31 Aug Privacy Professor: Cybersecurity Chose Me, And I Accepted
The adventures and career of Rebecca Herold
– Di Freeze, Managing Editor
Northport, N.Y. – Aug. 31, 2021
Rebecca Herold, aka “The Privacy Professor,” loves discovering new security and privacy risks and then determining mitigations for those risks, and how to implement those mitigating controls.
“It is always exciting, and fulfilling, to be the first to discover breakthroughs and new security and privacy risks within any area,” she said.
So how did Herold get involved in this exciting field?
“Cybersecurity actually chose me,” she said. “An opportunity presented itself, and I took it.”
Herold was born and raised in a rural area of north-central Missouri, where her parents farmed. She loved growing up “out in the middle of nowhere.”
“I spent most of my hours when I wasn’t at school or school functions outside, helping with the gardening and farming, and also spending a lot of time going on adventures into and exploring the woods with my dog and at least a dozen cats tagging along,” she recalled. “We lived next to a railroad track that was one of the lines frequented by Jesse James and his gang. That track had not been used for many years, so I was always on the lookout for some remnants of the legendary loot from the many train robberies that the James Gang committed. I found a few extremely old coins during my adventures, which I choose to believe came from some of those robberies.”
As a child, Herold wanted to be a veterinarian, but she also had an affinity for math.
“My father was a high school math teacher when I was in K through third grades,” she said. “My mother worked the night shift at the hospital, and my father would sit me on the dining room tabletop, where he was also grading his students’ papers, and he’d keep me busy by having me do the math problems that he was grading. I remember especially enjoying doing binary (base 2), octal (base 8), and hexadecimal (base 16) math; they were like puzzles!”
Her father, who also taught science, became a superintendent of a rural school district when Herold entered fifth grade.
“He was a superintendent for three school districts in nearby rural areas until he retired,” she said.
Herold’s father taught the advanced calculus class as well.
“When I was a junior and senior in high school, he would sometimes have a meeting or some other event he would need to attend upon short notice, so he would often get me out of whatever class I was in at the time and have me sit in for him to be a substitute teacher for that class,” she said.
Herold still wanted to be a veterinarian, but after she scored 99 percentile for the ASVAB exam, and equally high for the ACT, some people from MIT and the Naval Academy visited her to discuss getting mathematics and computer science degrees at their institutions.
“I was intrigued!” she said. “But also a bit intimidated. I’d never been out of the state away from my family for more than a week at a time — just to band camps, basketball camps, etc. The thought of going to large metropolitan areas on the East Coast was a bit scary.”
Family circumstances led Herold to decide to go to a university closer to home.
“During my senior year, I started noticing some developing problems my mother was having,” she recalled. “I decided I didn’t want to be that far away from her.”
They eventually learned her mother was in the beginning stages of early-onset Alzheimer’s.
“I was able to spend a lot more time with her by staying close by,” she said.
Herold received a B.S. in Math and Computer Science from the University of Central Missouri in 1983. She originally wanted to do LISP programming on robots but couldn’t find any nearby opening for that after graduation. Instead, she went to work at AT&T in Overland Park, Kansas. When they wanted to transfer her to Bell Labs in New Jersey a few months later, she declined, choosing to stay near her family.
She taught math and computing (seventh through twelfth grade) for two years at a nearby town and then got her M.A. in Computer Science and Education from the University of Northern Iowa.
Principal Financial Group
In 1988, Principal Financial Group (PFG) offered her a systems analyst engineering position and she moved to Des Moines, Iowa, a two-and-a-half-hour drive from her parents. PFG was her introduction to security, although she didn’t realize it at the time. As a systems engineer, she was tasked with creating and maintaining the change control system.
“The programs were all housed in an IBM 370 mainframe, soon ported to an IBM 390 mainframe, divided into four regions for each of the several business unit regions,” she said. “My change control system was used to move a program from the development to test to pilot/beta region, and finally to the production region within each of the applicable business unit regions.”
