Malware analyst careers: Getting hired and building your skills
What does a malware analyst do? Find out on today’s episode featuring Dr. Richard Ford, Chief Technology Officer of Cyren. Richard talks about breaking into the field, whether a computer science degree is or isn’t essential for the role, and an early program he wrote to brag about his high score to his classmates!
0:00 - Intro
2:30 - Richard’s cybersecurity origin story
6:07 - Being an IBM anti-malware researcher in the 90s
9:18 - How malware has evolved
11:27 - Major career milestones
18:14 - Two types of malware analysts
21:42 - How to get hired as an entry-level analyst
25:45 - Day-to-day malware analyst tasks
29:40 - Transitioning to an analyst role without any experience
34:30 - What does Cyren do?
37:25 - Outro
[00:00:00] CM: Today on Cyber Work, Dr. Richard Ford of Cyren walks us through the job of malware analyst. You’ll learn all about breaking into the field. Learning whether a computer science degree is or isn’t essential. And Richard tells us about the early program he wrote to brag about his high score to his classmates. That’s all today on Cyber Work.
Also, let’s talk about our new hands-on training series. It’s called Cyber Work Applied. Tune in as expert infosec instructors and industry practitioners teach you a new cybersecurity skill then show you how that skill applies to real-world scenarios. You’ll learn how to carry out different cyber attacks, practice using common cyber security tools, follow along with walkthroughs of how major breaches occurred and more. Best of all, it’s free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It’s a new way to learn crucial cyber security skills and keep the skills you have relevant. That’s infosecinstitute.com/learn.
And now, on with the show.
[00:01:04] CM: Welcome to this week’s episode of the Cyber Work With Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry. Dr. Richard Ford is the chief technology officer of Cyren. He has over 25 years’ experience in computer security working with both offensive and defensive technology solutions. During his career, Ford has held positions with Forcepoint, Virus Bulletin, IBM Research, Command Software Systems and NTT Verio. Dr. Ford has also worked in academia having held an endowed chair in computer security and worked as head of computer sciences and cybersecurity department at the Florida Institute of Technology. Ford holds a bachelor’s, master’s and doctor of philosophy in physics from the University of Oxford. In addition to his work, he is also an accomplished jazz flutist and instrument-rated private pilot. Quite a well-lived life there. We like to cover all aspects of the cybersecurity landscape. At the heart of the show is that we want people to know the nuts and bolts of different cyber security job roles and careers. Richard’s been a malware analyst and manages teams of malware analysts and has agreed to come on to talk about what it’s like to be a malware analyst in 2021.
So, Richard, thank you for joining us today on Cyber Work.
[00:02:18] RF: Well, thanks for the opportunity, Chris, to talk about something that I love.
[00:02:22] CM: Oh, great. Glad to hear it. Do what you love and every day is a treat. So I gave you a little bit of your bio here, but I’d like to start with the origin story. How did you first get involved and interested in cybersecurity? You’ve been at it for a long time and I know you went to school for physics, but you moved over to technology and cyber pretty soon after. So what was the attraction?
[00:02:43] RF: Yeah. I love the question, the origin story, right? I feel like a character in MCU.
[00:02:49] CM: Absolutely. Yeah, that’s the idea. We want to hear about what it was like on Krypton. Yeah. Or, yeah, it was a DC reference, I realized. But, okay.
[00:02:59] RF: Well, I’ll forgive you. But yeah. So as a kid I was always fascinated with computers, and back in those days there were no real PCs, right? So I had a Sinclair Spectrum. And if you grew up in England, you’ll know what that was. I think they were sold on a different brand, but they were sold in the US too. That was 16k of memory. Woohoo!
[00:03:19] CM: So this is around the time of the Commodore 64 then or that kind of year?
[00:03:22] RF: Yeah. Exactly right.
[00:03:23] CM: Okay. That was my first rig.
[00:03:25] RF: Commodore 64, VIC-20.
[00:03:27] CM: VIC-20. Yeah, right, right. Sinclair, okay.
