Apr 6, 2007

How I got started on security awareness

Having been 'tagged' by a colleague from the Security Catalyst community, it seems I must explain 'how I got started' in infosec and specifically how I ended up in security awareness.

My first contact with computing was in connection with my childhood interest in amateur radio and electronics. I saw a demonstration of one of the first PCs at the radio club, running the game "Life" at about one generation per 15 seconds. It was amazing!

I started using IT systems at school (where the students knew more about IT than the teachers!) and in college I wrote programs for my own research project and for colleagues in the department working on DNA fingerprinting, fruit flies, bacteria and yeasts. That's where I started teaching IT - mostly 'demonstrating' to undergraduate and adult classes, passing on the few little tips that I'd picked up by trial and error. In the land of the blind, the one-eyed man is king.

In the late 1980s, I moved out of the science labs to become a system administrator for a pharmaceuticals company, eventually running the IT systems for several R&D sites in the South of England under the excellent tutelage of a canny Scotsman, Stef. A takeover by a larger American company was partly responsible for my specialisation in infosec: overnight, we plugged our two extensive DECnet networks together with no firewalls or other additional security measures. Trying to explain the changing risks to my managers was something of a challenge, one I eventually gave up on. By the way, Stef subsequently became the head of information security so I guess some of the things I was saying must have struck home.

I spent most of the 1990s in infosec and IT audit jobs for a privatised electricity utility. Security challenges there included all the normal office and eBusiness systems security issues plus real-time process control systems. I developed and ran an early security awareness program warning about the dangers of, amongst other things, boot sector viruses on floppy disks (remember them?). I wrote my first security policy manual based on the Code of Practice for Information Security Management (later BS 7799, then ISO 17799 and now ISO 27002) and technical security standards for VAX VMS, DECnet, X.25, "PCs" (well, VAXmates anyway!) and Iris graphics workstations. I also learned how to deal with management by playing them at their internal politics games. The value of security metrics and 'evidence' really came home to me in this time. I was amused to play the game of Life on my handheld PDA, at a few milliseconds per generation (the screen is just a blur).

From electricity, I moved first to aerospace and then to a series of consultancy assignments and eBusiness startups. Along the way, a little brainwave led to an awareness program suggestion to a client and, some months thinking and research later, the NoticeBored security awareness service was born. Security awareness has developed into an absorbing passion since 2000. I'm totally fascinated by the challenge of helping ordinary people understand and respond appropriately to the information security risks around us. Many people are waking up to the importance of security awareness, training and education, but relatively few of us get much beyond the "Something must be done!" stage.

So, that's me done, well mostly. It'll cost you a beer or two to fill in the gaps.