Senior Computer Information Security Analyst, Software Engineering Institute at Carnegie Mellon University

>> My name is Angel Heurrca [assumed spelling]. I am a Senior Computer Information Security Analyst with the Software Engineering Institute of Carnegie Mellon University. I work here in DC, in Washington DC, and I support -- our specific branch supports the DOD, and specifically, DHS and other federal agencies in the Washington DC region. We work on different projects, depending on the agency and what the need is. We kind of particularly come in and work with -- if there's something that the government can't figure out on their own, they will call in the Software Engineering Institute to help them kind of come up with a plan or a process to implement something or to develop a solution. Something that could happen is they need help with analysis of cyber security, what we could call indicators. An indicator would be something that would come up in an intrusion detection system, an anomaly that's been detected. How to do fine correlations within anomalies and those type of things. Also, working with developing policies around cyber security and how user awareness and how users should behave on a network, but also to inform users themselves about what proper etiquette is on the Internet. Yeah, the biggest thing that affects not only federal agencies but just industry in general is phishing scams and malware delivered that way, or malicious actors trying to take advantage of users, and it typically revolves around the user not knowing how to react to something. So when I said earlier about talking about developing policy and developing user awareness, a lot of the issues revolve around user understanding that what is within scope or what is out of scope of what their normal day-to-day would be. Let's say, for example, you get an email today that is indicative of a, oh, you have a package coming. Well, you know you haven't ordered anything the last couple months, but you have this email, and then what you do? Do you automatically just go click on the link, or do you already know that this is something that you should question? Oftentimes, people are, all, who sent me a package? Click. People that work in security operations centers are definitely looked as a 24-7 operation. You know, three shifts, so that is out there. My particular role is not necessarily in that type of environment. Mine is more structured. So I actually have more banker's hours, like 9 to 5. But you know, aside from that, it's still very important to work with policy, to work with strategic implementation of cyber security solutions and those types of things. You know, we come up with a plan of how things should be mapped out, architected out, and then have you know, actual hands-on keyboards, hands on deck type of technical people to kind of go in and implement those out.