Each month I choose an industry leader, security executive or manager, or other noteworthy security name to answer ten questions on Twitter. This month, Gunter Ollmann, long-time security veteran and currently CTO with IOActive, gives us his responses to ten questions in 140 characters or less.
CSO (@msjoanieg): Let's start with your background. How long have you been in security and how did you get started?
Gunter Ollmann (@gollmann): I started in "security" back in 1982 breaking software and writing hacks and trainers for games back in New Zealand.
@msjoanieg: Interesting. What first intrigued you about security that brought you to that line of work?
@gollmann: Games etc. were very expensive in NZ, so it was popular to hack for most kids. Running my own BBS meant I had to secure that too.
@msjoanieg: OK. You're now at IOActive as their CTO, a job you've been in for almost six months now. How have things been going?
@gollmann: I'm having a fantastic time with IOActive. It's great to be back in security consulting after 5yrs running product R&D teams.
@msjoanieg: Excellent. What have you been working on in the new position as of late?
@gollmann: Developing new "chip to code" service offerings. In particular semiconductor reverse engineering and security design > incl. ICS.
@msjoanieg: Sounds interesting. What would you point to as one of the largest catalysts for change in the industry in the last 2-3 years?
@gollmann: I'd say the paradigm change of acknowledging "we will constantly be breached somehow", and dev. realistic remediation strategies.
@msjoanieg: And how do you think the industry as a whole is adapting or reacting to this “new reality”?
@gollmann: Detection tools are shifting from "attacks" to "attackers". IR is de-skilling to helpdesk. Forensics moving to re-imaging.
@msjoanieg: What’s your security “philosophy”?
@gollmann: My philosophy... expend effort on identifying key IP and prioritize defenses on that. "Protecting" everything is a fool's errand.
@msjoanieg: Give me three words that you think are essential characteristics for working in security.
@gollmann: Does ADD count as three or one O_o -- ADD, skeptical, and multi-tasker.
@msjoanieg: Funny :) OK, fill in the blank: If I didn't work in security, I would _______________
@gollmann: I'd probably own/run a chain of high-end/boutique delicatessens. I may still do that when all the vulnerabilities are gone. :-?
@msjoanieg: Ha! That could be a while... One last question: Pass the buck now. Who should we tweet with next?
@gollmann: 2 folks I respect in the security world are David Litchfield ("unbreakable Oracle") and Malcolm Harkins (Intel CSO) < both worthy