Diversity in Security (Guest: Ian Murphy)

Ben Newton: Welcome to the Masters of Data podcast, the podcast that brings the human to data and I'm your host, Ben Newton. This episode is the first in a series of interviews I did on the floor of Sumo Logic's 2019 Illuminate conference. This first interview is with Ian Murphy. Ian has been a journalist, editor and analyst for over 30 years and is currently an editor at Enterprise Times. He and I talked about his very interesting background, the need for diversity on security teams, and his passion for working with veterans. So without any further ado, let's dig in.
Ben Newton: So, welcome everybody to another episode of the Masters of Data podcast. And another recording we're doing here in the Illuminate show and as always, I'm getting to talk to a lot of interesting people like Ian Murphy. Thank you for coming on. I really appreciate having you here.
Ian Murphy: Thank you for inviting me.
Ben Newton: Yeah.
Ian Murphy: My name is Ian Murphy. I served in the British Royal Marines for a period of time. I then came out into journalism and analyst work and I've run around being disruptive at conferences.
Ben Newton: I like that. Have you rehearsed that? So I was just recording for your podcast and I joked you should be on my podcast, and here we are. So this is perfect. This is why this stuff is fun. You're a writer and analyst, editor at Enterprise Times. You've clearly been around the industry a lot. I mean, what's your story? What got you to where you're at today? Other than being in the Royal Marines.
Ian Murphy: Well, when I left the military I was working in a publishing house. And I couldn't understand why my Atari 800 computer at home could do all sorts of cool stuff and I had to use an old set up and big typewriter in the office.
Ben Newton: Yeah.
Ian Murphy: When we had a mainframe at our other office. And I worked through trying to understand this. Got given the rights to go and do a project for the company, and discovered when I spoke to magazines like, "Do you cover PCs? Do you write about word processing software?" Bear in mind, this is 1983. And the magazine said, "Well no, do you want to write about it for us?" So an editor sent me over an IBM PC with two floppy drives and an Amber monitor and a little box of single-sided five and a quarter inch floppy disks and a copy of Lotus one. A copy of Lotus 123.
Ben Newton: That's fantastic.
Ian Murphy: And that kind of started it from there. I just love what I do here.
Ben Newton: And you've basically been some version of like writer, analyst, reporter since then basically? Is that that what amounts to, you've always been writing and observing and...
Ian Murphy: I write, I was a certified trainer for lots of companies in the eighties and nineties. Gave it up in the 2000s because trying to keep skills up was just too much for the training.
Ben Newton: Yeah.
Ian Murphy: I do a lot of analyst work with companies these days as well. That's when I'm not doing ridiculously stupid long drives, off coaching sport and playing sport and sitting on airplanes.
Ben Newton: Yeah. We should add the context there that I was very interested to find out that, so we're here, you know, just south of San Francisco, and that you drove from Las Vegas. And this is a trip that you do quite a bit, apparently.
Ian Murphy: And then decided to have a complete mental aberration. So instead of coming up via Death Valley and across Yosemite as I normally prefer, because it's nicer than I-15 and I-5.
Ben Newton: Yeah.
Ian Murphy: I decided to drive towards [inaudible 00:03:23] for some reason yet to be established.
Ben Newton: Yeah. Well you seem like you came out the end okay. So in kind of talking about your background and things you're interested in, you had mentioned a topic that I thought was really, really interesting. I mean a bunch of people that I've interviewed on the podcast, we've talked a lot about culture. I, I've always found that that's a topic that's both, you know, sometimes it's overcovered but then it's really undercovered in a lot of ways. Like people talk about it a lot, but it's so key. Like we're talking about humans. As much technology as you want to talk, we're talking about humans. You know, particularly in the field you're in. I mean, what are you seeing in that particular, you were talking a little bit about diversity in IT security, kind of where you focus.
Ian Murphy: Yeah. Part of the problem with IT security is, you walk around most SOCs today and what you see is white middle class men.
Ben Newton: No.
