#9: Joel Scambray

October 28, 2015

Welcome to Episode 9 of the Building a Life and Career in Security Podcast.

Today’s guest is Joel Scambray. If you don’t recognize the name, look on your bookshelf for your tattered copy of Hacking Exposed and you’ll see Joel’s name on the cover. Joel is the founding father of the modern information security profession.

As you’ll hear from the interview, Joel is probably one of the most humble guys that I know and likely hates that I actually call him a founding father. He took a very untraditional path to security career which makes for a fascinating story.

[powerpress] Joel Scambray Links from the show:

[content_toggle style=”1" label=”Show%20Episode%20Transcript” hide_label=”Hide”]

Joel Scambray: We started to build the outline for a book what we’d hope would be the seminal piece of its time on sort of how to break into things and how to fix things, We pitched it to a few publishers and actually we were thinking more of the Hacking for Dummies and actually we’re turned down for that title at the time, again this is mid-90’s, too negative to write what’s going to sell. I guess that was one of those things that I always kind of chuckle at because we opened them, we did publish it and ultimately we did do very well.

Speaker 3: From the jayschulman.com studio, this is the Building a Life and Career in Security Podcast. Now, your host, Jay Schulman.

Jay Schulman: Thanks. Hi, it’s Jay. Welcome to another episode of Building a Life and Career in Security Podcast, the podcast that lets you see how others grew their information security careers. Today’s guest is Joel Scambray. Joel is the founding father of modern information security. Having written the first book on contesting called Hacking Exposed. As you’ll hear from the interview, Joel is probably one of the most humble guys that I now and likely hates that I actually call him a founding father. He took a very untraditional path to security career which makes for a fascinating story. Here’s Joel’s career journey in his own words.

Joel Scambray: I landed on information security by accident if you will. I was a scientist, a biologist by training in school and ended up doing molecular biology in genetics and wound up spending more time on the computers, doing stuff like gene sequencing and protein folding in school. Then I was spending time at the lab bench and enjoying the computing more that after getting a degree in related to science and biology, I went right into IT. Sort of jump ship as it were and really never look back. I guess you try to do what you love and I guess I picked that. Technology had an instant gratification to it, you can build a PC, build a network, wreck a network, cause the problem very quickly and solve problems and there were sort of a good job satisfaction in that.

I get by stumbled into security the same way I moved along the typical arc of system administration and technology, and security was part of my responsibility but never something I honestly took very seriously, all of them to make sure that the firewall was up and antivirus was deployed generally and then I went to work for InfoWorld Magazine where I wound up by chance. I guess my job at InfoWorld was technology analyst and I would write articles about the products and services that I reviewed, and by chance I wound up with sort of a string of security products one year and became one of the security specialist guys around the lab.

Also at InfoWorld I guess the key that I guess a lot of people learn in their career is it’s who you know not what you know. Sometimes I ran into one of my future collaborators and good friend still, Stuart McClure, and we ended up writing a security column together every week and that encourage us to think about security in a very consistent and regular manner. I think deadlines are a great way to focus the attention, weekly deadlines from magazine publishers, that’s the case maybe with InforWorld, it was then. That really got marinated in security from a technology perspective and really all kinds of stuff; policies, procedures, services, VPNs. This is probably mid-90’s and technology was really flourishing, dot com was just around the corner and really it was a great time.

From there, to cut a long story short the rest is history. I journeyed with Stuart with various consultancies, Ernst and Young Stewart. Stuart started another one called Foundstone that some people may know and remember because I joined very early on. From there, really, sort of continued the career and have been doing the same things ever since. Trying to help people solve problems and security, still trying to solve the risk management puzzle and helping people balance the right amount of protection and with the right amount of functionality in business and revenue, all of that other good, positive stuff that us, security guys, sometimes think of as the enemy. I think that’s again sort of the quick story.

Jay Schulman: You probably left out if you would acknowledge the fact that you are security famous. The book that you wrote, Hacking Exposed, I know for me personally that was the very first book that I bought on Amazon.com. How did that come about? Was that directly related to writing the article of the story?

