Interview extracts from the first volume of an oral history of cybersecurity practitioners.

Project maintained by MichaelTanji Hosted on GitHub Pages — Theme by mattgraham

The Advocate

One of the evergreen arguments in cybersecurity is the value of certifications. Are they validation of knowledge, skills, and abilities, or are they a rent-seeking scheme designed to promote people who test well over practical knowledge, keep people out of the field, and inflate salaries? Like most issues in security, there is a lot of nuance, but 30 years of experience in a wide range of positions gives John McCumber, a farm boy who found himself walking with some of the pioneers of the field, a perspective few can match.

John McCumber: My job involves advocating for our profession as well as our members, to provide them with insights that address their needs, and to reach out to the 140,000-plus members that we have in about 170 countries. I am able to put a lot of experience behind these efforts. I’m one of a handful of people—maybe not “handful,” but “few”—people who go back 30 years in this industry. Starting in 1988, I’ve had the privilege of having about every job you can have. I was in the military, I’ve worked for vendors and consultancies, in corporations and in the intelligence community; being able to put all that experience and knowledge together and then be able to really try to work to bring professional and insightful leadership to members and helping them address these issues as we go forward, and hopefully try to bring a measure of sanity to it.

What do I do to make all that happen? I deliver a lot of presentations. I write a lot. I’m a textbook author. I put out a variety of columns and materials and content for ISC2. Recently I completed the ISC2 lexicon, which is going to be followed by an Industrial Control Systems (ICS) lexicon and an Internet of Things (IoT) lexicon. People ask what someone with so much experience at working at such a high level is doing putting out primers? Well, I found myself spending a lot of time working on Capitol Hill, and with leaders in the federal government, people who were charged with various roles in cybersecurity. And I noticed a lot of words being written on paper that are used incorrectly … words like risk, and threat, and vulnerability. Not only did these people not know what these words meant, they didn’t realize that there is actually a mathematical relationship between many of these key elements. So, the goal of putting together a basic lexicon was to ensure legislators and decision-makers and lawyers and journalists—anyone who has any kind of influence—is using the right terminology and understanding what those terms mean. It sounds mundane, but it has actually exploded in popularity. In the month and a half since we published the first lexicon, we’ve distributed nearly 6,000 copies. We have universities asking for copies for their students, government agencies asking for copies for their personnel.

It’s 2018 and as much as I try not to be, I’m still surprised that some people aren’t doing some very basic things. Some of it is willful ignorance, but it’s also a function of every couple of years, there is a new generation of folks who have no idea what came before.

You have to keep addressing the new generations. I did a lot of this teaching for the intelligence community and the DOD, and then took many years off and worked with Symantec and RSA and others. I taught at George Washington University so I could keep my street cred valid in academia. But I wanted to get back into education, and we’ve got a whole new generation here of people that I have to get out and touch and show them the principles. What we do is risk management. How do we mathematically mash up these relationships, and why is that critically important? And we’re trying to also instill, and continue to be … not only do we want to make it fun, we might make it entertaining and engaging … but we also want to keep it professional. I think we’ve reached kind of a tipping point in that regard. You go to conferences and you see drinking on stage and how many times people can drop the f-bomb, and I feel like the Spanish Inquisition of information security, which is not the guy I want to be. I mean, people who know me know that I’m not a prude by any stretch of the imagination, but at some point you have to say, “Come on, man.”

The professionalism thing is also more than just behavior. I got pinged on Twitter the other day, where someone was saying they had a 13-year-old who was better than someone who held one of our certifications. All sorts of arguments. I said, “That’s very interesting. Let me tell you the last job I had before I came over ISC2. Just one aspect of that job was to define an identity and access management program. This included doing vendor selection criteria, developing policies around the enforcement mechanism, and managing the program after vendor selection, implementation, testing, etc. This is for a 40,000-seat installation.” I said, “Bring me the 13-year-old who can do that.” Hey, look, if you’re really good at a very specific thing, that’s great. There is definitely a demand for people with in-depth skills, but that isn’t the sum total of this business, and it certainly isn’t the only way into this business.

One of the things that I really like doing here is going out and running down barriers to entry. Of course, people think that’s an oxymoron for me. They say, “Wait, you ARE the barrier to entry!” We’re the certification you love to hate. And I can see that point of it, but if you didn’t have us, you’d have to come up with something like us. This isn’t just about certifications. There have been dramatic upheavals in education and training globally, and certainly dramatically, in the United States. And cybersecurity is in many ways a bellwether. I’ve got two programs going on, one in North Carolina and one in Virginia that focuses on veterans, working with them to get our certifications. We had 200 of them in Virginia last year alone. I’m working with the state of Massachusetts to work in underserved communities, community colleges in underserved neighborhoods, giving young men and women an opportunity to take a look at this career field.

The battle between the folks who like certifications and those who don’t can get pretty heated. The CISSP credential, in particular, is singled out by a lot of folks as not worth the investment. One of the things that I don’t think people understand, and I’ve worked with plenty of people who don’t have certs and will never get a cert; but part of the idea of a certification is not to declare the certified person is better or worse than the non-certified person, it is both a reflection of commitment, and a tool for people who aren’t experts. If you’ve got to hire at all, much less hire at scale, you don’t have the time to work the underground, to talk to a candidate’s peeps, to peruse their GitHub account. Certifications serve as a filter, if for no other reason than liability purposes. How do you combat this sort of thinking?

You made some great points. Liability is critical. People don’t think about the fact that if you earn the credential and sign on, you have to agree to adhere to our code of ethics, like the law or any other profession. Some people might think, “So what?” I’m not saying that raising your hand and swearing on a religious text or something is the answer, but it is at least a start. and we’ve stripped people of their credentials for violating our code of ethics.