Ian Murphy: It's a shocker, isn't it? They're generally university educated. They understand how to code. And all we're doing is perpetuating this myth that to do security you've got to be a geek. The problem is the attackers have a whole different mindset.
Ben Newton: Yeah.
Ian Murphy: They will social engineer the hell out of an organization. Well, you can't defend social engineering with technology. You can only defend that with people and by educating people. They will suddenly throw up a weird set of attacks that technology might catch, but actually if they're phishing and looking for things, they'll use stuff you wouldn't expect. Good example. Somebody's monitoring your social media feed. They notice you started talking to somebody you haven't seen for a very long time and you've arranged to meet up.
Ben Newton: Right.
Ian Murphy: My next attack on you would be to see when you meet up, see what you said you're going to do, look for some photos on social media and then send separate emails to the pair of you pretending to be from the other person. I might just embed a couple of attachments of photos that I say we took on the night.
Ben Newton: Yeah.
Ian Murphy: Most people are going to click on those photos. You've now enabled me to get you my code on your machine.
Ben Newton: And so when you talk about, you know, diversity in that context. So are you saying that basically the lack of diversity makes that easier for the attacker?
Ian Murphy: It's diversity based on age.
Ben Newton: Yeah.
Ian Murphy: It's based on culture. It's based on ... gender. It's based on race.
Ben Newton: Yeah.
Ian Murphy: So let's say we see an attack going on in South Africa. And it's targeting businesses that are mainly populated by 15 to 25 year olds. And they are based around a particular culture.
Ben Newton: Yeah.
Ian Murphy: If the attack team who see that are white and middle class, they may not understand the relevance of some of the terms of some of the engineering, particularly the social engineering used in that attack. The net result is that they will be unable to pause that and pass that out to their customers in terms of, "Hey, we're seeing this type of attack beginning to develop, this type of vector being used."
Ben Newton: Yeah.
Ian Murphy: Therefore you have a gap in your visibility. The stupid thing is you actually have the intelligence sitting right in front of you.
Ben Newton: But you just don't see it.
Ian Murphy: You just don't see it.
Ben Newton: Yeah. That's really interesting. What do you think, you know, other than I guess the obvious, like why? Why is this the case? Is it just, you know, a larger factor of being in the technology industry in general? Or is it security in particular?
Ian Murphy: I think it's very security focused.
Ben Newton: Yeah.
Ian Murphy: There's this obsession that everybody in security needs to have a degree at the moment.
Ben Newton: Yeah.
Ian Murphy: No, I would go in and play a whole lot of people who don't have degrees because they're much more useful to me than people who spent all their life in education. Don't get me wrong; those people have a very good role to play for me further down the line. But actually today when there's a massive skill shortage, there isn't as big a skill shortage as you think. So we need to change our focus or what our employees are. So walk around in the UK, we call them counselor states, over here you call them projects.
Ben Newton: Yeah.
Ian Murphy: These are areas where you've got deprivation, you've got a lot of crime, but you've got a huge high technology usage in those zones. This is where your generations of hackers are being schooled. They're not going out stealing cars or killing people. There's an easier, softer way for them to make much more money, and that's technology. They've hacked their favorite game because they don't have the money to buy the next version or the upgrade or the additional pieces to go with it.
Ben Newton: Yeah.
Ian Murphy: They have problem solving skills. They have the interest in doing this. Now they might be excluded from school because they're disruptive, but you can teach them that traditional educational block. You can improve their writing, improve their reading, improve their numeracy. What you can't do is teach people problem solving. It's an innate ability.
Ben Newton: Yeah. Yeah.
Ian Murphy: Now you've got Wizards of the Coast presenting here. One of the challenges I think that's interesting for them is that they're dealing with gamers, role players, people who are preconditioned to solving puzzles on what is a security attack. This a series of unlocking a puzzle.
Ben Newton: Yeah.
