Posted by David Harley on April 28, 2015.
I was a late starter in Information Technology, but I’ve nevertheless been in that field for nearly 30 years, which tells you that unfortunately, I’m not in the first flush of youth. In fact, if I wasn’t such a sad workaholic, I’d be retired now.
My academic background is in both social sciences and computer science, which I guess is why I’m at least as interested in the psychology of both criminals and victims as I am in the bits and bytes of malware and anti-malware or the more esoteric aspects of cryptology. My vocational qualifications have ranged from security audit to CISSP (Certified Information Systems Security Professional), though I’ve recently dropped my subscriptions to (ISC)2 and the BCS Institute, where I was a Fellow (FBCS). I’m still in sympathy with the general aims of those organizations, but as I don’t intend to look for other jobs in information security and I don’t see the point in paying just to have extra letters after my name.
For some years my main ‘profession’ was music, supplemented by various casual jobs such as bar-work, then more permanent work in various corners of the building trade. I actually have qualifications in architectural ironmongery and wood-machining, though I wouldn’t want or expect to find work in either of those areas now.
In the late 1980s I started working in medical informatics at the Royal Free Hospital in London, though my role was in administration, support, and systems development rather than in data manipulation and interpretation. In 1989 I moved to what was then called the Imperial Cancer Research Fund (now merged into Cancer Research UK): after two years working in the Human Genome Project, I moved to the Fund’s IT unit, and over the next few years worked in software/hardware/network support and systems administration, but soon became highly focused on security in general and virus/malware management in particular.
By the late 1990s I was talking about security at international conferences and writing papers and articles (for specialist organs such as Virus Bulletin as well as more generalist publications), and even some Internet FAQs, and was actively researching malware in general, but in particular Mac security, anti-malware product testing (I was for a while a director of the Anti-Malware Testing Standards Organization), email abuse management, and various forms of computer-related fraud. I also played a major part in the development of AVIEN, an organization that represented the interests of the security industry’s major customers as well as that of the vendors within the industry.
In 2001 I was absorbed into the UK’s National Health Service, where I ran something called the Threat Assessment Centre (but was still specializing in malware and mail management), and co-wrote several security books in fairly quick succession. Really, I suppose I was re-absorbed: it was actually my third spell in the NHS, though my roles on each occasion were very different: from nursing, to administration/data entry/coding, to security management.
In 2006 I left the NHS to work as an independent author and consultant: in those roles I have since worked closely with the security company ESET, where I currently hold the position of Senior Research Fellow, and hope to do so for a while yet, though the views I express here are my own, not ESET’s.
It’s been a very long time since I was directly engaged in coding or malware disassembly or the other preoccupations of the true anti-malware geek. I eventually realized that while there are many people who are far better at that stuff than I am, I have a certain talent for what I like to call Geek-to-English translation. This means that I get to work with people who are far smarter than I am and gain some reflected glory by explaining their research in terms and language that the public and the media find easier to understand. So while I still do a lot of writing and high-level research on my own account – much of it is linked from here – I also do a great deal of editing and proofreading. Much of my non-technical writing can be found here (songs and music) and here (verse).
My wife and I live in the UK: we’re currently living in the West Midlands.
I haven’t written a security book since 2008, though there’ve been a couple of projects with mainstream publishers that I eventually decided against continuing with. If I do write another security book, I’ll probably self-publish, and I’m more likely to do more writing in other fields. Still, here’s a not-quite-complete list of my security books, as listed in Wikipedia.
There’s a far more comprehensive list of the other security stuff I’ve written – including nearly all my conference papers and some of my articles – on my Geek Peninsula blog.
Small Blue-Green World