understanding of what the business does and what their pain points are, I don't feel you can be successful. They have to understand what you're doing and that you're supporting their goals, and you have to understand what their goals are and what their language is. If you come in and you talk information security or IT to a bunch of business folks, they're gonna look at you cross-eyed.