Interview: James Lyne

James Lyne: Hacker. Uber geek. Insomniac. Cyclist. Gamer. SANS instructor. Public speaker…and, as Eleanor Dallaway discovers, that's just for starters

Despite both living in Oxfordshire, I meet James Lyne in San Francisco and spend more than two hours being thoroughly entertained by one of the most self-deprecating, intelligent and hyper human beings that I’ve had the pleasure of interviewing.

James is the most confident, bubbly ‘introvert’ (his description, not mine) that I have ever met. When he tells me that when he first started out in this industry he found any type of communication, let alone media or public speaking, excruciatingly difficult, it’s almost inconceivable. Here’s a guy who has built an impressive career on the exact notion of communication: translating technical security flaws in a comprehensible way.

Whilst you and I would call it ‘an impressive career,’ James refers to it as his “passion and hobby.” I can’t emphasize enough how much James loves what he does – it literally radiates out of everything he says and does. “My work is my hobby, I would do this stuff even if I didn’t get paid, but don’t tell anyone,” he laughs, later admitting, “I do get tired sometimes. The saving grace is that I love it – I couldn’t keep my schedule up if I didn’t. There is so much cool stuff going on and I don’t want to miss a second of it.”

I wonder if that FOMO (fear of missing out) plays into James’ self-confessed insomnia. Given that he gets four hours of sleep on a good night, he has many extra hours in his day to cram in additional reading, “playing with new tools” and gaming. “I love sitting there at two in the morning unpicking interesting malware samples, playing with cool exploits and reading new papers”, he says.

I love sitting there at two in the morning unpicking interesting malware samples and playing with cool exploits

A Hard Day’s Night

It’s not just his nights that are busy. James breaks down his days and work into three areas: research, dealing with the press and outreach.

Of the research part of his role, James says: “Trying to keep up with infosec and tech is like having a hose-pipe connected to your face.” An analogy that doesn’t do his love of it justice. “There’s just so many smart people doing so much amazing work and whenever a new paper or tools comes out, I always want to sit down and spend a few hours reconstructing it until I have that ‘a-ha’ moment”. Sometimes, he admits, he’ll spend a week of his life playing with one tool.

Then there’s “dealing with the press,” which as I know only too well, “happens when it happens and it’s not always at convenient times.” James explains that his main objective in this part of his role is to “be the voice of reason.” The public speaking part of his work requires a thick-skin, adds James. “As many people who think you are great, the same amount of people will call you a pillock. Maybe sometimes that’s deserved; I’ve done plenty of things where I deserve to be called a pillock.”

Finally, and an increasing focus for James, is the outreach piece and “trying to translate this industry into accessible, sometimes entertaining but at least watchable, presentations and talks that help people outside of our industry.”

Balancing the three is definitely tiring, admits James, who has not been home for more than a day and a half in over two months. “I’m in the business of failing to keep up with all three but trying really hard, because I think it’s important that you break those boundaries down.”

So this is what James does now. What I’m really interested in, however, is how James’ background and childhood have shaped who he is today.

As a child, James moved around a lot. His father designed cities so the Lyne family spent time living in Hong Kong, Australia and other countries, but their base was always in Oxfordshire. “I started travelling and I never really stopped,” he reflects, “a constant theme of being a road warrior.”

The young James Lyne was “a problem child. I’m quite a problem adult actually”, he laughs. He describes his young self as “hyperactive, disrespectful, a total nightmare.” The only part of this description that rings true to me is the hyperactive bit. I’ll give him that. The rest seems implausible.

“It’s true,” he says seriously, “I really struggled with people. I remember being told I’d never amount to anything in a parent teacher review meeting.” How wrong they were.

At the age of about nine or 10, the Lyne family got a computer, which, although he didn’t know it at the time, would shape the course of his life. “Something just flipped inside me”, he explains. Within an hour, James had broken – and then fixed – it. 

The Black Hat Crossroads

Lyne spent a lot of time as a teenager hanging out in hacking forums and taught himself a lot. His definition of ethics back then, was, in his own words, “fuzzy. I don’t think many 14-year-olds have excellent judgment about the world or make the right decisions. I certainly didn’t epitomize those traits.”

Having developed the kind of hacking skills that could have been used for good or bad, James recalls a series of interventions. “I had interventions of sorts that made me realize that these skills could actually be valuable and that I could hack stuff and help people at the same time.” This was a novel concept to James who admits he was “very close to potentially being on that boundary of going the wrong way and ending up on the path of no return.”