[00:03:30] RF: And we loved playing games.
[00:03:32] CM: Oh yeah.
[00:03:33] RF: So nobody believed me when I would go into school and say, “Look at my high score.” And there was no way to save your high score, because they were loaded from cassette tapes, right? Or floppy discs. They actually know nothing. So 12 or 13-years-old I decided I was going to write a program that would capture the screen and save it to tape so I could then load it when people came around and see that I’d done well with this game. And that got me into a very interesting world because these games were copy protected. And so when you tried to run something alongside them, they wouldn’t run, they wouldn’t load, they wouldn’t start up.
And so I learned assembly with the sole goal of getting around the copy protection, not to steal the game, but to be able to take a picture of the screen and save it back to disc. And I suddenly discovered that I was more interested in how computers worked than playing the games, and that was a sort of pivotal point for me.
So I went off to university to study physics. And what you’ll find if you talk to a lot of people my age who are in computer sciences especially security is we don’t have computer science degrees. It’s mathematics, philosophy, physics, because computer science degrees were much rarer then. They weren’t as big. So I’m the sort of last generation of computer scientists who came up with a different education. And even during my PhD, which was in quantum physics, I spent more time writing computer code. So I was automating experiments. We took an experiment that took hours and hours and hours to take the data, plot the data, analyze the data and turn it into something that would plot it and analyze it in real-time.
And in those very early days, Oxford University was just getting on the Internet. So I sort of fell in love with computing. I was really a computer guy living in the physics department. And one morning I turned on my computer and it sort of made a complaint at me in Spanish about the phone tariffs in Spain and then rebooted and wouldn’t run. I’m like, “Well, that’s different.” Turned out I got a very, very early computer virus, Spanish Telefonica. I wrote a little article about it, and this article got out, and I got a call from Virus Bulletin. And they called me up and said, “Would you like to see how it’s really done?” I said, “Sure, I’ll come on down.” And they offered me a gig disassembling viruses for them for cashy money when I was a student, and the rest is history, right? From, “You’re going to pay me cash to do this? Sure. Sign me up.”
[00:06:04] CM: And learn at the same time. Learn something you wanted to learn anyway.
[00:06:09] RF: Yeah, exactly.
[00:06:09] CM: That moves nicely into my next question here. I wanted to talk about your early days and especially your work doing malware in the 90s. You were an anti-malware researcher at IBM way back in 1996. Now, for me, I was in college from ‘92 to ‘96 and I remember getting my first virus or malware around ’99, 2000, and it was really a surprise to me. So I feel like I don’t think of malware as being something that was that prevalent or talked about so far back. So can you talk about the malware landscape in the mid-90s and how it’s changed in the intervening decades?
[00:06:43] RF: Yeah, it was crazy. I remember my first DEF CON. There were like a handful of people in a room. It was like DEF CON 3 or something. It was literally a handful of people and I knew a bunch of them. Their virus scene back then was really interesting because people were sort of exploring. There were people – People weren’t doing it for money. They were sort of almost explorers. Now they were causing chaos and they were hurting people. It wasn’t really their intent mostly. They were sort of trying to figure this stuff out. But it was all boot sector viruses, file infecting viruses, and people exploring the consequences of connecting computers together. So we were starting to see worms, Trojan horses. So it was interesting, and it was so easy to get at people.
So I remember sitting down to interview John McAfee in San Francisco on one of my first gigs as a reporter going out and –
[00:07:37] CM: A lively talk, I bet?
[00:07:39] RF: That was fun. Yeah, John was a hoot. We sat down, and I think it was the San Francisco Marriott. And just talked about malware, talking to Alan Solomon. Talking to all these people who became super successful in the industry. And it’s a family. So I’ve got friends now that I’ve known for 20, 30 years through the anti-malware world, and it’s that group of connections that has sort of seen me through in my career. Now it’s changed, right? So now it’s all about blood. Back in those days it was more friendship.
