Today’s interview is with Joshua Corman. I was introduced to Josh at SANS Network Security in San Diego, CA in the fall of 2009 by Dave Shackleford. He’s a great guy with lots to say about lots of different things.
Q: Tell us a little about yourself.
I’m 34 years old. I live with my wife and 2 daughters in New Hampshire [Live Free or Die].
Security pros didn’t initially know what to make of me – some still don’t. I’m technical, but not l33t. Business savvy, but not a marketing wonk. Mostly, I’m a very effective translational bridge between the super technical and the rest of the world. I was at a BlackHat many years back sitting with some guys from Lehman Brothers. I could understand WHAT was just covered, but could also help them understand WHY it mattered and HOW it impacted their day jobs. Unfortunately, that mix of technical acumen, business savvy, and strong communication skill is far too rare in our industry. In fact, you and I probably know all of them.
I am passionate about Security – I see it as both a technically interesting/challenging space, and also a sacred trust / higher calling. I am candid and direct – firm, but fair – critical, but not to be negative. I can sometimes be mistaken as negative, because I start by identifying a problem – but I am a fierce optimist in my actions and in my drive to affect positive evolution. I am big on intellectual honesty. I am a huge advocate for the security practitioner.
I wrote my “Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry” for a few reasons:
1) I felt the “trusted security advisors” had been increasingly abusing that trust.
2) I felt that we had ceased to keep pace with the evolutions in this space.
3) I saw how hard things were getting for the CISO +/- community and no one seemed to be looking out for them.
4) I think part of me was trying to get fired… so I could get a breather from Security for a bit.
5) I saw several peers quitting security – and decided maybe I should 1st speak up and try to change things.
Well, I didn’t get fired. And my candor was very appreciated. For some practitioners, I crystallized what was on the tips of their tongues or just beyond their reach. For others, the discussions fundamentally changed the way they looked at their work. I half expected backlash from some of the vendor community, but none of them could refute anything I was saying – because it was true – and it was fair. In fact, much to my surprise, some of the vendors were very happy that I started this ongoing dialog – they actually agreed.
Beyond being cathartic, the process gave me a renewed conviction and confidence that these challenges [although huge] were possible to fix – as long as we are candid, critical, ask the tough questions, challenge us to evolve, and get people talking.
Silence, Willful Ignorance, and Blind Spots are/were killing a space I am passionate about – so I wanted to motivate us to do just the opposite.
We’ve got to evolve – and we haven’t been. One of the biggest threats to our evolution at the moment seems to be the overall effect PCI DSS is having – but don’t get me started on that… [yet].
Q: How did you get interested in information security?
Well. I have always loved the heroes of ancient mythology and modern mythology (comics) – so I’ve always wanted to fight bad guys. My father worked for Digital, so I’ve been around computers since I could walk – and was fascinated by the early viruses. My 1st adult job was at Cabletron, a network company. I got a lot of foundational knowledge and value there, but one of our partners came in one day [Intellitactics] and gave us a “Security Primer”. I knew that day I had to get into Information Security full-time. I joined a start-up doing Behavioral Anti-Malware and was hooked. We were later acquired by ISS [Internet Security Systems] – which gave me more access and breadth. And they were later acquired by IBM, where I helped drive the Cross-IBM Security Strategy and had exposure to just about every topic in the market.
Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
As an undergrad, I initially studied Micro/Marine Biology. I got kind of bored with it, but I was happy to be infused with the metaphors, models, and scientific methodologies. Any fan of Dan Geer knows how useful biology can be in the field of IT Security. I ultimately got my degree in Philosophy. I liked trying to solve insolvable problems. It was great practice for IT Security. Also, I knew that sound logic, analytical structure and writing skills would suit me for anything I tried to do.
Q: What did you want to be when you grew up? Would you rather be doing that?
I wanted to be a Marine Biologist and train dolphins. I love the sea – always have. Over time though, I wanted to write and direct films. Still do!
Q: What projects (if any) are you working on right now?
I could tell you, but I’d have to… Aside from a brand new job at The 451 Group, I do have 2 Security related initiatives cooking. One has to do with the supply side of vulnerabilities. Most of this market is focused on the symptoms versus the underlying disease. We’re fighting the heads of the Hydra – not its heart. Another effort has to do with the good versus evil side of Security. Security is both a market – and a higher calling. Most do not realize the awesome responsibility that comes with Security. There are very bad people, doing very bad things. Too few of us recognize this – or are willing to rise to meet this sacred duty. What draws some of us to this problem space is somewhat akin to what draws people to be firemen, soldiers, EMTs, etc. E.g. Rich Mogull was an EMT. It is a space in need of Protectors. Some of us are drawn to this because we have a need to serve our fellow man.