There is one man in particular whom we can thank for convincing James to play for ‘our team’. “In one of my first jobs, Mike Hobbs was a bit of a tech and business father figure to me. He put up with a lot of my BS and childish antics early on in life and put me on the straight and narrow. Sophos played a large part in that too, but it was Mike who was the seminal person catching me at the right time.”

There’s a wonderful serendipity around his chance encounter into the industry, but at the same time James finds it concerning that he just “got lucky by running into the right people at the right time. I lucked out on a path that got me into this industry when I demonstrably had the skills.

“I don’t want other people in the same situation to have to luck out. There’s a really undefined fuzzy path of how you become a security practitioner.” This, says James, is a real problem.

“It’s important that companies reconsider what good talent looks like. If employers continue to demand five years of experience or computer science degrees, they will miss out on amazing talent,” he says. “That could have been my story”, says James, who skipped university all together. “Granted, I’ve worked damned hard in my career to build myself to where I am today, but I can’t say that I got into this industry because I worked harder than others. I was lucky.”

“Being on Bill Maher with Snoop Dogg was pretty strange. It was a seven or eight minute interview talking about the state of security and after, the producer said they were surprised they’d found a geek that could talk.”
“Being on Bill Maher with Snoop Dogg was pretty strange. It was a seven or eight minute interview talking about the state of security and after, the producer said they were surprised they’d found a geek that could talk.”

What do Paxman, Snoop Dogg & Cameron Diaz Have in Common?

Had fate seen him down a different path, he may not have had the opportunity to meet the host of famous people he has. “Jeremy Paxman was actually really cool, a media legend”, he says casually when talking about his appearances on Newsnight and subsequent pints at the pub with Paxman.

“Being on Bill Maher with Snoop Dogg was pretty strange. It was a seven or eight minute interview talking about the state of security and after, the producer said they were surprised they’d found a geek that could talk.” I’m still laughing at the thought of James perched next to Snoop Dogg when he drops his next bombshell: “I met Cameron Diaz at the TED conference. I was standing next to her for a few hours, speaking about security, watching Bono. That was kind of weird.” Kind of weird, James? I am speechless.

I ask him who he’d like to meet if he could meet any living person, and without hesitation, he cheats. “I’d build a time machine to meet Alan Turing, Aristotle or Newton.” Trust a hacker to find a way around a challenge.

“Of course, according to Twitter, I need to go and meet Peter Capaldi because everyone’s proposing I should replace him. That was a good compliment – that I’m the bastard step-child of Michael McIntyre and Doctor Who”, James laughs. The time machine answer makes more sense now.

It seems the perfect time to ask him about his appearance on Late Night with John Oliver, where they use a clip of James talking about encryption. A huge fan of the show, I’m totally star-struck by this. “You know when John Oliver wants to use your clip, you’re in for a ridiculing. Let’s be honest, with hair like this, as ginger as I am and the things that I tend to do on stage, I deserve a good ribbing.”

A Nerdy Introverted Upstart

James joined the support team at Sophos nearly 12 years ago. “Before Sophos, I was very introverted, I had the technical skills but I actually had to learn to talk to people and communicate.” For that reason, James considers it one of the most valuable experiences of his career.

“I joined Sophos very young, and they provided me with a huge number of different opportunities and put their faith in me to develop my career both technically and as a business professional. They coached me through many screw-ups and my many lapses of judgments through the years. I was very fortunate to land in a company that had a set of managers that would put up with a nerdy introverted upstart and helped me grow into what I’ve become today.”

The loyalty that Sophos has shown James has, of course, been reciprocated. It’s no exaggeration to say that James could probably land a job in any infosec company he wanted. So why Sophos? “I’ve been extremely fortunate that they value me unrelentingly questioning ‘how and why’. It’s special because they always try and do the right thing. Yes, we’re a company that wants to make money, but we care about quality and we want to do this right.”

James is also a certified instructor at the SANS Institute and has been working with them to get children interested in cybersecurity while simultaneously changing the hiring mind-set of government and employers.

As part of this objective, they have created a hacking game for 11-18-year-olds. “It has been a monumental undertaking with a really bizarre ‘A team’ of people working on it,” he says. “We brought together a mix of security people and wildcards who are in no way related to our industry, and the result has been unbelievable.

