Name: Shelly Epps, MS, HCISPP
Title: Information Security Analyst and Program Lead, Security Outreach & Education
Employer: Duke University Health System
Location: Durham, NC
Education: BS in Biology from Kansas State University, Master’s in Genetic Counseling from University of Pittsburgh
Years in IT: 6
Years in cybersecurity: 6
Cybersecurity certifications: HCISPP
How did you wind up in a career in cybersecurity?
I stumbled into it! I had been working in healthcare, research, data and employee management and administration for about 20 years when I chose to take a step off of that pathway without a solid backup plan. I was surprised to be invited by our InfoSec team to interview for a job – one that I was largely unqualified for on paper. I interviewed, accepted an offer and began a career in InfoSec with minimal security knowledge, a sense of humor, a host of transferrable soft skills and institutional knowledge and a strong work ethic. Wrapping those soft skills around a growing security knowledge allowed me to tackle problems using a unique, often successful approach. I was fortunate to have some amazing InfoSec coworkers who mentored me and selflessly shared knowledge they had acquired over years of experience.
How did you decide to pursue your HCISPP?
Honestly, it’s all in the name. I’ve worked in healthcare my entire life and have spent most of it under the HIPAA umbrella. I’ve watched and participated as regulations have evolved, as cybersecurity has become a focus, and as healthcare breaches have become a common event. When I looked at HCISPP, it seemed to me that understanding security, privacy and healthcare was the exact combination of knowledge that would be needed for certification. I’m very excited to see (ISC)² offer this certification that recognizes the value of those combined skills.
In cybersecurity, no two days are the same – what is your main role in your organization?
I wear three hats normally. Most weeks I’m on the phone assessing security of potential third-party vendors and Business Associates to ensure they meet our security standards. I also function as our research security SME and bridge the security office to the IRB, contracts offices, research units and privacy office. Finally, and with great joy, I serve as lead for our security outreach and education program across our Health System. I’m something of an evangelist when it comes to speaking about security and October – National Cybersecurity Awareness Month – is my favorite time of year!
Tell us about a project that you were particularly proud of?
Honestly, what I’m most proud of isn’t a single project, but the growing culture shift toward embracing security that we’re seeing evolve within our entity. I’ve helped to socialize the roll-out of multiple technical security controls over the last six years. Change in an entity the size of Duke Health is often met with some initial resistance, but I can honestly say that our efforts to connect with end users and other offices have resulted in a more willing adoption of both technical and administrative security measures. It’s exciting to see how the effort pays off and how your end users start to become your partners. If I leave a legacy at Duke, I want it to be that our “weakest link” – our people – are knowledgeable, vigilant and resilient and that security is embedded within their identity.
What impact has the HCISPP had on your career?
First, it’s given me a way to help people better understand what I do. When they ask about my cert, I take it as an opportunity to explain how healthcare information security and privacy are complementary, intertwined functions that work best in tandem. Secondly, it’s given me a way to connect with peers. I get so excited to talk to other HCISPPs because I know they speak my language and understand my challenges and I want the benefit of their lessons learned. I also encourage both privacy and security peers to look into this cert as a way of broadening their career landscape. Finally, I approached my leadership about a promotion after becoming certified – and was promoted!
What advice would you give to those who are thinking about pursuing cybersecurity as a career?
If you’re just starting, focus on security internships and training – so many good online and in-person security training opportunities exist – and try on a bunch of different roles. Cybersecurity roles are no less varied than those in medicine. There are so many specialized iterations of what a person can do in this field to fit a very diverse spectrum of personality and skills. Find what you’re natural at, what brings you joy and what capitalizes on your inherent abilities and then focus on that area. If this is a career shift, do the same but also leverage all of your existing knowledge and skills, even those not directly related to security. Use what you’re already excellent at but creatively apply it within a security framework. And network! Join your local ISSA, go to security conferences, introduce yourself to your CISO or your local security team – find a way to connect with others in the field. Read security blogs and articles. Practice good security in your personal life and don’t give up – the job market is huge within the field of cybersecurity.