Let’s talk about your job at ReWa.
I’m writing policies for governing cybersecurity across the organization or doing analyst work where you’re down in the bits and bytes, the network traffic, looking for attackers. I pretty much cover all the cybersecurity here.
How did you become interested in cybersecurity?
My interest in technology started from an early age. Most kids around that time were into Nintendo DS, Pokemon games and just video games in general.
Once I got into high school, I got with a really great computer teacher and he showed me an Apple event. That was the year they unveiled the first Apple watch and that just blew my mind. So that’s what got me into technology. As far as security goes, when I was in high school I was required to do a three-day internship. I got a wonderful opportunity to go to a data center in Greenville called Immedion, which has since been renamed to Dart Points. I did a three day internship with one of their cybersecurity engineers. This person engineers all of their security tools, firewalls, that sort of stuff, so I really got to dive my head in pretty early to the field at the front end of the field—the data center was really on the cutting edge.
From that point on, I was interested in cybersecurity, but there were no college programs that really supported that in the state of South Carolina when I first wanted to go to college.
Originally I was not going to go to college at all. I was going to teach myself how to do cybersecurity on my own. That’s how most people entered the field at that time. Of course, my mom begged me, “Just look at a couple of schools. You’ve got to apply to at least one.”
I said, “okay.” She actually signed me up for the All-Access event at AU, which is the overnight stay where you have the full experience of what it’s like to be an AU student, which I highly recommended during my time as a tour guide to anybody, because it’s an awesome experience. I just fell in love with the place—the people and the environment of just wanting to learn, and then obviously the Christian side of things where I would be surrounded by an environment that supported my religion.
I came into Anderson as a Business and Computing data analytics major. I started there and was very fortunate to be one of the first five students in the Cybersecurity program. I think it started my sophomore year. As soon as I was aware that program was available, I immediately transferred to it.
What was it like being among the first in the Cybersecurity program?
My experience at Anderson was pretty awesome, especially in the beginning. I had several classes where I was one of five six seven people in the class, so you got a super personal relationship with the professors, which is still the case. I recently came back to Anderson—at the beginning of this year—and gave a presentation on my duties at ReWa—different things I do—it was still very much the same experience that I had when I went there.
The class sizes are maxing out, but I’ve heard from students who say they still have that personal relationship, doors always open, that mentor kind of relationship. My experience was not any different from what you would have if you went there today. It was nothing short of awesome.
What were some of your favorite parts of studying at Anderson’s Center for Cybersecurity?
That’s a good question—there are so many. Some of the biggest highlights were some of the final projects we would do. Each class culminates in a large project. Typically the professors make a point where you come up with the topic you want to do. Obviously there are rules and regulations around that—you can’t just do anything. As it applies to the class, they really put the responsibility on you to pick a topic.
One of my favorites we did was in network security. I was always a big networking guy. I studied all of the network protocols and that sort of thing. In that class I chose to look at vulnerable protocols across the network and try to see what was easily accessible from the public.
In the open source intelligence class—it’s one of the higher level classes—you study how to use the public Internet to find vulnerable machines.
How has what you studied at Anderson helped you in your work?
In the specific case at ReWa, it taught me how to list all of the assets we own at ReWa—public IP addresses that we use, public devices—that sort of thing—so you want to take inventory of what you have so you can assess them and see what these open source tools are seeing on your network. An example of that is Shodan. Shodan goes out and looks at all these machines—it crawls throughout the whole Internet and then it will report “This machine has a vulnerability.” If you don’t know how to use Shodan and search through their databases, you might have a server at your corporation you don’t know about that could be vulnerable. You can’t protect against something you don’t know about. You definitely want to be able to use Google and those other tools out on the free public Internet to be able to look at your assets.
I would say the second thing that the cyber program really taught me was how to troubleshoot. Troubleshooting is such a hard skill to develop and it takes time. Not taking no for an answer and really pushing your knowledge of how a system works is the only way to gain this skill. Being able to troubleshoot as well as having a strong ability to document security findings was a big part of why I got this position. Lastly I think that the program really teaches you how to display security information to non-security-oriented people. This especially helps in situations when I am showing directors and officers pen tests or other cyber material.