Now when I say it’s about blood, I mean that that’s between attackers and defenders. So we see nation states getting in there. We see organized crime getting in there. We see that big sums of money are being impacted by malware. Back in my day, it was I’m going to draw a picture on your screen. I’m going to format your hard drive. Woohoo! That was funny. And that changed. It’s interesting. It’s also interesting to note by the way that there’s a lot of what I would call coopertition in the industry still.
So of my old friends, it doesn’t matter which company they’re at. If they call me with a malware-related question, I’m still going to help them out. We still trade samples with each other if somebody needs a sample of something that’s in the news and I have it. We’ll exchange that sample. I’ll give them a leg up on my disassembly, whatever it is. And so, yeah, it’s a really nice community especially among the old-school folks who have been there for a very long time. Yeah, the community itself, the threat, completely different. It’s like the difference between joyriding and axe-murdering. It’s pretty interesting.
[00:09:21] CM: I was also just curious about how it’s changed in terms of complexity, because I always think of sort of malware and anti-malware as being this kind of arms race where maybe the earlier malware wasn’t as complicated, but there weren’t as many sort of safeguards in the way to sort of keep it at bay. Whereas now, like just the defenses get higher and higher and therefore malware just gets more and more virulent and strange as ways of sort of like bypassing things. Can you sort of talk about that change over the years?
[00:09:50] RF: So back in the day, I remember the first time I saw a polymorphic virus. And for those of you who aren’t into viruses, a polymorphic virus is just one that looks different every time it replicates. Same code, but it lays out differently. It’s packed differently. And we were all like, “Oh my goodness! The sky is falling.” Now we have server-side polymorphic Trojans that are just a nightmare that use the Internet to update themselves. So the levels of complexity, yeah, it’s night and day, because we have better tools now too. So back then we would often have to build our own tools. Now you can go online and get hold of OllyDbg or IDA Pro and you’re using the same tools the pros use.
So viruses have got infinitely more sneaky. There’s a lot more evasion. They burrow down into the operating systems. The operating systems are much more hardened than they used to be back in the old MS-DOS days, anything right to any other thing. Now you have to evade all these defenses, but you have so much more space to do it. I remember when 4K was a huge virus. And now these things are tens of megs at times. So the complexity is night and day and it’s hard to draw a border around something too.
So what do I mean by that? Back when I was looking at malware when I was first in the industry, I’ve got my piece of malware and I’m examining it. Now it’s reaching out and it’s getting updates through command and control. So these things are dynamic. They morph. They’re monetized. You rent space on a hostile computer or a computer you’ve taken over. So it’s crazy more complicated now than it was.
[00:11:28] CM: Okay. So going back to your career, obviously you started out in malware and you were excited about malware. Can you talk about some of the major career and personal milestones that brought you from these early jobs up to being the CTO of Cyren? Like what were some of the major projects or responsibilities or studies or search that you know got you from point A to point Z here?
[00:11:48] RF: Yeah. So I’ll start with the thing I used to tell my students, because we’ll touch on the fact that I was a professor for a while in the middle of all this. So I would always tell them make your plans, but hold them loosely. This is not a life story I would have written. If I was orchestrating my life, this is not the set of coincidences that you would believe, right? I grew up as a relatively poor kid in England. By the grace of good fortune and great teachers, managed to get into the University of Oxford. I scraped my way in. And I was the dumb kid in class when I joined, right? First time I saw a differential equation, I felt very proud of myself because I cancelled the D’s, right? I’m like, “Well, that’s simpler.” I wish I could tell you I was kidding as well.
So I got into security, and each job just kind of came along. And I think the trick was be curious. Be friendly. Climbing up the ladder doesn’t mean pushing people down. I’m not taller because you’re shorter, right? So I helped a lot of people along the way. And guess what? Karma is wonderful. They’ve helped me back. They’ve made introductions for me. I can pick up my phone and call one of a dozen researchers and say, “Hey, can you help me with X, Y or Z?” And the answer will be yes.
