- Share this item with your network:
- Download
Information Security
- FeatureLooming cloud security threats: How attacks will follow your data
- FeatureRole of CISO: FICO enlists CISO in security product management
- AnswerWhat new NIST password recommendations should enterprises adopt?
- ReportRecent ransomware attacks: Data shows 50% growth in 2016
- OpinionUncharted path to IT and compliance with Digital River's Dyann Bradbury
alexlukin - Fotolia
Uncharted path to IT and compliance with Digital River's Dyann Bradbury
Bradbury chats with Marcus J. Ranum about her early interest in computers and her unexpected career path to head of global compliance for an e-commerce provider.
Dyann Bradbury is the senior director of compliance at Digital River, a global e-commerce technology provider that processes online transactions in Europe, China and South America. "My role is to build that trust between IT and compliance," said Bradbury, who joined the company, based in Minnetonka, Minn., in 2006.
She also served as president of the InfraGard National Members Alliance from 2009 to 2012. Bradbury chatted with Marcus J. Ranum about her early interest in computers and the path that lead her to become head of IT and compliance for the company's global business units.
Was there anything you'd identify in your childhood that set you on a course for your professional career? How did you wind up where you are now?
Dyann Bradbury: Where I was raised, you grew up, went to high school, got married, had a job -- only you were a farmer's wife -- and that's it. Or you were a secretary or taught school. I happened to get a job at a bank when I was in high school, so I could go there and work in the morning for a couple of hours. I think it was 1979, and I graduated from high school in 1980 and was scheduled to be married in 1981.
I went in to the senior vice president of the bank and said, 'I want to take some [college] classes; what do you suggest?' And he said, 'Why not learn about computers because everyone is going to have one on their desk in 10 years.' I took 'Intro to Computers and Data Processing' and got so interested in it that I decided I needed to know everything there is to know about computers -- everything from how the current comes in to the power supply, to how the software works. What sparked my passion was how the computer read the information -- yes/no, on/off. I thought, this is incredible!
By then, I was working full time, I was married, and I was taking night classes. I took electronics classes -- transistors and base-level stuff, [including] computer repair. They would give us a motherboard and [computer] case, a drive [and say,] 'make it work.' I took classes in networking from beginning to advanced.
So this was all early '80s -- probably a Z80 [Zilog 8-bit microprocessor] or an 8088-based CPU board. Neat!
Bradbury: I learned how to solder, populate a board with chips. I remember the advanced networking lab: The lab tech took out segments of cable and replaced some of them with bad cable; he removed the jumpers from network cards and threw them in the middle of the room, that sort of stuff. We had to build boot floppies that would get the system up and running after diagnosing and fixing all the flaws in the network. Anyway, I passed it and loved it. I did very, very well.
Then it was time to upgrade the bank's data processing systems, and I contacted the data processing center and said, 'Just send me the equipment, and I'll upgrade it.' Well, I did that and they offered me a job. So I came to Lincoln, [Neb.] -- and by then we had our son -- and applied for an engineering position. And everything needed to be upgraded well in advance of Y2K. We were told that failure was not an option. We had a project to convert 250 banks from Novell [Netware] to [Windows] NT in 18 months. There were 13 of us. We averaged three hours a night of sleep; we were on the road one week installing systems then back the next preparing for the next install. I was configuring [Microsoft]Exchange servers, SQL servers, converting Novell to NT, running and terminating cable, the whole thing. We'd walk into a bank at 3:00 p.m. in the afternoon, and we had to have everything up and running and converted by 8 a.m. the next day. We all shared the responsibility and the opportunity.
That's really hardcore.
Bradbury: I was thrown into the fire and I learned so much. And I was the only woman. I went from an engineer all the way to a senior engineer. Bam, bam, bam!
When did you start getting into security?
Bradbury: I've never had a position that has had security in the title. It's always been engineer or analyst or compliance. I've been mostly a manager. Security should be part of all IT, no matter if you're putting in a firewall or configuring a desktop or a server.
We're a side effect of bad systems and network administration.
Bradbury: But I do consider myself a security person because, in everything I do, it's a consideration. Right now, I oversee global compliance. So if a business is thinking of developing a new system that touches customer card data, they'll call me into the meeting -- anything from an IT and compliance perspective, I consider that security. Anything from a product offering to setting up a new data center to developing new code -- it's all security. I get called into the room when they're setting up anything that affects the business.
That's one of the things I keep yelling about: This is all something that has to be embedded in! It's all part of system reliability. You wouldn't build a new data center that didn't have uninterrupted power supplies or redundant network links, would you? Security is an operational consideration; it's part of building reliable systems.
Bradbury: Our job is making the business realize that this stuff is important, and if we don't approach it this way, we're making false economies. You have to ask the right questions. You have to understand the business -- the data, the services you're offering, what products are in use. You have to have a full understanding of the entire infrastructure … because when you introduce something, it affects everything.
Dyann R. Bradburysenior director of compliance, Digital River
Engineering at its highest [level] is understanding interactions between loosely coupled, connected processes.
Bradbury: It's also the controls that you have in place for all of them. You introduce something in here; it's going to change that. How do we need to change the controls? So you need someone that understands it from a reliability, security, global compliance and legal perspective. That's why [you should] always approach things so that there's no division. We're all working toward a common goal. You cannot have division between compliance and security.
I don't see many organizations that do that. Thanks to some standards like [those for the] Payment Card Industry, Sarbanes-Oxley and the HITECH Act, I think we've created separate priesthoods that see compliance as a goal in its own right.
Bradbury: We've had to start going through audits, and building an IT and compliance program was one of my first responsibilities. My role is to build that trust between IT and compliance -- my technical background helped there. I can tell in a few minutes if someone's trying to BS me, and it doesn't work. And I know what it takes for someone to do their job because I've done it and I respect their work. I also serve as a liaison between auditors and IT, and I can start pulling people out if they start going down a rabbit hole. I can advocate [for] either side and be a buffer between them.
Computer security is a boy's club and -- as much as I hate to ask -- has being a woman ever been a problem for you?
Bradbury: Sure! I remember one time when I was a junior system engineer and the lead systems engineer said, 'I give her two weeks.' I stuck it out, and I was promoted, and he always asked me to work with him in the future. The boy's club mindset breaks down as you move up the management tree. Organizations know you can't afford that sort of behavior as you get more senior; it wastes energy. Sometimes you have to prove yourself immediately -- but in a respectful and productive way. As leaders, we have to look at how our people treat other people; it's part of mentoring.
Next Steps
The changing role of women in information security
PCI Internal Security Assessor can help compliance
Why healthcare ransomware are HIPAA violations