Interview: Rik Ferguson

Ferguson dreams of living in the Dordogne and making and selling pots: An unlikely answer from the ‘infosec rock star’
Ferguson dreams of living in the Dordogne and making and selling pots: An unlikely answer from the ‘infosec rock star’

Rik Ferguson, VP of security research at Trend Micro, is full of surprises. Let’s take the pottery for example. A dream of living in the Dordogne region of France, “making and selling pots out of my front garden”, is not the answer I’d expected from Ferguson, a man famed in the information security industry as a brilliant speaker, an innovative researcher, and for having long rock star hair. “I don’t know how to make pots”, he grins, “but I’d like to.”

Making pots is far from his childhood ambition to be an astronaut. Or his teenage dream of being an actor, which he abandoned at university on the realization that “everyone in drama was self-obsessed, self-absorbed, self-important.”

Ferguson describes his education and career as a “series of mostly fortunate accidents”. It’s for this reason that he doesn’t like making long-term professional plans, as he worries that will restrict his freedom, and he strikes me as a man that likes to capitalize on chance encounters.

For example, after university Ferguson was teaching English as a foreign language at a summer school. “My last duty was to escort the kids back to Paris on the bus. I packed up my suitcase and my life savings of £60, and stayed with the parents of one of the kids for three weeks until I got a job [in a bookshop] and a flat. I could practice my French living in Paris; I had a great time. I was earning not very much in the bookshop, and earning a little bit more from the band I was playing in, and getting free beer whenever we did gigs.”

His decision to study French at the University of Wales rather than computing was really down to two things. First, “I wasn’t the kid who applied myself rigorously at school and often took the path of least resistance.” With a natural ability for languages, and a desire to do a degree “not to go to work, drink lots of beer and sing in a band”, a BA in French was the path of least resistance.

Second, to do a computer science degree at that time, “you had to have already been following a science-related curriculum and have a maths qualification at the very least. I really didn’t get on with maths – it didn’t have any magic for me.” As a compromise, Ferguson studied computing as an extra subject during his first year, feeding the passion for computers that he’d had since he got his first one at the age of 11.

“It was a ZY Spectrum 48K”, Ferguson remembers – his interest in computers sparked by “computing being made available to the average home user”. Computers, he recalls, “were ‘the future that was available now’, and it felt like being part of science fiction, which was massively popular with every kid.”

Armed with Your Computer magazine, and spending his evenings “pressing away on the rubbery keys coding”, Ferguson began to hone the skills that he would later apply throughout his career.

Après Paris

Ferguson began his “first career job” on his return to the UK from Paris. Working in front-line technical support for Techtronics, he spent six years there before moving to McAfee, then a division of Network Associates, for his first role in “pure-play security”. After Network Associates went through its divestiture of brands, Ferguson found himself employed directly by McAfee, as the interface between support and development, “really fixing product defects rather than end-user configuration errors.”

It was during his tenure at McAfee that Ferguson developed an interest in cybercrime. “I wanted to know more about not only cleaning it up, but fixing it and blocking it in the first place”, he explains.

After five years with McAfee, Ferguson took a position at EDS doing “infrastructure design”, but soon missed working for a vendor. Trend Micro won him over with its reputation for innovation and “by leading industry change, turning static distribution of blacklists into real-time, reputation-based queries.

“At Trend, acquisition has always been a small point. Technology is not about acquisition of customer base. Most developments come from in-house, and I wanted to be part of a company that was forward-thinking.” 

Ferguson joined Trend Micro in 2007, and seven years later he has no plans to leave. “I’m not interested in being outside of Trend because they’ve continued the tradition of innovation. Trend realizes there is no silver bullet, and that we have to work closely together. [Trend] knows that security is a co-operative effort.” 

Discussing the company culture, Ferguson explains that “at Trend Micro, it’s alright to fail, as long as you don’t fail in the same way twice. It’s absolutely alright to try something, and that culture is just amazing”, he says.