The big milestones, IBM Research was probably the most amazing place I’ve ever worked. Smartest people I ever hung out with, doing the most interesting stuff. Just crazy times. Running IBM antivirus, quality assurance. Trying to build the IBM computer immune system. It was an incredible journey. I thought going into management for a long time, right? And this is a decision everybody needs to make in their career. When do you go from being an individual contributor or a researcher to being a manager? Because normally you step up the career ladder is moving further and further away from what I call the metal and more and more into managing the people. I thought that for a long time. I’d probably be wealthier if I’d gone into management earlier, but I’m not certain I’d have been happier. I enjoy managing people, but I love to still occasionally roll up my sleeves and write some code.
So IBM was a big deal for me. Verio NTT was a huge deal, because I joined a small company that ended up ultimately getting rolled up and sold to NTT for what? Like 5 billion I think. So that was a good experience. Taught me a lot, taught me about the Internet. So the reason I went to Verio NTT, at the time it was called Highway Technologies, is I wanted to learn. I knew that the Internet was going to be a huge deal. I knew security. I knew viruses, but I didn’t know a lot about the underlying protocols that ran the Internet, BGP, TCP/IP, all that good stuff. So I’m like, “Oh, I’ll go get a job at this web hosting company. I’ll learn all about Internet security and that should prep me for later in life.” I didn’t expect it to be the really good run that it was for me.
So that was very important because it introduced me to some wonderful people. The founder of Highway Technologies, the CEO, took me with him when he left to be CTO of a venture fund. So I learned the business side of the world from him. So now I’ve got malware Internet security and business. And those things were just a great sort of primer for me to have a sort of broader remit in life. That was the point where I decided to make a career change and go into teaching.
So at the end of all that great run, peak of the NASDAQ, I remember, Scott, my CEO friend telling me, “When were you happiest? What do you want to do now?” I said, “I don’t know. I think I was happiest when I was at universities.” “Then why don’t you go make students?” So I did, and for 10 years. So another big career change, right? I gave up that corporate world and went to become a professor and then endowed chair and then department head and then found an institute, the Florida Institute of Technology, and that institute I’m very proud to say is still doing extremely well and going from strength to strength to strength under the management of one of the guys that I hired to be at the institute. So it’s still sort of spitting out students.
And from there, getting back into the game, it was a former student and also a friend who called me up one day and said, “Hey, Dr. Ford, Raytheon might be buying Websense. How would you feel about helping sort that all out and securing their technology?” I said, “Well, you’re going to have to stop calling me Dr. Ford if I’m going to work for you.” He said, “Okay, I will Dr. Ford.” And that got me back in. And I had several happy years at Forcepoint. But the point is none of those things fit together. I don’t think you can plan that far ahead. You just have to sort of go with the current.
[00:16:55] CM: Right. I think I’m glad to hear that too, because you’re I think my 133rd guest on this show or whatever and I’ve had lots of people who are in C-suite positions and I ask them this question, “What’s it like to move into a management position? Do you ever get sad that you don’t get to do the work anymore?” And most of them will say, “Well, no that’s just part of the natural progression. You got to let things go.” When I was a child, I thought as a child, blah-blah-blah. But I’m like, “Surely, some people must still want to do the work that they got into the job to do in the first place.” And so I’m glad you’re here saying this, Richard, because I think people need to hear that if you don’t want to stop doing the thing that you liked, you don’t have to. There’re other ways that you can sort of like make lateral moves or sort of keep your head in the game. It’s not this like, “Oh, you got to put your toys away now. It’s time to be a grown up and manage other people and things like that.”
[00:17:47] RF: Yeah, I think it can be hard, but it can be done. And I’ve got to give some credit to the companies. Companies are getting smarter about saying, “Hey, this guy or this girl is an awesome engineer. Why should I take them away from what they’re really, really good at?” So they make these sort of fellows tracks, right? Where you can sort of become an engineering fellow in a company, which allows you to continue on that technical track and do what you love. And so I think that companies are figuring this out and that’s very encouraging.