Q: What is your favorite security conference (and why)?
Tough one… I’m growing sick of most of them. This space evolves so fast, but the conferences remind me how little we [collectively] are evolving. Of the bigger shows, I guess I dislike DefCon least of all. Some of these smaller shows are a lot more relevant. I really enjoyed webcasts I saw from SOURCE Boston, DojoCon, and BruCon. I’m super excited to do our PCI Debate at ShmooCon in January. I see PCI as a very serious threat to this space. Mike Dahn and Anton Chuvakin disagree. Hopefully we’ll break records for the sale of ShmooBalls.
Q: What do you like to do when you’re not “doing security”?
There’s life beyond security?!? [kidding]
I love movies. I love music. I love to cook. I especially love my 2 daughters. My personal time often involves 2 or more of these. Then there is also my lovely wife’s Honey-Do list… I had been playing Ice Hockey, but fell out recently due to too much travel. I miss it, and I’m hoping my new job lets me get back into it.
Q: What area of information security would you say is your strongest? What about your weakest?
Hmmm. Good question. Tough question.
Strongest: I really feel like I’ve always grokked the Malware threat domain. But I’ve really moved beyond that. I feel like I’m strongest at pattern recognition. I’m able to see the tectonic plate movements and see where things are going. Most of my higher value contributions in the last few years are looking at the macro issues in the Security space. I don’t look at what people just did – I look at WHY they did it, and predict what is likely to happen next – with pretty good accuracy. I think we’ve got a complex [and highly sub-optimized] ecosystem, so I’ve been paying attention to the major forces that shape it – evolution in Threat, Compliance, Technology, Economics, and Business Priorities. When you see the patterns, you can predict what will happen next, what will work and what will not, and see how we’re failing overall – as well as figure out how to evolve to approach a better equilibrium.
Weakest: I’d have to say “Identity & Access Management”. In the grand scheme of things, I know it is super important. That said, I’ve always found it incredibly boring. I’m just being honest. Recently though, I’m starting to pay more attention to it – for at least 3 reasons: 1) As we embrace clouds, this space gets even more important. 2) I’m eager to see us combine disparate controls for greater security. E.g. WHO accessed WHICH data, via which APPLICATION, on which SERVER, etc. And 3) One of my analysts, Steve Coplan, has some real mastery and passion for the space, and together we’ve been seeing some of the roles it could play in the future. I mentioned cooking… as an individual ingredient, I’ve been bored by this space – but in the right soup, it plays a critical role.
Q: What do we, as a society, need to do in order to make information security more important?
Very good question.
I’d like to see more varied educational backgrounds enter our field. The most interesting angles I’ve seen often come from the people with atypical fields of study. The new thinkers bring us Economics, Psychology, Sociology, Communication skills, Biology models, Philosophy, etc. Security is far too focused on technology. The People, Process, and Technology trinity put technology LAST. I think until we’ve embraced and involved people-at-large, we’ll be fighting uphill. I often refer to my mother-in-law in speeches. If my mother-in-law can get it – or carry a security mind-set or “ready stance”, we won’t have so hard a time getting some of our security agendas to make progress. That’s just an example. In general, Security folks speak in security tech/elite terms. If you want to get executive support, you need to speak their language. If you want a more engaged and aligned government participation, meet them at their level. If you want to take a bite out of eCrime and attacks on the unwashed masses in the “leper colony” of our mother-in-laws’ PCs, we need to use pop culture and accessible means to raise their ThreatIQ – even 1%. The people who say End User education doesn’t work are usually vendors who want to sell technology or people who suck at educating/communicating. Lame, 10 year old, annually mandatory Flash training doesn’t work – correct. I’ve written about positive examples before – maybe I’m due for this topic again. Quick example though: My hairdresser told me how she saw a Facebook quiz asking 20 questions. She skimmed them and realized that many looked like the kind of personal data that her bank might ask her for security questions. She was so proud that she didn’t fall into answering it. I made her 1% more skeptical – but that’s where it starts. You were with Shackleford and I at SANS when I said he and I should do a series of YouTube videos for the masses… “You can learn a lot about Security from [fill in the blank] – e.g. a Zombie Uprising”. Social Engineering WORKS… how come only the bad guys use it? We have a lot of untapped room for progress if we can make a Stop, Drop, and Roll-like campaign for Internet Safety.
