If you want to be an infosec guru, there are no shortcuts to the top. And enterprise information security expert Christina Morillo knows exactly what that means.
When she worked at the help desk, she explained technical jargon to non-technical users. As a system administrator, Christina organized and managed AD, met compliance regulations, and completed entitlement reviews. As a security architect, she developed a comprehensive enterprise information security program. And if you need someone to successfully manage an organization’s risk, Christina can do that as well.
In our interview, Christina Morillo revealed the technical certifications that helped jumpstart her infosec career, described work highlights, and shared her efforts to bring a more accurate representation of women of color in tech through stock images.
- Follow the Inside Out Security Show panel on Twitter @infosec_podcast
Cindy Ng: Christina Morillo was in the security space long before automation and actual data became the industry’s “it” word. She has been helping organizations advance their infosec and insider threat programs through her deep technical expertise in centralizing disparate systems, strengthening and automating tasks, as well as translating complex issues between the business and IT stakeholders. In our interview, Christina highlights hallmarks in her career, turning points in the industry, and how she worked her way to the top.
Cindy Ng: So, you’ve been in the security space for almost 20 years, and you’ve seen the field transform from something that people didn’t really know about into something that people see almost regularly on the front page news. And I wanted to go back in time and have you tell us how you got started in the security business.
Christina Morillo: So, I actually got started in the technology industry about 18 years ago, and out of that, in security, I’ve been like 11 to 12 years. But I pretty much got started from the ground up while I was attending university. I actually got a job doing technical support for, at the time, Compaq computers. So that’s like I’m aging myself right there. But back when Compaq computers were really popular, I worked for a call center, and we did 24-hour technical support. And that’s where I kind of learned all of my troubleshooting skills, and being able to kind of walk someone through restarting their computer, installing an update, installing a patch, being able to articulate technical jargon in a nontechnical format. Then from there, I moved on to doing more desktop support. I wanted to get away from the call center environment, I wanted to get away from that, and be in, like, an enterprise environment where I was the support person, so I could get that user interaction. So that’s where my journey started. It feels like yesterday, but it’s been a long time.
Cindy Ng: It goes by quickly, and how did you get started at Swiss Re?
Christina Morillo: When I came back home from university, I am originally from New York City, I was looking for work. And I wanted to really get into financial services, doing IT within the financial services industry, because I knew that would be a good strategic move for my professional career. I bumped into this recruiter, and he told me about a position at Swiss Re within their capital management investment division. And so I gave it a go even though I didn’t have the experience. You know, I took a shot. And they really liked the fact that I had prior experience with Active Directory and networking. And I was very much hands-on, and I had just taken some Microsoft certifications, so I was really into it. So I was able to answer the questions really efficiently, and they liked me, so they gave me the shot. That’s what started me into the world of information security, and identity and access management, and access control. I learned all my “manual foundation,” I’ll call it, manual fundamentals, at Swiss Re.
Cindy Ng: Would you say that your deep understanding of AD was an important part of your career?
Christina Morillo: Oh, absolutely. Absolutely.
Cindy Ng: And what do most sysadmins get wrong when it comes to their understanding of AD?
Christina Morillo: There is a lot to do with the whole permissioning and file structure. A lot of times people don’t really go into the differences between share permissions and NTFS permissions. And it can get really complex really fast. Especially when you’re learning in school, you create your environment, right? So it’s very clean. But when you start at a company, you’re looking at years of buildup. So you go into these environments where it’s nowhere near what you learned at school. So you’re just like, oh my goodness. And it becomes really overwhelming very quickly. I think it’s, like, not having that deep understanding and deep knowledge, and just kind of taking short routes. Because we’re very busy during the day, and there’s a lot to do, right? Especially for sysadmins. They have a lot on their plates. So I think a lot of times it’s like, okay, use your own backlist. Just throw them in whatever group, we’ll fix it later. And later never comes. I don’t fault them, but I just think that we need to be a little bit more diligent with understanding structures and fundamentals.
Cindy Ng: How did you spend time figuring out how to restructure a certain group, if that was an important part of your job? In your team?
Christina Morillo: Yeah. Of course, absolutely. I always want to because it makes my life easier. But, you know, you’re not always able to. And that’s because, like I said, it’s so complex, and there’s so many layers that peeling these layers back will cause chaos. So sometimes you have to prioritize. And just from like a business perspective you have to prioritize. You know, is this something that we can do gradually or look at setting up as a project and completing it in phases, or is it high-priority, right?
