By Rose Ross, @Rose_at_O
Well infosec PR peeps, Christmas certainly has come early this year. If you need a code to crack or a lock to pick, who ya gonna call? Steve Mansfield-Devine of course….
Q. Tell us a bit about yourself:
I’ve been a journalist for 30 years, freelance for most of that time. I’ve covered all kinds of subjects, from gaming in Nevada to life in the US Marines. I’m a private pilot and so have written for flying magazines. And I do some work in the defence sector. But overwhelmingly my beat has been technology. I started to specialise in infosecurity a few years ago and became editor of Network Security and Computer Fraud & Security about 18 months ago. This year I became a Certified Ethical Hacker (CEH).
Q. Tell us a little bit about the titles you write for and their interest in data security.
Network Security and Computer Fraud & Security are monthly, subscription-only journals aimed at infosec professionals and institutions. They focus mostly on technical issues, although we do cover infosecurity strategies and policies. We assume a high level of knowledge on the part of our readers and run in-depth features, typically starting at 2,000 words and often running as long as 6,000.
Q. What’s hot in IT security this year?
People can’t seem to stop talking about consumerisation, which is clearly an issue. And the cloud is making a lot of people very obsessive – to an exaggerated degree, I think. There’s been a lot of talk about ‘hacktivism’ too, of course, but I think that’s also over-hyped. The likes of Anonymous and LulzSec are media-friendly – especially to those parts of the media that don’t understand infosecurity. But from both a technical standpoint and a business impact perspective, it’s fairly trivial stuff. That may change if the volume of hacktivism increases. There’s an associated issue, which isn’t hacktivism per se, but which I think is far more significant, and that’s how people are using communication networks in support of genuine activism, as in the case of the Arab Spring. And there’s the dark side of that, too, with the attempt by various authorities to kill these networks as an act of oppression. That’s going to be a very interesting area to watch.
Q. How many security events do you attend each year?
I try to get to three or four. Being based in rural France makes it a little difficult sometimes. But InfoSecurity is a must, and RSA is high on my priority list.
Q. Which one are you most looking forward to?
SecurityBsides London. Last year was the first time it was held in London and I found it invaluable. I got to meet a lot of people who actually do security – rather than selling it or talking about it. I got to talk to a number of pen-testers and security professionals who were able to give a very different picture to the glossy products that tend to dominate trade shows.
Q. What types of stories or companies are likely to attract your attention this year?
The mobile market is getting very interesting. When it comes to malware and other exploits, Android is starting to look like the Windows 98 of the 21st Century. With smartphones outselling PCs and the rise of tablets, mobile networking is where the action is going to be from a security perspective. That, of course, is why so many people are focused on consumerisation. But that’s just about Bring Your Own Device issues: mobile is a hot topic that extends well beyond the problems of securing smartphones within the corporate perimeter.
Q. What’s the best way to pitch a story to you? Email? Phone? Twitter? By mail?
Definitely email – smd[at]contrarisk[dot]com. You may be lucky and get my attention via Twitter (@contrarisk), but I can’t guarantee it. Never by phone.
Q. Who is worth listening to (about IT security)?
Pen-testers. They know where the bodies are buried. Strangely, that saying is usually metaphorical…
Q. What is your favourite piece of technology?
My iPhone. Sometimes I even use it as a phone.
Q. What do you think is the most important development in IT security to date?
That’s a very broad question. What strikes me as the most significant issue in security is what hasn’t happened – and that’s to do with our inability to get to grips with the Layer 8 problem. For all our fancy new technology – next-generation firewalls, IPSs, Security as a Service – we still continually fall prey to our inability to adopt secure habits. That affects everyone – from software writers who don’t build security into the development lifecycle, and still produce code vulnerable to buffer overflows or SQL injection, to individuals who re-use weak passwords and fall victim to even the most blatant social engineering tricks. Computers and the Internet are now such an intrinsic part of the fabric of our lives that it’s time we put some real effort into raising awareness.
Q. What is the best piece of advice for companies pitching stories?
Make them technical. I want details, facts, figures, examples and practical information — not opinion. We get offered way too many high-level opinion pieces.
Q. What was the best press trip you’ve ever been on? Worst? Why?
Oh well, that goes way back (as I do). It would have to be the NATO press trip to watch an amphibious assault exercise in the Med. Doing a catapult launch from the USS Eisenhower was definitely a high spot.
Q. Are you a social media lover? Which ones are you on? FB? LinkedIn? Twitter?
I use Twitter, though I can’t say I love it. I’m on LinkedIn, which is genuinely useful. I also use Facebook and definitely hate that.
Q. Tell us something no one knows about you. Do you have any unusual or unexpected hobbies/interests? Do you have a claim to fame?
My phone number was printed in the first edition of the Hacker’s Handbook, back in 1985. That led to some very interesting late-night calls. And my latest hobby, with which I’m currently obsessed, is lock picking…