Editor’s note: FC, a well-known ethical hacker and social engineer, has been working in the information security field for over 20 years and excels at circumventing access controls. He will be the general session keynote speaker at ISACA’s 2020 EuroCACS conference, to be conducted virtually from 28-30 October. FC visited with ISACA Now to discuss his career arc and what enterprises need to do to shore up their defenses. The following is a transcript of the conversation, edited for length and clarity.
ISACA Now: What put you on the path to becoming an ethical hacker?
There was nothing else; it was like there was no other option for me. I messed around with computers as a teen in the ’80s, anything I could get my hands on. The worldwide web hadn’t even been invented, so there was a lot of self-learning around that time. During college I got a job as a systems administrator for a local multimedia company and, as part of that, started looking at security issues. From there, it just evolved. I got involved in hacking clubs, met with other hackers, and this whole world just opened up to me. I can’t imagine doing anything else.
ISACA Now: In your work as an ethical hacker, what have you found to be most interesting about what you’ve been able to accomplish?
The accomplishment I am most proud of is seeing the impact of the company I set up with my wife and business partner, Dr. Jessica Barker. We make a positive difference, not just to the companies we work with but also to the individuals in those companies, and to their family and friends. Some of our clients do really important work, for example in healthcare, and being able to support and help protect what they do is something I am really proud of.
ISACA Now: In terms of the weaknesses you’ve been able to expose, are there common threads that you’ve been most surprised are not better protected within organisations’ cyber defenses?
Segregation of networks is lacking in many larger organisations. It probably stems from one of two things: either the organisation is so old that it probably migrated from token ring networking, or the organisation grew very rapidly and did not put structures in place to grow in a secure way. Segregating your network is crucial because it can stop attacks from spreading. It allows the business to compartmentalise at a business functionality level, ring-fencing different departments with greater security if needed.
ISACA Now: What concerns you most about the level of preparedness of governments when it comes to cybersecurity in this era of increasing cyber threats?
Governments around the world have a history of dealing with visible threats. Even in the Cold War era, spy networks were mostly a cat-and-mouse game. As the Cold War evolved into a more digital realm, it is not always easy for governments to see the global threats, which can come from homes as well as military sites.
ISACA Now: You’re also known for your humorous approach. How have you been able to find the humor in a field that is often associated with fear and anxiety?
The more you understand an issue, the less you fear it. Finding humor and levity in something scary can help us master it and can help us demystify it. Humor is a great communication tool. It breaks down barriers and helps people engage with a topic that can be seen as dry or technical.