Blog 3
As mentioned in Blog 1, I had decided to get my master’s degree in Information Security, a career choice that was not that common back then. For the ones who weren’t born yet or were too young, it is hard to imagine Information Security not being that popular, but it wasn’t! Today, every day we see several news stories about a malware attack affecting large companies or organizations or … facilities or government offices, but back then this was rarely discussed.
Shortly after my return, I remember that my friends in El Salvador made fun of my work, saying that it was too sophisticated a way for malicious actors to achieve their goals. That it was much easier for them to use the traditional analogue ways, like assaulting people at gunpoint to take their money, instead of having to hack a computer or email to then steal people’s bank account credentials to then get their money. I also remember people thinking I oversaw security guards and physical security when hearing I worked in security. Around that time, I wrote a chapter in a book that talked about security in RFID (Radio Frequency Identification) with some cool people I had met at an RFID Security conference at MIT during my master’s. I remember I wrote about how people would give away their personal information to receive some small gift in return or to enter a drawing to win a prize. It was very common to see this, and although it still happens today, I do believe people are much more conscious about protecting their personal information.
I had a blast during my early years building the Information Security department at one of the largest banks in Central America. At first, I was in charge of building the department in El Salvador, and later in all the Central American countries where we operated. During this period, I spent a lot of my time explaining why it was important to protect our network, systems, and data, and how it was possible to access them if we didn’t put the right controls in place. I remember having eternal discussions with some of my colleagues arguing about all kinds of threat scenarios exploiting x vulnerability. Sometimes it felt like an endless battle, but this was part of what excited me about the topic – this was new and unknown for most, and I was responsible for making people aware, opening people’s eyes to the risks we were facing, and changing the status quo of how things were done.
A few years later, this bank got acquired by one of the world’s largest banks. The financial industry was one of the industries where Information Security was most mature, as there were some regulations requiring controls to be in place to protect the systems that managed money. And within the financial sector, this bank was the leader in Information Security – they had one of the most mature security programs. We needed to reach a certain level of security before a firewall dividing both networks could be removed. This was a several-year project, during which I was Head of Information Security for Central America and was in charge of implementing the technical security controls. I learned so much during this time. This was like a second master’s degree!
When we finished that project, I received a call from a Telco operating in Latin America and Africa offering me a position to lead the security of one of the first mobile money applications. This was very exciting for me, as Application Security is one of the areas in Information Security I enjoy the most. And this was a mobile application – something that was very new. So, after 7 years of working at the bank, and the completed project, I moved to the Telecommunications sector, and a new chapter in my career began.