The system required authorizations for each of the code transfers. Through Herold’s change control system, a manager had to approve the move from development to test to pilot. A director had to approve the move of a program from test to pilot to production through the system. The documented procedures required the managers and directors to carefully review the change documentation. The program team leader or manager respectively signed off on proof of thorough testing before providing their approval within the system.
Herold said the concept, system, and procedures were good, but many of the individuals using her change control system weren’t.
“We had around 800 programmers at the time,” she said. “It was frustrating to walk through the many different programming areas on Thursdays, the last day of the week for directors to approve of program changes to be moved into production on Friday, and see so many of the directors with their terminals logged on and open to access, and not even at their desks or in their offices. The programmers could go in and make the software transfer approvals — of their own code — on the directors’ terminals themselves! No PCs were used in the programming area at the time; that actually didn’t change until the mid-1990s.”
That bothered her for a couple of reasons.
“At a personal level, I wondered why I put so much time and effort into creating a sound, tightly controlled change control system, only to have the people authorized to use it defeat those controls. At a business level, I saw how dangerous this was. As a result of these managers and directors not really doing the reviews, each week we had a large number of production moves that had to be backed out on Friday afternoons because of the problems they caused and the errors within them discovered in production. Many were minor problems, but some brought the system to a standstill or even messed up the customer databases significantly before the problems were noticed.”
After being responsible for the online change control system for almost two years, Herold took a position in the IT Audit area to learn more about how controls impact business. Due to her initiative, the common practice of leaving unattended terminals and PCs logged in and unsecured changed.
During 1990-1991, she performed the first enterprise-wide information security audit at PFG, which took seven months to complete.
“I reviewed a wide range of departments and went deep into the details,” she recalled. “As a result of that audit, I recommended that an information security department be created.”
The executives assigned Herold to create the Information Protection department in 1991.
Herold recalls joining the Electronic Data Processing Auditors Association (EDPAA), which ultimately became the Information Systems Audit and Control Association (ISACA), in 1990, when required to by PFG.
“I also was required to obtain my CISA,” she said. “That got me hooked on the great organization that EDPAA/ISACA is, and also of the value of their certifications! When CISM was established and offered in 2002, I jumped at the opportunity to be grandfathered in to that certification!”
In 1992, she designed and established an organizational anti-virus program for a Fortune 500 corporation, which was recognized by researchers in Australia as the first identified implemented corporate anti-virus plan.
“We looked at a few possible solutions, including McAfee and Norton, but ultimately decided upon F-Prot Professional Antivirus,” Herold said. “It was first released in 1989, making it one of the longest-lived anti-virus brands on the market.”
Herold recalled that in 1986, there were seven viruses circulating. She said there were 12 in 1987, 200 in 1990, and almost 1,000 in 1992.
“Back then, virus infections occurred largely through hard drives sold by PC stores, infected disks sold by software companies, and through sneaker-net — people loaning others their discs with the malware, unbeknownst to them.”
She was asked to write about that anti-virus program in 1995.
“I still have one of the three different magazines showing me on the cover holding that 5.25-inch floppy disk that contained the anti-virus program that everyone was instructed to use,” she recalled.
During 1993-1994, Herold designed and implemented a remote working / dial-in program for PFG, which she subsequently spoke about in various security conferences, along with writing articles that described the process. She also documented a proposed information security peer group, which was ultimately started by the Computer Security Institute (CSI).
In 1994, she was given the responsibility of establishing privacy requirements for what her business indicated was the first online bank. She was also responsible for creating the information security requirements for the bank.
“There were no privacy laws at that time applicable to online banks, so when I asked the lawyers where I worked if they could get involved, they said they weren’t obligated to determine privacy requirements. I strongly believed it was important, so I convinced my senior vice president to address privacy. That was another great opportunity to do something that had never been done before within the organization, or at most other organizations.”
The Privacy Professor
In February 2000, Herold left PFG and began work for Netigy, an information security consultancy that was ultimately acquired by QinetiQ, a British multinational defense technology company.
“Then, after a short while, they decided to split up their USA acquisitions, and I was briefly at the acquirer, Thrupoint,” she recalled. “But I wasn’t happy with all the changes.”