[00:18:16] CM: Yeah. Now I want to uh go from there to the main subject of our topic today, as I say, Cyber Work is all about cyber security careers and how they work and how do you get into them. And I’ve been looking for someone to talk to us about malware analysts for a while now and you said I don’t actively do it now, but I manage lots of malware analysts. And as you say now, you like to sort of keep your hands in the game and stuff. So I want to just hear all about it. To get right at the beginning here, what are the roles and responsibilities of a malware analyst in 2021?
[00:18:48] RF: So I think there are two flavors of malware analysts. Let’s start with that. There’re the guys and gals that work inside the cybersecurity industry, right? So they worked for a vendor. And then there are very large enterprises, VLEs, that have their own SOC that also have malware analysts in-house. And those jobs actually look somewhat different. They share some similarities, but they have some pretty big differences as well.
So let’s talk about the similarities. At the basic level, what a malware analyst does is they do a lot of reverse engineering of malware. So some attack will come in. Some machine will get compromised and they’re going to look at the implant on that machine. Understand what its indicators of compromise were. What did it do? Did it open any other back doors? What was the infection vector? And then your job diverges. So if you’re in the industry, you’re mainly focused on how do I detect this thing? How do I stop it? How do I automate detection of this?
So one of the big things in industry is that we’re dealing with millions of infected files a day, or in fact millions of different bits of malware every single day. If I had to have people look at that, I’d have an army of people. I couldn’t afford it. And your malware, anti-malware software would cost you a thousand bucks to see it, right? So how do we do it? We do it with automation. And so my malware analysts not only – There’s a continuum, right? As they get more and more senior, they progress in their career. They start off on writing signatures, writing signatures, writing signatures. As they progress, it’s I’m looking at things that are more interesting. And then it’s I’m looking at detection techniques that fit well with this family of malware that lets me detect this stuff more generically.
Now, in an enterprise, you’re not so focused. You’re not focused on writing detection signatures. What you’re focused on is working with the rest of that SOC team, the incident response team, to go, “What was the impact?” So you might get teamed up. You might get teamed up with a network analyst. You might get teamed up with the incident response team. You might get teamed up with the SOC itself to see what’s going on.
So at the end of the day, the basics are the same. I’m pulling apart malware. And that’s finicky and it’s tiring and it’s fun. But what you do with it, the output’s different. In my industry, it’s I’m all about detecting not just this bit, because detecting the piece of malware that’s in your hand is easy. Detecting all its brethren, that’s hard. So there’s the detection aspect.
In the company, it’s more the investigational aspect. So it’s what are the threats that can come against me if I’m Bank of America? What are the threats that are going to come against me if I’m Wells Fargo? What impacts me? What was the impact of this in my environment? And so the career paths also look sort of very different too.
[00:21:44] CM: Yeah. That leads nicely into my next question about especially if you’re just starting, like what combination of skills, backgrounds, experiences, certifications or other qualifiers make up a good malware analyst? Like if you’re looking for people to fill these early positions, like what do you need to see on their resume?
[00:22:03] RF: That’s a toughie, right? Because ideally I’m going to hire somebody with a computer science degree. Somebody who has low-level assembly experience and somebody who’s shown and demonstrated interest in security. At the low-level, entry level, you don’t have to have a certification of any kind necessarily. What’s more important is are you super keen? Are you inquisitive? Are you a good people person for a computer scientist, right? We have the stereotype about computer scientists.
[00:22:36] CM: Yeah. The group.
[00:22:38] RF: Yeah. So I think I’m looking for low-level skills. Not necessarily in security though. I’ll take somebody who’s really curious about how things work. I think if you want to understand how things don’t work, you have to start with understanding how they work. So when I used to have PhD students, I very often start them off by reading the RFCs, the sort of fundamental rules of the road for the Internet and they’d say, “Richard, this is really boring.” But it’s like being the karate kid, right? It’s wax on, wax off. Once you really understand how TCP/IP works, now you can use it. Now you can see how to exploit it. Now you can break it.
