Unusual Journeys into Infosec Featuring Rik Ferguson

We join Rik Ferguson (VP of Security Research for Trend Micro), as we explore his unusual Journey into infosec.

Unusual Journeys into Infosec Featuring Rik Ferguson

Its that time again, where we explore another unusual journey into infosec, so sit back and relax as we uncover the TTPs, motivations and operations of this very special guest. This week we are joined by Rik Ferguson who is one of the few people that need little introduction, especially if you have worked in infosec for a while.

Little did he know before writing this article that I've been a fan of his for a while (I think he might know now). In this interview we cover a lot about what it was like starting out in infosec in the 2000's, and some of the challenges today. I really enjoyed this interview, and hope you will find as interesting and thought provoking as I did.

Rik is currently the VP of Threat Research of Trend Micro, welcome to his Unusual Journey into Infosec.

Rik on Twitter, go and follow him!

CyberSecStu (CSS): If you are new to the Unusual Journeys into Infosec articles, the vision for the series is to provide stories and inspiration for those who may have not considered, or may be struggling to find a path into Infosec!

My vision for this article (or series), is to help break the illusion that you have to follow a certain route to have a career in infosec. Where did your journey begin?

Rik Ferguson (RF): Well, OK so I am old (although not quite as old as the hills) so my journey started in about 1981. The computer room at school was full of wardrobe-sized machines, punch-cards and ticker tape. It was esoteric enough to get me thinking about computers, but my interest was really sparked in 1983 when I got my first personal computer, a ZX Spectrum 48K. These things cost a mint by my family’s standards at the time and in all honesty, the only reason I got one was that my grandmother had died and my parents had inherited enough to pay for our first holiday abroad, a Casio keyboard for my brother and this rubber-keyed exercise in dexterity for me.
I took out a subscription to Your Computer magazine, hooked the Spectrum up to an old black and white CRT TV that I had found in a jumble sale, plugged in my cassette player and got stuck in. Not sure how much story you want, but that started me on the path of learning BASIC as a programming language, which was further developed by taking an ‘O-Level’ in Computer Science in 1986, by which time my home computer was a Burroughs B21 (my dad worked there).
Found this, my Computer Studies O-Level exercise book. 1984
RF: So that was how my “interest in computers” started, but it never really went beyond that. I got distracted by games, music, acting, girls and life in general. When the time came to apply to Uni (1988), I hadn’t touched a computer for two years and ended up pursuing a degree in French, for no other reason than I seemed to be good at it without trying very hard.
So I got my degree in French and graduated in the middle of a recession (1992), to the point where my dad was made redundant. So the chances of fresh graduates finding a job were slim to none. I applied to any company that had anything vaguely French about it “Pain de France”, Norbert Dentressangle, Renault car dealerships (seriously) and I still have a folder full of the rejection letters I received. Most of the applications were on spec as there were no jobs advertised. I was lucky enough to get to the final 2 being interviewed for a job at the ad agency Publicis and had to travel to Paris, but I never got the job. The future could have been *so* different had I been successful at any one of these.
So I took any job I could get, teaching English as a Foreign Language and taking French kids on tours around London and Stratford-upon-Avon, the night shift in a bread warehouse (the most soul-destroying job by far), barman at several local watering-holes and assistant manager at one of them, where I lived up in the roof. Eventually I decided enough was enough and that I might have better luck abroad. As my TEFL duties came to an end one summer, I hopped in the bus that the kids were returning home in, took my £60 life-savings and a suitcase off to seek my fortune in Paris.
In Paris I managed to find myself a job in WHSmith, right in the centre, a 6-month contract working down in the basement. My main responsibility was carrying boxes up and down stairs. When a friend from Uni moved over too, we shared an apartment in the 15th arrondissement and had a whale of a time. I was a box-carrier by day and singer in a rock band by night. We played for beer mostly!!
Eventually my dad got sick enough that I felt that I had to return to the UK in 1995, which meant that I had to start (again) looking for a career. And still computers were the furthest thing from my mind, I hadn’t laid hands on a keyboard since the first year of Uni, but had become fascinated by the Minitel system in the most affluent of French homes :D
As it turns out though,  my first job on returning really honed my social engineering skills. It was my responsibility to cold call enterprises around the world, construct an organisational map of staff and responsibilities, and eventually get into conversation with the right person who I could coax into telling me about their future investment plans inside the UK.
My employer sold this information and published a magazine aimed at corporate investors and those that wished to attract them. The job was awful, but for the first time in years I was back in front of a PC (green monochrome screen).
I hated it, I lasted 6-months, but my next job was the one that I consider the actual beginning of my career. And without all that had gone before I would never have scored the job. In fact I nearly didn’t anyway, my first application was rejected without an interview, so I simply applied again! :)

CSS: This is amazing so far!