She decided to join some of her former Netigy co-workers at a small, boutique consulting firm called DelCreo. When the owner called Herold a year later and told her he was shutting down the business, she was just about to meet with a client.
“I went to the meeting and said there was no longer a DelCreo, but that I wanted to do the project for them,” she said.
They told her they’d hire her if she established an LLC. She established Rebecca Herold, LLC (dba The Privacy Professor Consultancy), in January 2004.
“That first client loved my work, and they have continued contracting me for a wide variety of work ever since,” she said.
Her activities during the early years of her consultancy included writing for various publishers, writing books for large tech organizations on specific topics, and creating online classes for a variety of organizations, including ISMG, the umbrella for bankinfosecurity.com. She was an adjunct professor at Norwich University for 10 years and provided two-day training classes, along with conference presentations and sessions, for the Computer Security Institute for 21 years.
She was also a writer and blogger independently for Realtime Publishers for three years, focusing primarily on information/data security, cybersecurity, privacy and compliance. To date, she’s published 19 books and has been working on number 20 for the past year.
National Institute of Standards and Technology
In 2009, cybersecurity expert Gal Shpantzer asked Herold to get involved with a new research group that the National Institute of Standards and Technology (NIST) was putting together for privacy within the smart grid.
“It was part of their larger initiative that had gotten started at the beginning of 2009, the NIST Smart Grid Cyber Security Working Group (CSWG),” she said. “The IoT was starting to be talked about for more types of devices around that time, in addition to incorporating as smart meters within the smart grid. I joined, as a volunteer, and worked with Gal and Dr. Christophe Veltsos to establish the path forward.”
Herold suggested they perform a privacy impact assessment (PIA) on the smart grid plans that were in their infancy at the time. Since she had performed many PIAs prior to that, she led the effort.
“We performed the first known PIA on the ‘smart’ electric grid!” she said.
Herold led the privacy team as a volunteer for a couple of years and participated in a few of the other cybersecurity teams. She later transitioned to being a paid contractor and led the NIST SGIP Smart Grid Privacy Subgroup for seven years.
“At one point, our team grew as large as 30 members of volunteers, from private sector smart meter manufacturers, several state utilities commissioners’ representatives, lobbyists for utilities, representatives from utilities, electric grid professors from universities, and consumer rights groups, that put in literally thousands of hours of work throughout those years,” she said.
NISTIR 7628 Volume 2 was the model for the first smart grid privacy law in the U.S. in California. NISTIR 7628 Volume 2 Rev 1 also provided the basis for other laws, standards, and industry programs, such as the NAESB Model Business Practices for Third Party Access to Smart Meter-Based Information.
When there was a pause to determine the next steps, Herold left the team to build her second SaaS business.
“Since I left that project, I have done some very interesting proof of concept cybersecurity tests on actual electric grid equipment, for the distribution area of the grid, such as on solar inverters, reclosers, and others,” she said. “But NIST has continued the smart grid security and privacy work.”
Herold’s other work regarding the IoT includes serving as a co-chair of the Internet of Medical Things: Cybersecurity for Connected Devices Conference in 2016.
Herold partnered with the owners of Compliance Helper in 2009 to help healthcare organizations and their business associates meet their HIPAA, HITECH and other information security and privacy compliance and risk mitigation requirements. In 2014, she partnered with David Greek to create SIMBUS, a complete suite of HIPAA compliance privacy & security tools.
“He brought the money through investors, and I brought all my designs, specifications, content, and other details necessary to build such a SaaS system,” she said.
Data Security and Privacy with the Privacy Professor
In 2018, Herold started her own radio show, Data Security and Privacy with the Privacy Professor, on VoiceAmerica.
“I was contacted by a producer who had seen some recordings on my YouTube channel of some of my appearances on one of the local TV news programs. He said he liked how I explained complex security and privacy concepts in a way to help the everyday user understand them,” she recalled.
Herold focuses on a wide range of topics that involve data security, cybersecurity, other IT, privacy, and related legal compliance. Some of the most popular series have been on encryption and voting and election security.