And so, the first thing I do is I talk to whoever owns the group or, let’s say, whatever specific department, like finance. So who approved access to this group? So I like to kind of determine that. And then work my way backwards. So, okay, if this is the owner of the group, then I like to say, “Who should get access to this group? What kind of access do they need to this group? Do they need read-only access, or do they need modify access?” And then go from there. And who should be the initial members of the group? And a lot of times it’s a matter of having to recreate the group. So create a fresh group, add the individual users, read-write or modify, or read-only, and then migrate them into the group, and then delete the old group. That part can take time because you don’t know what you’re touching.
A lot of times people like to permission groups at different levels where they don’t belong. The worst thing that can happen is you can cause an outage, and you never really want that. So it’s kind of investigating and using tools like DatAdvantage to help with the investigations to better understand what you’re doing before you do it. So it’s a process. I mean, I wouldn’t say it’s something easy. That’s why, a lot of times, it’s put on the back burner. But, you know, I feel like it’s something that has to be done.
Cindy Ng: Your next role, which was at Alliance Bernstein?
Christina Morillo: So at Alliance Bernstein, that was a short-term contract. That was part of their incident response and security team. 50% of the time I was handling tickets, and, you know, approving out FTP access, and approving firewall access, and checking out scans or anti-virus scans, and making sure that our AV was up to date, and doing all that stuff.
And then the other 50% was working on identity management and, like, onboarding applications into the system and testing. And then training the team that would handle day to day support. So it’s like a level two, level three. And then defining the processes. You know, onboarding the applications, defining the processes, writing the documentation, and then handing over to the support team to take over from there. So it was a lot of conversation with stakeholders, application owners, and I really appreciated being able to be a part of those processes.
That’s why I started seeing more of the automation. I mean, at Swiss Re, we were very much manual for the first couple of years. Which was fantastic because, you know, although it was a pain, it was fantastic because I got to understand how to do things if the system was down. It gave me that understanding of like ‘Oh, I know how to generate a manual report.’ So when it came time to automate, I was like, ‘Oh. Okay, this is nothing. I understand the workflow,’ right? I can create a workflow quickly, or I can… I understand what we need, right? And it also helps when people are just like, “That’s gonna take four days.” I’m like, “Absolutely not. That’s going to take you 45 minutes.” So it was a great experience.
Cindy Ng: Would you ever buffer in time if systems went down? I’m thinking about something like ransomware.
Christina Morillo: Thankfully, that never happened while I was at these companies. That never happened. And since it didn’t hit my team, I think I’ve always been more on the preventative rather than being on the reactive side. A lot of times you did have to react to different situations or work in tandem with other teams, but I’m really into, like, preventative. Like, how can we minimize risk? How can we prevent this from happening? Kind of thinking out of the box that way. You have to not be an optimistic person. Like, you have to be like, well, this can happen if we leave that open. Right? And it’s not even meant to sound negative, but it’s almost like you have to have that approach because you have to understand what adversaries and hackers, how do they think? What would I want to do? Right? Like, if I see a door unlocked. It’s almost like you’re on the edge and you have to think that way, and you have to look at problems a little bit differently because, in business, you don’t rank, you just want to do their work.
Cindy Ng: Did you develop that skill naturally, or was it innate, or did you realize, ‘Oh my God, I need to start thinking a certain way’? The business isn’t gonna care about it. That’s why you’re responsible for it.
Christina Morillo: I think I’ve always had that skill set, but I think that I developed it more throughout my career. Like, added strength in that skill throughout my career. Because when you’re starting, especially with network administration and sysadmin stuff, you have to be the problem solver. So you have to be on the lookout for problems. Because that’s, like, your job, right? So there’s a problem, you fix it. There’s a problem, you fix it. So, a lot of times, just to make your job a little bit easier, you have to almost have to anticipate a problem. You have to say, ‘Oh, if that window’s open and if it rains, the water’s gonna get in. So let’s close the window before it rains!’ It sounds intuitive, but a lot of times people just don’t think that far ahead.
Cindy Ng: I’ve read your harrowing story about taking a class at General Assembly while having kids and a husband. Oh my God, you are so amazing. It’s so inspiring.
