Today’s interview is with Dave “Shack-Fu” Shackleford. I’ve known Dave for more than a few years and he is one of THE guys to go to if you ever have a security related question, need a cake baked, or need a Mr. Clean stunt-double.
Q: Tell us a little about yourself.
Married with a 9-yr old, live in Atlanta GA, been in infosec for a long time, networking and sysadmin before that. Before computers, I was a professional chef.
Q: How did you get interested in information security?
I was interested in the subculture of hackers and hacking for a long time before I actually fell into the field. I started doing IT consulting while in college, then worked in telecommunications for a while. I went back to school for a 2nd degree, and one of my professors’ “day jobs” was Infosec Mgr at a Fortune 500 – he recruited me. Once I started there, I never wanted to do anything else.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
I have a Bachelors in Microbiology/Psychology, another one in Computer Information Systems, and a Masters in Business Administration. I own over 3000 books, and read constantly, which I think is more important than schooling for our particular discipline. I have a slew of certs, from CISA and CISSP to MCSE and CCNA to GCIH, GCIA, GSEC, etc. All good for mental exercise, and some have been good for “selling” my consulting services or getting paid better.
Q: Do you find your Psychology Degree or your MBA to be more beneficial when communicating security concepts to those who aren’t in the trenches? Does one help more than the other?
It depends on the audience, but the psychology degree helps out in surprising ways! Having a general understanding of what makes people tick, how they’re likely to behave or react, and how to get them on board with your programs is beneficial in any discpline, not just security. In that regard, it may be somewhat more useful overall. However, in the average consulting engagement or internal security project, you’re dealing with business or IT folks, and the MBA helps a lot in the latter case. Presenting security as a business case in its own right tends to be more successful, I find.
Q: What did you want to be when you grew up? Would you rather be doing that?
I wanted to be a doctor – I originally studied genetic engineering. I still have a deep fascination with genetics and biology, but I found my passion in IT, particularly security.
Q: What projects (if any) are you working on right now?
Writing a whitepaper series on virtualization security and incident response. Putting together a few conference speaking abstracts. Working on a few SANS projects, of course.
Q: You’re always busy working on something. How do you find a way to balance your time and family life?
I’m pretty lucky – my career is also one of my major passions in life, so I don’t feel like I’m working half the time, truth be told. I’m a great example of someone who gets into trouble when I’m bored, so keeping me occupied is a good thing. However, I have a few ways to balance things. First, I do something outside or away from the computer every day. Usually, it’s something fitness-oriented, but not always. I work from home, so I’m deeply involved in my daughter’s life, from taking her to school every morning to going to see her gymnastics practices in the evening, but weekdays are tough just like most working families’ lives are. The weekends rock though – we always have some great family activities, from going to museums or movies to hiking and camping. We also do a lot of world travel together, with at least one or two trips outside the country every year. Finally, and this is good advice for anyone that’s married – find some time for you and your spouse. Turn off the blinking thing with the email and the Internet, and go let loose for a bit. My wife and I take several weekend trips every year while my daughter stays with the grandparents, and it’s good for all of us. Vegas is a good choice. 🙂
Q: What is your favorite security conference (and why)?
A tie between Shmoo and Defcon. Defcon wins, though – I like Vegas more than DC, and warm weather more than cold. Lots of people I know are at Defcon, so I can catch up with friends and relax a little bit. I hate “stuffy” conferences.
Q: What do you like to do when you’re not “doing security”?
I do “adventure races” – kayaking, mountain biking, running, etc. I’m a total fitness nut. I’m also a musician, been playing piano for 30 years and learning guitar.
Q: What area of information security would you say is your strongest?
Incident Response and Intrusion Detection. Next would be risk management and compliance…I know, it’s pretty diverse. 🙂
Q: What about your weakest?
Reverse engineering. Never had a reason to do it for a job or otherwise.
Q: What advice can you give to people who want to get into the information security field?
Don’t get in because it seems “cool” – you need to love it intrinsically, and lots of it is boring and repetitive. Also, spend some time in other areas first. Learn programming, networking, etc.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)