Joel Scambray: It did. I’m glad so you mention and I appreciate the comment. It still amazes me to this day. I was just at Black Hat this week, Black Hat 2015 USA, it got very wide read and it still is. I still run into people. A guy came to me after one of the sessions and said, “Hey, I’ve read this from early in my career. I really appreciate it.” Yes, working with Stuart at Infoworld we, all of the different things we were doing encouraged us one day to think more broadly, “Hey, can we do something more than this,” and we started to build the outline for a book and also some other folks got involved. I think George Kurtz is obviously our co-author on the book. I can remember Eric Schultz at that time as well, he was somebody that we met and he was really inspirational to us in writing what we’d hope would be the seminal piece of its time on sort of how to break into things and how to fix things.

It wound up to be one of those and certainly had been stuff before that. I mean, Ben Farmer’s articles were very inspirational and many folks before that. Some of them were escaping my memory right now but there have been many since of course but I think for our era, I remember meeting Stuart in a coffee shop and sort of writing the outline down. We pitched it to a few publishers and actually we were thinking more of Hacking for Dummies and actually we’re turned down for that title at the time, again this is mid-90’s, too negative to write what’s going to sell. I guess that was one of those things that I always kind of chuckle at because we opened them, we did publish it and ultimately we did do very well with exactly that sort of approach.

Yes, I feel very fortunate to have run into the right people and the right circumstances to allow me to coalesce a whole bunch of experiences and learning and testing into a very focused write up which became Hacking Exposed and I’m still amazed to this day at how far it’s gone and how many people have read it, including yourself. Again, thanks.

Jay Schulman: I’m a one small person. It’s now a franchise, so you last book, Hacking Exposed mobile came out probably in the last year, year and a half. How is it different to write a book today in information security that it was way back when?

Joel Scambray: The process itself has not changed much for paper publishing, that may apply to digital too. I mean, at the end of the day you still have to get a compelling story together and you still have to have the discipline to get pen to paper and put the content down, and do the research to back up what’s your writing. The digital, I guess I’ll use the word revolution, has occurred with publishing. I mean, many more people now are doing eBooks blogs, Wikis webpages, social media and I think that’s really atomized the publishing, it lets the process more just sort of the way the information is delivered. It’s more the sort of continuous model now. I think the podcast that you’re running is a great example of that.

I think people are becoming more used to these higher quality, more on demand and more bite-sized chunks type of forms because they’re busy. I think they want a really straight, direct learning experience on their terms and again, this podcast is a great example. I hope this one specifically, but more generally I know you did an example of that trend, that change that I think is a good thing for the industry and I hope for security.

Jay Schulman: It’s interesting too because I keep these to about 15 minutes solely because the attention span doesn’t go any longer than 15 or 20 minutes. I think that bite-sized chunks is very, very true today. Going back to your career, at some point you actually started your own company. What was the thought process on going out on your own and certainly it seems to have turned out well for you?

Joel Scambray: The thought process is probably pretty typical. We were in mid-90’s and business was booming at Ernst and Young Hitters. We thought we could do pretty well and keep more of the rewards for ourselves and we were smart enough to do it. Fortunately, I had some collaborators, I mentioned a few of them, that were smart enough to do it. I still don’t think I was. I’ve done a couple other startup since then and I still continue to learn about business. I think you have to have that entrepreneurial urge, a real desire to do things your way, a real strong sense of the right way to do things. I say that in air quotes, “The right way is the way you think it should be done.”

It doesn’t necessarily mean it’s the right in the abstract. You learn that as you go in most cases, but I think having that strong urge is one of the drivers. I think we emphasized again on having good collaborators whether they are partners or advisors or key first employees, it’s pretty critical. The entrepreneurial track can be a very lonely one for sure because you’re it’s you against the world. If you don’t have somebody there to help you and, in many cases, fight with you it can be very overwhelming. That’s my two cents on it, have the urge, have the courage and have good supporters.

Jay Schulman: I mean there are probably of that era two iconic firms of its time, AtStake and Foundstone, and you go back and look at the personalities yourself included. You made the point early on in your overview about it’s not what you know but who you know, do you still keep in touch with that core Foundstone group that is broken up and gone and to do so many different things as kind of a whole big crew?

