Interview with Robert Slade, Information Security Consultant, Researcher, Author, and Instructor
About Robert Slade
Robert Slade is an information security specialist, management consultant, author, and instructor from North Vancouver, British Columbia. He has consulted for Fortune 100 companies, and taught information security courses at Simon Fraser University, the University of British Columbia, Langara College, Kwantlen Polytechnic University, and the University of Phoenix. He was also a Senior Instructor for the International Information Systems Security Certification Consortium. He is frequently published in the Information Security Management Handbook, and writes regularly about information security for ITsecurity.co.uk. He is the author of Robert Slade’s Guide to Computer Viruses, Software Forensics, and Dictionary of Information Security, and the co-author with David Harley of Viruses Revealed. He has a Bachelor of Science from the University of British Columbia, a Master of Science in Computer and Information Science Education from the University of Oregon, and a Diploma of Christian Studies from Regent College.
[OnlineEducation.com] From your perspective, how has cybersecurity come to be defined as a field and a discipline?
[Mr. Slade] As a discipline/career/area of study and practice, most of us old-timers got into it by being geeks and techies first, having to solve problems, and then starting to specialize in problems caused from malice — intruders, virus writers, etc…
Our younger colleagues seem to have a different experience. There are now companies in the infosec industry, fun opportunities such as the Cyberlympics (Global Cyberlympics/International Hacking Competition), and infosec programs at universities.
Given Gene Spafford’s dictum that a “secure” system is one that does what it is supposed to, proper programming/development should result in a secure system: one that does what it is supposed to, and doesn’t do what it isn’t. However, programmers have an inbuilt drive to make a system do something without necessarily thinking through the implications of putting a function there. There are also pressures on the business side for “time to market” and “update cycles.” Thus the implementation part of development gets the most time and attention, and planning and testing for security are given short shrift.
Another name for information security is information assurance, which is also another name for cybersecurity. Computer forensics and cloud security are parts of infosec. Since “cloud” is just “renting time/space on someone else’s computer” it is identical to what used to be called timesharing, and the same rules apply: do you know and trust the security of the person who owns the computer you are renting, and are you following the rules to keep the other people on the same system safe? Almost all of the new technology is old technology under a new name, hence Slade’s Law of Computer History: those who fail to study computer history are doomed to buy it again — repackaged.
[OnlineEducation.com] Given that historical perspective, what should we be teaching the next generation of information security specialists and technicians?
[Mr. Slade] We tend to be teaching the latest tech, and we should be concentrating on fundamentals. My concern, from my own teaching and discussion with students, is that large areas of basic technologies can be lacking in the programs, with a major focus on recent and superficial tech. For example, when teaching about communications and networking, most students no longer understand the physical layer. If they don’t know about signaling over RF, IR, twisted pair, coax, and fiber, they don’t know what the risks are. We tell them that quantum cryptography requires dedicated single mode fiber optic cable, but they don’t realize that if you have dedicated single mode fiber optic cable you probably don’t need any encryption. We also don’t teach them that quantum cryptography isn’t cryptography; it’s just key exchange. In our Vancouver Security SIG we’ve addressed this by adding a short “security fundamentals” bit to every meeting.
Security is a huge field: you have to know everything about all fields of technology. And, of course, you can’t. One of the main benefits of the CISSP exam is that it tests for “just enough” knowledge of every field so that an infosec professional can speak to a specialist and understand the problem.
[OnlineEducation.com] How do you see the interplay between government policies, technological innovations, economic forces, and social dynamics playing out in the near future in terms of cybersecurity, and how will that impact education and employment in the field?
