AISA “In the Hotseat” - Interview with Patrick Gray
The following is an interview I did with Patrick Gray that was published in the recent AISA (Australian Information Security Association) March Newsletter. It will be available under “News” at www.aisa.org.au. As a friend of BorB and we of his work as one of few journos who really understand our industry, I thought people would like to see a view on things from the other side. I really enjoyed doing this but also seeing a refreshing view from the media that differs greatly to the majority of rubbish we are fed daily. The rest is the published interview:
In the Hot Seat…
Welcome to the first in an ongoing series of interviews that will become a regular feature of the AISA Newsletter. This month, Drazen Drazic, CEO of Securus Global, turns the tables on someone recognised within the industry as one of the best IT Security journalists in Australia, Patrick Gray, putting him in the “hot seat”.
Patrick Gray has been writing about information security since 2001, winning five awards for his reporting along the way. His articles appear in The Age and Sydney Morning Herald newspapers, MIS, Business Week and The Bulletin Magazine. Online, his stories have run on Wired.com, ZDNet.com.au, SecurityFocus.com, Silicon.com and have been syndicated around the world. In 2007, he launched the Risky Business podcast on ITRadio.com.au.
You’ve become one of the most respected IT Security journalists in this region. Tell us a little bit about your background.
That’s the advantage of being one of the ONLY IT security journalists in the region!
It’s a job I fell into. I graduated from an electronics engineering degree in 2000, before working in the IT security field for a couple of years. I didn’t have the technical chops to do the really interesting stuff and I didn’t like sales, so I gradually drifted towards the media thing. It was the right move for me. I get to talk to the most interesting people in the industry, and I really do maintain a genuine interest in the field.
The diversity within the security scene is something you don’t find in many other disciplines. You’ve got the suit-and-tie wearing risk management stuff, which can be interesting, right down to the nutters who spend their time pulling apart binaries in IDA looking for bugs.
What pushes Patrick Gray’s buttons? (What are the types of stories that you like to chase?)
Being a journalist, I’d have to say the stories I like most are the ones people don’t want you to write….everything else is advertising. That said, one of the things I love about the podcast [Risky Business] is we get to do some pretty decent analysis of security technologies and cut through all the vendor BS. That’s fun too.
What frustrates you about the industry?
Vendor BS. (Unbreakable!). There are good actors and bad actors, but like every IT discipline, everyone over-sells their security kit or misleadingly touts the “security features” of their enterprise software.
Because many journalists don’t have a solid understanding of security, the amount of pure crap peddled at them by the software-makers is un-be-lie-va-ble. Some CIOs are known to fall for this type of crap as well. It’s really up to people like AISA’s membership to help management understand the technology so it can make informed decisions.
It was also tough to get people to trust me in the early days. Security types are a paranoid bunch (bless) and in the past it was difficult for me to get people to talk to me. I guess I’ve been around long enough now so people tend to trust me not to burn them these days. It’s made life easier. People know that something said off the record stays off the record.
If you want to talk, I’m always available. My details are on ITRadio.com.au.
You’re one of few journos in this region that stays close to the research/”hacker” community. Why don’t others?
I’m close to that community because I really enjoy the social aspect. It’s not a calculated move by me to get better stories…I find “hackers” interesting. They’re typically smart, politically aware types with finely tuned humour. I don’t think you could find any other group of people in IT that are as much fun to drink with.
When I first moved to Sydney in 2003, I was there for a year working for ZDNet. I used to love going to the 2600 meetings at the Crystal Palace. My God, those guys can drink!
At first, everyone was really worried I was there to write a story about devil-worshipping cyber-terrorists, but after I kept coming back long enough, and their names didn’t appear in the headlines, everyone relaxed a bit.
I don’t know why other journos don’t get in there, but many of the writers I know would feel a bit out of place at something like Kiwicon or Ruxcon, but with respect to them, a lot of what’s discussed would probably go over their heads.
They’re smart people but they just haven’t been up to their eyeballs in infosec since 2001. That said, considering the crazy amount of world exclusives I got at Kiwicon, I reckon there’ll be a few other writers in attendance at the next one. No one likes to be scooped like that.
And for the record, Kiwicon was a blinder. I loved it and can’t wait for the next one. I’d love to see more CSO types attend, they’ll learn more there than they will at Gartner’s Symposium.
Risky Business on ITRadio.com has become one of the world’s best IT security podcasts. Tell us a bit more about Risky Business.
Ah, flattery. Love ya work Drazen!
I did some community radio as a teenager and always enjoyed it. In my Sydney days I’d contribute to the ABC’s NetNews program on ABC NewsRadio and I always got a kick out of it. Fast-forward to early 2007 and I was getting really sick of writing stories about VoIP security for IT business magazines, so I thought I’d do something of my own. I rang Wendy Hill at Verizon Business (nee Cybertrust) and asked if they’d sponsor a podcast. They said yes immediately and signed up for a year. From there it’s just taken off. I don’t get crazy download numbers, but I have around 5,000 listeners stopping by at least once each month. They’re a pretty passionate bunch of listeners, too — I had a guy text me about five seconds after the most recent podcast went up because I’d posted a typo.
Risky Business really is for the die-hards, and I’m happy to serve them. It’s done well commercially as well. We’ve got sponsors like Symantec, Check Point, Sophos, RSA and HP ProCurve on board these days, so expect to see some expansion of ITRadio’s site over the next couple of years.
What do you predict the hot topics in 2008 will be in IT Security?
From a media point of view, cyber-espionage will be big this year. I think we can expect at least one major data loss in Australia to be exposed and the debate around data loss disclosure will really heat up.
Token-based 2FA is going to start looking pretty useless as an anti-phishing measure by the end of the year and we might start seeing some interesting movement around a new national ID card under a different name. Federated identity could also get a run this year, but we’ve been saying that for yonks, so who knows.
Patrick Gray, host of Risky Business, can be heard each Tuesday on ITRadio.com.au/security


March 6th, 2008 at 8:02 pm
I don’t write for MIS, Business Week (only published a few with them) or the Bully anymore. In fact, the Bulletin isn’t even published anymore…
Weird being on the other end of an interview…
March 7th, 2008 at 12:08 pm
How new and refreshing to hear a take on the industry and media like this from a journalist (and Darren Pauli also). Keep it up Pat and thanks for this DD.
As I flick through the latest news bits on the net and my copy of a popular weekly IT “news” mag, I think I am now far more critical and cynical than ever before about stuff being fed to me.
March 7th, 2008 at 2:35 pm
It’s so good to see a Journo that actually researches and writes stories, rather than copy-pasting vendor press release dribble.