So it’s the same with malware analysts. So a lot of the students that I taught, I used to teach a class, Windows systems programming and an assembly language class. And I had a local company who if my students had taken those two classes and passed them, they were hired as a malware analyst. Period. That was sort of the interview, “Did you take these with Richard?” “Yes.” “Okay, you’re hired.”
Now, your SSCP or CISSP, CEH, those are good things to have especially later on in your career. But for an entry level position, they’re not as important as those sort of low-level skills.
[00:23:59] CM: I imagine if you have those certifications you get to sort of enter at a higher level. Like you’re showing sort of a level of dependability in terms of your technology that you might not have to be that sort of signature, signature, signature beginning level, or not necessarily.
[00:24:13] RF: Yeah. I mean I would normally ask somebody unless they have previous experience through the same thing. That’s a lot faster, right? Because I’m going to sort of involve them in the same things, because they have to learn my engine. They have to learn how my system works. But yeah, in a company, if you’re walking and you certainly might be – You will stand out a little bit from the crowd. Sometimes – Because one of the downsides of the way we do hiring right now is there’s a lot more computers involved in hiring. So they may just go, “Oh, I got 30 applicants. I’ll just filter them on who’s got their ISC-squared certification.” And that’s a shame, because some of the best talent doesn’t, right?
So what I look for is somebody who – What I personally look for is somebody who’s shown outside interest. Have you shown initiative? Do you know try and get up B science? Or are you an active member of local user groups or local security groups? Did you reach out to me on LinkedIn and say, “I’ll do anything. How do I get into this? Show me the way.” I’ve ended up hiring some of those people.
So assistance pays off and being curious. If you’ve just stayed between the nice narrow lines and you went to college, you got your degree and you’ve got all straight A’s. That’s nice. But if you showed some initiative, even if you wrote a paper and it was resoundingly rejected everywhere, talk about that, because it makes you different. And what makes a good malware researcher, persistence, persistence. Oh, and persistence.
[00:25:47] CM: So to move on the other side, let listeners think that malware is just fun kind of 24 type stuff where you’re cracking enigmas and problem solving. What are some of the sort of like repetitive or things that malware analysts have to do every day? Because you think of like, “Oh, I’d love to be a film director someday,” and you think, “I’m just going to be the guy clocking the board,” but you don’t think about you’re up three in the morning checking fabric swatches and checking two different types of paint and whatever. So if this sounds like a fun job, like what are the things you say, “Well, just so you know. You also have to do this.”
[00:26:21] RF: Yeah. So it’s not CSI. You’re not like this super cyber solution who’s going to get sucked into some sort of massive story that involves –
[00:26:30] CM: Rotating in the large. Yeah.
[00:26:33] RF: Yeah, exactly. But with that, so you have to be prepared to look at a lot of malware. And depending on where you go, it can feel like you’re working on a production line or you’re really interested. So you have to have some sort of plan of what you want your career to look like and you should vet your employer, right? What are my opportunities? So I’m not just looking at a huge bucket of malware every day, right?
So if you’re in a large enterprise, I think sometimes it’s more interesting to get pulled into breaches and get pulled into working with other members of the SOC team. You can textualize, there are ways you can branch out. Working in the industry, some of the entry level jobs, you are grinding through a ton of malware, right? And that could not be very exciting. You’re not really paid just to demonstrate your amazing understanding of malware. You’re paid to be able to get a sig out and move on to the next one. But this one looks really interesting. It doesn’t matter. Can you detect it? Yes. Okay. Move on.
Now in a good company, I mean we try and find other outlets for creativity and we try and find a career path for the people that want to move on and sort of go to the next level. But you should look at the company that’s hiring you or be prepared to move after a couple years, right? So yeah, the boring part of the job can be, “Hey, I’m grinding through a huge bucket of malware,” and that can be wearing. If you like puzzles and if you’re in the right environment where you can do some of those next step things, that works out very well. But if you’re not, I do hear from folks in the industry who get frustrated, “Well, all I know is this.”