[Mr. Slade] In terms of government, economic forces, and social dynamics, we are driven towards security theater and a waste of time and money. Every two-to-four years the U.S. President sets up an “advisory council” of security greybeards who ponder for a while and turn out some kind of document. The recommendations vary, but it always contains a suggestion that there be more “information sharing” between government and industry. This is hailed as a good thing until business remembers/finds out that the government perspective on information sharing tends to be one way — info goes into the government, but it never comes out. I recently got a chance to belabor a government rep on this. He managed to deflect it with some bafflegab — but, I think tellingly, he didn’t say I was wrong. Geekonomics is a reasonable reference in this regard — http://victoria.tc.ca/int-grps/books/techrev/bkgknmcs.rvw
Technological innovation really just makes our field nominally bigger. As noted earlier, it really doesn’t change anything if we would only pay attention to the basics. New forms of attack actually come very slowly. Ransomware, the current infosec bugbear, is actually almost 30 years old, and is easily dealt with via one of our most frequently repeated security suggestions. Everyone repeat after me: “Make a backup.” The advanced persistent threat (APT) furor of a few years back is really only common email-borne malware, with a slight touch of spear-phishing to make the social engineering more targeted.
Unfortunately, the biggest factors shaping employment and education do tend to be the social dynamics. Hence jobs and training follow the latest big news event, with education trailing about 2-3 years behind due to course development cycles. Overall, we tend to prepare fairly well for fighting the attacks of three years ago that are already passé and dying, and fail to see the reality of the overall levels of threat, and those that are likely to come. Or come back.
[OnlineEducation.com] What does working in cybersecurity mean on a practical level, and what kinds of skills/personality traits are an asset in the field?
[Mr. Slade] Even though we, in infosec, are a tiny corner of technology, overall we are still huge. Some of us do get to be “big picture” people, and others get to be specialists. However, a number are stuck in net admin or access management jobs where they may be forced into an essentially clerical role, making minor changes as the result of some ridiculous business process that should have been automated out of existence long ago. One of the reasons I have no sympathy for the bleating of companies complaining about not enough skilled people for security jobs: misuse of skilled personnel.
One of the things I have to point out to students is that we, in security, are generally not in ultimate charge of security. We are usually advisors, because the people who own the systems we are supposedly guarding don’t think about security. We have no ownership. Which gives rise to a whole other set of problems.
Security people should be curious and have a kind of professional paranoia. I think it’s Bruce Schneier, in one of his books, who has this lovely diatribe about how security people can’t look at doors without figuring out how to break into them: “Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.” We constantly look for vulnerabilities: it’s just how we are built.
[OnlineEducation.com] The significant gap between the demand for cybersecurity specialists and the supply of qualified professionals is well documented. So, what are employers looking for in cybersecurity hires and how should someone who’s aiming to enter the field prepare him or herself?
[Mr. Slade] Documented by whom? I’ve seen this same kind of whining from companies for over three decades. Our local security group has a mentorship program and a lot of very active student members, and those kids are not being snapped up as soon as they graduate. I did seminars for CISSP candidates for more than ten years, and while all of them had to have had five years’ work experience to get into the seminars, nobody was camped on the doorstep with competing offers.
To corporate HR departments, “qualified professionals” means “people who have years of experience on the device we bought yesterday.” You think I’m exaggerating. I’m not. I’ve seen ads asking for twenty years’ experience in technology that has only existed for ten. In addition, companies are not willing to do any training, or to let new hires have time to come up to speed. HR people, having zero experience in technology themselves, have no idea what is relevant experience to the jobs they are hiring for. In my own experience as a job seeker, I was once asked, for a tech management position, to fill out a “qualifications questionnaire” that was simply looking for Excel Easter egg trivia, and had been photocopied from a computer magazine. (I walked out.)
My experience on the other side of the table is somewhat less, but I’ve been brought in as a consultant to fill a number of positions in specialty areas (and I do a seminar series on technical hiring). Because I know the technology, and know what is relevant to the jobs required, I have never had any problem filling positions, generally within a couple of weeks.
[OnlineEducation.com] What kinds of coursework and practical training should students look for in an advanced degree in cybersecurity, and what kinds of experience outside of the classroom are helpful in cultivating expertise in the field?
[Mr. Slade] The short answer is “anything.” Security is affected by the whole environment, and so almost anything you learn is useful. I will make one exception: watching CSI: Cyber will teach you nothing about security.
