Are you ready to IGNITE your information security
career? Well then buckle up, put on your tin foil hat and get ready for HACKERS ON FIRE
with your host, Glen Roberts.
Glen: Hello everyone, this is Glen Roberts;
I’m thrilled to introduce Ben Wright to Hackers on
Fire. Hi, Ben.
Ben: Hello.
Glen: Ben Wright is a former teacher of mine at SANS, he’s been with SANS for over a decade
teaching students on the law of data security and investigations. He’s got an educational
background at Georgetown University Law Center. Ben, I’ve given everybody a brief intro into
your background, but why don’t you tell everyone more. Let’s hear about you personally and
what you do.
Ben: Okay, Glen. As an attorney I have been
in solo private practice for over twenty-five years
where my practice has focused on the law of technology. And as the years have passed that
precise work that I do has evolved because technology evolves. So I spent more of my
time in the 1990’s focusing on electronic commerce
whereas in this century a little more work has been
focused on security investigations and records management although electronic commerce
remains one of the things that I do. So I work for a wide variety of clients around
the world. Typically they’re enterprises that need some
kind of help with technology law and policy, and
in managing risk related to cyber law.
Glen: That’s quite a bit Ben. I know you’re
busy, highly sought after. I want to start out by
asking you if you have a motivational quote that we can share with the listeners?
Ben: I guess I do have a motivational quote. I’ve carried this little quote around in my
wallet since about law school, or maybe even college.
The quote is from Ralph Waldo Emerson and he
said, “Hitch your wagon to a star. Let us not fag in paltry works that fill our pot
and bag alone.”
Glen: I love it.
Ben: I’ve long admired that quote to remind
me that my professional work is about more than
earning a living.
Glen: Absolutely. And that’s the case for
all of us.
Ben: Indeed.
Glen: If we look at your specific career, I mean it is just phenomenal, it’s mind blowing.
Every conference I go to I see you there and the
room is just full of students learning about security
and legal security in particular. And I know you’re doing a lot of amazing things, but
that wasn’t always the case and we all started somewhere.
If I was to ask you to look back at your history, at a struggle that you were faced with during
the initial course of your career, especially breaking into internet security…
Ben: In my career I see two big times of struggle. One of them involved getting into security,
and the other one was prior to that. As I said earlier, in the 1990’s more of my work
focused on electronic commerce and the struggle was that
I was a young lawyer who had been working at
a law firm and I had a vision of doing something with my career that would be unconventional
and would lead me to future opportunities that are hard to predict. And so the difficult
thing was somehow taking a law degree and getting
involved in technology where I had no background in technology. I was an English
major in college. And it was challenging, it took a
lot of work, and a lot of effort in the late 80’s and early 90’s. But essentially I found
people who would support the writing of books, and giving
of presentations, especially writing books on
electronic commerce; that was in the 1980’s and the 1990’s.
So, that got me going with a law practice and with a career. Then, the second big challenge
did relate to security. And that is my professional
life, my practice, was pretty successful and intensive, especially in the last half of
the 1990’s, because the web was hot and lots of people
were putting money into all kinds of .coms, and new technology. So, plenty of things to
do, however, around the year 2001 came we had
the .com bust. And then we had September 11, those two things together just put a big kibosh
on my business. Suddenly no one wanted to talk
about electronic commerce law anymore. People were not putting money into technology, and
I had to struggle and find a way to reinvent myself. What I ultimately did, and it was
a struggle, is that I found the SANS Institute,
as well as some other things connected with security and records management and evidence
law, which all have fueled my practice since around 2003 or so.
Glen: Ben, before we move on, you talked about the struggle getting into security in the
first place and the whole disaster that was the
.com bubble bust. What would you like the audience
to take away from that? What’s a key point that they can extract and really resonate
with?
Ben: Well, my personal experience involved
searching around for a place where I could use my
talents and be of value. And that means talking to lots of people, and trying to pay attention
to what’s happening in the marketplace at a particular
time. One of the interesting things about September 11 is that it caused a lot of corporations
and governments to think hard about security. And September 11 was good for the
SANS Institute, so SANS was growing and SANS had
a message and that is “we help you provide security” and everybody’s worried about security
in the wake of September 11. And so I found
the SANS Institute just by hunting around, paying
attention to the stuff that comes in the mail. I got a brochure from SANS. I read it and
it said, “If you’ve got an idea for a seminar let us
know.” And so I contacted SANS and I said, “You need
to have a seminar on the law of information security.”