Christina Morillo: Definitely hard. But, you know, you gotta do what you gotta do. And it’s a problem because when you become a parent, it doesn’t mean that you lose your ambition. It just kind of goes on a temporary hold. But then when you remember, you’re like, ‘Oh, wait a minute. No. I have to get back to it.’
Cindy Ng: So let’s talk about Fitch Ratings. That role is really interesting.
Christina Morillo: Yeah, yeah. Thus far, it’s been one of my favorites. Because, at Fitch, I was actually able to deploy an identity and access management platform. So, from nothing, to create something completely new and just deploy it globally, right? So what that means is that I changed the HR onboarding process and offboarding process. So, like, how new hires are added to the system. How people that are terminated are removed from the system. How employees request access to different applications. How managers approve. How authorizers approve the entire workflow. So that was amazing.
Basically, when I started, they wanted to go from pretty decentralized to a centralized model to purchase this out of the box application. They had a lot of transitions, so they needed someone to come in and own the application and say, like, “Okay, but let me implement it.” It was just on a like a development server, not fully configured. So, my job was to come in, look at the use-cases, look at what they needed. At least initially. What needed to happen? How did they need to use this application? Then I needed to understand the business processes. Current things, or how do they perform this work today? Like, does the help desk do it? Does a developer give access to a specific application that they manage? What are they developed for? What happens now?
So I took time to understand all of the processes. Right? Like, I spoke to everyone. I spoke to HR. I spoke to finance. I spoke to legal. I spoke to compliance. I spoke to the help desk. I spoke to network administration. I spoke to application developers. To compile all of that information in order to better create the use-cases and the workflows, and to kind of flesh them out. Then what I did is I started building and automating these processes in that tool, on that platform.
My boss gave me… He said, “Oh, I’ll give you like a year.” And I was like, “Okay. Fine.” But, I guess, once I got into the thick of things, I got really aggressive, and I really was hard with the vendor. Because I was a team of one. You know, I had support from our internal app team, and network administration team, and the sysadmins. But I completely owned the process, and owned the applications, and owned building it out. So I rode the vendor like crazy just to get this done, and understand, and just to look at it from top-to-bottom, bottom-to-top. And we were able to deploy it in five months.
You know, I got them from sending emails and creating help desk tickets to a fully automated system for onboarding, offboarding, and requesting entitlements. But more importantly, I was able to get people on board. Because that’s one of the other big things that you don’t really discuss. A lot of times we got a lot of pushback. While what we do is extremely important, especially in security, sometimes we’re not the ones that are the most liked. People are afraid, right? So it’s also about developing new relationships with your constituents, with the users, right? And helping them understand that you’re not trying to make their lives miserable, you’re just getting them on board. I think that also takes skill. It takes finesse. It takes being able to speak to people, relate to people. And also, it takes being able to listen at scale. Right? So you have to listen to understand.
You know, I think if a lot of us did more listening and less talking, we would definitely understand where people are coming from and be able to kind of come up with solutions. I mean, you’re not always gonna make people happy. Maybe some of the time. Not all of the time. But at least you’ve communicated, and they can respect you for that. Right? So I was able to get pretty much the entire company on board. And to welcome this tool that they had heard about for so long. And they weren’t hesitant. To the point where I couldn’t get them to leave me alone about it.
Cindy Ng: You were able to help them realize that you’re still able to do your work, but to do it securely.
Christina Morillo: And better.
Cindy Ng: When you say scared and concerned, what were they worried about?
Christina Morillo: When you say the word “automation,” the main worry is that people are gonna lose their jobs. When someone says, “Oh, I heard that the tool will allow you to onboard a user,” people won’t need to call the help desk anymore for that or won’t need help with that. Then you’re taking away, like, a piece or a portion of their work that may affect their productivity. And if it affects their productivity, it will affect the money that the team or the department gets. If that happens, then, obviously, we don’t need ten help desk people. We only need five. Right?
So, pretty much, it’s like fear of losing their jobs or fear that they’re becoming obsolete. So that’s usually the biggest one. And also when there’s, like, a new person coming in asking you how do you do your work, what is the process, that’s kind of scary. “Why do you want to know? Are you taking over? Are you trying to take away my work?” You’re always going to get push back. I think that’s part of the job, especially when you’re in security. You’re just always going to. And, you know, people fear what they don’t understand. So that’s part of it too.
