Michael Hill meets security super blogger and all-round nice guy Javvad Malik to learn how he became one of the most well-respected and genuinely liked individuals in the infosec industry
Javvad Malik has an infectious friendliness, warmth and sense of humor topped with a passion and excitement for our industry.
He was one of the very first people I was introduced to when I first forayed into the information security journalism sphere back in early 2016, and he has remained a trusted, reliable and insightful source of knowledge and support ever since.
By Infosecurity’s own admission, it does feel slightly amiss that it has taken until now for us to shine the profile interview spotlight on Javvad’s career endeavors, but as the old adage goes, there’s no time like the present. So here is it, the story of how the North-London boy became the man, the myth, the legend that is Javvad Malik.
Biking to Banking
Javvad’s early passions saw him spend much of his time as a child exploring outdoor pursuits of a more sporting nature than the technologically-inspired exploits that have played such a pivotal role in his professional career.
“I did have a computer at a young age, and I enjoyed it for the games and stuff, but I was never what you’d describe as a hardcore techie or somebody who was really interested in coding or those bits and bobs. I was more into playing football and riding my bike.
“BMXs were big things back then and, not too far from my house in Edmonton, there was a BMX track with all the steep banks and jumps that my friends and I would always go to.”
It wasn’t until several years later when Javvad was mulling over his university degree options in the mid-90s that technology would begin to have a greater impact on his life.
“I had quite an interest in doing business studies, but I also realized that computer science was one of these up-and-coming things that was starting to have an impact on more and more parts of life,” he says.
Javvad explains that his cousin, who was working in trading at the time, advised him that “the future is computers” – and with that guidance in his mind, he opted to pursue a degree in business information systems at the University of North London.
“That was the combination of some business studies models and some computer science modules – without the ‘hardcore’ computer stuff. I really enjoyed that – it just suited me perfectly. It was all about how to practically use computers in business without going into anything too heavy.”
That four-year degree also included a year-long work placement, which allowed Javvad to not only hone his business-related computer knowledge through his studies, but also gain his first experience of the full-time working world.
“I applied anywhere and everywhere for that work placement, and I managed to land a job at a bank in its IT security team,” he says. “To be honest, before joining, I had no idea what IT security did, but once I was there, I enjoyed it immensely. I did enjoy college and university, but not half as much as I enjoyed my work placement.”
Through this placement, Javvad caught the security bug and, a year later upon completing his degree, he was back at the bank as a permanent employee, working within a small but tightknit team of people securing the IT infrastructure.
“That was the golden era of working in IT security – you had the opportunity to learn everything and make as many mistakes as you needed, as the impact wasn’t as great as it is today. Now, you really can’t afford to make any mistakes because the fallout can be so huge.”
Javvad spent the best part of six years at the bank, and he says that time was “critical to who he is today in many ways. That was probably some of the best learning of my career. The fact that I was there before we had any real automation or tools that could do things for you allowed me to understand how and why you do certain things. You can always tell when people haven’t actually had that hands-on experience, because their advice is often divorced from reality.”
“It’s the art of storytelling and the creative process that I really love”
A Smooth Operator
Whilst Javvad looks back at those five/six years with immense fondness, he admits that, around 2006, he had hit a glass ceiling in his professional life, and he describes that it was the arrival of a “smooth operator” at the bank that inspired him to take the next steps in his career.
“We had a contractor join us for a project, and he really knew his stuff, but more than that, he was just such a smooth guy; he was very good at stakeholder management. He knew how to speak to people – he could charm the pants off every project manager. I was in total awe! I was like: ‘you’ve got to teach me your ways master.’”
So what was the key ingredient to being such a smooth operator? It all came down to “people stuff” Javvad says – that is, the ability to effectively and confidently impart a message onto an audience.
“He said I should start contracting – but I thought there was no way I could do that – I didn’t know enough. He said just work by the two-week contractor rule; if there’s something you don’t know, say you know it, and then you have two weeks to teach yourself how to do it. He told me that if you can do that – and most people can – you can be a contractor.”
So that was how Javvad took his first steps into the security contracting sphere, something he describes as a step away from hands-on IT security to encompass far more responsibilities. He picked up a contract for a year initially, honing various people-related skills, before opting to head back to full-time work when the second of his four children came along.
“I got cold feet slightly and I went permanent again – at the same bank, but in a different department – for about three years,” Javvad explains. “This time, I was working in the internal security consulting team, and it allowed me to use the skills I had picked up in the year or so I was contracting. Unlike the first time I was there, I wasn’t doing any hands-on technical work, and was mainly engaging in assurance activities.”
It was during his second stint at the bank that Javvad first threw his hat into the regular security blogging domain – putting pen to paper in his spare time to share stories on a wide range of security topics in an engaging and entertaining fashion. This is something he would later become synonymous with, and a passion of his that will I divulge later.
Back to his day job, and the appeal of contracting would see Javvad having another crack at going solo as a consultant in 2010.
“With contracting, you’ve got so much more flexibility; you can choose your clients, move around more...and it pays more! You can gain more experience in a shorter length of time.”
Javvad contracted at several different banks and companies in the energy sector until 2013 when, quite out of the blue, a fellow industry pioneer and Infosecurity profile interviewee reached out to him with an enticing new opportunity.
Loving Every Day
“I was contracting happily – and had been blogging and vlogging for around five years too, under the brand Infosec Cynic,” Javvad says [his personal blogging moniker would later change to J4vv4D.] “That really started to get my personal profile out there and Wendy Nather, who then was head of security research at 451 Research, had seen some of my videos and read some of my blogs. She asked me if I would like to become an analyst at the company.”