Ian Murphy: So bring these people in, give them an education. It doesn't matter how old they are. Starting with 15, 16, 17, 18, it really doesn't matter. On the job education, they bring skills to you, you give them something back. You give them an escape out of where they're stuck at the moment, where their life may just end up being worse and worse crime. But you then get a whole bunch of side benefits. You get a whole different cultural mix in the organization, a whole different view on why some attacks work. A whole different view on mock vectors are clearly open that you would never naturally look for.
Ben Newton: Well you know when, when you say that, okay, so, I don't know if the right word is trope or whatever that comes to mind, but you know, I'm thinking the, the wild but smart kid who hacks, gets caught, put in the prison, and the NSA recruits him. Right. You know, it's like, it's after they've committed the crime. But it seems like in the real world that's probably not the best way to recruit these people. So how do you actually get to that group of people?
Ian Murphy: First of all, you've got to start reaching out to them. You've got to find some way to engage them. And at the moment we're not, in cybersecurity, engaging the gaming companies. We have lots of hackathons going, we have lots of competitions for schools go on. But often many of these kids are the excluded group.
Ben Newton: Right.
Ian Murphy: They're not going to be invited to take part in the competition at school because they're not in school.
Ben Newton: Yeah.
Ian Murphy: So we need some way to fuse games or something else to engage these kids into doing stuff. We need to create a credible engagement with them, show them that we're not trying to trap them or get them in trouble, but give them a way to do something, to achieve something. Pay them early on for something they find. Find a way to show them there's a career out of this. Then that career isn't against, you're talking about tropes, that career isn't somebody who's not seeing the sun in six years sitting in the basement or the loft wearing a hoodie 365 days a year and who wouldn't know a bathroom apart from to use it to get rid of things.
Ben Newton: You have a very creative way of explaining things. I like that. That's really interesting. I mean, do you, well, I mean, do you see anybody doing this?
Ian Murphy: I'm starting to see this certainly in Europe. There's an increasing attention on this within Europe, and it's coming from security companies and it's coming from large enterprises who are realizing that inviting people in for interviews and throwing away any CV that doesn't start with a degree is losing a huge set of skills across the entire business.
Ben Newton: Yeah.
Ian Murphy: They're now much more willing to go to where the people are to talk to them. They're willing to meet with these people. They're setting up apprenticeships. They showing them that there is a way forwards in this. Now, this is not just about attracting people who can hack and code and solve problems. They're also reaching into other disciplines. So when we talk about phishing attacks, think about the psychological impact of this. How do you manipulate people? So psychology's, there's a whole base for that. We don't prosecute all of cyber crime. Why? Because lawyers have no clue what it's about.
Ben Newton: Yeah.
Ian Murphy: If they don't know what it's about, they don't know how to charge it. And let's be honest, lawyer's not interested if he can't bill.
Ben Newton: Right.
Ian Murphy: So if we're going to prosecute, why are we not making cyber part of the legal framework, part of the legal courses they do? Engage these people in. We did this in the 70s. In the 1970s, we had this massive explosion of computing mid to late seventies, and one of the things we did at that point in time was we went around universities and we took people who want arts degrees or mathematics degrees or science degrees and we said to them, come be computer programmers.
Ben Newton: Yeah.
Ian Murphy: And we wanted them, particularly those on arts, and science because they have problem solving mathematics are just as valid.
Ben Newton: Right.
Ian Murphy: And we turned them into that generation of analyst programmers from the late eighties through to the mid, late seventies through to the mid eighties. There's a good case now for at that degree end, going out and finding these people and they then supplement these other people on projects. There's also a wider scope on this when I talk about culture. Many companies recruit people who look like them.
Ben Newton: Right.
Ian Murphy: Why? Because it's a safe thing to do.
Ben Newton: Yeah.
Ian Murphy: "I the school you went to. I know what I can expect. I can communicate with you." When you're trying to recruit people from different social strata, it's very, very hard to know how to engage with them, how to talk to them. You get this, them and us in the office straight away.
