Career Notes 6.21.20
Ep 3 | 6.21.20

Johannes Ullrich: Superhero origin stories and lessons that last. [Education]


Johannes Ullrich: Hi, my name is Johannes Ullrich. I'm the dean of research at the SANS Technology Institute.

Johannes Ullrich: My first sort of exposure to ideas of security and networking that was really in the old bulletin board times, and back then I was still living in Germany, going to college. There was a video tech system I was playing around with. My main job or college major at the time was still physics. And I really sort of didn't decide to sort of make this my main profession till well after I graduated from graduate school.

Johannes Ullrich: After I finished college, I first started to work for a while as a physicist. Now, again, still sort of being involved with computers on the sidelines. And I was jokingly self-describe my transition to cybersecurity as sort of the typical superhero origin story. And like all origin stories, there has to be a physics lab and radiation involved with that.

Johannes Ullrich: The reason I liked physics in the first place is that I have an awful memory and I was always bad in like chemistry remembering all these formulas, and such. In physics, what I liked is you have these very basic principles so you don't have to remember a lot, it's really more about how do you derive sort of the actual observation from these first principles. And I think good network security goes a long way sort of along these the same route. I think the wrongness is the opposite approach is to essentially learn tools. Tools change. Every year someone comes out with another new and shiny tools or or learn about specific attacks. Over the years in information security, I've seen some of the same attacks being discovered over and over again, but it's really still the same thing. And the it's a lot easier to do information security if you stick with these first principles.

Johannes Ullrich: I think one great thing about information security is that you get involved in all kinds of different industries. And what you start to learn what these systems need or what these industries need, what their specific vulnerabilities are, and really helping people understand how to secure their business from illegitimate access.

Johannes Ullrich: If you're thinking about switching careers, I would suggest really get started with the basics. Have a good understanding of computers, software, and networks, how they work. Don't specialize too early. If there is a lot of fancy pentesting that you can do and people seem to really like that, but understand that doing the same pentests over and over and finding the same vulnerabilities over and over may not be all that interesting in the long run. So really, stay flexible and try not to specialize too early.

Johannes Ullrich: My main job these days is teaching. Teaching people how to secure their systems and at the same time also learning what they need to know to secure the systems. My favorite part of my job right now is really sort of finding out how what I am teaching people helps them in their day job and how they are able to apply it. So, for example, last year I was teaching a class and in our network security class before we are going back to the nitty gritty bits and bytes like it is a first principles really how do networks work. And one student class really didn't understand that and pushed back a lot. No. Why do I have to learn all this math? Why do I have to learn X? And a couple months later, he sort of sent me the e-mail back and saying, hey, you know, I'm sorry, I just dealt with an incident and every single thing you ever teach me in the class. I actually got to apply. So really, seeing how what you're teaching impacts students, that's always very rewarding.

Johannes Ullrich: I hope people will remember the things I taught them and they find they will find it helpful. And I think that's particularly difficult in this industry that changes so fast. So I really hope that things I'm teaching people today will last. These lessons will last and will not just help them to get their job done like this week and tomorrow, but really that years from now they say, hey, you know that class I took way back then? Yes, he exactly told me about this problem. And see, it still applies.