Category: Security

So I am looking for new things to do. This is a post that provides some background to that.

I joined Virus Bulletin in January 2007. I was hired to do maintain its website and make sure it didn’t fall over when the BBC and Slashdot linked to it, which I did, but then there were more things at the company that needed doing and I realised I kind of liked security so I stayed on. I built a test for email security products (we called them spam filters back then) which is still running. I started doing other things too, such as write blog posts, give conference talks, and build a web security test framework. I also became heavily involved in our conference. Then, in 2014, I became Editor, which in VB’s funny set-up means I kind of run the company and I am pretty involved in just about everything the company does, from making budgets to writing test reports, and from doing pre-sales talks to putting together the conference programme.

But the time has come for me to move on. In part because I think I have done at VB what I can do. In part to close a chapter in my life. And in part ─ and this is actually the most important part ─ because there are so many other exciting and important things to do.

My main requirement for future work is that what I do is meaningful and makes an actual difference. I have a strong interest in work related to civil society, but I know a big difference can be made elsewhere too. I would like my dozen years of working in security, and thus getting a pretty good grasp of how security works beyond the sales pitches and scary headlines, to be turned into something really good.

I am looking for a full-time, or mostly full-time position, at a new location, but I would be happy to work on short term and possibly part-time projects for a while. I do like working towards a clear, tangible goal, so that could actually be exciting.

I think my understanding of security and my experience in it is rather broad, which is one way of saying I am not necessarily good at one particular thing. I can do a lot of things reasonably well and I think I would be most useful in a broad, varied role.

I can do research. Though never a core part of my job, I have analysed spam campaigns and, based on C&C traffic, malware families. I have done many smaller, ad hoc research projects. I have a background as an academic researcher in pure mathematics, which gives me a pretty good understanding on topics such as machine learning and cryptography. I have given a number of technical talks on the latter subject. I am familiar with a wide range of research tools and can program and design technical systems.

I can write. I have written a great many blog posts for Virus Bulletin, as well as guest articles for various sites such as Forbes and Ars Technica. I write a weekly newsletter on threat intelligence. I have written technical reports and edited a many often technical papers written by others. In the past, I have written articles on music, history and mathematics.

In can speak. I have spoken at more than a dozen industry conferences around the world including RSA, Nullcon, AfricaHackon, NorthSec and TROOPERS. I have given talks at private industry events. I have given both technical and non-technical talks, depending on the subject and the audience. I have helped others prepare for talks and sometimes speak to the media.

I can plan. I have been the main organiser for the Virus Bulletin conference since 2014 and have been a member of various industry committees. I currently serve on the board of AMTSO. I was chairman of the students’ association for maths students and a student member of the faculty council at my university. At VB, I have worked in implementing various regulations and managed a remote team.

I also know a lot of people in infosec. This can come useful in future jobs, especially when it comes to using their help in achieving a goal.

I have over the course of my career in infosec come to learn that the challenges we face are far less of a technical nature than we are led to believe. I would like future jobs to be technically inspired rather than purely technical, but I do enjoy the occasional deep technical challenge. Working with an inspiring team is even more important to me though.

Two final things. First, I am a white man working in an industry with an abundance of white men. If you find yourself discussing possible work with me, which undoubtedly will involve me trying to convince you I can do that work, please try and be critical and consider whether it makes a difference to you that I confirm to the stereotype of an infosec professional.

Secondly, it is important for me to work in a diverse and inclusive work environment. Not only do I believe that as individuals we have more to learn from people that aren’t like us, but a big part of information security is about trying to understand other people’s threat models, thus making working with those other people, in an environment that suits them as much as it does me, of vital importance.

I you want to talk about work, please email me at thinksmall on gmail, or find me on LinkedIn or Twitter.

A few years ago, I attended a two-day work meeting with a few dozen others from all over the world. The latter part matters: though the meeting was conducted in English, a majority of the attendees weren’t native English speakers and in quite a few cases not exactly fluent in English. (I lived in England for many years and consider myself a fluent speaker, but I am not a native speaker.)

At the end of the meeting, a brave individual pointed out that most of the talking had been done by a small number of individuals, all of whom were fluent in English. By the time he himself had put his thoughts into English words, he said, someone else had already started speaking.

He was right. And I had been one of those individuals.

This was rather awkward, as once upon a time, I too had been one of those people for whom attending a meeting in English meant spending a lot of effort just to comprehend what was being discussed. It made it harder for me to be an active participant, just like now it was harder for others.

There is a relatively simple solution to this: the use of microphones and session chairs who ensure that people only speak up when they have a microphone; and ideally also make sure that it’s not always the same people who are speaking.

Since that meeting, I make a point of only speaking when I have been given a microphone, even when a chair doesn’t enforce this rule. But also, because I know I may forget this when I get passionate about a subject, I try to take a seat at the back of the room, from where I can’t easily start having a one-on-one discussion with the chair.

Finally, this isn’t just about non-native speakers. It is known that women and other members of underrepresented groups tend to be disproportionally ignored in meetings. These rules should also help make them equal participants in such meetings.

There are a great many diversity initiatives in the tech and security community. They make me excited, optimistic and occasionally a bit sceptical about the real intentions of the company organising them. They rarely if ever make me feel uncomfortable.

That is strange. I am a white man to whom you can easily apply half a dozen other adjectives to show I don’t belong to an underrepresented group. In a parallel and more diverse universe there are fewer people like me on company boards, on conference programmes and in your Twitter timeline. And maybe one of these fewer people like me would be me.

I am used to talking about my career in security as one where I have combined hard work and talent to find the right opportunities. But that is only half of the story.

The other half of the story is that to many people I will have looked like the kind of person who could do the job, or give the talk. Research shows that this too makes a different even among people who don’t think they have such biases. (Which, no doubt, includes me.)

And thus I got my first role at a security company as a Perl developer based on three websites I had once built and a few scripts I had written in the decade previously. And thus no one ever questions my credentials as a ‘former academic mathematician’, even though I never finished the PhD thesis I was paid to write. (I don’t think anyone has ever asked me the question how I deal with a big deadline four years into the future. They should have.)

On the contrary, people regularly overestimate my knowledge on technical subjects and confuse an ability to casually discuss a subject with a thorough understanding of it. When I quietly correct them, it is from a position of confidence, not from one where I have to worry I confirm to biases they had about me. I can afford such a position.

Those two paragraphs were surprisingly difficult to write. It is very tempting to think that it wasn’t me but that loud-mouthed CEO or that misogynistic programmer that benefited from the lack of diversity. That I am a neutral outsider in this story. But diversity (and the lack thereof) is far more subtle and complicated than that and I think it is crucial to acknowledge how my privilege has affected me and my career.

So if your diversity initiative doesn’t make me — and people like me — feel at least a little bit uncomfortable, chances are it isn’t very good. And if I don’t use my privilege to actually try to make this community more diverse and more welcoming, even if this would make things comparatively more difficult for future versions of myself, I had better stay out of all the diversity excitement.

So let me do that. And you are welcome to hold me accountable.

I have been doing a lot of security blogging recently, at Virus Bulletin, but also at other places. I will collect these articles here on this blog, with the permalink going to the respective articles. If you care about the things I write, you may want to add the RSS feed to your RSS reader.
Don’t hesitate to contact me if you’d like me to do some writing for your blog or website.
(And please bear with me while I will add blog posts I’ve written in the past three months.)