“It’s about 300 hours of hacking challenges, hundreds of thousands of lines of code, it has been a monumental undertaking,” James explains. “We took security problems, things that we do as security professionals, and took the skill, the tool and boiled it down to the thought process behind it. We want them to get the fun of the industry, the thrill, and we want their brains to go in a way that can have an adverse impact on the system. If we embed that context earlier, we build better security people, developers and more rounded technologists.”

The first program was run with 5000 children in the Middle East. “The government there are really progressive on wanting to do something about the cyber-skills gap so we started there. We’ve been doing a lot in the UK as well, and now we’re trying for bigger deployment.”

The hacking game asks players to register to play as an agent at the Cyber Protection Agency, the fictitious online virtual agency created. The game gives players an emulation – James’ character, Agent J, has a monocle. Of course.

“There are multiple levels, and players start at headquarters on the basic levels ‘in training’. There’s a field manual where we teach them various training models. Players get badges for finishing them, then they go into the challenges. Some of the scenarios can get quite bizarre – kids love it”, he gushes.

“By the time kids get to level six, they’re actually using a real Linux terminal to run various parts, they’re doing real stuff that security practitioners would do.” He calls it one of the coolest projects he has ever worked on. Perhaps he sees himself in so many of the children that are finding their sparkle in front of a computer.

His advice to anyone starting out in the industry is to be passionate about one part of security and be hands on. “Just learn – there’s so many amazing conferences you can go to, so many cool presentations, so many things to watch. Throw yourself into it, absorb it, master the skills and in parallel just keep applying for those roles, keep talking about your practical experience and show your passion.”

According to Twitter, I need to go and meet Peter Capaldi because everyone’s proposing I should replace him. That was a good compliment – that I’m the bastard step-child of Michael McIntyre and Doctor Who

Study More, Suck Less

Don’t be mistaken in thinking that James’ sparkle is limited just to tech. His list of passions include skiing, running, cycling, pulling bikes apart, reading and travel. He recently did a cycle tour of Sardinia, cycling 936 kilometers in six days. “I love exploring and seeing interesting places, but after a patch of doing that, I’m ready for my computer, to look at some malware and see what’s going on.”

When we talk about the future, James says he wants to “study more and suck less”, considering himself a perennial student whose thirst for knowledge is insatiable. He’s keen to throw himself more into the development aspect of bringing up the next generation to the industry and enjoys his work at SANS greatly. “At some point I’ll probably have to re-write the IT GCSE too”, he says grinning.

One thing he’s sure of is that he is on the right ‘side’ of the industry, “having the opportunity to research, reverse engineer and have an impact on the industry both in technical research and as a communicator.”

When I ask if he can see himself as an end-user, he’s adamant that he can’t. “It’s not me, I love my keyboard time doing stuff and endlessly breaking things. I think my temptation to get my hands dirty constantly might be challenging with the busy and generally overloaded CISO role.”

In a parallel universe, James can see himself as (predictably) a video games programer, or (less predictably) a librarian “at a really awesome library and on the condition that I get enough time to borrow the books myself.” I’m sure you won’t be surprised to learn that his favorite genre is non-fiction, he’s currently enjoying tomes on quantum physics and mathematics.

Alternatively, he says, he’d like to be a hipster bike builder and “grow a cool hipster beard.” Almost as random as his recent obsession with growing a bonsai collection or interest in hydroponics to grow tomatoes and peppers six-times their normal size.

No wonder he doesn’t sleep much – he doesn’t have the time.

Generally, as long as James is being “a massive geek”, he’s a happy man. “If I could just geek out all the time arbitrarily, that would be superb”, he grins, but he’s totally serious.

I want to end by sharing something that James says to me during the interview when explaining why computers are so amazing: “There’s this orchestra of tiny mathematical operations of great simplicity that occur at such speed that they go up to that screen with the keyboard function, and the network and wireless, and the clock moving with beautiful graphics and amazing features, but all of it boils down to such simplistic transformation, and such a believable and comprehensive velocity. That is not only technologically remarkable but it’s beautiful, I mean it’s incredible.” This strikes me as so very poignant, not just because it’s an incredible way of articulating something so scientific, but because I imagine James’ brain works in a similarly extraordinary way. James Lyne, you are truly one of a kind.

What’s Hot on Infosecurity Magazine?