Infosec Interviews: 10 minutes with Graham Cluley

2014-09-17 at 08.04You may remember last year that I interviewed Lee Munson about his journey from retail to infosec.

As it turned out, that interview was incredibly popular, leading me to interview a range of infosec personalities. As the not-so-old saying goes, go big or go home – so I went big and grabbed ten minutes of Graham Cluley’s time – recent winner of the Tech Blog of the Year award.

Hi Graham, thanks for taking the time out to speak to me. Let’s get stuck in. When you started as a programmer back in the 1990s, did you ever expect to be working in information security journalism?

Ha! No, not at all.

I actually started programming in the 1980s.  My dad brought home a 1K Sinclair ZX81, and I started writing simple computer games and applications on it.  I remember that one of my early programs was a simple word processor (I think I must have had a luxurious but slightly wobbly 16K RAM pack by then)… and I did enjoy writing a lot.

The major problem with the word processor I had written was that I had no way to save documents, so when I turned off the computer (or if someone bumped the table and caused the RAM pack to wobble) I lost everything I had written.  Hey ho.

But at school I imagined that I would do something with English, and studied English Lit at A Level, wrote the 6th form pantomime and ran the underground school magazine.  It was only when I stylishly failed all my A Levels due to lack of revision and too much messing around that I realised that maybe I should try something else.

So I went off to study computing for a few years, which I had always had an affinity for.  Computing was easy for me, and I imagined I would be a programmer forever.  Somehow I have ended up a blogger and public speaker.

Your role at Sophos was a split between being a senior technology consultant as well as the editor of Naked Security. Was there a point when you realised you preferred the journalism side of infosec?

I’ve always enjoyed bridging the gap between the public and (for want of a better word) the geeks.  I think many smart technical people struggle when it comes to explaining what they do in a way that is accessible to the public.  And a lot of the people who are great communicators don’t necessarily understand the technical stuff.  People say that I’m good at being the missing link, so I’m happy to do that.

At Naked Security, we managed to create a very popular blog for a business which only sold to companies. It raised Sophos’s brand awareness to a height which shouldn’t really have been possible for a company which didn’t have a consumer product. It’s flattering to see so many other companies try to emulate that success.

When you decided to become your own boss, did you expect that your independent site would become as popular as it is today?

The only thing which really matters is “am I having fun or not?” I have a low boredom threshold, and running your own site introduces all kinds of new challenges which I would never have had at Sophos. It means I’ve had to learn some new skills, some of which don’t come naturally to me, but mainly I really enjoy being my own boss – capable of making my own decisions rather than have someone else watching over me.  I really enjoy the independence.

My site is fairly popular, but I still feel there is a long way to go and potential to reach even more people. Helping people learn more about computer security and privacy is a great privilege, and I guess I would always like to reach more folks.

You often speak at industry events and sometimes you even sing! Do you enjoy public speaking and do you have a favourite event?

Yeah, I do love singing.  In a parallel universe I would have a residency in Vegas.  Not that I’m very good, mind you.

Regarding events – it’s just fun meeting new people, getting the adrenaline rush of being on stage and doing a good job.  I’m probably my own worst critic and striving to improve my talks and make them more entertaining and interesting.

It sounds like a cliche, but my favourite event is always the one I’m currently speaking at. Once an event is gone, it’s history – time to move on to the next, and try to win over the audience again.

You often highlight organisations that have suffered a breach of sorts but have failed to inform their customers, such as eBay not providing their customers with an easy-to-find link when they were breached in 2014. Do you have advice on the steps organisations should take to notify their customers?

Be transparent, share as much information as possible, and don’t let the lawyers bully you into making decisions which will piss off your customers.  Simply putting your hands up and saying “sorry” goes a long way, I reckon.

Yes, your company is a victim of a criminal attack, but it’s even worse for your customers.  So treat them with respect.  They’re angry and hurt, so recognise that. It is possible to turn a disaster into a positive relationship with your clients by being honest and open.

The increase in data breaches suggests that organisations aren’t getting much better at cyber security. Is there a common failure organisations are making?

Where do you start?

Poor password security (password choices, password reuse), lack of authentication, weak encryption, lack of updating… Often, of course, the problem stems from humans.

If I were to give some generic advice it would be to hack yourself before you get hacked.  Better to put yourself in the mindset of a hacker, and try to find the weaknesses in your organisation before someone malicious attacks your systems.

What’s next for you? A new video, we hope.

I have some foreign travel lined up, but yeah… I’m late with another video. 🙁

In a few week’s time, I’ll be interviewing a social engineering expert. Subscribe to the Daily Sentinel to ensure you don’t miss out.