Ben Newton: Yeah. And I would think, I mean, having been a hiring manager myself, it's like, what are the red flags if you're not in that group? Yeah. If you went to the same school and you came from similar background, you know what to look for and what you shouldn't see. Whereas if they're not in your, you know your group, how do you know what to look for and what not to look for?
Ian Murphy: And this is also where education has become part of the problem.
Ben Newton: Yeah.
Ian Murphy: Businesses continually complain that when people leave school or they leave college or they leave university, they really are not the people they want and they have to spend all this time retraining them to understand the real world.
Ben Newton: Right, right.
Ian Murphy: But that's because we set up education in such a way that we're trying to teach them a set of facts and a set of skills that take a long time to teach. If you change a curriculum, you start with people between five and eight because that's your start point for this.
Ben Newton: Yeah.
Ian Murphy: Now think. By the time they leave university you're talking up to 20 years. It's just 20 years before your next major shift. You cannot adapt education as fast as business wants it unless a business gets involved. And where we've lost an awful lot of this vocational training, out of education, we've lost that ability to have that rapid turnover and that improvement. And vocational training leads to apprenticeships. That's degree equivalent apprenticeships.
Ben Newton: Right. You know, it's interesting you say that because I would think that at least in past experiences, it feels like Europe sometimes does a better job of that than the US because the US, it's just, there's been a downplaying. It's like, well everybody has to go get a bachelor's degree. The idea that I could go out and learn a specific skillset that's highly useful to society without having to go get a bachelor of arts. None of which will you remember in a few years. I mean, do you feel like you see that more in Europe that they are doing, am I right?
Ian Murphy: Very much so in Europe. And there's another reason for this and that is the cost of getting that degree.
Ben Newton: Yeah.
Ian Murphy: People are now leaving university. They're leaving college. They're leaving school with debt.
Ben Newton: Yeah. Right.
Ian Murphy: That debt stays with them for most of their life. The vast majority of people who leave university do not start on a job that is good enough to pay off their debt in five or 10 years.
Ben Newton: Right, right.
Ian Murphy: So why are we putting people in this position? It has major impact for society in other ways. They can't get a mortgage.
Ben Newton: Yeah.
Ian Murphy: They can't buy a car. They can't move into a nicer neighborhood or buy a house or do other things they might want to do with their lives. So we need to change this. We need to change this for the future health of these people going forwards. One group that we have been relying on a lot is the ex-military.
Ben Newton: Yeah.
Ian Murphy: We've been looking at veterans, particularly in security, to solve problems. And it's a subject close to my heart as a veteran myself. And as somebody who works with a number of charities that help raise money for mental health issues amongst veterans.
Ben Newton: Mm-hmm (affirmative).
Ian Murphy: We have veterans dying daily on both sides of the Atlantic, taking their own lives because they don't see a way out of this for mental health. But many of these veterans are the sort of people that security companies would employ.
Ben Newton: Yeah.
Ian Murphy: Because they're task focused, they're mission focused. They will get the job done at all costs. They're not people who want to turn up at nine and go home at five o'clock.
Ben Newton: Right.
Ian Murphy: You know? If the problem has to be solved, they will stay until they've solved the problem or until they can hand it to somebody else.
Ben Newton: Right.
Ian Murphy: And the problem can be worked on. Now if they've come back from deployment and they've got a physical injury, we can all see that. And people will adapt the office to accommodate them. People no longer point and stare if you're in a wheelchair or if you've got a prosthetic leg or prosthetic arm. But mental health injuries are so much harder to detect. And many of them struggle at times with the pressure, suddenly, that cybersecurity puts on them. So we're having in the cyber security industry to also deal, as we try and push diversity, we're having to deal with mental health that comes into this.
Ben Newton: Yeah.
Ian Murphy: And it's becoming another significant challenge for the industry.
Ben Newton: How do you deal with that? You just make that part of like, you offer those services like, when they come on board?