RF: The next job, was the one, if I look back now, I can see it all started. Although initially it didn’t feel that way. This was 1994, I got a full-time job as a “Telebusiness Communicator”, posh word for a phone jockey. Theoretically I could have been put on any telephone based job, as my employer was an outsourcer, running phone-based projects for other companies. The job I had (twice), applied for though was that of European Tech Support on behalf of their IT client company, which turned out to be Tektronix.
I got the job based on the fact that I was fluent in two European languages and “knew a bit about computers” I was staggered to find that that “bit” actually was far more than most of the other successful applicants, but then back in 1994 there was no cyber. What it meant though was that I had found a role I could both shine in and get passionate about.
1995, learning about flatbed scanners
RF: We were providing tech support for networked colour printers and X terminals. I had never in my life come across *nix operating systems, I had used an Apple (pre MacOS), my home computers and that was about it, but the theory wasn’t foreign to me at all, only the language, and I was *good* at languages.
In the first few weeks we had a lot of “telephone training” which I regarded with utter cynicism at the time, I mean how hard is a phone. It wasn’t long however, and certainly with hindsight I can really appreciate all the tools I learned, establishing rapport, matching the customer, controlling the conversation. This was all new to me, but it was all new and different ways of being a hacker.
From a technology perspective I was in at the deep-end. Troubleshooting *nix environments and networks, learning IP networking, subnetting, figuring out other people’s mistakes in those areas. The world back then was so much more diverse, TCP/IP was a choice among several and Wintel didn’t rule my world. Our graphic arts customers were heavily Mac-based, our CAD/CAM were *nix and most of the office environments were Windows.
So I dealt with AIX, HPUX IRIX, WFWG, NT3.51, Novell Netware 3, Token Ring, AppleTalk, EtherTalk, IPX/SPX. I had to pick it all up from scratch and then learn how to fix other people’s mistakes… remotely. Through my time in that role I saw the release of NT4 and Novell 4, the standardisation around TCP/IP and the slow decline of *nix in the workplace. I learned how to troubleshoot from network captures, with reference to RFCs and how to sight read PostScript.
Tech support at a .com in 2000
It was an era defining era and I stayed with Tektronix for 6 years until the new Millennium saw them acquired by Xerox and my job moved off to Dublin. I opted not to follow the job and after a very short stint in support in a collapsing .com I found myself working for Network Associates (now known simply as McAfee) and my journey into pure play security had begun. I found myself back at square one, a great grounding in networking and troubleshooting but nervous as hell about supporting Gauntlet Firewall, PGP encryption and VPN clients, Cybercop and a bunch of other technologies.
Network Associates 2001 at my desk
So, there, that’s the beginning per se. What else can I tell you?
I will say that coming up through tech support has been a fantastic route into the industry. All I ever saw, for literally over a decade, was broken stuff. I had to work out why it was broken and fix it, all mostly without ever laying hands or eyes on it directly. No one ever comes to you with something that is running as it should. On the negative side, tech support is *really* hard to break out of.

CSS: This is amazing! So what advice would you give to those starting their journey into infosec?

RF: Jokingly the other day on Twitter I said it was “use moisturiser” and I stand by that, although I will give you something probably more helpful and less flippant.
What you don’t know at the beginning of your journey doesn’t matter *in the slightest*, even if one of those things is your destination. Whatever you learned in education will be out of date before the ink is dry on your CV, whatever you taught yourself will be proven wrong a hundred times over, and anything you packed for the journey will have been taken care of by someone else.
What matters is *who* you are. Are you tenacious? Do you think outside the box? Can you always come up with a “what if”? Can you build a structured set of questions without anticipating the response? Do you want to make the digital world a safer and more trustworthy place to live, work and relate? If any one of those things is you, then just keep following your feet and your heart, this is such a wide open field, so full of possibilities and potential that there is room for people in their infinite variety, armed with nothing more than a desire to contribute.
Now if only we could take care of the gatekeepers...
When I left tech support and went to work for EDS as a security and privacy architect, I had no experience in that area. I just had the confidence that I had seen enough badly built or broken scenarios that I must have something positive to contribute. And I did.
When I left EDS, to go and work at Trend Micro I had never once set foot outside the backroom, professionally speaking, and didn’t expect to at Trend. Your career will consistently bowl you a googly (there’s an expression which hasn’t aged well into the internet age). There is nothing you can do to be prepared, other then invest in your own self-belief. If you opened your eyes this morning, you’ve got this.
Possibly my first ever public presentation.

CSS: Really interesting, you mentioned gatekeepers, what do you think the industry needs to do to improve gatekeeping, especially for those starting out?

RF: You’re not going to stop people from having opinions, and rightly so, we are all entitled to them. If there are people out there who seriously feel that someone like me has no place in our industry, well good luck to them in solving their skills gap issues.  
What we need to do to combat those gatekeepers, as an industry, is twofold.
We need to to continue to be the moderating voice of reason, we cannot combat an extreme position through conflict, and we need to make sure that our industry is a welcoming environment that values and celebrates the unique contribution of every practitioner.
We need to celebrate the strength that we achieve through diversity of thought, gender and outlook. We need to recognise and put a stop to restrictive hiring practices and unreasonable job requirements by building routes into the industry through hiring programs and training courses open to all.
Trend Micro is already on this and I am happy to talk about these initiatives with anyone seeking to emulate them. And importantly we need to continue to engage with those gatekeepers to help them understand the true value of a diverse workforce, in print, online, in interviews and through celebrating our success stories.

