Hugh Thompson is the Program Committee Chairman of RSA Conference and a Senior Vice President and Chief Security Strategist at Blue Coat Systems. But he's perhaps most famously known for hacking the Florida and Utah state electronic voting systems in 2006 and presenting that work on HBO's Hacking Democracy.
Dr Thompson took some time out from the busyness of the RSA Conference to speak with CSO Australia.
This year's RSA Conference was the biggest yet. For the first time, the event filled both the North and South sections of the Moscone Center, and a record crowd of over 25,000 people attended.
"It's a sign of how much this industry is growing," said Thompson. "If you look at the demographics of where those people are from, the companies they're from – it's not just big financial services companies or Fortune 100s, it's people from utilities. If you asked who were the most progressive people in infosec you would not have identified those folks four or five years ago."
"Now there's hacktivism and these very targeted attacks by nation states, especially in Asia," he added.
What's obvious after spending a few days immersed in the infosec business is that the industry is changing. The people entering the business come from a far wider pool of backgrounds and bring different skills.
"There is a huge demand for the ninjas – the extremely technical people who can do things like forensics or solve a puzzle. They're still being recruited very heavily. They're in short supply – if you're a ninja in today's infosec world you can name your price at any company," according to Thompson.
"Sometimes they're coming out of the government; there are some schools doing a good job of training them up, but I think it's beyond the formal education that you get."
The challenge is that while it's possible to teach people the skills to be extremely competent infosec professionals, the best also have an innate ability – much like you can teach someone to hold a hammer, but there are very few who can use that hammer to become great sculptors.
"There's another group of people entering the equation," according to Thompson. "These are people who've traditionally been in risk – way beyond infosec risk."
For example, one CISO that Thompson knows has a background as an actuary – very technical and very analytical. This has led to a very different view of security.
"If you go back three or four years ago, security was very binary. You're hacked or you're not hacked. You're breached or you're not breached. But today it's very much around this acceptance that bad things will happen. People will get in. If the adversary is sophisticated enough they'll find a way in. So the question then becomes how can we quickly recover from an attack and identify it fast," said Thompson.
The focus then moves away from stopping attacks to dealing with the consequences.
What's also interesting is that the people entering the infosec business are no longer coming just from traditional technology-based backgrounds. Students from backgrounds as diverse as music and political science are finding their way into the business. It's their capacity to look at problems in different ways and see solutions that is deemed to be the critical skill. The technical skills can be learned later; it is the innate problem-solving and analytical skills that are being valued.
"We [Blue Coat] have a lab in Draper, Utah. You start to think – why have a lab in Utah? It's not a traditional hub. The fact is that there's an incredible competency there around analytics. Big genealogical projects are going on there – projects that have gone on for a really long time. And there's a huge competency around linguistics. If you go into our lab you'll find the traditional PhD computer scientists, but around the room you'll find PhD linguists, people in behavioural psychology," said Thompson.
"You want diversity. You have to have diversity of view, otherwise you're going to look for the same thing," he added.