Ian Murphy: So I'll give you an example from IBM. I was talking to their European Vice President of Security a couple of years ago on a podcast of all things. And we were talking about, how do you recruit for the military, how do you help people make that transition from military life to civilian life?
Ben Newton: Right, right, right.
Ian Murphy: It is a tough transition.
Ben Newton: Right.
Ian Murphy: Even more so today where there's so much expectation. What they do is if you join from the military, they match you with somebody in that department who also came from the military at some point.
Ben Newton: Oh, interesting.
Ian Murphy: Now if they can, they will match you with somebody from the same branch. Army, Navy, Air Force, Marines.
Ben Newton: Right.
Ian Murphy: But at the very least, there will be another serving personnel if they can't match you to your branch. And that person will help mentor you through that transition period.
Ben Newton: That makes a lot of sense.
Ian Murphy: Now in that conversation, they start to understand a little bit more about them. They make it clear that there are services that they can access. Healthcare services around mental health. The big problem with mental health in forces is that it's not always exposed when you leave.
Ben Newton: Right.
Ian Murphy: And armed forces around the world have this problem that if you're a veteran and you leave, if it's not on your record the day you leave, you don't get medical support for it five years down the line.
Ben Newton: Yeah.
Ian Murphy: I know this personally. A family member of mine ended up having to write a book and get his member of parliament involved in order to get treatment for his PTSD when he left the armed forces.
Ben Newton: Wow.
Ian Murphy: In his case, it did show itself for a number of years, but because it wasn't on his record and was, but was clearly related to his service, he wasn't going to get treated at all to begin with. Now, that's where an awful lot of veterans are out there and cybersecurity is pulling those people in. But it's not just the veterans who are suffering from this. It's very easy to look at this and think about veterans. If we look around, we see the same thing with people who are suffering from PTSD, who have served as first responders with our police, fire, ambulance. We see it from all new people working in security. The pressure they're under, we're not paying enough attention.
Ian Murphy: Now, diversity gives us an interesting play here. Because people come from different parts of society, because they have different views, they have different expectations; actually, they will all react slightly differently in a situation. You'll find that instead of this, "I've employed you because you look like me and therefore big men don't cry," people will walk up and ask how you really feel.
Ben Newton: Yeah.
Ian Murphy: Now. It might take a while for somebody to actually tell you how they really feel. But if we don't start that conversation, then we don't get anywhere. So you have this real set of things coming together that can take cyber security so much further. Diversity by all sorts of vectors. Being more human about it. Understanding what the long-term health implications are of the job we want people to do.
Ben Newton: Yeah. Wow, that's super interesting. I lived in DC, Washington, DC, for a long time. Worked with a lot of veterans that were exactly like what you're saying. They moved out of being in the service into security in particular and yeah, no, it makes a lot of sense. And I don't think there's a lot of companies that were, I mean, DC that was just part of the environment, that you hired veterans. It was just kind of a natural, but that doesn't really always extend at least in the US, like outside of DC. So I think that really, that really makes a lot of sense. In particularly in this area, you know, kind of thinking forward, I mean, where, how do you see things changing? What do you see like looking a few years into the future?
Ian Murphy: One of the successes I'm seeing is I'm seeing companies no longer just employing security in their head office.
Ben Newton: Yeah.
Ian Murphy: If they've got offices overseas, they're starting to realize that the only people who can protect their office in Vietnam or China or Australia or anywhere near in Europe.
Ben Newton: Are locals.
Ian Murphy: Have to come from that local environment.
Ben Newton: Right. Right.
Ian Murphy: Why? Because they understand the local culture, therefore they spot some of the early phishing attacks. But then they combine that knowledge, so they're able to talk to each other a little bit more, so that when something happens in a different office somebody can say, "Oh yes, I come from there."
Ben Newton: Yeah.
Ian Murphy: "And I can tell you that this is because of that." And that sharing, that openness of that information is helping to solve that. But that can only come if you've recruited enough people who are diverse enough across cultures to understand where the difference comes from.
Ben Newton: Yeah.