CSS: Couldn't agree more here Rik! What's the best advice you've been given AND/OR you've given to someone?

RF: Some of the best advice I have been given has always come from my mum and there are a couple that stick in my mind. When I was leaning to drive I was nervous of being in control of such a big chunk of speeding metal, I was used to my 50cc Gilera.
I told her I was nervous about having so many things to do at the same time and she replied “You don’t have to do them all at once, just one after another in the right order”. That really struck a chord and has stayed with me ever since.
The other one was about school. Let’s just say I had trouble with authority and would often find myself arguing my corner with teachers. To help me stay out of trouble my mum had to come up with another gem “It doesn’t matter what anyone else thinks as long, as you believe in yourself you don’t have to persuade anyone else”.
Also John Leyden in his days at The Register, when I first started my public facing role told me “Never read the comments”, I’ve failed a couple of times so I know how right he was.  
As for the best advice I’ve ever given? Probably “Leg it”!

CSS: Hahaha that's some sound advice there! What do you think companies should be doing to attract more people into the industry?

RF: A few things. It’s clear that even a CS degree rarely does any more than touch on security, so even among the “potentially interested” there is work to do.
Work in partnership with educational establishments local to where you have offices, offer graduates a free security training course, hire the best fits for your organisation and introduce the others to your business partners and professional community.  But it’s critical to reach outside our own echo chamber, so many people have skills and passion to offer the industry but have no idea that our industry needs them.  
Implement training courses designed to root out the skills you are looking for as well as offering a solid security grounding. Flyer local gyms, coffee shops, invite people who are looking for a life change or just a fair shake of the dice. Hire the best into a rotational program within your org, allow them to find their niche and flourish. Those are some pretty solid suggestions.
At my first Gartner Summit in Cannes, misunderstanding Safeboots (2009)

CSS: I really like the idea of expanding the search outside of our echo chambers, it's music to my ears. So what's the one thing you are most proud of, and why?

RF: I’m guessing you mean professionally? That would have to be the video work we have done at Trend Micro, particularly the interactive games, we made "Choose Your Own Adventure" video way before Bandersnatch here:
(http://targetedattacks.trendmicro.com )
And here:
It’s not just the finished article that I am proud of, but that we have since been approached universities and businesses asking us if they could include in their degree programs or internal training schemes.
It feels like we made something uniquely valuable. Since then we have also been approached by a large financial organisation to make an in-house version and more recently by an international cooperative organisation with a view to making some for them.
I also thought our Project 2020 Sci-Fi web series (2020.trendmicro.com) was pretty amazing, and we won a whole lot of awards and trophies for it, including the World Media Festival and Cannes.

CSS: These are pretty darn awesome! So final question what's the one thing that's stood out to you over your career in infosec?

RF:The one single thing that makes all the difference is having a good employer, whether that’s yourself or a company. It is those around you and the corporate culture they are a part of that are the deciding factors in your success. If you are  in a company that respects you as an individual, that understands that you do not live to work, that allows you to find your niche and to flourish in it, or that encourages you to be the best part of yourself then you are set up to succeed.
Like Fort Minor said, “This is ten percent luck, twenty percent skill Fifteen percent concentrated power of will, five percent pleasure, fifty percent pain And a hundred percent reason to remember the name (of your employer and recommend them to others)” :)

CSS: Amazing, I've loved this interview. Is there anyone you want to shout out to, or anything you want to say?

RF: Right then, I’d really like to thank Trend Micro for being all the above.  Big hugs to all the friends I have made in this industry. Despite the horror stories, the huge majority of us are unarseholes and allies. I raise a glass to the lifers and the innovators, the women who have been there from the start and those that are blazing new trails. If you love your music, buy it don’t torrent it, support your local artists and above all support your local venues.
If you see me at an event I am really awful at small talk and actually relatively introverted, so please come over and say Hi. I’ll be the one in the corner. 🤘
Thanks so much for giving me this opportunity!

CSS: Seriously, thank you so much for sharing your story, its been super awesome!

There is a lot to take from this journey, mainly that its your attitude that's really important, can you solve problems? Think outside the conventional box? Also its really nice to hear about the route from IT Support>Infosec, I personally think this is one of the best routes into infosec, due to the fact you have exposure to incidents, dealing with issues, and an insight into the dynamics of business.

Gatekeeping is still an issue (although it has gotten better), and we as an industry need to work with those that are asking for all the certs and 5 years experience for an entry level role, to educate them on what skills, attitudes, aptitudes and diverse backgrounds they should be looking for.

Finally Rik is a fount of knowledge and his interview is filled with so many gems of Wisdom, I had to read through this a few times to make notes of them all, there is lots to take away from this article. Finally I had to include this image Rik shared with me!

I have so many questions here Rik!

That's all for this week (month maybe), don't forget to share this on Twitter, Linkedin etc.

The awesome image in this article is called Metal! And is by Henrique Athayde go check out their work.