I’ve said before that students should take a whole breadth of formal and foundational courses in technology. I do think that is mandatory. However, the next speaker at our Vancouver Security SIG (a university prof) is going to be telling us that students need to learn the latest technology, which I find hilarious, since I’ve taught in his class and I know he, himself, teaches strictly formal stuff. I would argue that it’s important to have actual security workers teach part of the stuff and leaven the material with “war stories” so that students can see how the formal stuff needs to be applied.
Again, almost any practical experience is useful, although students may have to have a bit of direction to benefit. If the student works in construction, they can consider physical access to the worksite. If the student works in retail, look for weaknesses in the point of sale. If the student volunteers at a charity fete, see how people can “game” the lineups, and try to figure out how to prevent that gaming.
Research the security of your own system, and then teach others around you — your family, work, libraries, old folks homes: take any opportunity. Don’t worry about being an expert: as soon as you start researching, you know more than 95% of the people around you. If something strikes you as interesting, research it. There is plenty of work to go around, and you never know when you might come up with something useful, even if it is only backstopping someone else’s work. And you’ll learn all kinds of things surrounding your main topic. Some of them you’ll never use. Some may become vital.
And find and hang out with the professionals.
[OnlineEducation.com] In addition, how did you get into the field, what drew you to it?
[Mr. Slade] I got fired from a teaching job in one of the conservative budget purges of the early ’80s. Since I was one of the first of about 10,000 teachers in BC, I was (since I’d formed an interest in computers in education) volunteering teaching computer seminars for unemployed teachers. Hence my push for volunteer work. This got me into a group where I managed to score an account on an Internet connected machine. I got on the Internet before it was called the Internet, at a time when the Internet population was about 1,000. Unrelated, but coincidentally, I also took my master’s in computer and information science education. The program was in education, but not prepared for full-time students, so I had to scrounge whatever computer-related courses would have me, and was thus forced to take quite a breadth of topics. Hence my push for a broad background.
With the connection to the Internet, I got started researching these new things called computer viruses. At the time, this was not considered security: I wasn’t allowed to present at security conferences. Since nobody else was doing it, I started reviewing antiviral programs. Then, in another volunteer role, I got started reviewing technical books, primarily in security. Along the way, I was doing various technical, security, and management consulting jobs, in government, business, and industry. (Along with teaching every chance I got. I love teaching.) After some years I figured I’d better take the CISSP exam to see if I knew what I was talking about in security. Apparently I did, and they even let me facilitate review seminars and write up preparation materials. I’ve now “taught,” one way and another, on five continents.
[OnlineEducation.com] How have you seen cybersecurity evolve over the last decade or so?
[Mr. Slade] I’ve seen a lot of evolution in thirty years, but if you limit it to the past decade, that makes it more difficult. Even the switch from amateur to monetary-driven hacking had occurred by 2006. I have to say that the biggest change in the last decade was the (primarily vendor-driven) rush into system complexity. Earlier than that, we (professionals) could understand the systems, even if the average user didn’t want to. That meant that we could, at least, provide some kind of reasonable list of security do’s and don’ts, and be fairly sure that following it would keep people safe. That is no longer the case.
We’ve always known that complexity is the enemy of security. Now, however, systems have become so complex, with applications tied to utilities tied to networks, that threats can come from anywhere. My wife, although she insists she knows nothing about computers, by virtue of being married to me and editing all my books, can hold her own with any security professional. This morning she, following a link from Google, ended up on a site that told her the computer was infected. She knew enough to simply dismiss the browser window, but even though I managed to find it again, I’m still not sure if this was simply a temporary breakdown in Google’s security. (I also know that the site was relatively simplistic, and that a number of them are much harder to get rid of.)
I have to trust my OS, my browser, my router, my ISP, and a number of outside vendors (like Google) just to get any work done on any given day. Ten years ago I could have checked the internals at least on the parts that I owned. That’s much harder now. I use simple and stripped down applications for as much as I can, but that’s getting harder as time goes by. It is this difficult to protect a home system. It’s much worse to protect an enterprise.