Joel Scambray: I do, not as much as I would like. It’s funny it’s timely, at Black Hat I met Stuart, I ran into some of the original founders, Chris Prosise, Will Chan, there were others of course, George Kurtz. I also ran into Black Hat, that’s kind of our annual pilgrimage as Chris joke to me, Chris would share Austin with me and we run into each other on the plane every year. It’s definitely great to see those guys. It is a very warming experience for me to see them, some great memories. Then I think as you mentioned, some real deep respect, I mean they were the collaborators that I mentioned that really made I think maybe experienced what it was and made the company iconic, I appreciate the word.

I think back to those times and we felt right or wrong, like we were something special and we drove the business that way and we always had a certain degree of humbleness in front of the customers to ensure and I think that ultimately paid off. I think it was definitely a group effort and took a 120% from all of us to build to what it was.

Jay Schulman: I ask everybody the same two questions and the hope is that people who are agonizing themselves over some things, you can hear about other things that people have agonized about, so if you could think back to a big decision that you really had trouble making but ultimately, “Man, it worked out for the best.” Can you think back to something like that?

Joel Scambray: Yes, that’s a good one because there’s been plenty of those. Which one do I think that is the least embarrassing? Which one did work out? You could think about it in two tracks but I guess I would think about on two tracks, that they’re sort of career decisions and then they’re sort of I guess I’d called them the security professionals your decision. From a career decision’s standpoint I made a decision at one point to relocate from California to Washington State, Seattle and that was a pretty scary thing. I grew up in California and lived there for over three decades and it’s really at that time certainly was a big part of my life and I’ve raised a family there, I was in the process of raising a family there and I made a scary decision to pack everything up and move.

I think it was something that, there were more trials and tribulations beyond the move as well in the job that I went to certainly was very challenging in Microsoft and that a whole new constellation of people. This was also right at the time that the Foundstone was being acquired and that was also a very difficult part of the decision was to leave at a very exciting time for the firm, being acquired by McAfee and ultimately decided to do it and take on an opportunity to run a security group, build a security team and try to do that in a context to one of the larger and better known software companies in the world and still is. Despite all of that, I think it is something that’s become my very important part of my background. As you know, I worked with you in the software security space today and that’s a lot of where my experiences in the discipline of software security came from and that would certainly be a very big blank thought for me as an information security professional.

Without that experience, I would have missed out on what I continue to believe is really one of the big important themes of the last five years or decade is the importance of software and software security, and making sure that all of the code that we’re writing for these things, great things from Facebook to iPhones has been operating the way we expected to particularly in the security dimension. I wandered a little bit but back to you question, yes, from a career perspective, taking a risk like that was scary but I think it definitely has paid off for me in terms of diversifying my background, diversifying my network and having me learn a lot of different experiences that I probably would not have having left and to stay in the same place.

Jay Schulman: Up until now I think it’s been for the most part a fantastically fabulous story. Everything going perfectly right, is there a part where if we magically can do it all over again that you would have done something differently?

Joel Scambray: I think one of the things that comes to mind is having a sense of level. There have been times in my career where I have been ambitious in trying to take on the next rung on the ladder, the next role and I have to admit there were some times in my career where I wasn’t prepared for that. I think having a good sense of yourself is important and understanding and building a progression. Having a plan for your career, and that sounds maybe kind of quaint but I mean that in a very individual and personal way. Understand what you’re strong at and where you would like to see yourself in one, three, five years and talking with people in your network that are in those positions and getting information from them about what are the types of skills and activities that you could be expecting to exercise at those levels.

I don’t mean necessarily levels in terms of job ranks, career progression. I think again as I mentioned, there have been some times in my career where I’ve probably gotten a little bit ahead of myself and there have been times when maybe I’ve been underachieving candidly. I’m not pushing myself as hard as I could and I guess I learned as I’ve gone, every once in a while taking an inventory and sticking your head up above the trees and looking around and asking people in different discipline, at different levels, and different types of career paths what they’re thinking about, what they[‘re doing. Different industries, different technology platforms is always good to help understand where your current decision process could be improved I guess.

Back to your question of what things didn’t go well. I found myself in places where I recognized that I’ve probably bitten off more than I can chew and a little bit more preparation would have helped me to get there in the right way versus being in up to my neck.