Although he was intrigued by the offer, he admits he initially “had no idea what a security analyst did.”
Once he learned that the role would allow him to research, write and speak extensively though, he was very much on board. “I think Wendy probably had far more faith in me than I had in myself – and it was a big change, involving a lot of heavy research and writing – but I absolutely loved every day I worked there.
“I got access to some of the smartest people in the industry on a daily basis. I had the privilege to pick their brains, put their thoughts into articles and people would think ‘this analyst really knows his stuff,’” Javvad laughs. “You’re standing on the shoulders of giants.”
What resonates most with Javvad from his time at 451 Research was learning to write and communicate thoughts better, and he mentions a piece of research called Security Shelfware: Which Products are Gathering Dust in the Shed and Why? that he is particularly proud of.
“It was about the security products that end users had bought but ended up sitting on the shelf unused – it was really well-received and I was able to get some really rich data for that.” So rich, in fact, that Javvad was selected to present his research findings to an audience of security professionals on stage at RSA Conference 2014 in San Francisco.
“I try to write and make videos in a way that is enjoyable for people”
Vendor Land
A year or so later, and with his reputation as an insightful, engaging security storyteller developing rapidly, Javvad received yet another enticing job offer; this time at growing security vendor AlienVault.
“AlienVault got in touch and asked me to become their security advocate. Again, I had no idea what that was either – but they said I could define the role once I joined and make it what I wanted it to be. I thought, well I’ve been on the enterprise side, I’ve been an analyst, so let’s try vendor land.”
Javvad explains that the opportunity was very much at the “sweet spot” of where he was professionally and personally at the time, providing an ideal balance of everything he enjoyed about a role.
He stayed at AlienVault for around four years, and only left once the dust settled on AT&T’s acquisition of the company.
“AlienVault was a private startup, so you could go and do things (like respond to press) pretty much how and when you wanted to. Under a publically owned organization like AT&T, you have far less freedom in what you can say, and any comment you write has to go through some long approval phases. It became quite restrictive on how effective I could be in my role.”
He says honestly that, if he had been a decade or so older at the time, he may have been inclined to stick around, “not do a great deal and collect a pay check.” However, still very much possessing a verdant passion for being able to actively contribute to the industry in the way he wanted to, he decided to look elsewhere. That led him to his current role at KnowBe4 where, since mid-2019, he has worked as part of the company’s security awareness advocate team with the same freedom to express his ideas and opinions that he so enjoyed during his earlier AlienVault days.
“Working for 451 Research onwards has been the highlight of my career,” Javvad says. “That’s not to downplay my previous roles in any way, because I learned so much in them, but when you work for any large multi-national company, it’s very difficult to see how what you do has any impact on the bottom line of an organization. You can feel like such a tiny, insignificant cog in a huge machine.
“451 Research really changed that dynamic for me, because what you produce as an analyst becomes the product that is sold by the company, and the advocate roles have been just as fulfilling in different ways. As an advocate, you sit more under PR than marketing; it’s really nice to see when a quote of mine gets so many media mentions, or people say they really enjoyed a presentation I have given and it leads to them having more trust in our brand. It’s highly rewarding.”
In typically modest fashion, Javvad notes that all of his professional achievements would not have been possible were it not for a number of “fantastic managers” that have helped guide him on his journey.
“For the last five or six jobs in a row, my immediate manager has been a female, and they’ve been far, far better than any of the male managers I’ve ever had. They have installed so much more self-belief in me than I ever had before. Maybe the gender thing is just a ‘sample size’ issue – but I wouldn’t be here if it wasn’t for really, really good managers.”
Born to Blog (and Vlog)
So that tells the tale of how Javvad’s security career has traversed to where it is now, but an important part of his story is yet to receive the reference it deserves, having only had a few brief mentions thus far. That is: his talent for, and love of, storytelling.
Of course, it goes without saying that the highly public-facing nature of each of his roles at 451 Research, AlienVault and KnowBe4 very much require the ability to engagingly address an audience, but it is Javvad’s explanation of why he enjoys storytelling – either professionally or via his own, long-running and multi award-winning security blogging/vlogging series – that is most captivating.
“It’s the art of storytelling and the creative process that I really love, and it’s something that I’ve always enjoyed but never really had much of an output for until it dawned on me that I could do it through my security knowledge and experience,” he says.
“I’ve always approached a lot of what I do from an edutainment perspective. I try to write and make videos in a way that is enjoyable for people, with real-life examples that have actually happened.”
Effective storytelling really needs to be engaging, and that becomes even more important when it comes to communicating important security messages to broader, non-security audiences, Javvad continues.
“Even if it’s not entertaining, you need to engage the readers, viewers or listeners in some way so they feel some affinity towards you, and they can then absorb the message without feeling like they’re being preached to.
“In this day and age, people are bombarded with all types of media. If they choose to give you their time, even just 20 minutes, to read your article, listen to your podcast or watch your video, there is an unspoken contract in that they are giving you their precious time, and in return, you have a responsibility to not only inform them, but make it worth their time.”
Entertaining people or leaving them with a smile on their face is such a powerful aspect of that, he adds. “Security has a tendency to be very ‘doom and gloom,’ so being able to put a positive spin on it and talk in an engaging way is so critical, and as the sector becomes more mainstream, it becomes even more vital.”
If we don’t provide the public with an engaging format by which they can ask the industry questions and reach the experts, it will create a void that will be filled with pseudoscience or snake oil that just seeks to capitalize on marketing opportunities, he concludes.
Well, here’s to the likes of you, Javvad, for your continued efforts to ensuring that doesn’t become a reality!