Mr. Grimes, please tell our readers more about yourself and your professional background.
I’m a 34-year computer security professional, author of 13 books and over 1100 articles on computer security. I started as a PC repair technician, then I got into networks, eventually becoming a network manager. I eventually worked my way up to VP of IT for two different organizations. The whole time I was mostly focused on computer security, to the detriment of my other assigned duties. I eventually realized that all the other stuff was getting in the way of my true passion and I switched to computer security full-time about 20 years ago and never looked back. I started my cybersecurity career disassembling viruses for John McAfee, but mostly what I do today is to speak and write on how to make the world a safer place to compute.
What are the biggest challenges when working in cybersecurity?
My overall objective is to make the Internet a far safer place, where we all can do what we want to do without fear of malicious hackers and malware. It can be done. The problems are not technical. We know how to make the Internet far safer from a technical perspective. It’s getting people to agree to do it. It’s hard to get people in your own family to agree to do something, much less get the entire world of people, often with diametrically opposed viewpoints and objectives, to agree to do something for the common good. It will likely take a major “tipping point”, 9/11-like digital equivalent event before it happens. Even then, who knows? But we know that very bad, smaller events don’t help that much. For example, ransomware is about as bad as it can get, and we still are making very little progress in fixing things to be significantly better.
In your opinion, do modern companies have enough insight on potential cyberattacks? How could they protect themselves better?
Yes, but most need to sell you something. It’s their reason for being. And what most people are trying to sell you is not nearly what you should be concentrated on. The vast majority of cyberattacks are caused by social engineering and unpatched software. Probably 90-99% of successful attacks are related to just those two root causes. Concentrate on mitigating those two things far better and you’re far less likely to be successfully compromised. Do them poorly, as most organizations do, and all the other stuff you also try to do is not going to stop you from being hacked. Most of the cybersecurity is trying to sell you solutions that are designed to fix 1% of the problem. And you likely don’t need to spend nearly as much money to fix the two biggest problems. The biggest problem in computer security is that people don’t focus on the two things that would have the biggest impact.
By whom are you most inspired and why?
In computer security, Bruce Schneier. I encourage everyone to read his blog (Schneier on Security) and pick up one of his books. He gets computer security. My best thinking and ideas are built upon the way he has helped me to better understand the real risks as they apply to computer security. He is my unofficial doctorate in computer security. Outside of computer security, Albert Einstein. Not only because of what he thought of, but how simply he explained and defended his ideas. He also argued against his own ideas better than anyone else, so once you came at him to try and dismantle his theories, he had already thought of that, too, and figured out a better rebuttal. And it made his own theories better because he could argue for and against them better than anyone else. It helped hone his own ideas before he released them to the world. Plus he was often very funny.
What advice would you give to people with a passion in the field?
This is going to be self-serving, but go buy and read my book, A Data-Driven Computer Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847). It’s my magnum opus. It takes what Bruce Schneier taught me and turns it into actionable advice on how to be a superior computer defender. The lessons it teaches should be known by any defender. It will absolutely change the way you think about computer security the rest of your life, for the better.