Jay Schulman: With that, pick out one particular thing that you said in there that I think is just so valuable is when you get this idea of where you think you want to go to go talk to people who are already there because we have this image and I know a lot of people who want to be chief information security officers as an example have this image of what it’s like to be in that position. Then go talk to somebody who’s doing it today and see if that’s really the way it is and really matches up with what you think it is because I think a lot of times there’s a mismatch.

Joel Scambray: Particularly true that the chief information security officer, security leadership role, well in my opinion I guess many opinion is with that role was a bit schizophrenic today, right? It’s somebody that really has to adapt to the business that they’re in. Although there are of course a number of standards and increasingly generalized practices for security, a lot of people are still making this up as they go. I think, yes, talk to people that are there and particularly in security, talk to at least two people that are there and arguably more because they are probably doing it differently and getting multiple perspectives on the security leadership role is critical because you’re certainly going to talk to, I would venture an opinion that you ask three CISOs their opinion on something and I know you had four different answers.

Jay Schulman: I think that’s about how it is. You are absolutely correct. One last question here. A little bit more on the philosophical side because you talked a lot about kind of the origination of the book and it really was the first book that it’s funny to think of it as Hacking for Dummies when it was really the first book that exposed a lot of people to the idea of network assessment and penetration testing and all of that. You’ve talked about today, the issue of being around so much more on software, where do you think we’re going from a security community? You just spent the last at Black Hat. What is the next one to five year look like for information security?

Joel Scambray: I put my chips on where my mouth is I guess. I do think it is software security is, it could borrow the Gretzky phrase, to adapt it, the puck is still going there, you did a spin off on Hacking Exposed web applications I guess back in early 2000s. It sure seem like that everybody understood that applications was where the rubber was hitting the road back then security-wise. Now that tI look back that’s almost 15 years ago and it’s still evolving, in my opinion, too slowly but definitely you can take the recent example of Black Hat with the the Charlie Miller out of vehicles. It seems obvious to maybe restate but it’s worth restating. I mean, everything that we do today lives on software stack whether it’s a Chrysler Jeep Cherokee or a Samsung Android phone.

These things are becoming increasingly critical and the reality is that we really haven’t built or improved the manufacturing process for software as well as we have for some of the other things in our lives that we take for granted. You can take the automobile as example. High degree of safety and performance nowadays after several decades of learning about that and software is just not there. I do think that’s the interesting space that’s really need attention and focus and I hope to continue working in that space to help people improve.

Jay Schulman: No disagreement from me. Obviously, if people want to connect with you. If they like what they heard today, I have another question for you, what’s a good way to get in touch with you?

Joel Scambray: I am on Twitter, that’s a really good way. I think it’s JoelScam, or hashtag JoelScam. I should probably know that. I do tweet decently frequently and I never look at exactly what my identity is but I think you could find me there.

Jay Schulman: We’ll put your Twitter handle in the show notes to make sure that nobody gets it wrong but I think you are correct. I think it is at JoelScam.

Joel Scambray: I have to give a shout out to Jean Kim who is one of the legends of the security industry. He took me inside at, just a quick story, it was Aztec USA when he’s hosted in Austin a few years ago and he said, you’re not on Twitter, we’ll getting you on Twitter right now, he grabbed my phone and sign me up, so apologies if I don’t remember my Twitter handle. It was forced upon me. Thank you, Jean, for that. That was good. Yes, we should edit this and fix that.

Jay Schulman: Not at all. I think it plays out just exactly the way it was. Thanks to Joel for joining us today. There are so many different nuggets of information from today’s episode. Overall, I’d like to highlight the value of communication. Even with Joe writing Hacking Exposed among others, it was his ability to communicate that just made him so successful. If you have comments or questions about today’s podcast or want to join me to talk about your career journey, shoot me an e-mail at podcast@jayschulman.com. If you found this podcast valuable, let me know by leaving a comment in iTunes. Thanks for listening to this episode of Building a Life and Career in Security Podcast. Please subscribe to the podcast on iTunes or at jayschulmancom/podcast.

Speaker 3: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to jayschulman.com.