Ian Murphy: The other thing I'm seeing is the openness to looking at where we go back to vocational training.
Ben Newton: Yeah.
Ian Murphy: Yes, we're still struggling to get into those groups that have got the skills that we want, but that's going to come only by outreach. It's got to come by establishing a set of trust between the two. Where it's not working is that people will think it's too difficult to solve.
Ben Newton: Yeah.
Ian Murphy: They will take the easy route, which is, "Well, I'll rely on the CV." If they've not got a CV, if they didn't finish school, why throw them away? So let's talk about me. I left school at 16 with two O levels and some CSEs. I barely rate a US high school GED. Has it stopped me?
Ben Newton: Yeah.
Ian Murphy: But I was lucky. I went into the military and they gave me a home. They taught me the things I needed to do. They showed me there's a way forward. I came out into civilian world and I ran into employers who were prepared to help me go forward, people who gave me some mentoring. As a sports coach now I work with adults and children. And I believe there's a mentoring role there outside of the sport. You treat somebody as a person; you don't just treat them as what they do in that sport. They're not just a forward or a defensive end or a batter or goalkeeper. They're a person.
Ben Newton: Yeah.
Ian Murphy: And they have issues outside of that. So talk to them. Create a safe space so that if you're teaching kids, those kids can talk to each other, and then maybe get an adult involved if there's an issue. Because half the time they have nobody to turn to.
Ben Newton: No, that makes a lot of sense. And providing that structure is a way to, yeah.
Ian Murphy: This is where companies can get involved. They can go into schools, they can start to show themselves.
Ben Newton: Yeah. I mean this could probably be a whole podcast by itself, but I think it's that you're definitely getting into this whole idea that like, businesses should be more than profit machines. You know? Like you, and it actually is better for you as a business to not think that way. Because when you think about bringing in these different groups and reaching out and touching other communities, that's actually good for you as a business.
Ian Murphy: Always seeing the changing of the guard. 15 years ago, corporate social responsibility programs focused on, were we cleaning up our acts? Were we being good neighbors?
Ben Newton: Yeah.
Ian Murphy: That's moved through to understanding more about pollution. It's moved through to sponsoring programs. We have some companies, particularly here in America, in California, who put up a percentage of their profits, a percentage of their employee's time, a percentage of their products that are given to charities to help people out.
Ben Newton: Yeah.
Ian Murphy: They allow their staff to make those engagements and nominate who they want to spend that time with and who they want the company to help move forwards. That generation has moved from being the new entrants in the company to now having been there for 10, 12 years. They're moving into those management and control roles.
Ben Newton: Right, right.
Ian Murphy: And as they move through, we are seeing the shift. You see it with climate change. You see that drive from the millennial generation in particular to, how do we get to grips with climate change. That same generation is also very socially aware in terms of poverty and bringing people on. We've got to hook to that and the sooner the old guard management who sit at the top of these companies who didn't have that when they came up through the company.
Ben Newton: Right.
Ian Murphy: They will never need another penny; they're so comfortably well off. The sooner they realize that there's a shift at the bottom and they recognize that and they change the company and they enable this-
Ben Newton: Right. Right.
Ian Murphy: The sooner you will see change on the street.
Ben Newton: I like that. I think that's a good note to wrap it up on, Ian. As I expected, this was a fun discussion. You took us down some fun routes, but this is really, it was very thought provoking, so I really appreciate you spending the time with us.
Ian Murphy: Thank you for inviting me.
Ben Newton: Thanks everybody for listening and as always, check us out on your favorite podcast app. Rate us and review us so other people can find us. See you on the next episode.
Speaker 3: Masters of Data is brought to you by Sumo Logic. Sumo Logic is a cloud native machine data analytics platform, delivering real time continuous intelligence as a service to build, run, and secure modern applications. Sumo Logic empowers the people who power modern business. For more information, go to sumologic.com. For more on Masters of Data, go to mastersofdata.com and subscribe, and spread the word by rating us on iTunes or your favorite podcast app.