xix
Acknowledgments
The acknowledgements section of a book can sometimes read like a celebrity speech at an award ceremony.
They thank everyone that has ever contributed to their career development, all the way from their parents
to their pets. Another factor is that acknowledgements are rarely read by anyone other than the author and
the people being acknowledged, oftentimes because the author has told them about the mention. What
I’ll try and do here is something a little different, since I have too many people to thanks and the things I’d
like to thank them for may be directly unrelated to the topic of cybersecurity but have contributed to my
own perspectives. I grew up in Northern Ireland during the 1970s, which as anyone with an ounce of world
history knowledge will know, was a particularly troubled time for the province. As a young lad trying to find
my way in life, I quickly had to learn which parts of Belfast city were off limits to the likes of me, based on
the intangibles of religion, the school I went to and the color of scarf I wore. I also learned to read situations
well and quickly assess the clientele in pubs so that I could predict any trouble before it escalated, which it
often did. So, from the moment I ventured out on my own as a naïve schoolboy, I was programmed to assess
physical risks that had the potential to lead to harm or even death in pretty much every situation I found
myself in. You might ask yourself what this has to do with information security. That’s easy, I was technically
minded and certainly spent a lot of time building electronics projects, and programming computers (I had a
ZX Spectrum), so coupling that mindset with an innate capability to assess risks, falling into a security career
was almost destined. When I finally left Northern Ireland in 1989, I moved to a job in England, working
for the UK Meteorological Office, where I became a C and Fortran programmer. However, my love was in
systems and administration, as well as network architecture, so I ditched the programming life for a sys
admin job, which is where things turned around. System administration was awesome back then—we were
the guys with all the power. When we finally replaced all of our old DEC equipment with Windows NT 4.0, I
finally realized that security was the job for me. I moved from Meteorological Office to a Ministry of Defence
contractor and from there started working directly on highly-classified military systems. I was in my element
as a security administrator, but always seemed to end up inheriting a team of wannabe security guys that I
had to mentor. This was always fun, but came with some frustrations that what I considered obvious from
a risk perception point of view seemed hard for these guys to grasp. I had no problem in teaching concepts
and methodologies to these guys, but what I noticed was that it took a significant amount of time for people
to just get it. What I had forgotten was that my time was served watching my back on the streets of Belfast,
which had programmed me in a way that was alien these mainlanders, who didn’t have to think twice about
answering a question such as, “What school did you go to?” In Belfast, the wrong answer to that question
could result in your kneecaps being smashed with a tire iron. So security, for me, became a calling and
no matter what kind of role or project I took on, I always covered the security viewpoint. Security became
my career and when it was possible to be classified as a security professional, I was there in line for the
badge, and I’ve never looked back. To me it’s been a calling in life that I have no found, coupled with my
other calling, writing, so the opportunity to fuse these two passions together into this book was an exciting
prospect. Security is all about risk assessment, management, and ensuring you’ve done enough but no too
much, since too much security will stop you from doing the things you want to do.
But let’s get back to the point of my life story. I could personally reach out and thank dozens upon
dozens of people who have been with me on my personal journey, but there are a few who need special
mention, those who taught me about risk assessment, contingency planning and writing and self-critique,
to whom I am eternally grateful. My grandfather Davy taught me to question and consider people’s motives