This week Crain’s named NowSecure Director of Mobile Services Katie Strzempka a member of its Tech 50 list, Crain’s “guide to the city’s sweeping technology ecosystem: founders, CEOs, technologists, risk takers, investors and up-and-comers whose names you should know.” Crain’s selected Katie because of her “inside-and-out” knowledge of mobile security and the crucial role she plays in product development and managing NowSecure’s professional services offerings. To celebrate Katie’s being added to such an impressive list of technology leaders in Chicago, I sat down with her to learn more about how she became interested in technology, the nuances of mobile security and risk management, and advice she has for people interested in a career in information security. Below are edited excerpts from our discussion.
What are some of your favorite parts of your job?
I like that I get to take part in all aspects of the company, whether that’s product, services, or anything else. I get to use our products and identify areas for improvement, work with our product team to fix any issues or make those improvements, and see things through from start to finish. I really like to help other people connect the dots. For example, if I’m working with our developers on a product feature, they have one piece of the puzzle, and I like that I have other pieces that act as a bridge to the larger picture. I get to help people and different groups connect the dots, and I love to see things “click” into place. It’s also never the same thing over and over again, day in and day out. That’s something I like about forensics work too. Sure, some of the tools and techniques used to recover data can be repetitive, but the analysis involved in every case is different. Through working with customers, helping our sales team, and conducting trainings, I’ve found that I love that interaction. I love working with people, seeing that they’re learning, and knowing that I’m helping them learn. Starting out I had no idea I’d enjoy the customer interaction and teaching as much as I do.
What interested you about technology in the first place?
I can’t point out any one particular thing that sparked my interest. It was just a natural thing; since I was a kid my family always had computers, and I always enjoyed using them. In elementary school I played the games Where in the World is Carmen Sandiego and Touch Typist Typing Tutor, both of which ran on DOS and required the command line to run. I used my computer a lot in high school, whether it was playing games or chatting with people. I learned HTML and developed a website on my own, and some of my friends were also interested in computers. No single thing necessarily made me say “I want a job that lets me work with technology.” Technology was just available to me, and I naturally gravitated toward it.
How did you start to focus on cyber security?
I went to Purdue and majored in computer technology. I started out in the software development track, but after a couple of years realized it wasn’t for me and switched to network security. I then got an internship at Kimberly Clark in a security role. I liked that, and then they hired me on full time.
You co-authored the book “iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices,” and you conduct mobile forensics investigations and serve as an expert witness. How or why did you decide to focus on forensics?
As an undergrad I took one class in forensics, and I really enjoyed it. For a few years after graduation I worked as a Computer Security Analyst, administering firewall rules, and was looking for a change. Because I enjoyed it so much during my undergrad, I decided to study for a master’s degree in cyber forensics. During my studies, I also got an internship where I was performing forensics investigations for a local police department. When I graduated, I was looking for forensics consulting firms and found NowSecure. It was just Andrew [Andrew Hoog, co-founder and CEO], and I was employee number two. At first he was taking general computer forensics cases as well, but within just a couple of months of my being there, we narrowed our scope to mobile only.
What widely accepted idea or belief about mobile security do a lot of people take for granted that you think is false?
A lot of times I’ll hear people talking about one mobile platform being more secure than the other. I don’t think of all mobile devices as being created equal. For example, we might both have an iPhone 6 running the same version of iOS. My device might be secure whereas yours might be completely insecure based on how you use it, what apps are installed on it, etcetera. Don’t assume that your mobile data is more secure because you have a particular device or OS version. How you use that device and what apps are installed on it are also factors.
There’s an information security skills shortage, meaning there aren’t enough people to fill the available jobs. Are companies also struggling with mobile security expertise?
Yes. A lot of companies out there don’t have specialized mobile skillsets in their security groups. Mobile security usually falls to more general security or incident response staff, which forces those people to become mobile experts. There are plenty of parallels between more traditional security know-how and mobile, but mobile is still unique. Companies are adapting, but there’s not yet a central focus on mobile security. We talk to customers who say that they’re growing from 30 apps to 300 apps in the course of just a year, and this is true of a number of companies. With that sort of exponential growth, people with mobile security expertise are in high demand, and I don’t see that changing anytime soon.
What advice do you have for people trying to get started in the cyber security industry?
You need the capacity to learn how to use the tools and analyze the results. When it comes to security specifically, though, what’s more important is looking at the big picture and all the moving parts. You need to look at all the information available to you and ask “what is the risk?” And I think that’s more of a mindset than a technical skill level. There’s a lot more to it than just being able to run and use tools. You have to think about the probability of whatever scenario you’re working through. Again, what’s the risk? Our customers know that when they send us their app, we’re going to find things wrong with it. What’s more valuable to them is information about what things they absolutely have to fix to reduce the risk associated with their app. That’s the big picture: thinking not just about the vulnerability, but the likelihood of an exploit and its impact. That takes more of an analytical mindset. The more you grow in this field, the more you have to be able to do that, because that’s what people care about. A developer may not necessarily care about that, because they want to know what specific thing they have to fix, but the people who are going to tell them what to fix are probably the security team, the team responsible for balancing this risk. That’s ultimately what people are looking for when they have us look at their apps.
What’s the difference between a good mobile app penetration tester and a great mobile app penetration tester?
A great penetration tester thinks outside the box and doesn’t just run through a checklist of tests. There are so many tools that people use that will just look through a certain checklist of things regardless of the type of app. To be great you need to customize your assessment to the type of app you’re testing. If you’re testing a banking app, you need to think like the bad guy to come up with relevant scenarios. If you’re testing an app that handles financial data, you want to think about what someone might want to do with the data they can access. A bad guy is probably trying to exploit the app with an end goal of somehow getting money out of the app. So, one good approach would be to try and make a transfer and see if you can modify that transfer. You need to customize your thinking or testing approach for that particular category of app.