As identified this is a personal blog, delving into the depths of my history with cybersecurity. In full transparency I am new to the industry, but actively learning. At the various conferences I attended in pre-pandemic times I would meet men and women that had been in the industry for years. The more I talked with them the more I realized I actually did have some experience with security, but that even the wisest sages in the room were still constantly learning because the game is ever-changing.
A Geek In The Making
Few people know this, but my original answer to the question ‘What do you want to be when you grow up?’ was ‘In charge of Digital’, as in Digital Equipment Corporation or DEC. My father had spent a number of years at Honeywell, and then transitioned to DEC selling terminals and servers. Going to his office was quite a treat for a kid my age, seeing rooms full of cool technology and posters of various applications of that technology. There was a really cool ‘X’ shaped space jet that always caught my eye, and the company that was hoping to produce it used DEC equipment. My dad must have been the coolest guy in the world.
Adding to the coolness was the terminal and then early PC in our basement, which through a phone line (and with a lot of patience) could connect to the internet. There were several games that I could play with people around the world, never really knowing who they were. Most memorably there was a game with insanely poor graphics and a gorilla that would throw explosive bananas based upon coordinates I entered. My opponent could have been anywhere in the world.
At that time there was little thought of security, if any. It was just an innocent kid in a basement rotating between the GI Joe aircraft carrier and bad computer games. While this was going on I’d watch movies like War Games and wonder if hacking was real. Later, in law school, I read a number of cases involving hacking in the early 80s and was reminded of those days. Sadly, none of the hackers were ‘Matthew Broderick cool’.
Movies So Bad They’re Good And Nerd Threats
Skipping ahead a bit, I grew up as a late Gen Xer, meaning we had the internet in the computer labs in middle and high school. Coach Wagner, the varsity special teams coach, and Ms. McDonald helped us design our first webpages for science projects and navigate the web to find video clips of Tyrone Wheatley and Charles Woodson. It only took three hours just to download a ten-second clip. Just kidding, but it did take forever. Suddenly there was a new world opened up to us.
It might have been various chat rooms, meeting people all over the world. The big threat at that time was giving your contact information to a ‘girl’ online that our parents warned us was really a 35-year-old drifter looking for murder victims. I even remember riding with a friend to meet a girl he met online in the Meijer parking lot, which required parental supervision on both ends. Thankfully the connections were both real people, but sadly no love connection. But the risks were real. Everyone watched The Net with Sandra Bullock and Disclosure and started freaking out about what people knew about us online.
And this was also the time I first received a real threat. During an AP English study session one of my fellow nerds and I got into some kind of dispute. He was far more computer savvy than I was and threatened to ‘bomb’ my email, which he said would basically destroy my family’s computer (just one). My dad, by then working at Oracle, needed that computer, so I was terrified. So I did the smart thing and changed my Hotmail password, which of course made me invincible.
Then Security Became Important
After that I went off to college. My alma mater, Kalamazoo College, used something called Pine at that time, and it was functional but pretty basic. I also spent a year at Marquette University, where the email was by far the most advanced I’d seen at that time. I still remember my password, ‘Remember1’, because I didn’t change it the entire year. When I told one of my classmates that his head nearly exploded. He then taught me as much as he could about internet security.
My first job out of school was at CDW*G, in 2002, and security was often a topic of discussion in our training and with our customers, most of whom were in higher education and local government. I set out calling on police departments, and there was a definite move to be more secure. At that time a lot of it was hardware driven, but firewalls were getting more advanced and other security software packages were introduced to us at internal ‘comdexes’ on a regular basis.
I also worked at a for-profit university for a while before I went to law school. There we were dealing with a lot of personal information, and several insider attacks occurred. It was also the first time the company was actively monitoring our web activity, using Websense and taking time to educate our staff on various forms of attacks that may occur. I even downloaded adware on a computer at my parent’s condo in Chicago and had to call a guy to come remediate the threat.
It was also around this time that I first had a PayPal account, which I used to buy sports tickets on eBay (and one Ghana soccer jersey…long story). PayPal and I became regular email partners because phishing attacks were so regular and they asked people to forward them the emails. I also saw attempted phishing attacks on BankOne (now Chase) and Bank of America accounts I had. Since I’d visited West Africa and flown through Lagos to get to Ghana I also got a kick out of the Nigerian email scams.
Being Secure Is Part Of The Job
It took a few more years for me to really gain exposure to the more current state of cybersecurity. I finished law school, clerked for several judges and the Cook County State’s Attorney Juvenile Division, and all had various measures in place for security. But it wasn’t until I took a job in the State of Michigan Department of Securities as a reviewer of security offerings that I really had a deep dose of security training. I overlapped with Dan Lohrmann, so it makes sense that this was a priority.
From there I entered the startup world, working for VerifyValid, a form of check payment that could be emailed. It’s now known as the Deluxe eCheck, and I learned a lot about payment security and the level of threats that financial institutions face, as well as small businesses and other regular check senders. ACH now terrifies me, and I had an ACH payment hacked, which thankfully was an easy problem to fix. Now I sit on the advisory board of QCheque, another secure joke method, and stay active on the security side of FinTech in a few ways.
I also have been lucky enough to work in the cybersecurity field at BitLyft Cybersecurity. I’ve learned more in these few months and have truly become passionate about all things security. The reality is that business, education, government and almost everything else is done digitally these days, and will continue to be done that way. And the hackers have gotten so much smarter and faster, and even better funded.
While I was already aware of Single-Sign-On and Multi-Factor-Authentication I’ve now learned acronyms like SOAR, SIEM and SOC. And as I’m working remote (like so many others) during the pandemic the need to be secure has become even more top of mind. Zoom calls, the current meme producing gem of our times, are hardly funny with the security and privacy risks. And as a lawyer, there are real legal ramifications and long-term implications of policies being put in place. It’s fascinating to see where this journey has taken me, and guess where it will take me in the future.