Have you ever met a man with two full-time jobs? If not, you’ve obviously never encountered Eric Cole: security consultant; SANS curriculum lead; father; virtual CSO; and new Infosecurity Europe Hall of Fame inductee.
Interview by Drew Amorosi, written by Phil Muncaster
The week that Infosecurity meets Cole at Infosecurity Europe in London, he’s already flown from his home in northern Virginia to Washington DC, and then to Texas to teach several classrooms full of expectant students. He’ll return from the British capital via Austin and Portland, again spending most of his time at the blackboard. Cole recounts his travel plans whilst wearing a bow tie in homage to Gallifrey’s favourite son, and it’s hard to imagine where he finds the time.
“One of the things my dad always taught me growing up; if you find something you love to do, you never have to work a day in your life, and I don’t consider this working – I love this,” he says. “Everyone’s like, ‘that’s insane!’, and I’m like, ‘it’s fun!’, because I just enjoy it, I love it. So to me, getting paid is always nice, but I’ve always done network security because I love it.”
It’s hard to disagree with Cole, a 20+ year industry veteran who’s already held roles at the CIA, Lockheed Martin, McAfee, CA, the Commission on Cyber Security for the 44th President, and, perhaps most importantly, as a father. Today he splits that elusive time between SANS, where he’s curriculum lead for cyber-defense, and Secure Anchor Consulting – a job so demanding that a quiet Tuesday afternoon can quite easily turn into a trans-continental flight to investigate a client data breach.
Fighting Fires
So what exactly does that job involve? Well, unfortunately, recalls Cole, 80% of the time it’s still about customers firefighting rather than addressing their security issues proactively.
“Two business areas that I’ve ended up doing a lot more in are incident response, and the virtual CSO. Incident response leads to the consult and then the network architecture redesign. The other area, a big business area of ours, is ‘virtual CSO’.” When companies suffer a breach, Cole explains, they become frustrated that their CSO did not go in and set the proper metrics.
“So they fire their CSO, but they don’t know what they want. So they bring us in for six or eight months as a virtual CSO to get them structured, set up with metrics, then help them hire the right person that can do the long term.” As such, Cole says there is no such thing as an average day.
So what about the other side of his career, the academia?
It’s actually something Cole got into accidentally when he attended a SANS conference. The scheduled speaker, Char Sample, couldn’t make it and organizer Stephen Northcutt literally dragged him out of the crowd to fill in. That ‘unofficial interview’ led to a 14-year love affair which took up more and more of Cole’s life, willingly mind you, to the point we’re at today where he sits as curriculum leader at a body which has become an institution in the information security world.
How did it ever get to this point?
Back to Basics
Cole always liked breaking things as a child. So far so normal, you might say. The difference with this child, though, was that he put stuff back together better.
“I was always fascinated with how and why things work, how they function, and more importantly, I did that so that when something breaks, you can learn how to fix it,” he says.
“I always loved technology, and I’ve always loved how things work,” Cole says. “I remember I begged my parents when I was in junior high school to get a state-of-the-art Commodore 64 computer, so I could go in and learn the basic programming language. And back then, when you bought that Commodore 64, it literally had nothing on it.”
Despite this love of computers and engineering, Cole nearly went into a career as an architect, but was persuaded at the last minute by a friend to take New York Institute of Technology’s course in computer science. At the dawn of the home PC era in 1984, this was a leap of faith to say the least. In the end it was a small moment which, like his last minute emergency teaching slot at SANS, ended up having a decisive influence on his future.
After interning at Grumman Aerospace, where his job was to find vulnerabilities in radar comms systems, Cole was picked up by the CIA, where he ended up pen testing operating systems as an intern. After that, it was a brief stint at CA’s new Islandia facility in his home state of Long Island until the government called again. For a few years he did some “cool stuff” securing communications facilities – although sadly that’s where we have to leave that part of the discussion, for obvious reasons. Stints at Telegen, Visa IT, AIR, Lockheed Martin and McAfee followed.
Cole’s quick to dismiss any claims he’s a bit flighty, though.
“With Lockheed Martin, I was the go-to trouble-shooter. So if there was any issue or problem with security, or if we got locked up on a contract for not having property security, I was the go-to person.”
Cole enjoyed being what he termed "the fire-fighter fly-away team" working across all the different divisions, and trouble-shooting some of the issues with the aircraft electronics, he recalls.
“But then McAfee recruited me, where they wanted me to come in as a CTO, and do something similar to TSGI – help them capture the intellectual property, increase the overall net worth, increase the value add.” Cole worked for McAfee for about two years, “and then, of course, they got acquired by Intel, and I decided that I wanted to go back to the start-up.” At this point in Cole's story, he returned to Secure Anchor Computing, where he has been ever since.
Over that time, Cole learned an important skill: if you can’t communicate, forget rising to the top of the information security tree. As a young pup at CA, he realized pretty soon that being the smartest kid in class does not make you the most effective.
“I showed them all the issues, problems, this and that, and literally, after thirty minutes, he stopped me. He said, ‘Leave,’ and I said, ‘Why?’. He goes, ‘I’m going to call your boss, to have somebody come in here who can speak English.’ And I quickly realized at that point that I failed. So I learned analogies are a great way for people to learn.”
Home time
So when all’s said and done, does Cole have time for any regrets?
“I’m not home enough. I do look back at how quickly the kids are growing up, and while I do have a great relationship with them, you always wish you could spend more time with them,” he says.
“You always wish you could be home more. So that’s the one regret. With everything I’ve accomplished, I wish I could do a slightly better job, but I’m hoping over the next five years to readjust and do a better job of balancing the family work/time better.”
Cole jokes that the very technologies that have helped facilitate his career by virtue of their flaws have also allowed him to communicate with his beloved kids: “FaceTime is not near as good as real time, but it’s much better than no time,” Cole says. By the way, he’s only wearing the ‘Dr Who’ tie because they asked him to. Enough said.
So what for the future? Maybe off-ramp one of those two full-time jobs?
“I love teaching, and I would love, as a dream job, to be a professor in MIT. I’ve always loved MIT, the geek in me has always liked that,” he admits. “That would be my retirement, because I joke I will not retire, and my wife jokes that, if I ever retired, I would drive her crazy, because I just can’t sit still.”
In reality we all know that’s not going to happen any time soon. Watch out world: Eric Cole has a start-up in him.
“I’ve had ideas for products for a while, and I feel that I owe it to myself to try one more start-up, where I’m one of the founders from the beginning,” he says.
“Now, where that fits in, I’m not sure yet. I haven’t figured out that part of the equation, but before I’m really ready to slow things down, there’s just so much opportunity out there.”
Cole says he likes coming to Infosecurity Europe each year to check out the vendors, who’s hot and who’s not, and what key themes and technologies they’re talking about. This year apparently it’s all about log analysis. As he leaves London to board yet another transatlantic flight, Infosecurity is left pondering one thing: why doesn’t he just jump into his TARDIS? There’s surely no other way one man can cram so much into his days.