Sherry M.

Sr. IT Security Analyst — ISC Office of Information Security

ISC service(s) or programs/projects: Vulnerability management, risk consulting, DE&I

Length of time in ISC: Joined ISC in 2014 and Penn in 1999

Previous work experience: Penn School of Arts & Sciences Computing since 1999, where I was a project leader on security projects. Prior to joining Penn I worked for the U.S. General Services Administration in Philadelphia doing IT support, networking, and training.

Tell us about a challenge that made you proud to be part of ISC.

My biggest challenge creates my biggest accomplishment (and superpower) — the ability to move between silos within ISC to solve problems. My job is to cover ISC as a whole, and I have good relationships with people throughout ISC. That really helps, especially during sensitive times like security incidents. It’s a challenge, because folks in ISC naturally have differing opinions colored by the concerns of their own departments. I feel I can represent those views fairly and be a bridge in the gaps. It’s challenging, but it’s fun.

Because I previously worked for Penn’s School of Arts and Sciences, I’m really happy to see how ISC always tries to serve its constituents. ISC staff don’t just go to bed and think, ‘Well, that’s done.’ They are always trying to think of ways to do it better. When I was hired at the School of Arts & Sciences, I was told that Penn always hires the best. ISC seems to take the best of the best. Every day I’m happy that I work with such smart people. I thank my lucky stars because there’s so much talent here.

What are some interesting technical or business problems you’ve worked on?

When I first came to ISC, we didn’t have a regular security patching schedule for all systems — only some. There was no systematic process, and it took time. As IT and information security have evolved, it has become more critical for those patches to be applied faster to meet threats. I was able to work with Bob Desilets and Technology Services to develop an automated daily vulnerability scan, and set up a process to meet weekly to schedule missing patches. So patches now get applied within days rather than weeks or months — and systems have patching schedules in their Service Level Agreements.

The Identity and Access Management (IAM) team has been working with policy groups to establish effective ways to prove people are who they say they are. It sounds easy, but remote identity proofing can be challenging. For people in gender transition, their PennCard or passport photo might not match their current appearance. When I brought this up as an issue, it was immediately accepted by IAM leader James Brewer and his policy team as something we had to work on. Working with the LGBT Center, we found there were no existing policies around this at Penn. And no other universities have them, so we’re at the forefront of this issue!

How has the pandemic changed the way you approach your role?

I didn’t like working at home. I wanted to come back as soon as possible. A lot of my bridge-building and relationship-building happens when I deliberately circulate so that people don’t only see my face when there’s a security emergency. Besides, I love interacting with ISC’s great people.

What are you passionate about in your free time?

I am a cosplayer! I create outfits based on characters from movies and books, and attend conventions in costume with friends. I also lead an ISC lunchtime crafting group. Crocheting, knitting, bookbinding… We normally do this in person, but we’re keeping it up virtually.

What else would you like to share with people at Penn?

I have the best job in the world. If I won the lottery, I might still work here. I enjoy my job, and I’m grateful to say that. And I’m an equal-opportunity nerd. I like to hear about anybody’s weird hobbies, even if it’s not something I’d do myself. I love learning about unusual things.