They say you should never meet your heroes—often they will just disappoint you. But thankfully, there are also exceptions to this rule. In this series, I will be introducing you to five of my key cyber security/infosec heroes. These individuals inspire me to continuously strive for more, with one even motivating me to move across the pond. All five have given excellent advice along the way. See parts one, two and three of this five-part series for which I interview Dr. Jessica Barker, David Prince and Holly Williams. All of these individuals have inspired me to pursue different areas of cyber security. In part four, we’re connecting with Per Thorsheim, another one of my best friends whose passion for passwords and authentication has him running PasswordsCon, a bi-annual conference dedicated to simply that. Funny enough, Per initiated my relocation across the pond along with the beginning stages of my career in cyber security. After all, it was his tweet that connected David and I. Per has always seemed to see the world through a slightly different lens. When the world was blaming users on their password and security shortcomings, Per fought back by pointing out that our systems were allowing it and that we, not the users, were to blame. One of the most interesting perspectives came from Per’s mum, when he asked her about a password she was using:
“Listen: this system has been installed by the IT department. I assume they are good at what they do. If this system accepts my password, then they consider my password to be good enough. Period. Why would they allow me to use a bad password? That doesn’t make sense.” – Per’s mum
Per taught me to constantly look deeper, to not spread fear, and to enable users to understand more. Per taught me to teach users on how to create passwords in a fun way, not a fight, which will enable them to want to learn and to care.
When was a time you failed, or felt like you did, and what brought you back?
Oh, I have failed too many times to remember them all. Whenever I fail, though, I try to learn from it. Evaluate myself and other factors that influenced me and whatever it was that failed. A simple example is to evaluate my own talks. Reactions from the audience, questions during and after my talk, how I dress, talk and move around on stage. Not to mention the dreadful “watch yourself on video to see how you act on stage.” You can learn a lot from it.
What are your motivators?
Well, I simply love seeing people understand what I’m talking about and realizing that the ideas, actions, products, or services we are talking about are easy, smart and secure. At a deeper and broader level, I like to make a contribution to society. It may sound a little weird, but I think I’ve done a few things here and there to the benefit of many. I like that.
Who’s inspired you?
Ooooh! That’s a long list, believe me. I’ve had the opportunity to work with, meet and interact with lots of very skilled people from various parts of the world. That said, some of those who really inspire me are those who have done great things but who never boast about it. Modest, kind and skillful people who take a great interest in both teaching and learning from their peers. In no particular order, I want to mention Cormac Herley at Microsoft Research, Jim Fenton, Anne-Marie Eklund Löwinder at IIS in Sweden, Joan Daemen (inventor of AES ++), and last but not least my mum.
What do you feel is your greatest achievement so far?
Aside from 1) having a child and 2) saving someone’s life, I am very happy to have participated in convincing the world to adopt RFC 3207 STARTTLS for SMTP support. It took me 10 years and a lot of my spare time, but it was very well worth it.
What advice do you have for others starting out in Cyber Security?
Listen to others, but never accept a single source as “the truth.” Double- and triple-check, and seek out opponents to theories or “facts.” You should also find yourself a mentor who is willing to answer questions you might have, give you practical advice, and introduce you to people and opportunities. Be brave, but remember to be humble, as well. Oh, and NEVER be afraid of picking stuff apart and trying to put it together again. Figuring out how stuff works is a lot more fun than being told how stuff works. :-)
If you could go back, what advice would you give yourself when starting out?
Learn to code. Learn to code. Learn to code. Learn to code. Learn to code. Learn to code. LISTEN; I’LL TELL YOU ONE MORE TIME: LEARN TO CODE.
What advice do you have for others that may be or are feeling stale in their career currently?
Well, I’ve had that feeling before, and there is no easy answer to the question. Some prefer a stable job and income, some wouldn’t mind moving around the world for new and exciting ventures, and others prefer to work from home. Never be afraid of taking on new challenges that might look too difficult. You learn faster than you think. Never give up on learning new stuff!
What do you think are some key development areas for the Cyber industry?
There was, is, and probably will be even more Fear, Uncertainty and Doubt in this industry in the future. As everything seems to get connected, the need for better security usability is increasing by the day. Try to think positive and ask people HOW you can help them do their job while maintaining an acceptable level of security. I think there is a direct link between the usability of security and security itself. If it's hard to use, people will avoid, circumvent, or break it, and none of those options are acceptable. So, make sure that security gets easier for everyone.
Any final thoughts?
The best advice I’ve ever given to the general population: stop enforcing mandatory password change. It makes security worse; it hurts the usability and productivity of any organization. Only change when you actually needed to. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
