Last time, I spoke with Stephanie Vanroelen. She’s an OWASP contributor who specializes in web penetration testing. She also organizes BruCON, Belgium’s largest cybersecurity convention, and volunteers at CyberSKool, an information security camp for kids.

This time, I have the pleasure of speaking with Tiffany Gerstmar. Working with the US Navy taught her a lot about cybersecurity policy!

Kim Crawley: Hi Tiffany! Tell me about what you do.

Tiffany Gerstmar: Hi Kim! My technical job title is “Cybersecurity Policy and Compliance Analyst,” which is a lot of words that means I help develop and implement infosec policies and processes for clients. I have always worked as a contractor supporting the Navy throughout my career, so I’ve gone from using those processes to assess and validate systems to now helping the Navy understand, train, document, and implement those processes, in this case NIST’s Risk Management Framework (RMF), across the enterprise. When I started, it was DITSCAP, and then the Navy transitioned to DIACAP, and now we’re in RMF, which I actually really like.

KC: Do you think your experience with the Navy made you a better cybersecurity professional?

TG: I think it’s provided a different viewpoint than supporting commercial clients. I’ve certainly been exposed to a lot of different types of systems and seen the complexity of implementing security in extremely large networks. I actually think one of the best things I’ve learned from the Navy is the benefit of having actual defined and documented policies as guidance for infosec implementation, as well as everyone knowing and working towards the same mission.

KC: How did you get into cybersecurity in the first place? Were you interested in computers when you were a kid?

TG: I was! Well, I was interested in computer games. I started out with a Vic 20,