Welcome to Episode 10 of the Building a Life and Career in Security Podcast.
Today’s guest is Murray Rosenthal. Murray started his information security career in the late eighties, and now works in security architecture for the city of Toronto. Murray talks about everything from smart cities to how he uses his history degree today, he is definitely a renaissance security professional.
Murray Rosenthal: I was trained academically to go into the history field. My wife actually thought that it might be a good idea for me to take up programming. So, I listened to her and enrolled in a nine month programming boot camp in Honeywell.
Speaker 1: From the JaySchulman.com studio, this is the Building a Life and Career in Security Podcast. Now your host, Jay Schulman.
Jay Schulman: Thanks, it is Jay. Welcome to another episode of the Building a Life and Career in Security Podcast, the Podcast that lets you see how others grew their information security careers. Today’s guest is Murray Rosenthal. Murray started his information security career in the late eighties, and now works in security architecture for the city of Toronto. Murray talks about everything from smart cities to how he uses his history degree today; he is definitely a renaissance security professional. Here is Murray’s career journey in his own words:
Murray Rosenthal: My journey in the information security field really started in the early eighties, unbeknownst to me at the time. When I was actually involved in liberal arts and had no idea about the information security profession, I was trained academically to go into the history field. That basically went to a missing course correction in the early eighties when my wife actually thought that it might be a good idea for me to take up programming. So, I listened to her and enrolled in a nine month programming boot camp in Honeywell writing COBOL code. I made it over that hurdle and that really was the beginning of the end in terms of my involvement in the information security profession, though at the time of course writing COBOL code did not have much to do with information security, or nothing at all.
But, it was an introduction into the burgeoning area of IT in the early eighties, and I took my first job as a shift operator in an RPG2 shop where I mounted forms and I started and stopped production programs. A kind of rite of passage or an initiation, if you will, into the field of IT. I saw a job for a QA analyst that wrote software for the property manager, property management vertical, and I applied and I got the job. I stayed there for about four years, I changed roles and became a technical writer in that company and I enjoyed that quite a lot. Then I took a position as a QA analyst in a major life insurance company; that lasted about a year. It was not the best experience, but it continued my exposure in the field of IT in general.
The big move came for me when I signed on as an internal auditor in a schedule A bank auditing IT and InfoSec controls, and it is at that time I started to get serious about the security profession, so we are talking about the late 1980s. So I decided to use it for my thesis designation and I was in that organization, in the banking industry, for about ten or so years. After that I moved on to a major professional services organization and it really started at that point, to lead information security engagements in some areas for major clients, and it was during that time I met John Zachman here in Toronto, who really had a profound influence on me in terms of my understanding of enterprise architecture, which at the time was still being developed. Although John had already published his framework, it was still developing in terms of its overall socialization in companies and the familiarity with enterprise architecture at the time.
As a result of my exposure to John, I began to start to connect the dots on security architecture through John’s work and that led me and him to get together, to the point where he asked if I could come to one of his conferences and actually present on the subject, which I did. I stayed in the professional services area for about two years and then I moved on to the position with the city of Toronto, which is where I am currently. I have been here for the last thirteen or so years, that and my key risk designation during that time, and I made some major contributions in terms of standing up a programmatic approach to information security here at the city, advocated for the CISO role and the establishment of an enterprise architecture practice. I led the security architecture practice for about two and a half years and managed the development of the city’s identity management and the publication architectures.
I tried to maintain a strategic view of information security architecture in the last little while. In 2013 I had a number of articles published by Springer as part of an overall publication on smart data and I was pretty excited about that. That was an interesting experience and I am currently working on co-publishing a book with another colleague of mine on topical security issues from practitioners across Canada. These days my focus tends to be on strategic issues and security affecting the city, the least of which would be cyber security: security in a smart city context, internet of things, big data and security assurance in global co-developments.
Jay Schulman: So that is fascinating, let’s talk about smart cities for a second. What do you think the major risks are going to be, what are we not thinking about when it comes to smart cities?
Murray Rosenthal: I think, Jay, just in general the landscape is so fluid that, I think just organizationally we tend to get ahead of ourselves in terms of really trying to perhaps shift down into second or first gear from third gear, and really deal with what we just talked about. I think what we are seeing is the inability for organizations within a smart city context to really understand that we are talking about what used to be esoteric verticals, whatever they may be. It might be financial, it might be water, it might be electricity. Now having to organize themselves, or orchestrate service [inaudible 00:06:10] within this overall umbrella called smart city, and if these verticals were publishing, developing their own vertical cyber security documentations, strategies, views. What is going to have to happen is a coalescing of these various esoteric products into one overarching one, I think.