Glen: And you got it.
Ben: And we started working, and the seminar
was a success. We started out with one day of
material back in 2003, and then we have expanded upon it over the years so that it’s now a
five-day course.
Glen: I took the course, I’ve taken several
SANS classes, and I like the labs and getting in
there, hacking stuff like I’m sure a lot of the other students do. So, you know, when
I came to find out that this legal class was necessary
as part of the Masters program…you know, I kind of
saved it for last. But I was pleasantly surprised. I thought it was the best class, hands down,
that I’ve taken at SANS.
Ben: Wow! That’s a tremendous endorsement!
Because I think very, very highly of the other classes and the other instructors there so
thank you.
Glen: There’s a lot of overlap in all the
different classes, but your class in particular stands
alone as a lot of original material. And so I just learned so much, and that’s why I think
it was the best class, because of all the original
material. And I am so glad that you found SANS back
in 2003, or whenever it was. Would you say that was your turning point?
Ben: It was. It was an important turning point. The first turning point was leaving the law
firm and setting out on my own. And the second
turning point was getting past the .com bust where
e-commerce was a hot topic, and moving into a new hot topic of security.
Glen: What is your proudest moment in your InfoSec career?
Ben: First, I have a hard time with the word “proud.” That is just-personally, that’s not
the way I think about my work. I don’t think about
it as pride, I think of my work more as trying to help
other people. And that’s not about my pride, that’s about helping other people. So maybe
to change the…
Glen: Ben?
Ben: Yes?
Glen: Are you a lawyer?
Ben: I’m sorry, I have to admit,
and my family accuses me of this all the time!
Glen: It’s quite all right.
Ben: They can’t get a straight answer out of me on anything. And what I was going to
say is that there is one particular case that I have
been involved in that has been described in a book.
And I am happy that I was able to help the client under the particular circumstances,
and it’s an ongoing matter, even though the guy’s already
written a book about it. He’s going to have to write another book when the whole thing
is finally over. So the name of the book-and I guess
it’s a little bit of a plug here for my client’s book-the name of the book is The Devil Inside
The Beltway. It’s a very complex story. It is
the most interesting InfoSec law story and case that I’ve
ever encountered, whether being involved or not. But it essentially involves a dispute
between a medical laboratory and an InfoSec company
that ended up with some sensitive files that belonged to that medical laboratory and all
the legal fallout, and the investigation by the
Federal Trade Commission that has come from that. And so that is a moment, and that’s
a point in my career that I am pleased that I was
able to help the client. And the client in his book says
that I helped him a lot.
Glen: I’m looking forward to reading that
book.
Ben: Alright.
Glen: All right, well, so obviously you’re successful – several years of success on all of us. And
you know, what I’m trying to do here is really
get at what someone can take away from someone as
successful as yourself and put that into what they’re doing, into their career plans, and
benefit from that. So, are there any habits that you
do on a regular basis that if someone were to take
on those habits themselves would have some additional ingredients for success?
Ben: I really try to think outside of the box and I’m constantly asking myself, “What
is the next thing that’s going to happen?” And in technology
things change really quickly, and therefore being flexible, so that when opportunities
arise, or when a new technology comes up, or a new
problem arises that you’ve got a way to approach it. And lawyers often have rather specific
ideas in their head about what it is a lawyer is supposed to do. And I try to put that aside
to a large degree, and just ask what value can
I deliver to a client or to the marketplace at any
particular time not, “Am I billing hours the way a traditional lawyer bills hours?” and
“Am I getting professional credit the way a professional
lawyer gets?” I really try to put that aside and just say, “What can I do that’s of help
to anybody at any place in any way?”
Glen: I love it. Well, you know, adopting
that kind of an attitude, that’s really a lot of what IT
is-or information security. It’s performing a service. I really love your philosophy.
I think that it works well for anyone and for his or her success.
Thank you for that. So, you’re giving some advice but what’s the best advice that you’ve
ever received?
