Andrea Harston (who goes by Andee) grew up in Florida, not far from the Kennedy Space Center. "The town that I was in — that was really what the economy was built off of, was the space program," she said. "It was a common occurrence to walk outside and see the space shuttle or take a field trip to the Kennedy Space Center and see all of the cool technology that was there." This kick-started her own interest in technology, and her first goal was to earn a bachelor's degree and get a job at the Center.
Harston's first job was working on an AS/400 at the Center, editing launch documentation, and working on a variety of contracts there. She did everything from technical writing to training and development to training management. She did software testing and helped develop and document their launch operation software. "That was my introduction to the world of information technology," she said.
Now, Harston is the cybersecurity curriculum director for Infosec. But her career in IT and security has taken twists over the last two decades. After the Space Center, she worked for 11 years at Computer Sciences Corporation, where she wrote launch documentation. There, one of her roles was training development. She followed this with a couple of years in the private sector, in a technical writing role, before returning to Kennedy Space Center as a technical writer. Later, she took a job at AECOM, where she was first introduced to cybersecurity. "I actually started writing security documentation for them — things like disaster recovery plans, incident response plans, continuity of operations — in the capacity of the technical writer," she explained.
The cybersecurity team there had more than a dozen information systems, and it was "the happening, popping place to be." She quickly earned her first certification, a FITSP-Auditor, a federal auditor certification, and started training to become an assessor. She also worked as an assessor, ISSO (information system security officer), for multiple contracts, and briefly as security control assessor (SCA) for NDTI (New Directions Technology Inc.), also at Kennedy Space Center.
"I basically acted in the capacity of an internal assessor and an external assessor for the bulk of my cybersecurity career for the Space Center," she said.
On top of the CISA, Harston has racked up certifications, as a Certified Expert Risk Management Framework Professional (CERP), Certified Expert Risk Management Framework Professional (CERP) - DoD, and Certified Expert Independent Assessor (CEIA). Although these certifications are important, "the reality of the job a lot of times does not align with the framework," she said, "and you may have people who are operating in different capacities than what is actually written on paper or whether it's a testable objective."
Much of her learning took place on the job, since "there's so many different experiences and unique anomalies that can occur," she said. "There's just so many things that you pick up auditing a control, because how you audit the same control for a different system may be a completely different experience." She describes real-world experience as more like "shades of gray," where there can be "a lot of subjectivity in assessment."
Harston's bachelor's degree is in business administration, not cybersecurity. But she recommends a foundational certification, like Security+, for anyone interested in the field. "It will help you exponentially. It can open a lot of doors for you," she said. The nature of the field means that certifications always need to get refreshed. "It's not just a one-and-done degree. It's like a continuing learning process to keep your knowledge up to date."
On a typical day, Harston gets up around 6:00 a.m. and logs onto her computer. The bulk of her work is to review content by vetted subject matter experts, who have been subcontracted by Infosec to create content for different learning tasks. Most of the content comes in videos and slides. Harston reviews it for technical accuracy, as well as content for the website's resources page. This could be anything from "a certain certification, a technical walkthrough of specific ransomware, or a hot topic, like the human factor in cybersecurity or something," she explained.
"I'll review that from a technical perspective just to make sure, 'Hey, does this person know what they're talking about? Is the information correct and accurate and being presented in a way that the students can consume easily and effectively?'" She is a de facto fact-checker, making sure the material covers all the necessary details, is accurate, and cites proper sources (i.e., not Wikipedia). If it doesn't, she sends it back for revision. Harston also makes sure that the material covers the learning objectives required by the industry — which are more specific when it comes to certifications.
Harston's team has two other employees under her, who work on hands-on skills and the IQ product, or the security awareness training, and she says it's a collaborative process.
"They'll say, 'Hey, we have a scenario here for one of our new choose your own adventure modules and we want to know if using a lock screen on a computer in this scenario is secure enough for the learning objective we're trying to teach.' So they'll run that by me or I'll give input there," she explained. She spends about half of her time in meetings, and the other half reviewing content.
She also listens to clients for feedback about what they would like to see more of. Clients who attend conferences and can report back about products can add value. Sometimes she will collaborate with the product team. "I'll say, 'Hey, we have this request from a client that they want this certain functionality integrated into the system.' So there is a lot of team collaboration as well, in addition to getting that feedback from the client."
On top of loving the research aspect of her work, another highlight of Harston's job is the opportunity for constant learning from people at the top of their field.
"When I left the DOD, I specifically sought out this type of position with this particular company — to me, it was the marriage between that cybersecurity knowledge, which I love, and that educational component, which I really like a lot as well," she said. For those interested in following her path, Harston recommends finding a mentor. If there isn't someone readily available, she suggests joining a professional organization, such as Women in Cybersecurity, a nonprofit offering resources and networking opportunities, or National Institute of Standards and Technology, which offers public working groups.
"The good thing about the government framework is they're all online, all the information you ever would want or need to know is there," Harston said. "It might be overwhelming looking at the bulk of it, but there's a lot of great people that you can reach out to that would be happy to give you resources you need to take the next step in your career."