Skip to content ↓ | Skip to navigation ↓

This week, I had the pleasure of sitting down with Graham Cluley, an award-winning security blogger on grahamcluley.com, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. Graham has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

A transcript of the first part of our interview is provided below.

David Bisson: What made you decide to get into the field of information security?

Graham Cluley: I got into the field accidentally. You see, I was going to college in the early 1990s, and back then there wasn’t really a World Wide Web as such. There was very limited Internet access and about a dozen or so mailing lists that were sent out to people (I was subscribed to a few of these, including Virus-L/comp.virus, where people spoke about computer viruses).

At any event, I was a programmer, and I spent most of my time writing computer games. Each of my games ended the same way in the sense that I would ask people to send a small monetary amount if they enjoyed the game. And people did. I was doing quite well with this. In fact, I wish I was making games when the Internet had really taken off as it would have been a lot easier to get people to make an impulse purchase!

One day I came home to find a huge parcel waiting on my doorstep. Inside was a check for £20—more than I had ever received before—a packet of cheesy biscuits, and a copy of Dr Solomon’s Anti-Virus Toolkit, a highly respected UK-based antivirus program at that time. There was also a letter from Alan Solomon in which he stated that he liked my games and I should get in touch if I wanted a job.

I had been looking for a job for a while, so I called Solomon and was soon after hired as the first Windows programmer for his Anti-Virus Toolkit. So, that was my entry into the field of computer security, which occurred about 25 years ago.

I remained a programmer for some time. But then I began doing some talks and transitioned into product management and marketing, which morphed into my becoming something of a spokesperson for Dr Solomon’s. After eight or nine years, I eventually shifted to Sophos, where I found myself as the missing link between the firm’s virus lab and the outside world.

You see, many technical people are amazing at what they do, but they are not the best communicators. At the same time, individuals in marketing are great communicators but they often don’t understand the topic. This thinking resulted in the setting up of Sophos’s Naked Security blog. I have since left Sophos and have been working as an independent security blogger for the past two years.

That’s my work career in a nutshell thus far!

DB: Why did you go on to become an independent security blogger? What are the challenges/successes associated with this path?

GC: As I said, I had been working for Sophos for 14 years and for Dr. Solomon’s for about eight or nine years before that. I left not out of ill will towards Sophos. I just wanted to do something different. To be honest, everything just got boring and repetitive. There weren’t too many challenges after a while, which made me think, “If I don’t go now, I’m going to die here!” I didn’t want to stay there for another 14 years, so I left.

I did not have a job to go to, and I was honestly not sure how I was going to make a living, but I thought I was going to be all right. I’m an optimistic guy. Fortunately, I already had a bit of a public profile back then, so even if I fell on my face, I knew that I could get a job somewhere. Sure enough, I was lucky enough to receive job offers from a number of other security firms when folks found out I was leaving Sophos, but I chose to not take them up. It would ultimately have been the same thing somewhere else, after all.

graham cluleyIt’s been an interesting experience. One of the best things about working independently is the fact that you get to be your own boss. This means that you get to set your own hours, choose your holidays and vacations, and decide when to spend time with family, all without anyone ever telling you what to do. This benefit, however, is balanced by the challenge that as the only breadwinner, you don’t make any money if you’re sick or on holiday. It’s a lot of pressure, especially if you’re trying to raise a family. But I’m enjoying it a lot.

Above all, I’m enjoying not having to go to meetings. I’m not a big fan of meetings. As an independent security blogger, researcher and public speaker, I can focus on what I’m good at, and set my own priorities.

DB: What is your biggest mistake and what have you learned from it?

GC: Like anyone and everyone, I make mistakes every day but unlike some people, I work in a medium where I can very easily correct my mistakes. If I write something inaccurate, for example, I can edit the article and apologize for any misinformation I may have helped spread. There are several instances where this has happened in the past, and across all of them, I have learned that people love it when you own up to your mistakes. They respect you for admitting that you were wrong and that you handled the situation with transparency.

I think this is a wider trend in security, as well. Look at the different approaches with regards to how companies respond to data breaches. Some are just awful at handling to an incident but for those that respond in a timely manner and with transparency, I cannot help but think that they must be good organizations with which to do business. It’s the upfront nature of their response that makes a world of difference.

 

Please stay tuned for Part 2 of our interview, in which Graham reflects on the security industry and the threats confronting users today.

In the meantime, we are pleased to remind our readers that Graham Cluley is a regular contributor to Tripwire’s The State of Security. To read some of his most recent articles, please click here.

Title image courtesy of ShutterStock