Career Notes 12.19.21
Ep 80 | 12.19.21

Ed Amoroso: Security shouldn't be the main dish. [Computer Science]


Ed Amoroso: Hi, this is Ed Amoroso, and I'm the Chief Executive Officer and Founder of TAG Cyber, which is a research and advisory firm located in New York City. And I'm also a professor over at NYU where I teach in the computer science and engineering department.  

Ed Amoroso: Well, my dad was the second computer science PhD ever in the world. He was at U Penn and he was doing a phD in electrical engineering, and they came to him and said, we'd like to, um, make it computer science. This was the Moore School in the 60s. That's where ENIAC was built in the 50s. And my dad famously said, well, if you have to call yourself a science, you probably aren't one. And he's right. Computer science is not a science. We don't have any laws, but he did that. So I grew up in a family where we had an ARPANET connection into our home in the 70s. I was a very mischievous kid and, you know, learn to program on Carnegie Mellon's CMU A and CMU B is where I learned Pascal when I was about 12. 

Ed Amoroso: My dad guided me along. I eventually got my PhD in computer science. I went to Bell Labs and joined the Unix group, again with guidance from my dad. He said again, famously think how unfair this is that I had this guidance. In '83, he said, you should go to Bell Labs, you should work in computer security. That's going to be big. Could you have had better advice, you know, in the mid eighties then to go work on Unix at Bell Labs on security? I mean, talk about died and went to heaven, that was the greatest place I've ever seen in my life. You know, I would walk down the hallway where Brian Kernighan and Ritchie and Thompson, all those guys were working. And I would just go like this, hoping that some of that genius would waft in to me. I don't think it ever did, but it felt good.  

Ed Amoroso: Like I often ask my teams, what was the best day ever had at work? And it's a fun question to ask. And most people sadly say the day I got like this promotion or raise, what a sad reflection if that was your best day. I always tell them, you know, it was my best day? When I was about 27, I was working a Unix project and I'm in a meeting and Brian Kernighan, the inventor of the C programming language, he said, "Ed, that's a good idea." That's it. And I walked out of there probably about six feet off the ground. And I've gotten to know Brian since then. I've interviewed him. He came at TAG Cyber, we have a conference. He was our keynote. I joked with him about that. He didn't remember it, but I it's for me, greatest thing ever. 

Ed Amoroso: We were doing Unix security and in '92 or '93, the CEO of AT&T the president of the network, Frank Diana at the time, pulled me aside and said, "Hey, all this work you guys are doing with government, do you think you could do like a security group to protect our company?" And I remember going, wow, what a great idea. Like you'd have a group that would do security for the company and he'd go. He goes, yeah. What do you think? Wow. I go in nosing and ran asking if anybody else was doing that, find Steve Katz over at some bank Citi or something. He hands me his card and it says chief information security officer. I said, what's that? He goes, that's my title. And I said, can I keep this business card? So I go back to work said, should I be this? And they go, no, you can't just get the word "officer" in your title. I had some other thing like I was running something called the information security center, something like that. But I had a very cool boss then who said, "Hey, you know what. You can put whatever you want on your business card, just go print it." I still have them. It says Chief Information Security Officer was like self dubbed. 

Ed Amoroso: From that time on for the next 20 years, it became my passion, my research, my life's work to figure out how to make the chief information security officer position viable. And man, did we make mistakes. Everything you could imagine that you could goof up on. AT&T, I give him so much credit that they didn't fire me because I would kiss my wife goodbye and say, well, today's going to be the day that they're going to be on to me and see that I'm making this thing up. 

Ed Amoroso: There was a tool called the NetRanger IDS. We plug them in all over the network. And I hire a bunch of like operators because it's phone company to sit in a big room and field the alarms and it didn't work. It was all this false positive, garbage coming in. And I learned on the job, what it is to run a security operation center. We figured out that, okay, they can do tier one. So maybe we need some people like who can do cybersecurity helping them. We built a managed firewall service and then we married up some of that IDS and we're building the first managed security service. 

Ed Amoroso: AT&T starts getting big and powerful. SBC buys us. We merge, we bought DirecTV, we bought Bell South. We bought Cingular and then we had the iPhone launch. So my team got bigger and bigger. I start becoming this big fancy executive and I didn't know what an income statement was. So ATT sends me off to Columbia Business School to learn to be an executive. I think all the professors must have quit after me. Can you imagine putting a computer scientist, computer science professor into a business school environment? I'm sure I drove them crazy, but when I retired from AT&T, I done all these things managed big teams, had thousands of people working. It was really quite an experience. Nothing I ever wanted. I just wanted to be a computer scientist like my dad, but I became this executive. I decided one day I didn't want to be an executive. So I quit. Started TAG Cyber. I had no customers. I had no revenue. I had no office. I just had a logo that I made up, TAG is The Amoruso Group. My wife thought I was nuts because I was quitting a job that I had basically tenure, I guess, I'm making a lot of money and I quit to make no money, but to do what I wanted to do, which was disrupt an and fix research and advisory. But little by little, we're starting to grow. Now I'm on an exponential where we're doubling every year. 

Ed Amoroso: So that's my story. Went from my dad having an ARPANET connection and I'm learning Pascal to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride.  

Ed Amoroso: I think this is going to sound crazy, but security shouldn't be the main dish. The computing networking, software systems that we're building that's the main dish. I always say, if you want to get into something, then look at the meat of it. Learn development, learn engineering or networking. Learn to build databases, learn to build cloud systems. There's the construction of working functionality to support business objectives, that's what you want to be good at. Security is a feature. It's an aspect. It's an attribute. It's an incredibly important one. So young people, all my grad students, they go, what's the best way for me to break into network security. I said, break into networking. Or they say, I'm really interested in software security. What should I do? Learn software. I love database security, what should I do? Learn databases. You gotta pay your dues and learn something, develop some capability in something, and then you'll be very naturally progressed into cybersecurity. So that's always been my advice.