Ford returns to the vendor world, where he previously had roles within Zynga, McAfee, WhiteHat Security and FishNet Security.
What attracted him back to the vendor side of the industry is Rapid7’s “great passion for the research community”, allowing him to continue the relationships with research professionals that he developed during his tenure at Black Hat. “Rapid7 is here to make the industry better, and passion comes first”, he said of his new employer.
“When news of Heartbleed broke, we leapt into action and ran a webcast before we even understood fully what was going on”. It’s this cutting-edge attitude to research that Ford found irresistible about the company.
It’s the people in the information security industry that Ford considers to be the industry’s magic. “[Information security] is a calling. The people are selfless, driven and misunderstood”, he says referring to the failure of the industry to market itself effectively. “We’re so good at what we do, and we work to make the world a better place. We need to market that better”.
The passion of industry professionals whilst inspiring, can also develop into one of the industry’s greatest downfalls, according to Ford, and that’s what he terms “burn-out”. He also criticises the industry for valuing technical skills above everything else. “[The industry doesn’t] elevate ‘cross-training’ enough, and this makes it hard to make the jump into management”, he said.
“We also have a habit of assuming that everyone knows what we know”, says Ford, calling the industry’s assumption a “curse of knowledge”.
Cybercrime is a Vertical Sector
Discussing the evolution of cybercrime, Ford deems the kill-chain “a worthwhile concept”, drawing comparisons with the aviation industry where “everything is checked four times. There is wisdom in a basic [cyber] kill-chain”, he told Infosecurity.
The attack landscape, said Ford, is pretty much the same as it was ten years ago, with age-old attack methodologies like drive-bys still working. “It comes down to economics as it always has, and now cybercrime is a vertical sector. You no longer need to be as skilled [as a hacker] to get in and hammer down the door”, he said, referring to the simplicity involved with buying an attack toolkit.
“It’s easy to social engineer human behaviour. Hackers no longer need technical skills, they just need to be able to manipulate people. If you can buy a technical toolkit and do it the easy way, why wouldn’t you?”
Whilst the black hat community may be lacking in the technical know-how that it once needed, the white hat community is not immune to the skills shortage, considered Rapid7’s Ford. “There is a very small population of really talented high-level cybersecurity professionals.”
Focussing on the basics will reduce the “need for super advanced controls”, Ford told Infosecurity. “We need to educate to the point where our mums get it, and take the [infosec] message outside the room. The general public need to understand, not just industry. This needs to be our next big movement”.