Transcript
A (0:02)
You're listening to the Cyberwire network powered by N2K.
B (0:12)
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise solution that stops ransomware in its tracks. Allow Listing is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.
A (0:51)
Hi, this is Ed Amoroso and I'm the chief executive officer and founder of TAG Cyber, which is a research and advisory firm located in New York City. And I also am a professor over at NYU where I teach in the computer science and engineering department. Well, my dad was the second computer science PhD ever in the world. He was at UPenn and he was doing a PhD in electrical engineering. And they came to him and said, we'd like to make it computer science. This was the Moore School in the 60s. That's where ENIAC was built in the 50s. And my dad famously said, well, if you have to call yourself a science, you probably aren't one. And he's right. Computer science is not a science. We don't have any laws. But he did that. So I grew up in a family where we had an ARPANET connection into our home in the 70s. I was a very mischievous kid and I, you know, learned to program on Carnegie Mellon's CMUA and CMUB is where I learned Pascal when I was about 12. My dad guided me along. I eventually got my PhD in computer science. I went to Bell Labs and joined the UNIX group again with guidance from my dad. He said again famously, think of unfair this is that I had this guidance in 83. He said you should go to Bell Labs, you should work in computer security. That's going to be big. It's like, could you have had better advice, you know, in the mid-80s than to go work on UNIX at Bell Labs? Jabs on security, I mean, talk about died and went to heaven. That was the greatest place I've ever seen in my life. You know, I would walk down the hallway where Brian Kernighan and Ritchie and Thompson, all those guys were working. And I would just go like this, hoping that some of that genius would waft into me. I don't think it ever did, but it felt good. Like, I often ask my teams, what was the best day you ever had at work? And it's a fun question to ask. And most people sadly say the day I got like this promotion or raise. What a sad reflection. If that was your best day.
I always tell them, you know, it was my best day. When I was about 27, I was working a UNIX project and I'm in a meeting and Brian Kernighan, the inventor of the C programming language, he said, Ed, that's a good idea. That's it. I walked out of there probably about six feet off the ground. And I've gotten to know Brian since then. I've interviewed him. He came at TAG Cyber, we have a conference. He was our keen, I would sign books. I joke with him about that. He didn't remember it, but for me, the greatest thing ever. We were doing UNIX security and in 92 or 93, the CEO of AT&T, the president of the network, Frank Ianna at the time, pulled me aside and said, hey, all this work you guys are doing with government, you think you could do like a security group to protect our company. And I remember going, wow, what a great idea. Like you'd have a group that would do security for the company. And he goes, yeah, what do you think? And I went, wow. I go in nose and ran asking if anybody else was doing that. Find Steve Katz over at some bank, Citi or something. He hands me his card and it says, Chief Information Security Officer. I said, what's that? He goes, that's my title. And I said, can I keep this business card? So I go back to work. Could I be this? And they go, no, you can't escape the word officer in your title. Forget I had some other thing like I was running something called the Information Security Center or something like that. But I had a very cool boss then who said, you know what, you can put whatever you want on your business card. Just go. So I print, I still have them. It's a Chief Information Security Officer. I was like self-dubbed from that time on for the next 20 years, it became my passion, my research, my life's work to figure out how to make the Chief Information Security Officer position viable. And man, did we make mistakes. Everything you could imagine that you could goof up on AT&T.
I give them so much credit that they didn't fire me because I would kiss my wife goodbye and say, well, today's gonna be the day that they're gonna be on to me and see that I'm making this thing up. There was a tool called NetRanger IDS. We plug them in all over the network and I hire a bunch of operators because it's a phone company to sit in a big room and field the alarms, and it didn't work. It was all this false positive garbage coming in. And I learned on the job what it is to run a security operations center. We figured out that, okay, they can do tier one, so maybe we need some people, like, who can do cybersecurity helping them. We built a managed firewall service, and then we married up some of that IDS and we're building the first managed security service. AT&T starts getting big and powerful. SBC buys us, we merge. We bought DirecTV, we bought BellSouth, we bought Cingular, and then we had the iPhone launch. So my team got bigger and bigger. I start becoming this big fancy executive. And I didn't know what an income statement was. So AT&T sends me off to Columbia Business School to learn to be an executive. I think all the professors must have quit after me. Can you imagine putting a computer scientist, computer science professor, no less, into a business school environment? I'm sure I drove them crazy, but when I retired from AT&T, I'd done all this thing, managed these big teams, had thousands of people working. It was really quite an experience. Nothing I ever wanted. I just wanted to be a computer scientist like my dad. But I became this executive and I decided one day I didn't want to be an executive. So I quit, started TAG Cyber. I had no customers, I had no revenue, I had no office. I just had a logo that I made up. TAG is the Amoroso Group. And my wife thought I was nuts because I was quitting a job that I had, basically tenure.
I guess I'm making a lot of money and I quit to make no money, but to do what I wanted to do, which was disrupt and fix, research and advisory. But little by little, we're starting to grow. And now I'm on an exponential where we're doubling every year. So that's my story. Went from my dad having an ARPANET connection and I'm learning Pascal to Bell Labs to CISO to business, to quitting to starting something new. And now I'm riding a new exponential up, and it's a hell of a ride. I think this is going to sound crazy, but security shouldn't be the main dish. Computing, networking, software, systems that we're building, that's the main dish. I always say, if you want to get into something, then look at the meat of it. Learn development, learn engineering, learn networking, learn to build databases, learn to build cloud systems. There's the construction of working functionality to support business objectives. That's what you want to be good at. Security is a feature, it's an aspect, it's an attribute. It's an incredibly important one. So young people, all my grad students, they go, what's the best way for me to break into network security? I say, break into networking. They say, I'm really interested in software security, what should I do? Learn software. I love database security. What should I do? Learn databases. You got to pay your dues and learn something, develop some capability in something, and then you'll very naturally progress into cybersecurity. So that's always been my advice.