What was your first job?
My first job was working at a petrol station, cleaning the shelves and forecourt. My first IT job was working for a small consulting firm called Charles Duncan Consultants. This is where I really learned my trade. We worked on a forerunner to the mobile phone system, called CT2. It only allowed you to make phone calls in certain areas (you could not receive them). With the same firm I went on to work on GSM phone systems, large database systems, complex SI projects, etc.
What do you think most people imagine your job as?
I think most people think I am actively working on research and guidance for the CSA, but I am not. My main job, as I put it, is “making sure people get paid on time”. I run the day-to-day business operations to free up our CEO, Managing Directors, researchers and program managers to focus on the “cool stuff”. I keep my hand in, but it is not my main job.
If you were to describe yourself as a household object, what would it be?
The telephone. Preferably an old, rotary-dial model.
What would your last meal be?
Are you telling me I have been indicted and convicted of a capital crime? Pizza. But it would have to be a damned good pizza. Two Boots from NYC, or Pagliacci from Seattle, for example.
If the battle between IT security pros and cyber threats were to be embodied in comic book characters, what classic super hero/nemesis match-up do you think would be most fitting?
Batman for the IT security pros – they are all a little dark and twisted, and Joker for the non-organized cyber threats – because most of them are truly disorganized and hide behind comical pseudonyms. I do not believe there is a comic book comparison to organized crime and nation states, though, and that is where we really need to be concerned.
If you had to have an occupation other than the one you're doing, what would you do?
University professor. I already hold the position of Visiting Professor at Edinburgh Napier University in the UK, and Research Professor at the University of Arizona in the US. I really enjoy working with each institution, which I believe are both world-leading in different ways, to provide students with real-world insights to cloud, security and privacy issues, and to engage in cutting-edge research.
Have you ever heard a good joke about IT security?
For the most part, IT Security is the joke. Very few organizations get it right, and it is ridiculously easy to find holes in IT systems (the people, processes employed, and the technology deployed). It is one of the reasons behind my belief that I will never take the job of CSO/CISO.
What is the most important personality trait for a successful cyber security professional?
It is sad to say that there is not one, but a slew required. Technical ability is definitely not the most important, though. I would have to say general business skills and awareness. If you do not understand the business, how it is run, business risk tolerance, where money comes from, how budgets are set, how you need to justify expenditures, etc., you cannot succeed after a certain career point.
What technology did you use to rely on, and are now happy is obsolete?
Most of the technology we still rely upon today is obsolete. The problem is that we are relying on software, protocols and paradigms from the Sixties and Seventies which were never designed with security and privacy in mind, and certainly not with modern use cases. Case in point is IPv4. We need to move away from it immediately. The problem is anyone who says IPv6 is the solution just “doesn't get it”. IPv6 embodies most of the problems of IPv4, merely extending the addressing scheme, and introduces its own set of privacy and security issues. We would be better off sticking with IPv4 while we come up with a brand new set of protocols that embody security, anonymity (required for privacy), identity (for when you need to know who you are communicating with), etc. We also have to transform our operating systems and not rely on technology that is rooted in UNIX and VMS, as all common operating systems are, with their outdated security models. We need to reconsider how applications work, and the concept of identity, security and privacy in each.
What is the best career advice you ever received?
I used to be extremely stubborn (although I preferred the term tenacious). I think that all of the managers who I have worked for over the earlier years who told me to compromise more often probably gave me the best advice.