Let’s talk about what ReWa does and your role on the technology side.
We provide wastewater treatment services for Greenville County and portions of Anderson, Laurens, Pickens and Spartanburg counties. We have nine plants. I cover such a wide area of security, such as training, network security forensics, penetration testing or hacking, programming, Python, open-source intelligence—that sort of stuff. Because I cover such a wide area of security, it has enabled me to make a really big difference here at ReWa.
There is never really a dull moment for me at ReWa. I might be developing a whole tabletop exercise that takes a couple of months of planning, or defending ReWa against hackers every day as well as participating in ISAC (Information Sharing and Analysis Centers) calls. The experience I’m getting here is nothing short of amazing.
At the end of the day, what gives you a real sense of accomplishment?
Recently there have been a couple of things that, after all was said and done, it was like “wow I was really able to handle that.” I was complimented by several coworkers. I mentioned the officers earlier. I was getting direct in-person compliments from CEOs, COOs and those types of people about the tabletop exercise and a couple of other things. Recently we had a penetration test done from a third party—that’s an assessment where essentially you hire them to hack into your stuff, see what’s broken, see what’s not patched, see what’s vulnerable, so that you can patch it yourself before actual hackers take advantage of it. That was about a two-month operation. It was pretty in-depth. They did an external assessment where they try to break in and luckily in our case they weren’t able to break in. We had a really strong defense.
Does cybersecurity affect all employees?
Whether you’re in the field focused on infrastructure or the CEO, you must do at least one in-person cybersecurity training per year. I give them four opportunities—one per quarter—to attend an in-person training. I'm helping them protect ReWa but also helping them personally as far as this is how you should do your passwords, this is how you identify a phishing email, this what to do if something happens on your computer.
We have the ability for a user to report phishing emails directly to me in a secure way. Prior to those trainings, I was getting maybe 5-10 reports a month of people forwarding to me what they think is a phishing email. Then after the training it went up to 30-40 a month. That’s a massive change in people’s awareness of “this email is phishy, now I know what to do. I’ll send it to Zach—he knows about this kind of thing.” Of course, presenting those metrics to your superiors is a great experience.
ReWa has more than 200 employees. Probably about 100 percent of them interact with our machines at some point. Probably 80-90 percent interact with a computer every day, and so the technology department is actively securing all of those systems.
What advice would you give someone considering a career in cybersecurity?
During my time at Anderson I was a tour guide for the Center for Cybersecurity, so I would help a lot of prospective students who would pose that question. It hasn’t really got a simple answer. I think college is a time where you should be trying things and you should be learning about yourself and really figuring out what you’re good at. I would say to anyone who has an interest in computers or programming or anything digital—cybersecurity touches every aspect of the digital spectrum. We talk about programming, networking, open source intelligence—even nontechnical things like governance and policy, rules and regulations, philosophy and ethics—all of this type of stuff—so I think cybersecurity is a very individualistic study as far as some other fields go. If you’re programming, you’re building an app. That’s what you do.
If you have the willingness to learn, you have an open mindset and you’re willing to try hard and kind of stick with it, I would highly encourage anyone who has that mindset to try cybersecurity. To anyone who is interested, as long as you’re willing to learn and put in the effort, get to know the professors and fully immerse yourself in cybersecurity, you’ll be successful.
In conclusion, cybersecurity really touches everyone, doesn’t it?
In its most basic form, it’s about morals and ethics and what’s right and wrong. Why do people think a certain way? Why do people want to use a simple password instead of a strong one? Why is it so easy for hackers to manipulate people instead of manipulating a computer? I have friends who are Psychology majors and I would talk to them about certain things and they would be like “you have a really good understanding of the way people think,” just because of cybersecurity. You touch a lot of domains. It definitely takes a lot of courage fully jumping head-first into this strange world of cybersecurity.