Privacy and Security Brainiacs
In January 2020, Herold co-founded her latest SaaS services business with her 24-year-old son, Noah, who recently earned his computer science degree. Privacy & Security Brainiacs (PSB) is an online IT, information and cybersecurity, privacy and compliance training, and risk management SaaS services business.
“We’ve not made a formal launch yet, but we do have our initial offerings, with many free videos and other items available,” she said.
PSB is now signing up beta users.
“We want to have as many beta clients, from as many types and sizes of organizations, as possible, so we can make sure we are providing the best services. We’re also creating specific training modules, and soon policies/procedures, and then risk evaluations and risk assessments, specifically for the needs of our beta users, that we will then offer to others.”
Noah Herold began helping his mom with information/data and cybersecurity and privacy research when he was around 7 years old.
“He loves working with technology,” Herold said. “He manages our team of developers, and ensures that thorough testing is consistently performed, and proper change control processes are followed.”
Advice to others
A distinguished fellow at the Ponemon Institute since 2018, Herold also gets asked to be involved with many different boards and advisory groups covering a diverse range of topics. One opportunity was as an advisor to the Los Angeles City College Cybersecurity Certificate Program Advisory Committee.
“I provided input on the types of topics, curriculum and practices for that program,” she said. “I was happy to hear from many of the students as a result! It is a great initiative. They are providing a huge service to engage young adults in cybersecurity careers who may not have been able to get into the field otherwise.”
Herold gets many questions from those still in high school and college, and others just entering the workforce, about a career in privacy and cybersecurity. Her answer is if you have the intellectual curiosity and motivation, go for it!
She also gets questions from women with diverse backgrounds: young women who have listened to her podcast/radio show as part of their high school or college class, women whose children have grown and left the home or who have gotten divorced and now need to find a career, women in their 60s and older who want to keep working because they like to work and are interested in data security and privacy, and “even some in their early 40s who want to know if they are ‘too old’ to learn a new career, such as privacy and information security.”
“If you love the work and love always learning new things while building upon long-standing standards and concepts, the privacy and information security areas are perfect for anyone of any age!” she says.
Herold has received numerous awards and recognitions for her work, and she’s honored and grateful for each. However, the recognition that will always mean the most to her is “being Mom” to her two favorite people in the world, her sons Noah and Heath.
“I am so very happy and grateful to be able to build a business with Noah, and I know Heath will excel in an engineering career when he graduates from Iowa State University in 2022,” she said.
Herold says that her times for relaxation are “few and far between,” but there are a few things that she absolutely treasures for relaxing and recharging.
“One or both of my sons visit me on the weekends,” she said. “On Friday or Saturday nights, they pick out a movie for us to watch.”
Herold also enjoys spending time with her Doberman, which she rescued in July 2019, several months after Stella, her first rescued Doberman, died.
“Stella was a wonderful member of our family,” Herold said.
Herold adopted Stella in 2007. The Animal Rescue League related that the Doberman, estimated to be 10-12 months old, had been found in an alley, with a littler of pups. Her bones were protruding and she had a scar on the top of her head.
“The veterinarian’s theory was that she was likely the runt of the litter, and someone hit her in the head with the claw side of a hammer and threw her in the alley, or somewhere close by, and that somehow she survived,” Herold recalled. “She had taken very good care of the other pups, at her own expense.”
Herold’s present Doberman, a male, was left at the Doberman Rescue of Nebraska with a note that said he was six months old.
“Whoever left him there spent a lot of time with him. His ears are cropped, his tail docked, and he knows many commands. So many mysteries why someone would abandon him. He does have a strong will and can be a bit scary to people who are not used to dogs in general, but certainly not used to Dobermans. But he is a perfect fit for me.”
Herold also loves traveling, meeting new people, and experiencing different cultures. She loves visiting national parks, castles, old architectures, and museums.
In 2022, she’ll be going on a long road trip to visit several national parks.
“Starting from here in Iowa, going through states over to California, up the coast and back,” she said. “I am really looking forward to being outside a lot and seeing and experiencing the great diversity of natural wonders that we have here in the USA.”
Rebecca Herold is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” To learn about more women fighting cybercrime, pick up a copy of the book.
– Di Freeze is Managing Editor at Cybersecurity Ventures.