Cindy Ng: Let’s talk about Morgan Stanley now. So at this point, you’re at a much more strategic level, where you’re really helping entire teams manage risk?
Christina Morillo: Yeah. So while I was at Fitch and, you know, while I loved it, it became more of a sysadmin type of role. So I decided to begin looking for my next opportunity. And Morgan Stanley came up that summer. And I looked at it as, well, this is a great opportunity for me to be at a more strategic level and understand, become a middleman, right? Almost like a business analyst, where I’m understanding what the business needs and kind of liaising on the technology side. So I thought it would be a good opportunity for me to hone that skill set on the business side and look at the value proposition. But also, because of my technical background, I’d be able to communicate with and get things done on the tech side.
So that was amazing. I mean, I learned a lot about how the business and IT engage. What’s important, and how to present certain, I guess, calls for action. Like, if you need something done, like, oh, you implement a new DLP solution. Are you solving a problem for the business or are you solving a problem for technology? Understanding the goal. Understanding your approach. And looking at things two ways. Looking at how to resolve a problem tactically. How can we resolve this issue today? And then what is the strategic or long-term solution? So a lot of business-speak, a lot of how to present.
I think I would almost equate it to… My time at Morgan Stanley… And I’m no longer at Morgan Stanley, actually. But my time at Morgan Stanley I equated to getting a mini-MBA, because it really prepared me and allowed me to think differently. I think, you know, when you’re in technology you tend to stay in your tech cocoon. And that’s all you want to do and talk about. But understanding how others think about it, even how project managers engage with the business. The business is just thinking about risk, and how to minimize risk, and how they can do their jobs and make money. Because, at the end of the day, that’s what the goal is, right? Yeah, it allowed me to understand that. Whereas normally, on the tech side, I never really had to deal with that or face it. So I didn’t think about it. But at Morgan, you have to think about it, and you have to create solutions around it.
Cindy Ng: Also, IT’s often seen as, like, a call center rather than a money generator.
Christina Morillo: I’ve always had an issue with that. Even though IT, like, we’re seen as a call center, without us… And I’m biased, obviously… But I feel like without us, you wouldn’t be able to function. At the end of the day, are we generating money? I think so. But then it goes into that whole chicken-or-the-egg thing. But that’s my argument, and I guess I’m biased. I’ve always been in IT, right?
Cindy Ng: What’s most important to business? Is it always about the bottom line? For IT people, it’s always about security and minimizing risk.
Christina Morillo: It is about the bottom line. There are many avenues to get to there more efficiently, or just a little bit smarter. It’s like working smarter. But I think one of the ways is by listening at scale. Just like if you’re starting a company, you’re providing a service, you need to understand who your target market is, right? You need to understand what they want and why they want it. And that’s how you know what service you can provide or how you can tailor your needs to them. Why? Because then they will buy it from you, or they will seek services from you. And what does that mean? That means you get to collect that money.
And sometimes you need, like, a neutral group. You know? Like a working group. I realized they have a lot of working groups. So a lot of discussion. Sometimes that can be good and bad, but I see it as more of a positive thing. And the reason why is because you need to be able to hear from both sides, right? Both sides need to be able to express themselves, and everyone needs to be on the same page or get to that same page somehow. You need to understand what I need as a business user. I need to be able to book a trade, or I need to be able to do this, and I need to do it in this amount of time. Now how can you help me? And then the IT person, or the security person, whoever, needs to be able to say, “Okay. Well, this is what I can do, this is what I cannot do right now. But maybe this is what I can do in the future.”
Again, it goes back to that we are problem solvers. So we’re all about solutions and how to keep the business afloat and keep the business running and operating. That’s our job. We’re not there to say we have to do it this way. That’s not what we’re there for. So I think it’s also understanding what role everyone plays, and understanding that we all have to kind of like work together to get to that common goal.
Let’s say we have a working group about implementing Varonis DataPrivilege globally, right? So then you have stakeholders from every department, or every department that it would touch. So if that means that the security team is going to be involved, we have a representative from the security team. If that means that the project management team who’s managing the project is gonna be involved, we have someone from that team. So you pretty much have a representative from each team that it will affect. Including the business, at times, so that they’re aware of what’s going on. And then you have status updates on what’s going on. What do we need? Where are the blocks and the blockers? And people get to speak, and people get to brainstorm, and you get to bring up problems, and what you need from the other team, what they need from you. And it just helps with getting projects moving and getting things going quickly and just more efficiently, without anyone feeling like they weren’t represented in the decision-making process. It also speaks to that as well.
