We ‘Go Phish’ with Andy Harris, CTO, Osirium

We ‘Go Phish’ with Andy Harris, CTO, Osirium, who tells us about life inside and outside the office.

What would you describe as your most memorable achievement in the cybersecurity industry?

The industry will remember the invention of the MIMESweeper series of products – MAILSweeper, WEBSweeper etc. Personally, there were more challenging inventions and solutions, some of the principles of the Osirium PxM platform are particularly elegant.

What first made you think of a career in cybersecurity?

It was 1987 – the experience of a war dialler looking for modems at the CEGB.  War diallers used to call numbers in sequence to see if they were auto-answered.

If they were answered, the software would check for open sessions and if no session was found they would send an <enter> to see if the login prompt was recognised and from there test well known passwords.

At the time, I worked in a R&D department that developed power station software. The consequences of a breach were clearly unthinkable.

What style of management philosophy do you employ with your current position?

We have a very good team of developers. It often transpires that more than one person holds what they believe to be the correct solution. I see these moments as vital, since one is making a grey decision where there are multiple routes forward.

In these instances, it is the people with the ideas and views that are in the best position to choose the best route. I’m in a privileged position to be around these arguments. My contribution is to ensure that people are arguing about the ideas and not the personalities. I sometime think of it as herding lions – particularly with good people.

Management philosophy changes with conditions and situations. I hold a belief that teams need to change their practices as the number of customers increases.

For example, your development team has a lot of freedom before the first customer but once the first customer starts using a product, the team has a responsibility. This changes again with the second customer because they will be different to the first.

Once a product has five customers, common issues start to emerge. At 10 customers one of the developers will gravitate towards support. At 20, a dedicated support person is needed and at 50 a small team.

Ideas are very easy, implementations are difficult. I wince inside when I’m introduced to an ‘ideas person’. I’d prefer to be meeting the doing person.

There’s also friction to adding features as the customer numbers grow. A good team will try to see into the future in order to deliver an architecture that can adapt.

There will always be features that fight each other and features that you’d like to lose but the customer base won’t allow it.

Most of my experience is in the 0 to 1,000 customer range for significant security software. The MIMESweeper range exceeded 20,000 customers before I moved on. Things will be different for those developing consumer apps.

What do you think is the current hot cybersecurity talking point?

My biggest concern is the view that things are a case of ‘when’ and not ‘if’.

It represents a state of despair amongst the security professionals in the customer base.

IT is growing in complexity and the Internet provides too many public interfaces. This trend is increasing with an ever-growing shortage of security professionals. Thirty years ago, there was a deep respect for credentials – not that we had that many to worry about.

Today the human cognitive load of too many credentials is driving breaches, even in the DevOps community. Witness the recent ransoms for accounts on GitHub, GitLab and BitBucket.

How do you deal with stress and unwind outside the office?

Make stuff, code stuff, laser cutting, CNC and 3D printing. There is always something to learn.

What do you currently identify as the major areas of investment in the cybersecurity industry?

It seems that people have bought into the idea that monitoring is a priority. It is easier to make a monitoring product than a prevention product. Forewarned is forearmed is a useful philosophy, but I believe this comes after defence in depth.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas.)

The main difference is the degree of trust in staff, which in turn affects the degree in which organisations are worried about insider attacks. There is also a difference where organisations have outsourced much of their IT. In these cases, the security posture is dictated by the outsourcers. This can be good, since experience counts, or bad in that any change is a significant cost – more than the cost of the solution.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

Recruitment and remote working are closely tied. In order to get the best people, we need to offer remote working. But this means we need the network bandwidth and tools like Zoom and Owl to get as close as possible to the nuances of being part of a face to face meeting. We pay more attention to the onboarding process. Working on Slack is good and getting better.

What advice would you offer somebody aspiring to obtain C-level position in the security industry?

The quickest way is to start your own company. It could cost you a lot if you fail, but that experience will teach you about how managers feel about sales/marketing and all the non-tech sides of the business.

A safer route is to start at a large company and switch to a senior position in a smaller company and be prepared for the culture shock. Never engage in office politics – learn how to spot it happening and how to put the brakes on.