Ben: I had a professor in college who was
very inspirational to me. She taught that society
provides all these conventions and roles for us. And she said, “Learn how to overcome these
conventions, or at least how to set them aside as appropriate.” She had her own interesting
way of stating this. This was an English professor when we were back in undergraduate, but she
said that any person should recognize that they can see things from both a male and a
female perspective; and she used the word androgyny.
And what I took away from it was, I’m a very male person, but the way I took it was to
learn how to see things through the eyes of other
people. She was saying if you’re a guy, learn how to see things through the eyes of a woman
and think about how women would respond to a problem. That larger messaging piece of
advice in my life, in my career I guess, has enabled me to try to think about legal issues
and technology issues and security issues from
many perspectives. From the perspective of law, but
also the perspective of management, from the perspective of the clients or customers in
an enterprise, and so on. I guess that’s a little
quick bit of advice I took from Dean Colleen Grisham at Trinity University back when I
was in college.
Glen: It’s amazing advice. I mean, every day
we are faced with different types of people with
conflicting interests in the workplace. And it’s very helpful to see what they are doing
or what they did and the way they did it from their
viewpoint.
Ben: Right.
Glen: Especially instead of casting aspersions and getting real judgmental.
Ben: Yes.
Glen: Alright, excellent. Something that I’ve
been curious about, because I haven’t been at
SANS for a while, is what you’re doing right now? What’s motivating you? What’s going on?
Ben: Well, the material at the SANS Institute that I deliver is very dynamic and keeps me
really hopping because there is so much going on.
I mean just this year we’ve had Target, we’ve had
Home Depot, we’ve had J.P. Morgan Chase Bank – all announcing breaches. These are massive
breaches! And we’ve had Heartbleed, we’ve had Shellshock Bash vulnerability. And those
are just the big highlights. So I do put a great
deal of energy into trying to keep up with where
culture is going and responding to these security problems. And when I say culture I believe
that in order to understand law on these topics of information security, we’ve got to
understand politics and ultimately to understand politics we have to understand culture. What
is our society thinking and expecting in the wake of these very sophisticated kinds of
attacks that we are seeing. So that’s one topic that
keeps me really ginned up. And every day I spend
quite a bit of time just reading the news, just trying to figure out what’s going on.
Another thing, I guess, that’s taking a lot of my time directly is working for a client,
an enterprise. It’s a multinational financial institution,
and they deal with privacy and information security,
regulatory issues in many countries. And so trying to explain their position on information
security in the different languages, the different cultures, the different countries, the
different laws that they face in doing all this in a practical way is a very rewarding
challenge and a difficult challenge. So those are a
couple of examples of things I’m working on.
Glen: I imagine it’s really challenging when
one country says to do it this way while another country says to do it the other way and it’s
in conflict. So that can be difficult, I’m sure.
Ben: Yes, we do have conflicts and we’ll have a relatively small country that says you’ve
got to do it some very specific way that really doesn’t
make sense, and they start looking like the tail
that’s wagging the dog. And then the company has to make some difficult choices when the
law in one of the many countries they do business
in says you’ve got to secure passwords in this
very certain way and it just doesn’t necessarily make sense.
Glen: If you think about the audience that’s out there, some of the audience will be looking
for ways of getting into InfoSec and earlier on
you mentioned a struggle getting into information security. Do you have any additional advice
for someone that’s getting into information security? Or if you were just now getting
started in this day and age with everything that’s
currently going on, how would you approach it?
Ben: One thing that I see is that forensic investigations is a growth field. And as the
Internet of Things continues to expand, the quantities
of data that are collected at any given moment about any given thing are just mushrooming.
And therefore I see growth opportunities for the
careers of those people who are looking for some kind of a professional place where they
can add value. If they understand how to run a
forensic investigation that collects data out of a
cloud, or out of mobile devices, or off of Nest thermostats, and so on, I believe those
kinds of people will find a place to earn a living,
a place to add value. So I like recommending that
people looking to advance their career look hard at something related to digital forensics.
Glen: That’s a solid lead for everyone out there. Before we go on into the resources
and stuff like that, how would someone get a hold of
if they wanted to contact you about something? Ben: The easiest way to contact me is BenjaminWright.US.
It’s all one word BenjaminWright.US. So I own that little domain and from time
to time it points to different things, but it’ll always
get to me, so that’s an easy way to find me.