That someone is going to have to deal with common threat and to me that is not easily done, but equally so I think it is something that has to come together. So, what we may see is a kind of consortium of various thought leaders from the various verticals getting together to share notes on the subject and develop some kind of standard to deal with these commonly shared risks.
Jay Schulman: I really liked how you phrased that, being multi-disciplinary. So ancillary to that, you have worked in a whole bunch of different areas both in the private sector and the public sector. How do you think it is different today being in the public sector than it is working for a bank, for example?
Murray Rosenthal: I think one of the major constraints that any public sector organization faces, certainly in terms of the size of the city, is budget, and we have to be able to spend a dollar in a fashion that is going to return the greatest investment in security risk management. So, we develop our budget annually, we argue for them, we stand in front of them. Plus we also are faced with the reality that we may not actually get approval for the entire annual budget, so we then have to describe what residual risk will be in the event that we are not able to remediate through funding, and what the risk on the table looks like. That I think is peculiar to the public sector where, you know, the pockets are not necessarily as deep as they may be in the private sector, where funding may be more easily extended, and I think that really is a challenge that I see in my state here in the city. That does not go away any time soon because the pressure on the budget is always there and justifying what to spend on InfoSec is always a challenge.
Jay Schulman: So take me back for a second to the late eighties, when you first got into information security. How do you think information security has transformed from the late eighties to today?
Murray Rosenthal: When I entered the field, there were certainly very robust and well respected security organizations that offered certification and people were getting certified, and I think that management valued those certifications. But the more I think about it and the more I come to work and see what the landscape is like, I think that, the certifications notwithstanding, what management is looking for is people who have some deep experience and have the gray hair to kind of go along with what they say. And I think that what we are really seeing now is a situation where organizations are hard pressed to find people who really have deep experience in an [inaudible 00:09:35] one area, you know, internet of things. How old is that whole discipline in any event, how old is the data, and what we are seeing is a shift toward experience where it may not necessarily be there to have deep knowledge in a specific area.
I do not think we ought to kid ourselves about where we are going to get this knowledge, where does this knowledge actually exist and more than just the knowledge, where is the experience. So, it is not like we can reach into a market where this deep experience exists, we are going to have to I think cobble it together in a fashion that makes sense and fall back on the generally accepted risk of principles. I think that this expertise is going to come over time, as it always does, but I do not think that we can kid ourselves and say that it is there.
Jay Schulman: I mean I completely agree, I am fascinated by the background and the knowledge that we bring every day and so to that respect you are a history major. Do you think you use your history degree today on a regular basis in information security?
Murray Rosenthal: That is an interesting question, Jay. I can say that I use it to the extent that it helps me from a completely different academic pursuit, and that is one of the things that I have learned just generally in life: to be open to knowledge wherever it comes from, and I value the experiences that I had when I was involved in that discipline some time ago. I also, by extension, value the experiences of other people that I come in contact with and try to formulate some idea of how security risk needs to be managed from these various vantage points. I do not come to the discipline with any particular property rights, or intellectual rights, on what I know. It has been a long journey, a very fruitful journey, but I think having the background that I did helps in terms of just being open and being broadminded and being willing to listen and to not dismiss what I hear. I think that has served me well in my career.
Jay Schulman: So let’s go back to that journey, and I ask every guest on the Podcast the same two questions and this is the first question. So thinking back to your entire journey, is there something that you really agonized over or a decision that you really had trouble making, but man, it worked out for the best?
Murray Rosenthal: I mentioned a minute ago, the turning point came when I left the bank and I went into professional services, and I was at a bank for a long time. The decision to move out from that environment into a professional services organization, which is much more fluid, less deep in bureaucratic organization, pretty flat, very nimble, very agile, that was a very good choice that I made at the time, and vicariously it also happened to allow me, as I said a minute ago, to come in contact with John Zachman. So those forces at the time caused me to really see the security profession in a very different and exciting light.
Jay Schulman: So I do not know if this is possible, but thinking back to meeting John and when you met John. What was it that clicked, how did you know that he was the right guy, the right mentor for you?
