Career of the month
My most recent consulting work has involved serving as a subject matter expert on the National Institute of Standards and Technology (NIST) Cybersecurity for IoT (internet of things) program. More generally, in a typical day or week, I do a lot of research as I answer client questions, learn about new threats and vulnerabilities, write explainers and create training courses, and present keynotes and other types of sessions at conferences or at schools or other types of organizations. I also do proof-of-concept (PoC) projects, have written 22 books on topics in my areas of expertise, and have served as an expert witness for some very interesting court cases.
I regularly take science concepts into consideration, particularly the cause-and-effect impacts of physical systems on the environments within which they are used. For example, I needed to understand basic electrical science concepts in order to carry out a PoC project for NIST that sought to verify if a proposed cybersecurity standard for a “smart” (connected to the internet) electric grid truly provided cybersecurity protection as described.
I love learning something new every day and helping my clients. I especially love to identify the security, privacy, and safety risks of emerging technologies.
My career highlights have included seeing my recommendations and research become part of new standards and laws, starting my businesses, writing my books, traveling to five continents for client projects (staying extra days to do some exploring), and meeting people from all over the world, with some business contacts becoming longtime friends.
I wanted to be a veterinarian growing up, but I also had an affinity for math. After scoring in the highest percentile on both the ASVAB exam and the ACT, some folks from MIT and the Naval Academy visited to speak with me about getting mathematics and computer science degrees at their institutions. I was intrigued but also a bit intimidated; I’d never been out of Missouri or away from my family for more than a week at a time. During my senior year, my mother started developing some health problems, and I decided I didn’t want to be that far away. I am so thankful I decided to go to a university within a couple of hours from home and was able to spend a lot more time with my mother, who turned out to have early-onset Alzheimer’s.
I earned a double degree in mathematics and computer science at the University of Central Missouri.
I originally wanted to use my degrees to do LISP programming on robots. However, I couldn’t find any nearby openings, so I accepted an offer to work as a systems analyst at AT&T in a suburb of Kansas City. After a few months, they wanted to transfer me to New Jersey to Bell Labs. However, I didn’t want to be that far away from my mother at that time. Instead, I chose to teach seventh- to twelfth-grade math and computing for two years in a town near where my parents lived. I then got my Master’s degree in computer science and education, and I was offered a systems engineering position at Principal Financial Group, a multinational insurance and financial corporation, in Des Moines, Iowa.
For two years, I was responsible for creating and then maintaining the corporation’s IBM System/390 change control system that was used to move application programs from development to testing, then to pilot/beta, and finally to production. I then applied for and got a job in the company’s IT audit area. I performed the first enterprise-wide information security audit of the company, and based on my findings, I recommended that an information security department be created. The executives were impressed with my report and assigned me to create the department. Computer viruses were becoming a big concern in the early 1990s, so I designed and established the first organizational antivirus program used by a Fortune 500 corporation. I then also designed and implemented a remote-working/dial-in program and subsequently spoke about both of them at security conferences and wrote about them in articles.
In 1994, I was given the responsibility of establishing privacy as well as information security requirements for the first online bank. At that time, there were no privacy laws applicable to online banks, making it another great opportunity to do something that had never been done before.
I eventually left that company to become an entrepreneur. I founded my consulting business, which I am still running, in 2004. I later started two software-as-a-service (SaaS) businesses, focusing on the management of healthcare records to ensure security and privacy compliance with U.S. medical cybersecurity and privacy law. I also worked as an adjunct professor and created curriculum for Norwich University’s Master of Science in Information Security and Assurance program for almost 10 years while building and managing my businesses. After reducing my involvement in the first two SaaS businesses, in 2021 I launched my third such business, Privacy & Security Brainiacs, with one of my sons.
Knowledge, skills and training required
Critical thinking, attention to detail, and accuracy are important, as is being able to recognize design errors, abnormalities within system logs, reports, outcomes, and new threats and vulnerabilities. It is often helpful to have some type of IT, cybersecurity, and/or privacy certification. Typically, the larger the business, the more likely it is to require a college degree.
Advice for students
Always look to the lessons learned from past experiences in order to better understand new situations. If you work in my field, you will be creating many new types of controls, devices, procedures, training, designs, and other new ideas to address new security and privacy threats and vulnerabilities. Most of what you will do will not be found in a book, because it has not yet been done. However, you will need to utilize long-standing concepts and standards to create effective and efficient new solutions.
Volunteering for projects that involve activities that have never been done before will establish you as a pioneer and as the go-to person for such work. This is a valuable way to break into the field and can also help you advance your career. Also, if you have an idea about how to engineer a technology design more securely and/or how to better protect privacy, clearly document your ideas and speak about them with your manager or a person at an organization where you would like to work. More broadly, being active in a professional organization, such as the Institute of Electrical and Electronics Engineers, can be a good way to network and share knowledge.
Herold’s Education: B.S. in mathematics and computer science, University of Central Missouri; M.A. in education and computer science, University of Northern Iowa
Related Careers: Robotics engineer, IoT product engineer, software engineer, firmware engineer, hardware engineer