Glen: Well, I appreciate your approachability
and for getting on the podcast as well. I’m really
looking forward to staying in contact with you, and then also getting back to a SANS
conference as soon as I can.
Ben: Well, I look forward to seeing you when you’re there.
Glen: What do you have going on in the next few months?
Ben: Well, I do teach at SANS in about eight days so that is a major thing for me. Every
big SANS conference, I really gear up for it and
I have a lot of preparation, and so that’s a big
project in front of me. Beyond that one of the things I guess is on my radar right now
is Bitcoin, and I have a hard time evaluating whether
Bitcoin or things like that will be a success. But
Bitcoin is very interesting to me, even if Bitcoin itself does not succeed the concept
of a block chain or recording transactions as Bitcoin
uses is a very powerful, innovative idea. Thus, I’m
blogging about Bitcoin, and things like Bitcoin. So that’s one of the things that does have
my attention. So I’ve been doing some blogging
already and have some plans to blog more and to
make some videos on that.
Glen: That’s an interesting subject. I’ve
spoken privately with some people that work at very
notable financial institutions and they have been asked to research these unregulated
currencies and ways in which to get involved in. And I don’t think they can really find
their way right now into those markets due to some regulations.
But I think they’re chomping at the bit to experiment.
Ben: And one of my observations is for those big institutions that may think that they
can’t get into it because of regulations. I think they
run a big risk that somebody else, somewhere else in
the world is going to get involved and find a way to avoid regulations or roadblocks.
And so you may see, for instance, the Canadians seem
to be fairly open minded on Bitcoin and therefore you can see big financial institutions out
of Canada, running circles around maybe American institutions who feel that they don’t have
runway to be able to do that.
Glen: That’s an amazing insight. I couldn’t
agree with you more. What are some websites or
tools or resources that you would suggest to the audience that they could take a look
at and would benefit from career-wise?
Ben: Well for me I focus, of course, on looking for law and regulation related to information
technology and investigations. The number one place I go to for a good feed of information
is the SANS Newsbytes newsletter. About three
days a week SANS sends out an e-mail newsletter. It’s free, you can sign up on the SANS.org
website. That’s an excellent digest and summary of
major things that are happening in Information Security.
Glen: I agree.
Ben: The next major place that I go to is
a free e-mail newsletter that comes from a law firm
named Steptoe and Johnson. They’re a large law firm in Washington DC. And they have a
newsletter that’s called the E-commerce Law News. And it’s easy to find on their website,
it’s easy for you to search for it. But if you
really want to keep up with cyber law those guys are
fantastic in keeping up with the leading cases and interesting cases from around the world
and developments. I couldn’t operate without them.
Finally, a place where I get a lot of news is on Google Plus. Google Plus is Google’s
not-so-well-known social network. For me, I found that
I’ve been able to cultivate a group of people and
entities that I follow on Google Plus such that it becomes a very efficient feed of information
for me. And I try to use it as a way of learning about things that I don’t know that I don’t
know. It’s not just InfoSec, not just investigations
that I follow there. It’s a broader range of
technology developments so that I can kind of see things that are coming, things like
the Internet of Things, for example. And that’s
also a place where I learned a lot about Bitcoin.
Glen: What about a book recommendation?
Ben: The number one book recommendation that I have for someone thinking about
technology and policy includes InfoSec, but it also includes investigations and compliance.
The name of the book is The Naked Corporation.
It’s written by a guy named Don Tapscott, and I am
absolutely astounded by this book. It was written in 2003 and it is such a prescient
book, meaning it foresees the future. And the essence
of the book is… this is something these guys
picked up in 2003, they said that a corporation, as well as a government agency or nonprofit
needs to recognize that its secrets just can’t be maintained as secrets. And you’ve got to realize
everything about you is going to get out because of Snowden and WikiLeaks and…
Glen: Employees…
Ben: And a whole bunch of other things. And
so he says we need to be much more transparent as Enterprises in the Internet age.
Glen: Everyone, you can find the links to these resources, tips and guidance that Ben’s
given us during this session online. All you have to
do is go to hackersonfire.com and search for Ben
Wright. Thank you, Ben, for an amazing interview.
Ben: Glen, thanks a lot for reaching out to me.