I can’t remember what year I first met Graham Cluley. It may have been around 2006 at an awards event of some sort. We were both nominated in the same category; I believe it was for best security blogger. Graham was already well-established with many awards under his belt, whereas I was the jittery newbie, glad to have even been nominated for anything at all.
As you may have guessed, Graham won that night. Usually I’d force a smile, congratulate the winner with some hollow words and then drown my disappointment at the buffet.
But Graham is quite the quintessential gentleman. He sat and chatted with me throughout the evening, sharing tips and techniques and being overall very encouraging.
I’ve kept an eye on his career ever since and stayed in touch with him. I felt like it was worth getting some time once again and talking through what makes him tick.
You’ve been in the industry for a long time, what’s the secret to staying so apparently happy and enthusiastic - not to mention retaining a full head of hair?
Life is so ghastly and absurd that it's impossible to take it too seriously. One of my failings is that I have a pitifully low boredom threshold, and find it a hard thing to disguise. This isn't a good thing, and has probably harmed my career immensely.
Recently my wife says she's spotted a couple of grey hairs on my head, so it does appear that I am mortal
My brothers don't seem to have lost their hair either, so it must be something in the Cluley gene pool. That or the fact I spent the first eighteen years of my life eating only cheese sandwiches.
There were your early days at Dr. Solomon’s, the Naked Security era, and now your life as an independent expert - with a more respected brand than most companies have. Was this a planned journey? How did your career end up here?
I don't really think I have a career. I find it hard to describe to people what exactly it is that I do for a job. When I meet up with my brothers, they're baffled as to how I'm able to make a living too.
So, there was no planned journey to get to this point. At college, I wrote and sold computer games, and they're what got the attention of Alan Solomon who offered me a job as a programmer in the early days of anti-virus.
I left Dr. Solomon's (which was a fun place to work) because they got acquired by McAfee (who didn't seem very fun). I joined Sophos because it was a small fun company, and then left when it became big and stopped being fun.
I make decisions like these fairly impulsively. Something will switch in my head and make me say, "I'd rather do something fun", and then that's it, my mind’s made up.
Life is a little different now as I have a wife and young son, and I need to remind myself that I have some responsibilities. If they weren't in my life, it's quite possible that I would be doing something other than computer security. But I do enjoy finding new things to do – and my latest obsession is the weekly podcast I co-host with Carole Theriault.
You’re a pretty public figure, but what little-known fact about your background usually surprises people?
While I was studying at university, my girlfriend joined a cult.
I tried for years to get her out, without success. That was pretty horrible, but I met a lot of good people and - hopefully - helped some other people leave a destructive group.
There, that ruined the mood!
Yeah it did… ok moving swiftly on. You’ve done technical roles, non-tech roles, you’re a writer, speaker, media commentator, YouTuber, podcaster, amongst many other things. What is the role, or job that you enjoy the most, or have enjoyed the most over the years?
I really enjoy public speaking. There's nothing quite like it, and you get the instant reaction of an audience to make you feel good about yourself.
The other thing right now is editing podcasts. Such such fun! It's amazing how many hours you can spend tweaking what at the end probably sounds like an unedited 30-minute conversation.
Conversely, what part of the job do you not like at all?
I hated managing people. When I worked for big firms they kept trying to "reward" me with management positions, providing teams to work underneath me. This seemed crazy to me. If I was good at one thing, why would that mean I would also be good at managing people? And even if I *was* good at it, why was it assumed that managing a team would that be the best use of my time rather than letting me do the thing I was really good at that they were presumably paying me the megabucks for?
The way I got around this was by attempting to promote my staff to ultimately be my boss, effectively reversing our roles. This strategy actually worked a few times.
Who were your mentors, or greatest influences along the way?
Alan Solomon - a very clever, and very funny chap. He and his wife Susan had faith in me and I learnt a lot from them.
Who is your favourite fictional character?
John McAfee.
I heard that you were once mentioned by a malware author in their virus. Is this true?
I think you're talking about Gigabyte, a Belgian virus writer whose real name is Kim Vanvaeck.
Back in the mists of time, I made some comments to the media about women being too sensible to write malware. Kim somehow misconstrued this as me saying that girls weren't capable of writing viruses, which is, of course, nonsense.
Anyway, she wrote some viruses which mentioned me and my favourite sandwich filling, and invited computer users to throw a coconut at my head to ensure that less files were infected on their hard drives.
She got caught by the police, but was never charged as far as I know. However, I do believe she turned her back on malware writing many years ago, so that gets the thumbs up from me.
How many awards in total have you won over the years? And don’t pretend like you don’t know the exact number!
Come on. What is this?
A serious interview! Give me something.
I'll tell you this - my first ever award was runner-up in a Cow & Gate beautiful baby competition.
What would you say is the most underrated skill in the industry - or the skill you wish more people spent time developing?
Talking and listening, but not necessarily in that order. I'm naturally introverted and often find myself in awkward situations outside of my comfort zone in the course of my work. I imagine there are many others out there like me.
Fundamentally, we need to not just invest in our technological skillset, but also in our emotional and social skills.
Diversity in InfoSec - what are your thoughts?
Anyone who has worked in computer security knows that diversity is a good thing.
Imagine that everyone in the world was using Windows 95 because there were no alternative operating systems. Imagine that everyone used the same anti-virus, the same firewall software, and the same spam filter. It would be a security disaster, and the criminals would make hay.
Why should we feel any differently about encouraging people from other countries, cultures, backgrounds, and orientations to work alongside of us? Info security is weakened by a lack of diversity.
However, the one area where I would like to see *less* diversity is amongst the cybercriminals. In fact, I would love it if there was such a lack of diversity that we could know that it was going to be a 38-year-old white guy, called Norman, living in Sidcup, who has a model railway in his loft. He was the one behind the botnet. And whatever the cybercrime, it was *always* Norman.
That would be brilliant.
For those starting off in the industry, or even those that have been working in the industry for a while and want to be like you - what advice can you impart?
Don't do what I did.
Instead, buy Bitcoin in 2014 and sell it in December 2017.
But seriously, I often have people contacting me asking for career advice, and I feel like such a fraud. I fell into the security industry with no relevant qualifications, and haven't been to a job interview for 25 years. What would I know about how to get a step up on the career ladder? I feel like my career path has been unorthodox and may not make
a great example for the average security wonk.
One thing I would say, though, is that you need recognise your strengths and don't let people distract you from exploiting them to the full. Also, don't allow yourself to be pushed into endless meetings ("Can't I just do some *work* instead??").
What's different now as compared to 25 years ago is the availability of so much more information via the internet. Expertise and knowledge are more accessible than ever. You can learn more easily, make industry connections, and make a name for yourself by sharing knowledge and helping others via platforms such as Twitter.
Oh, and make sure you subscribe to my "Smashing Security" podcast.
Article Link: An Interview with Graham Cluley