Of course, people are going to make the comparison to guilds in the twelfth and thirteenth centuries, but this is an internationally recognized certification. It’s done to strict ANSI standards. One of the challenges we run into here, is how do you distinguish one certifying body from another? There’s one company that runs at least 100 courses. And when you’re done you’re a “certified expert” in whatever. I think that’s interesting, but without experience, without a code of ethics, without skills training—not just education—but skills, and bringing all that together, I don’t know how you can make that claim. Certainly not after a 40-hour session in the classroom. I wouldn’t hire a plumber or electrician that only had 40 hours in a classroom and that’s it. We try to make sure people understand these factors as a part of the value proposition, and to maintain currency, so that it remains a nearly indelible mark on their resume like a college degree—it’s not a college degree—but an accomplishment with some permanence that is widely accepted.

People say the whole thing is a mile wide and an inch deep. I say, you know what’s really important to keep in mind? This career field is a mile wide. If you don’t know that, if you think those other domains are to be laughed at, the point is again, “Bring me the 13-year-old who can successfully complete all of the elements of an enterprise-level, security capability deployment.” Especially as you reach beyond journeyman’s stage in your career, it’s important to be able to demonstrate an ability to work with other professionals because none of this gets done in a vacuum.

So, let’s roll the clock back a little bit. How did you get started in security? Complete accident … like a whole bunch of other people. It was 1987. I had been enlisted for a number of years. Got myself an education in my spare time and got a commission. I was running four data centers for the Air Force at Hanscom Air Force Base, which is outside Boston. I had a pair of VAX-11/780s , and my best coder lived in Nashua, New Hampshire—Technical Sergeant Ray Delong. He would have to come in at odd hours all the time, and if you know anything about the traffic around Boston, you know what a nightmare that was. So, I said, “We have some money in the budget. Let’s set it up so you can dial in, so when something comes up on the weekend, you don’t have to drive 50 miles, work for 10 minutes, and then drive back. Within a month I was being contacted by the Air Force Office of Special Investigations, to be told that these numbers I had assigned these boxes had shown up on a hacker bulletin board. And there was this guy out there who was known on the bulletin board as Erik Bloodaxe.

I know Erik Bloodaxe.

I do too. He’s probably not happy that he knows me. I was involved in that case, and I went looking for everything I could find on computer security to serve as a reference, and guess what? There was hardly anything written on computer security. There was one book I could find called Security in ADP Systems. We called it the Green Book. I think I have a copy somewhere in my attic. Back in those days, you know this, you had a gray phone and a black phone on your desktop. So, I picked up the gray phone and started calling around and found out there was this place called the National Computer Security Center. So, I did what any other curious young Lieutenant would do. I called them and started talking to this guy, and he goes, “Do you know where you’re calling?” I said, “No, but I need computer security help. I don’t know where else to get it in the Defense Department. Are you at the Pentagon?” He said, “No, this is Fort Meade.” His name was Lieutenant Colonel L. Gary. He passed away several years ago. We ended up becoming fast friends, and a couple of months later he showed up near Hanscom and said, “Let’s go out to dinner.” And we sat down and, as we shared, you know, our backgrounds, experience, he goes, “You need to work with me.” And so I was hustled off a month later for two days of polygraphing and everything else and then in early 1988 ended up at the National Computer Security Center (NCSC).

Very cool.

Oh, it gets better. Because I ended up working at the NCSC and because I’m military, I was a Captain by that time, they put me on to support the director and his military staff. One of the guys that I supported up there was a guy named Bob Morris.

No kidding?!

Of course, everyone in this business knows his son, RTM , but back then I was a military guy, and I was always in early, and I had been warned by the Director that Bob hadn’t got the message that you couldn’t smoke in government buildings anymore. If you’ve ever seen a picture of Bob, I mean, if you saw him on the street you’d give the guy a dollar.

Paul Erdos, the homeless mathematician.

Right. So, my second language is German, and we’d sit around and speak German, and when he got tired of that he’d switch to French. And then he’d get tired of that and switch to Spanish. Brilliant guy. But one day I smell smoke coming out from under his door. I went over there because it was part of my job to take him out of the building when that happened and walk with him to the smoking area. So, I went to get him, and he says, “I need you to come in here and shut the door. Something happened last night.” And that’s how I learned about the Morris Worm. It was a real, life-changing moment for me. So, I’ve had a really interesting career. I mean, I’ve met Peter Norton, I’ve met John McAfee, I watched Clifford Stoll crawl around the floor of the Pentagon showing the Undersecretary of Defense what took place in a book he wrote called The Cuckoo’s Egg. So yeah, I’ve just had a great career.

You spent some time at Trident Data Systems way back when, which if we had to divide the information age up into eras, Trident , RipTech, and a few others were the first generation of cybersecurity companies. The dot-com bubble inflates, and then bursts, and no one remembers these guys. What parallels and differences do you see between the security industry today and the industry that it was almost 20 years ago?

The big difference I see between those days and today is the universal aspect of things. I went to Trident right out of the Air Force. Trying to explain to people what I do, they stood there like dogs with their heads cocked to the side. “Well, it used to be called COMPUSEC, now we call it INFOSEC, but it might also be called information assurance. You just know there was someone at the Pentagon furiously typing out acronyms. It was a great place to be, but it was a burgeoning market back then.

Then, of course, the tech industry in general blew up. I used to get Wired magazine delivered to my house, and it weighed as much as a Boston yellow pages. My favorite cover of that magazine ever was called “Big Long Boom.” I don’t remember what year that cover appeared, but they assumed this party was going to rock and roll forever. No one predicted the crash. So, the early pioneers of like the Wheel Group and Trident and RipTech are what started this whole crazy trend in security.

Chapter 3: The CISO

To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at