Seven Things: Frank Zappa, T. Coraghessan Boyle, and 21 Years in Security

Gary McGraw, Ph.D., Vice President, Security Technology (@cigitalgem)

Upload: dinhbao

Post on 02-Sep-2018

TRANSCRIPT

Page 1

Gary McGraw, Ph.D.

Vice President, Security Technology

Seven Things: Frank Zappa, T. Coraghessan Boyle,

and 21 Years in Security

@cigitalgem

Page 2

© 2018 Synopsys, Inc. 2

Seven Things I (May) Have Learned in 21 Years

1. Passion matters.

2. So does a good rhythm section.

3. Practice, then practice some more.

4. Write original music.

5. Find the calm.

6. Give back.

7. Know your audience.

Frank Zappa

T.C. Boyle

Page 3

1. Passion matters.

Page 4

1984: The Chinese Room

Page 5

1988: Letter Spirit with Douglas Hofstadter

Page 6

Stating the Obvious? Software Security

Page 7

Have Fun and Follow Your Passion

• Others perceive passion and align

• Do not compromise to make a buck

• Love your job so you can live your job

Page 8

2. So does a good rhythm section.

Page 9

Develop a Rhythm for the Long Haul

• Expect to travel the world and repeat yourself

• Reach out and don’t be shy

• Go to conferences (and speak)

~30 talks a year later (~8 keynotes)

(one boondoggle a year is probably OK)

Page 10

Be Patient and Be Consistent

• Get rich quick only happens with the lottery (a.k.a. the “stupid tax”).

• Find your rhythm, share your clue.

– Publish, speak, ‘cast, blog

• Expect to work the same problem for decades (not months).

• Changing the world takes time.

Page 11

Use Your Network to Build Great Stuff

• Many minds are greater than one.

• Care and feeding of your network is important.

• Technology transfer takes a decade.

• Share great ideas and get everyone you know involved.

Page 12

3. Practice, then practice some more.

Page 13

What Exactly is “Research”?

• Academia and science provide great backgrounds.

• Learning how stuff breaks is helpful too.

• Do not shy from real science or from hands-on work.

• Ultimately, make sure your stuff works in the real world.

• And practice!

Page 14

Build and Break are Equal Partners in Security

Page 15

4. Write original music.

Page 16

Build Your Own Stuff (Use Science)

• BSIMM

• IEEE CSD

• CISO Project

Page 17

109 firms in BSIMM8 community

Page 18

Avoiding the Top Ten Design Flaws

• Earn or give, but never assume, trust.

• Use an authentication mechanism that cannot be bypassed or tampered with.

• Authorize after you authenticate.

• Strictly separate data and control instructions, and never process control instructions received from untrusted sources.

• Define an approach that ensures all data are explicitly validated.

• Use cryptography correctly.

• Identify sensitive data and how they should be handled.

• Always consider the users.

• Understand how integrating external components changes your attack surface.

• Be flexible when considering future changes to objects and actors.

Page 19

The CISO Report to be released January 2018

• BSIMM-like study of 25 CISOs

• Measurement and assessment for CISO and firm

• ADP, Aetna, Allergan, Bank of America, Cisco, Citizens Bank, Eli Lilly, Facebook, Fannie Mae, Goldman Sachs, HSBC, Human Longevity, JPMorgan Chase, LifeLock, Morningstar, Starbucks, and U.S. Bank

http://bit.ly/CISO-4tribes

Page 20

Or, Just Write Original Music

http://garymcgraw.com/music

Page 21

5. Find the calm.

Who can achieve the unconscious-conscious state of the reader when everything is stimulation, everything is movement and information?

Page 22

Know What it Means to Look into the Pit

• Achieve the Buddha calm.

• Don’t panic.

• Leadership is key. Seek adult supervision.

• Set realistic goals with (not for) everyone.

• Develop and use metrics.

– EBITDA

– Open book management

Page 23

6. Give back.

We are animals and we are made in this way and this is how we behave. I'm just kind of fascinated by how we can deny that we are animals and what our impact on the other animals is like, and how quixotic we can be in trying to assess what we've done in trying to correct it.

Page 24

You May Make Your Own Luck, But SHARE IT

• Give back to others in your field.

• Give back to your community, especially those in need.

• No money? Give your time.

• We’re all monkeys on this planet together.

Page 25

7. Know your audience.

There is pleasure in making art for its own sake, but I think it screams for an audience. I really think it would be difficult to write were I to know that no one would ever read it.

Page 26

Thanks for Listening!

Page 27

http://garymcgraw.com