[00:28:20] CM: Yeah. So this might be completely off the mark, but it makes me think of like my friends who are graphic designers and who are also sort of masters of every font face. Is it that sort of thing where you have to sort of like collect a bunch of really similar looking things? Like you have to have just like the sort of like encyclopedia of malware types in your head where it’s like, “Okay, that’s this one. That’s this one,” and then sort of speeds up your day?
[00:28:43] RF: It does speed up your day. But because there’s so much malware out there, it really is like that conveyor belt that could go faster and faster. And so we do see fatigue in malware analysts. I see it in my own company, right? It’s a fatiguing job. But I think if you enjoy it, and if you’re given – It is challenging and it is a puzzle and you do run into really interesting bits of malware. So provided you have the outlet, so you can write a blog on it, or disassemble all the way. If you’re just measured by how many of these things did you churn through? That could get pretty old, and that wouldn’t be a long-term gig generally for somebody. They would probably end up wanting to do something else after a while.
It is a great way to understand some of the attacker techniques though. And because malware now is so woven into the computer, there’s no philosophical to learn. I miss it. I wish they would let me in my virus lab and pull stuff apart.
[00:29:39] CM: Yeah. It never stops being fun for you. That’s awesome. So what advice would you have for people who are maybe interested in doing this type of malware analyst either as a job or a career or on a continuum but didn’t get into computer science early on and might feel like they’ve fallen behind? Are there ways to woodshed your way into this type of work even if you don’t have a background in this area?
[00:30:03] RF: Yeah, I’d say resoundingly yes. And I want to tell you a story, if you’ll indulge me for a minute. It’s that one of my former students, and I’m not going to name him or her. Respect that privacy. But I remember – So we’ll say him just to make it easy. So I have some of you who refer to. And we’ll give him the random name, Chris, right? Just because I can see that on my screen.
[00:30:26] CM: It makes me feel very special.
[00:30:29] RF: So I remember, Chris, I remember getting a knock on my door. This is when I was a department head. And there’s Chris standing there. And Chris says, “I’m in the blah industry. Nothing related to computing, whatsoever. I never went to college. I want to join – I want to go and pull – I want to be one of the world’s best malware analysts. That’s what I want to do.” I said, “Okay.” And this was a lifetime learner, right? So not a typical student. They’d been in the workforce for a decent chunk of time. And I looked at Chris and I’m like, “You know this is going to be hard, Chris? Here are the skills that you don’t have. We’re going to have to get you these basic skills, brush back up before we can even enter you in the –” And he said, “Dr. Ford, I’m in. I’m going to do this. I am going to do this.”
Well, Chris would show up in my office at all hours. Make use of office hours. I did admit him to the program after he picked up a couple of missing things, and he struggled, and it was hard, and he would be at my door every time I had an office hour, it’d be the same student showing up. And he went from not so good, to good, to great, to really, really great, because he sort of – He just ground his way through. He had every reason not to succeed and is now a very successful malware analyst. And I think of him or her very, very frequently. When I think about what can be done. When you just go, “No, I’m going to master this skillset. I don’t care that I don’t have the background. I don’t care that I’m going to have to brush up on some of my more basic skills to do this. I’m going to do it because that’s what I’m going to do.”
And so I would encourage anybody, if their heart is really in it, but it’s going to require focused effort, mindful focused effort. As I used to remind students, practice doesn’t make perfect. Practice makes permanent. So if you’re doing it wrong and you practice doing it wrong, you’ll always do it wrong. The goal is do it perfectly and understand every step along the way. And I’ve met many students like that who are living proof that you can walk in to this discipline knowing absolutely nothing about computing but just knowing that you really want to do it and go through and come out the other side and be very successful, but it requires one thing of you, and that’s persistence. And being persistent is extremely challenging. It’s hard to continually have that time over target. To sit and be – A lot of us now, because of the Internet, we’re not used to being stuck, right? So in other words, if you can’t solve a problem in five minutes, the problem’s impossible.