Murray Rosenthal: It did not occur right away, that moment; it is actually something I have been thinking about a lot over the last little while, and I took pencil to paper and I started to ask myself that question. I wrote down some thoughts: the breakthrough work that John did on enterprise architecture, which influenced my thinking on security architecture and indeed the work of SABSA, is the formalism around the disciplines of enterprise architecture and security architecture, and I think those formalisms around the development of artifacts, be it the notion of primitives, the notion of composites, the notion of an ontology or reification transformation, which John talks about. But exposed in the context of the enterprise it is so huge and so profound that I think those organizations that have grasped what he has done and continues to do in enterprise architecture, and what some of us are doing in security architecture, is really quite profound. So the extent to which we make the architecture authoritative and sustainable through the models that we create and reuse, and the extensibility of those models, and the descriptive representations that these create are the bedrock for the design.
John would tell you that for the longest time we have been manufacturing the organization, manufacturing systems, we actually have not been actually describing them which, if you think about it causes a lot of the problem. Certainly when we talk about security we have systems that are not well behaved, they are not reliable from a security perspective, they may function and do routines over and over again but they are just not well designed. Because they do not have any predecessors in terms of the architecture, so I think these are still early days and John would say the same thing. But I think those are really, really important lessons and I think the earlier that management understands that this is really key, they are not going to argue so much about having these disciplines and new organizations because they are going to understand that it is really like an insurance policy. They are buying or investing in something that is going to manage the risk from the architecture description down into the design and then the eventual implementation of the system automation target.
Jay Schulman: So as not to diminish the moment, it is definitely interesting that it is all in retrospect that you realize that John was the guy to follow. I have certainly seen many of those in my personal career where it is really after the fact that you realize the impact that a person or project or thing made, so I appreciate that. So everything we have talked about up until now has been positive and wonderful; can you take us back to a moment that was not? Something that in retrospect you would want to do over again?
Murray Rosenthal: I have thought about that too, you know, perhaps had I been more organized early on to really start in the journey formally by deciding that I wanted to get into IT. Knowing, for example and consciously being aware of the fact that there was a branch of IT called information security. That early on my career based on the education that I would have gotten, in those disciplines, as opposed to what I did which was basically fall into it. Certain disciplines you kind of just fall into situations, I would caution or coach people who are interested in the discipline in a formal way. To me I think, spending the time being educated and really being consciously aware of what you are doing is going to be a lot, I think, more helpful than simply trying to be a journeyman or falling into situations where you land up doing something or other and to me if I could turn back the hands of time, I would rather do it that way.
Jay Schulman: That is just great advice, thank you, I really appreciate that. Let’s talk for a second about writing a book, because it is either a strange coincidence that a whole lot of people on the Podcast have written books as well, or that is just by nature who participates in the Podcast. But what has driven you to get involved in book writing, to write your own book and to contribute to other books?
Murray Rosenthal: Just to make one correction, I am not sure that I will actually be contributing, I may contribute a chapter, but the idea of the book would be to expose some industry thinking circa 2015, 2016, on topical issues that are top of mind for the key professionals in, at least, the Canadian geography. I think that the genesis for the book was that we need a book. You know, we need a book that people can pick up that hopefully will be relevant to people and to write a contribution from various angles. So, we are thinking about having representation in the book from various subject matter experts in security based on industry [inaudible 00:18:21]. That will cut across the private and public sectors, so we would have chapters that would be authored by various people who have some deep knowledge and experience, and expose the security issues and implications within those various sectors. You know, contemplating having a chapter or two on privacy, we think that it would be a good idea to have privacy ringing in on this as well, since the two disciplines are so closely related. So I am really excited about it; these are still early days, we are still in the concept stage, but I think that once out on the market it will represent what is going on during this time frame from a Canadian perspective.
I am sure that [inaudible 00:19:06] find that similar books have been around on the drawing board in other geographies, to try and explain to readers what some of the issues and pain points, opportunities, risks are from the perspective of those writers.
Jay Schulman: Well, I know one reader does not make a book but it definitely sounds like a fascinating book to me, so I will pick it up. Once again Murray, I appreciate you coming on the Podcast today and thank you very much for participating.
Murray Rosenthal: Well thank you Jay for the opportunity and good luck with the series.
Jay Schulman: Thanks to Murray for joining us today. I realized after interviewing Murray that he is actually the first non-US guest on the Podcast. If you are an international listener, can I give you some extra encouragement to get on the Podcast? I really want a wide variety of people interviewed. So, I would encourage you to do that by shooting me an email at: Podcast@JaySchulman.com. If you found this Podcast valuable let me know by leaving a comment in iTunes, and thanks for listening to this episode of the Building a Life and Career in Security Podcast. Please subscribe to this Podcast on iTunes or at JaySchulman.com/Podcast.
Speaker 1: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe go to JaySchulman.com.