Interview and photograph by Marcus Ranum
The security people I know who are good at this [job] grew up off the beaten track; they think in ways that are a little bit different. How did you get started in security? Where did you discern your interest?
Kevin Johnson: I actually started way back when, in the old bulletin-board-system days -- connecting out to pirate boards -- and I got into researching phreaking and all that stuff we would not do nowadays.
Did you read The Anarchist Cookbook?
[Laughs] Of course I did! I had a friend who worked for IBM but then started a small company -- what we'd now call a startup -- and he called me and asked if I wanted to build stuff for him. So I was a systems administrator. Personally, what I find is that most good security people start as system administrators. We like to poke at things, take things apart and learn, and automate.
For me, it's all about having a consistency in my systems and my thinking. I want things to work the same way and it hurts me when they don't.
What I don't understand is whether we're born that way, or we're made: Some people just want to make things work, and they become systems administrators and security people.
You mentioned you have a diagnosis of obsessive-compulsive disorder?
Those people aren't born -- they're formed. But, yes, my OCD has something to do with it. When I approach a network or a web application or something, I feel like it's unbalanced -- there's a sense of 'not rightness' that pulls my focus. I never really thought about it from that perspective. But, yes, it bothers me.
Kevin Johnson, founder and CEO, Secure Ideas
When we have customers that just won't fix things, it bothers me to the point where we've actually fired customers. It's so simple and obvious: They have to fix it. And, if they don't, I just can't work with them.
I've noticed that top-notch security people tend to be very unforgiving of mistakes in themselves and in others. I've always assumed that's cross-discipline. But maybe it's not.
Yes! [Laughs] When I was at a previous employer, I literally had someone from human resources assigned to me. I had had so many complaints because I'd be dealing with a developer and I'd say, 'I just want to know how you know to breathe regularly … because this is so stupid.' And then I'd get counseled. I try very hard to work with people and to have someone else from my company around who can jump in at any time and say, 'That's not what Kevin really means.'
I was raised in the South, so 'bless her heart' is the verbal tic -- when you catch a Southerner saying that, they're not thinking very highly of you.
Top security people are really good at self-assessment and reflexive self-management. We're learning our personal risks and failure modes, and we think about what we do wrong; then we mitigate the personal and professional risks to ourselves.
We tend to become consequentialists, too. We don't say, 'Don't do this because I say so.' It's always 'Do this because if you don't, the following things could happen.' Do you have kids? Do you talk to them like that?
[Laughing] Yes! I have a 14-year-old and a 10-year-old, and we've just started teaching the 14-year-old to drive. It's risk management. I say, 'Context!' It's not 'What's the worst thing that could happen?' It's 'What's the context? If you do that, what else will be affected?' And, yes, I talk to my clients just like that. That's my job!
I've always said that security is taking your brain, twisting it 90 degrees and using it that way. We approach the problem from a different angle. It's not better -- it's just different. So when I talk to a developer, they are so focused on making things work. I feel like I'm trying to get them to broaden their context: Did you think about this? Did you think about that?
How has your thinking about security changed and evolved?
I've gotten better at not telling people 'no.' I was the stereotypical 'no guy.' Now I explain why it's a good idea or a bad idea: If you do that, here's what's going to happen. My thinking has not changed much; I've gotten better at communicating.
One thing that surprises me is that so few customers think: What if I don't do this? Last night, I had a call with a customer who wanted to do a pen test, and they seemed to have no idea what they were doing.
'Why do you want to do this?' I asked. 'Have you ever done this before?'
'Then you don't want a pen test. Don't get me wrong -- I'm a greedy capitalist -- but you're not going to get anything out of it except feeling bad and getting a list of things to fix.'
So I directed him to a list of other options: Do a Nessus scan, check this, check that. You're not ready for a pen test. When you've got your arms around all this stuff, then we can schedule a pen test.
What's the weirdest random phone call you've gotten?
I had a woman who believed that she was being cyberstalked. She had this guy she worked with, and she felt that he had done something to her phone because they'd be at work and sometimes he'd reference something from her email. It was extremely creepy. I told her to get a gun and contact HR.