CyberWire Daily - Ed Amoroso: Security shouldn't be the main dish. [Computer Science] [Career Notes]
Episode Date: December 19, 2021Chief Executive Officer and Founder of TAG Cyber, Ed Amoroso, shares how he learned on the job and grew his career. In his words, Ed "went from my dad having an ARPANET connection and I'm learning Pa...scal, to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride." Hear from Ed how he sees security as a side dish that you'll progress into naturally once you've paid your dues and mastered a skill like networking, software or databases. We thank Ed for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Thank you. Hi, this is Ed Amoroso, and I'm the chief executive officer and founder of TagCyber,
which is a research and advisory firm located in New York City.
And I also am a professor over at NYU, where I teach in the Computer Science and Engineering Department.
Well, my dad was the second computer science PhD ever in the world.
He was at UPenn, and he was doing a PhD in electrical engineering.
They came to him and said, we'd like to make a computer science. This was the Moore School in the 60s. That's where ENIAC was built in the 50s. And my
dad famously said, well, if you have to call yourself a science, you probably aren't one.
And he's right. Computer science is not a science. We don't have any laws. But he did that. So I grew
up in a family where we had an ARPANET connection into our home in the 70s.
I was a very mischievous kid and I learned to program on Carnegie Mellon's.
CMUA and CMUB is where I learned Pascal when I was about 12.
My dad guided me along. I eventually got my PhD in computer science.
I went to Bell Labs and joined the Unix group.
Again, with guidance from my dad, he said, again, famously,
think how unfair this is that I had this guidance.
In 83, he said, you should go to Bell Labs.
You should work in computer security.
That's going to be big.
It's like, could you have had better advice,
you know, in the mid 80s than to go work on Unix at Bell Labs on security? I mean,
talk about died and went to heaven. That was the greatest place I've ever seen in my life.
You know, I would walk down the hallway where Brian Kernaghan and Richie and Thompson,
all those guys were working. And I would just go like this,
hoping that some of that genius would waft into me.
I don't think it ever did, but it felt good.
Like I often ask my teams,
what was the best day you ever had at work?
And it's a fun question to ask.
And most people sadly say the day I got like this promotion or raise,
what a sad reflection if that was your best day.
I always tell them, you know, it was my best day.
When I was about 27, I was working a Unix project and I'm in a meeting and Brian Kernaghan,
the inventor of the C programming language, he said, Ed, that's a good idea.
That's it.
I walked out of there
probably about six feet off the ground
and I've gotten to know Brian since then.
I've interviewed him.
He came at Tag Cyber.
We have a conference.
He was our keynote.
Signed books.
I joke with him about that.
He didn't remember it,
but for me, it was the greatest thing ever.
We were doing Unix security, and in 92 or 93, the CEO of AT&T and the president of the network, Frank Ayanna at the time,
pulled me aside and said, hey, all this work you guys are doing with government, you think you could do like a security group to protect our company?
And I remember going, wow, what a great idea.
Like you'd have a group that would do security for the company?
And he goes, yeah, what do you think?
And I went, wow.
I go in nose and ran asking if anybody else was doing that.
Find Steve Katz over at some bank
city or something he hands me his card and it says chief information security officer i said what's
that he goes that's my title and i said can i keep this business card so i go back to work
can i be this and they go no you can can't have the word officer in your title.
Forget I had some other thing.
Like I was running something called the Information Security Center or something like that.
But I had a very cool boss then who said, you know what?
You can put whatever you want on your business card.
Just go print.
So I printed.
I still have them.
It's a chief information security officer.
It was like self-dubbed.
From that time on, for the next 20 years,
it became my passion, my research, my life's work to figure out how to make the chief information security officer position viable.
And man, did we make mistakes.
Everything you could imagine that you could goof up on. is her position viable? And man, did we make mistakes.
Everything you could imagine that you could goof up on.
AT&T, I give them so much credit that they didn't fire me because I would kiss my wife goodbye and say,
well, today's going to be the day
that they're going to be on to me
and see that I'm making this thing up.
There was a tool called NetRanger IDS.
We plug them in all over the network and I
hire a bunch of operators, because it's a phone company, to sit in a big room and field the alarms
and it didn't work. It was all this false positive garbage coming in and I learned on the job
what it is to run a security operations center.
We figured out that, okay, they can do tier one.
So maybe we need some people like who can do cybersecurity helping them.
We built a managed firewall service.
And then we married up some of that IDS and we're building the first managed security service.
AT&T starts getting big and powerful.
SBC buys us, we merge, we bought DirecTV,
we bought Bell South, we bought Singular,
and then we had the iPhone launch.
So my team got bigger and bigger.
I start becoming this big, fancy executive.
And I didn't know what an income statement was.
So AT&T sends me off to Columbia Business School to learn to be an executive. I think all the professors must have quit after me. Can you imagine putting a computer scientist, computer
science professor, no less, into a business school environment? I'm sure I drew them crazy. But when I retired from AT&T,
I'd done all this thing,
ran these big teams,
had thousands of people working.
It was really quite an experience.
Nothing I ever wanted.
I just wanted to be a computer scientist like my dad.
But I became this executive.
And I decided one day,
I didn't want to be an executive. So I quit,
started TagCyber. I had no customers. I had no revenue. I had no office. I just had a logo that
I made up. TAG is the Amoroso group. And my wife thought I was nuts because I was quitting a job
where I had basically tenure, I guess. I'm making a lot of money.
And I quit to make no money, but to do what I wanted to do, which was disrupt and fix
research and advisory. But little by little, we're starting to grow. And now I'm on an exponential
where we're doubling every year. so that's my story went from my dad having an arpanet connection and i'm learning pascal
to bell labs to cso to business to quitting to starting something new
and now i'm riding a new exponential up, and it's a hell of a ride.
I think this is going to sound crazy, but security shouldn't be the main dish.
Computing, networking, software, systems that we're building, that's the main dish.
I always say if you want to get into something, then look at the meat of it.
Learn development, learn engineering, learn networking, learn to build databases, learn to build cloud systems.
There's the construction of working functionality to support business objectives.
That's what you want to be good at.
Security is a feature.
It's an aspect.
It's an attribute.
It's an incredibly important one.
So young people, all my grad students, they go, what's the best way for me to break into network security?
I say, break into networking.
But they say, I'm really interested in software security.
What should I do?
Learn software.
I love database security.
What should I do?
Learn databases.
You've got to pay your dues and learn something, develop some capability in something, and then you'll very naturally progress into cyber security so that's always
been my advice Thank you. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.