Now, if you want to learn your way into malware analysis and from a totally non-technical background, you better be ready to be stuck for days on some hurdles. But the lesson you learn by getting over that little mountain will stand you in good stead for the rest of your life. So what you can do is if your heart is set on it, don’t let anybody tell you that you can’t do it or that you’re not good enough to do it or that you’re not smart enough to do it. You just have to take a reasonable assessment of your skills and then put the time in, right? Because is it a job anybody can do? No. Sadly it’s not. There are some people who just – God didn’t make them that way, right? They’re just wired differently. They’re not wired the same as me. There’s something else that maybe they should do.
But if you know you have the interest, you know you could learn the skills, don’t let anybody look at you and go, “You’re too old. You’re not qualified. You didn’t get the right college diploma.” Just recognize it’s going to take you time and energy. And I have my set of poster children who went, “No, Dr. Ford, I can do this,” and did.
[00:34:31] CM: That is an awesome way to end. I’m going to wrap it up here. But before we go, thank you very much for your time, first of all, Richard. So as we close up, tell me about your work with Cyren. What services do you provide your clients? What large projects or products do you do that you’re excited about right now and in the years to come?
[00:34:51] RF: Yeah. So what I love about Cyren is we do good things, right? So we’re the good guys. We’re the cavalry. We do a lot of work around cleaning up the messaging infrastructure of the world. So a lot of stuff around email security, malware detection in emails, malicious errors that get sent in emails. We have two sides of the business. One is called CIS, or Cyren Inbox Security. What that is, it’s an enterprise product that can attach to Office 365 and go into somebody’s mailbox and help you remediate messages that have already been delivered but now you know are phishing. So it clusters them. It helps you yank out ten thousand messages in one button click, right? So it’s all about giving the administrator more time to do their job, because people don’t just want to mess with that all day. And then there’s the OEM side of the business where we build threat detection tools maybe in their file space or web or email that get OEM’d into some of the largest names in the cyber security world, right? So it’s a pretty good chance that you’re using one of our products so that you’re being protected by one of our engines and you don’t know it. So that’s the company.
What I love is that we have offices in Berlin, Iceland and Tel Aviv. And it’s a great melting pot of different people who see the world differently. And I actually love the people. I really enjoy the people I work with. I’ve traveled to Israel a little bit before I joined Cyren. I’ve had the opportunity to travel a lot since I’ve been here, obviously not in the last year. And it’s just been a blast learning about the different cultures and how we can work together and use those cultural differences to put out even better products. So that’s been a blast. And knowing that our products make people’s lives better, that’s what we do. We protect people. That’s a big deal.
[00:36:41] CM: So one last question. For all the marbles, if our listeners want to learn more about Richard Ford or Cyren, where can they go online?
[00:36:47] RF: Well, for Richard Ford, it’s easy, because you noted when we started I’ve been in the Internet forever. My website is malware.org.
[00:36:56] CM: Wow!
[00:36:58] RF: Yeah, exactly. I’ve had that a long time.
[00:36:59] CM: Yeah, that’s the early bird right there.
[00:37:01] RF: Oh yeah. I’m easy to find on Twitter, Ford On Security. I post mainly actually articles and things there, and also LinkedIn. I quite frequently post some thoughts on the state of the world. So any of those places are great places to connect up with me. I love hearing from people. So reach out.
[00:37:22] CM: I hope our listeners take you up on that. Richard, thank you for your time and insights today. This is a lot of fun.
[00:37:27] RF: Thanks, Chris.
[00:37:28] CM: And thank you all for listening and watching. New episodes of the Cyber Work podcast are available every Monday at 1 p.m. central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. Don’t forget to check out our hands-on training series, Cyber Work Applied. Tune in as expert infosec instructors teach you a new cyber security skill and show you how that skill applies to real-world scenarios. Go to infosecinstitute.com/learn to stay up to date on all things Cyber Work.
Thank you once again to Dr. Richard Ford, and thank you all again for watching and listening. We’ll speak to you next week.