Cindy Ng: Before our initial conversation, I had no idea that you used DatAdvantage.
Christina Morillo: My last employer, they used DatAdvantage, and were also implementing portions of DataPrivilege. The company before that, Fitch, we used DatAdvantage heavily. So, like, recording. You know, it’s been a couple of years, so I don’t know if they still use the tool. But I know when I was there, I actually used it for reporting purposes, and to help me generate reports, and just do, like, investigations and other rule-based stuff.
Cindy Ng: Was it helpful for, like, SOX compliance?
Christina Morillo: Yeah. Yeah, especially when, whether it was internal or external audits, we always got the call. Like, “Can you come and give me access to this group on such and such date?” or, “Can you come and get this removed?” or, “Can you tell me this?” Just weird ad-hoc requests. That makes sense, right? But at the time, you’re like, ‘Why did you need this?’ Being able to kinda quickly generate the report was, like, super helpful.
Cindy Ng: And finally, I love what you do with the Women of Color in Tech chat.
Christina Morillo: Yeah, yeah. A friend of mine, Stephanie Morillo… no relation, just the same last name… but we both work in tech. And in 2015, we decided to co-found a grassroots initiative to help other women of color, and non-binary folks, and just under-represented people in technology to have a voice, a community. We started off as Twitter chats. So we would have weekly, bi-weekly Twitter chats. Just have conversations, conversations with the community.
And then we started getting contacted by different organizations. So they wanted to sponsor some of our community members to attend conferences, and just different discussions and meetups and events. So we started to do that. We also did, like, a monthly job newsletter, where companies like Twitter and Google contacted us. Then we worked with them. We kind of posted different positions they were recruiting for and shared it directly with our community.
And then, the thing we’re most known for is the Women of Color in Tech stock photos, which basically is a collection of open-source stock photos featuring women and non-binary folks of color who work in technology. So those photos, the goal was to give them out for free, open-source them, so people can have better imagery, right? Because we felt that representation mattered. The way that came about was when I was building the landing page for the initiative, I realized that I couldn’t find any photos of women like me who work in technology. And it made me really upset. Right? And so that activated… I feel like that anger activated something within me, and maybe it came as a rant. Like, I was just, like, “Okay, Getty, don’t you have photos of women in tech who look like me?” Why is every… Whether white or Asian or whoever… Why is any… And I see a woman with a computer or an iPad, it looks like she’s playing around with it. Those are the pictures that I was seeing. This is not what I do. This is not what I’ve done. So I just felt like I wasn’t represented. And if I wasn’t represented, countless other folks weren’t as well.
I spoke to a photographer friend of mine who also works in tech. And he started, like, his side passion stuff. So he agreed, and we just kind of started out. I mean, we went with the flow. It turned out amazing. And we released the photos. We open sourced them, and we got a lot of interest, a lot of feedback, a lot of features, a lot of reporting on it. And we decided to go for another two rounds. You know, a lot of companies we talked to were like, “We want to be a part of this. This is amazing. How can we support you?” So a lot of great organizations. If you look at the site, you see the organizations that sponsored the last two photo shoots.
We released a collection of over 500 photos. And we’ve seen them everywhere, from Forbes to the Wall Street Journal. It’s like I’ve seen them everywhere. They’re just, like, all over the web. Some of our tech models have gotten jobs because they started conversations. Like, “Wait, weren’t you in the Women of Color in Tech photos?” “Yeah, that’s me!” Whatever. Some people have gotten stopped, like, “Wait a minute, you’re in this photo.” Or they get tagged. They’ve been used at conferences. Some organizations are now using them as part of their landing pages. They’re, like, all over the place. And that was the goal.
But it really, you know, makes us really happy. Just seeing photos all over the place, and the fact that people recognize that those are our photos, it was just amazing. We actually open sourced our process as well. We released an article that spoke about how we got sponsors, what we did, in hopes that other people, other organizations would also get inspired and replicate the stock photos. But we also get inquiries about, you know, “Are you gonna have another one? Can you guys have another one?” So it’s up in the air. I’m debating it. Maybe.