Sergey Nivens - Fotolia
The internet revolution hit close to home for Diana Kelley, who caught the technology bug and could never quite shake it. Marcus Ranum sat down with Diana Kelley, global executive security advisor for IBM Security, to talk about the path that lead to her success. In addition to IBM, she has advised Bank of America, Intel, Microsoft, Merrill Lynch, many other tech companies and the U.S. government.
How did you wind up in security? What were you like as a kid?
Diana Kelley: [laughs] I was actually a typical nerdy -- but book nerdy -- kid. I had a big penchant for Gilbert and Sullivan plays and learned many of them by heart. One day, my dad came home with a Texas Instruments programmable calculator. I was about 9 years old -- it was early 1970s at this point -- and I absolutely fell in love with it. You could program this thing to do stuff. I made it calculate out Hello. Later, when my dad decided he was going to build his own Heathkit computer, I was the kid that got really, really excited about this whole 'computer' thing and wanted to work on it with him.
My dad was a research professor at MIT Lincoln Labs, and he had accounts on the PDP computer at Tech Square, and I got a kid account so I could dial in. It was actually a rotary-dial phone with an acoustic coupler -- you wait for the beeps and the boops. I was in the middle of this incredible revolution on the ARPANET: you could send email to people or have chats, and there were games -- I think [one] was called 'Adventure.'
Yeah, I played that one, too. 'There is a little dwarf here.'
Kelley: I was talking to people who were working on research with mice and IT, and I was just completely floored. It was the coolest thing that it all worked. I actually 'hacked' without knowing what I was doing: Nowadays, no 12-year-old would have plausible deniability, but in 1978 or '79, I would say I did.
All I knew was that I couldn't get to the manual pages of the system I was on, and I was talking to someone who said, 'Well, you just don't have enough access.' I was a kid; how could I get access?
Well, the mucky-mucks had access, so I figured out eventually that there was a bug in the login and people couldn't see what they were typing their password into, but you could set the terminal up to ghost their keystrokes and get their password after they entered it. I got an admiral's account, I believe, and I was on one of the .MIL systems in D.C. I was able to read everything I wanted about how the system worked, and the next day there was a phone call to my father.
I think the statute of limitations has run out on that one.
Kelley: After that, I stayed on, taught myself how to code and wrote my own little adventure game. I didn't take any courses -- then I was told that computers were 'nerdy' and I wasn't going to have any friends. I got less interested in computers for a while, went to college for English and focused a lot on Shakespeare, and didn't do anything with computers except that I was the GM at the radio station, and we published our playlist on the old VAX. Sometimes, I had to go in and figure out how to do things with the formatting using Scribe [descriptive markup language]. I got out, graduated and thought, 'Well, what do you do if you have an English degree?'
I thought I was going to be an editor and find the next F. Scott Fitzgerald. So I got a job at the academic press, and we had these old Wang terminals for producing output. Every time those broke, people would come to me. At my next job, I was assistant editor at a math textbook company, and I became the go-to person for computers. I started to do more with IT and became the person picking the software and teaching everyone how to use it. The woman who was in charge of our parent company was there one day, saw me working with the people and computers, and said, 'Look, you obviously love computers, and we have a project starting to network all of our subsidiaries together -- we need someone to be our IT person.' My first title was micro specialist.
Finally, I ended [up] being the manager/corporate systems administrator for a startup in Cambridge. They had a global set of offices that needed to be connected. This was when Windows didn't have an IP stack and you had to install Chameleon. …
That'd be around 1992, then.
Kelley: I used to tail the syslog; I'd sit there and watch it scroll by. If you knew the IP addresses by heart, you could understand what was happening.
Back in 1988 or so, that was how I saw my first-ever security incident! I love syslog.
Diana Kelleyexecutive security advisor, IBM
Kelley: One of my systems just started to fill up, and it was an FTP server. Christmas Eve at 6:00 p.m., there was me and a contractor sitting there, and someone had taken over our server and filled it with 'warez' [illegal software]. I realized that I hadn't protected my FTP server, and that was when I started keeping security on my checklist. I also [thought at] that moment: I shouldn't have been able to see all those passwords on that system so long ago; this is a thing! It's going to be the most important thing going forward. That was when I decided to start to focus exclusively on security.
Most of the security people I've talked to have had some experience like that -- they got pulled in on the operational side and got serious about it. Or they started on the other side of the fence and decided to try to teach the 'good guys' how to do it right.
Did you at some point think 'I am a security person now'?
Kelley: I had already known I was going to be a network person, and the only way to have a world-class network is to understand the bad guys. I realized that I had to be security-focused to be a good network architect. That was when I started learning about firewalls -- including your product. [Marcus Ranum invented the first commercial bastion host firewall.] We went into the business of installing firewalls for other people, as a third party, because in those days it wasn't as straightforward as it is now.
From there, I went to a big consulting firm that specifically hired me to be a security architect in financial services consulting. I had an absolute blast: I was hired to focus on security, and here I was in the middle of the big internet build-out in the late '90s, with all the banks and brokerages trying to go online for the first time. The challenges were wonderful, and they're still challenging.
The changing role of women in information security
Are degrees or certifications better for infosec career advancement?
Executive-level security position still open to debate