Many of today’s information security professionals started their path towards a career in the industry by becoming frustrated gamers. Richard Ford, Chief Scientist at Forcepoint, is one of them.
His particular frustration was fuelled by the fact that he couldn’t save game scores and prove everyone how good a player he was. In order to write a program to copy the screen to a file, he had to hack the games. Eventually, though, the games became less interesting than walking through the code, so that’s where he spent most of his time.
“Because of that history, I basically fell into this field, which is pretty common for people who got into computer security in the late 80s and early 90s,” he says.
With an academic background in physics but an active interest in computing and hacking, Ford started his career in the information security field when a visit-cum-job interview at Virus Bulletin ended up in him being installed as an editor at the publication.
“My career path has been non-traditional but also pretty rewarding – everything from my time in academia at the Florida Institute of Technology to my years as a journalist plays a role. When I first started writing, my editor would cross out almost every single word in my articles to whip me into becoming a better writer. That particular skill comes in hand daily, helping me to communicate more clearly.”
“We often make cybersecurity sound complex, but in reality the basic ideas are very simple – and being able to explain that is critical,” he points out. “For this reason, I have grown to love these complementary ‘softer’ skills that very technical people are so often lacking.”
Work at Forcepoint
His work at Forcepoint is a dream come true: he can see the ideas he’s worked on in action, protecting people in the real world.
But, he notes, the choice on what technologies to research for potential implementation is not wholly his.
“There’s no single person here at Forcepoint who mandates, ‘oh, we’re going to research this piece of tech.’ I certainly have an opinion, but running it past the folks who live day-to-day in the trenches is pretty important.”
Nor is the final decision on what ends up implemented in the Forcepoint product line. “I do have a seat at that particular table, but there are people who are closer to our customers, who understand what kind of lift these technologies will give for our customers in the real world, not in the lab. I’m happy to share the responsibility because I want the results to be as good as they can be, and I certainly don’t have the only valid viewpoint.”
The company has made it their mission to meet customer needs. Listening to customers telling them how they are using Forcepoint tools ends up teaching them a great deal. “How people wind up using our product is not always as we’d expect. We spend a lot of our time listening and to find out why they didn’t turn on certain features,” Ford explains.
Searching for and fixing customer pain points is one of the things that drive his research. The other is his “sixth sense,” honed by many years in the industry. At the moment, he is focused on researching how users interact with data.
“I think that sooner or later, if you’re a bad guy and you want to steal something, you’re going to have to touch it, albeit electronically. If I understand all those points of contact, it doesn’t matter what the specific threat is. What becomes important is the points of contact with the data – the intersection, if you like, of the network, the data, and the person,” he notes.
“Through that lens, I’m very focused on ‘sense making’ around these contacts, and providing protection at this critical moment in time and space. This is very different than the very threat-centric work I’ve done previously – and which most of the industry is focused on.”
As chief scientist, his aspiration is to make security a non-issue for the users of tomorrow.
“Computing is the most exciting technology that mankind has developed since the wheel, but attackers have corrupted it and used it as a way to harm people. I would love to unleash the power behind computing where people can use it to improve their situation in life, where it really empowers others. I want to change the way we do security, change the approach so we can beat the bad guy, because what we’re doing today is not working,” he says.
Changes in the security landscape
Since his Virus Bulletin days, many of the challenges faced by the information security crowd remained the same, but the scope of the problem became bigger as today we use computers pretty much everywhere. The threat landscape has evolved in that the stakes have gotten higher, and the nature of the attacker is a lot darker, Ford says.
After such a long time in the industry, the most important lessons he learned are these: getting good, usable solutions into the hands of users quickly is extremely important, and actions and technologies that reduce security friction can be just as useful – or even more useful – than things that directly improve detection efficacy.
It is also important to think about security through the lens of “safety.”
“Security has different nuances, but safety is organic: it’s related to how a user actually behaves. I’m not going to change those behaviors dramatically, so I’ve got to think of clever ways to make them safer,” he explains.
“I don’t like to even like to think of us providing security in some ways now, I think of it more of we provide the safety mechanism. We’re like the barrier that you can lean up against, so that you can look up at the Grand Canyon and you don’t fall off the edge. It’s a different way of thinking, but it’s much more human.”
Finally, he’s become very aware that one of the key problems we face is that security solutions are noisy.
“I never have dealt with a breach where I couldn’t find signs of the intrusion when I went back and examined the logs: the fingerprints were there. That tells you that we’re seeing it, but we’re not turning that data into information. To use an analogy, we don’t need more pixels on the screen, we need to make sense of the pixels that we’ve got,” he explains.
“You need to see the big picture – and you do better in terms of security by making sense of the world rather than seeing more of the world. It’s a subtle distinction, but it matters. And that’s one of the reasons why we acquired Red Owl Analytics.”
What should modern CISOs be worried about?
“I think everyone knows the “prepare three envelopes” story, and it kind of feels like that’s the job. You are the crumple zone between the breach and the CEO when everything goes wrong – and it doesn’t matter what the root cause was. I think, for better or for worse, there’s some of that in the role of the modern day CISO,” says Ford.
In the longer term, though, he thinks that modern CISOs will actually either morph into or be placed under the Chief Risk Officer. We’ve already started to see that happening, as CEOs realize it doesn’t matter where risk comes from, be it cyber or physical. He thinks the role will evolve to be broader, and it should: physical security and cyber security should come under the same umbrella, and they very often don’t.
For the CISO, one important point of concern is differentiating between “what’s hot” and “what’s real”.
“Many of my CISO friends spend cycles making sure they have an answer for their CEO regarding some new piece of malware that the current news cycle is talking about. That’s a pity, because these cycles don’t address the real threats to the business. That’s where the experience of a seasoned CISO can really help; they need to be trusted to do their job,” he notes.
“That links nicely to my next point: I think finding the right people to support the CISO in their mission is pretty difficult. Aside from pulling in new talent, the existing talent pool is pretty expensive, and so making the cost make sense to the business is harder. Recruiting and retention; the best thing CISOs can do here is surround themselves with absolutely top-notch cybersecurity products, treat them fairly, and give them room to grow.”