Q: You mention PCI quite a bit in Twitter. What is your feeling on its effectiveness? What needs to change?
Where do I start… I’ll try to be brief. I am very concerned over the unintended consequences and impacts Compliance is having on our space. This is a BIG issue – probably the most central issue in our entire industry. Compliance is the #1 driver of security in our space right now. We have come to fear the auditor more than the attacker. You and I know Compliance != Security. One can be compliant and far from secure. The issue is that the world has conflated the digital dozen of PCI DSS for credit card PII data with industry best practices for all security. People are spending on mandated security – and little else. It was meant to set the minimum starting line, but in a down economy and overly costly/complex market – it’s become the finish line. This is not the intent – but it is the result.
I’ve compared PCI to the No Child Left Behind Act for Security – and the analogy holds very well (rybolov prefers “No Merchant Left Behind”). As an industry, we need to be VERY careful and VERY deliberate about the role compliance should and shouldn’t play. Compliance cannot keep up with [or be an effective proxy for] the evolutions in threat or technology – not with 2 year cycles and minor changes. Jack Daniel put it well: “Security is 2+ years behind threats, and compliance is 2+ years behind security”. But this is just one issue with it. What’s good is we’ve started some ongoing Adult, Rational debates on this. There is a 2 part podcast debate with CSO and NetSecPodcast. We debated this at ShmooCon and there is a [controversial] video that will be posted soon [we hope]. We’re also doing another panel Wed March 3rd at Bsides San Francisco… maybe even DefCon! The Southern Fried Security Podcast interviewed me this week on this topic. I think it airs as a special episode this Saturday. The important thing is the rational discussion with people from diverse, informed perspectives. It’s advanced my thinking and theirs – we need to keep going. It affects our whole industry.
Q: I saw you launched “Rugged” and the Rugged Manifesto at www.ruggedsoftware.org. What is the goal?
Software is modern infrastructure. Unlike steel and concrete, this digital infrastructure is not nearly as reliable. We’ve done a decent job developing tools and frameworks and evolving how we respond to weak software… but we’ve really failed to reach the non-security community. Rugged is a meme – a contagious value set – aiming to make non-security folk understand and value Rugged Software. I was also a little sick of our industry saying developers are lazy – so not true. Developers are talented, professional problem solvers. We’ve done a poor job raising awareness and getting people to see why they should care about Rugged software. “Security” has not worked. Rugged is something non-security people are understanding. Programmers can want to be Rugged and write Rugged code. Buyers can demand Rugged Software, etc. We’ve had huge excitement thus far. Oh… and by the way… clearly security vendors stand to benefit from Rugged getting traction, as more people need help becoming Rugged. If all we do is get 1-5% more people to their 1st OWASP meeting – or first Top 10 list… this is how change starts. Last point, there are lots of critics in our space – so there have been some “haters” already. My response is… we all claim we want better security – and for more people to care about security. Is Rugged perfect? Heck no. Is there good intent – and possible promise in it? Yes. I’m asking people to latch onto the good. shrdlu and jjx put it well in their blog posts. It’s a baby meme and needs support – but it’s worth nurturing and pursuing. So decide if you want to help make it better – or tear it down. I’m hoping for the best in our community to be their best and add their influence in a positive direction.
Q: What advice can you give to people who want to get into the information security field?
Hmmm. You need to bring your “P’s” or don’t bother. We need Passionate, Principled, Purposeful, Protectors (nod to Clint). This space is HARD, it is thankless, and it will suck the life out of you if you don’t “bring it”. We’re over our quotas for whiny, mopey, entrenched, sedentary, defeatists. Lead, follow, or get out of the way. Also, you need to be able to thrive on change. In a space that changes CONSTANTLY, our current ranks are often incapable of changing. Yes, “change == risk”, but guess what folks… we’re surrounded by it. Do the Evolution! So we need fresh blood – and if you fit the bill, please join the ranks.
Q: What advice do you have for technical people who want to move into an analyst or researcher role?
I will say that we need fresh voices and people willing to dialogue and tackle the tougher, central issues. I think too often the Analyst community is simply reflecting the “Consensus of the Uninformed” or echoing what a vendor told them. So selfishly, I’d like people with intelligence and passion [who may not even like analysts] to consider joining the ranks.
In fact, I’m hiring – right now. I need someone who wants to help me cause the right kind of trouble in exactly the right and necessary spots.
Q: How can people get a hold of you (e.g. blog, twitter, etc.)?