Spreading His Wings

Ferguson’s contentedness may be largely due to the fact that Trend Micro has allowed him to explore his own career and through role evolution, find something he really loves doing. “They let me spread my wings”, he grins. Originally employed as a solutions architect, Ferguson is now vice president of security research, which his son proudly tells his schoolmates. “My son says, ‘Today at school I told my friend that my dad is a vice president of a company and he didn’t believe me’”, Ferguson laughs, visibly pleased.

There is no typical day for Ferguson, but he does concede that he often finds himself “giving presentations, being a spokesperson, and doing a lot of video work [on the Trend 20/20 series]”. Answering press questions, he says, happened accidentally and organically. “There was no plan. Somehow questions from a journalist ended up in my inbox, and I’ve always loved words, so I ended up answering them”. Not only does he love words, but he’s also incredibly good at using them. Indeed, Ferguson is one of the most articulate people I’ve ever interviewed, and that’s among stiff competition.

"Technology is not about acquisition of customer base [at Trend Micro]. Most developments come from in-house, and I wanted to be part of a company that was forward-thinking"

His answers, Ferguson contemplates, must have been good enough, as he started to receive more and more press questions. “I felt that I needed to be as informed as I possibly could if I was going to be talking to people like you, so I devoted more of my time to research. Getting involved in the criminal research side of things as part of the day job was something I really relished, so when the opportunity presented itself, I grabbed it with both hands.”

Having racked up 170,000 air miles in 2013, which makes him the proud owner of a gold card, Ferguson is keen to cap his travel at every other week this year. “I do enjoy travelling”, he tells me, “and it’s a necessary part of the job; getting out there to meet people and getting involved with the right groups means a personal commitment, as well as a professional commitment.”

Engineering Serendipity

As a special advisor to Europol’s internet security advisory group, EC3, and advisor to various UK government technology forums, Ferguson is dedicated to making the world a safer place. “One of Trend’s main goals is to create a world safer for exchanging digital information”, he adds.

Ferguson admits that his three children, aged between four and ten, give him additional motivation to “keep abreast of technology to understand what they’re doing and give them the right advice as they grow up. Having kids completely changes your life anyway”, Ferguson tells me, admitting to “crying at dumb stuff” since the birth of his firstborn. “Being a parent definitely gives you more drive to make a safer place.”

Speaking of making the world a safer place, I ask Ferguson whether individuals are more or less secure than ten years ago. “In all honesty, I think we’re less secure, because we adopt technology and think about the security implications afterwards”, he concludes. “We’ve already seen fridges sending spam”, he notes, referring to risk surrounding the Internet of Things, “and that’s just the beginning.”

Like many of his colleagues in the industry, Ferguson believes that awareness is fundamental to creating a safer online world. “The key challenge is making information security relevant to people in other spheres. This industry is very good at talking to itself, but we really need to get it baked into the education curriculum right from the beginning. You achieve that by making it relevant to people.”

Ferguson’s main technology concern is that we’re at the edge “of a time when, for the first time in its history, the internet could be something which begins to shrink people’s horizons, rather than expand them”. The element of serendipity that currently effects our use of the internet will be dispelled, he explains, “because your content service provider will be so informed that they only supply relevant content to you”. While this has its benefits, Ferguson is more concerned that “people will miss out on those chance encounters and discovering new things.”

It’s the responsibility of technology and content providers, he says, to “engineer in this element of serendipity that will be removed from the experience of interacting with information in general.”

Reflections on the Industry

Although Ferguson names information security’s “friendly and supportive” community as its best attribute, he declares its merger and acquisition culture as its worst. “It goes through phases of expansion and contraction. There’s this explosion of innovation where there are many small companies coming out with point technologies and solutions to individual problems”, which is when practitioners feel excited to be a part of it, he says.

“Then everything gets acquired, and it all shrinks back down again. It’s these periods of acquisition that I find depressing, you feel like everything is becoming part of mega corporations. But [these times are] almost always followed by another Big Bang.”

Ferguson does not believe that European governments call upon the industry enough. “The public sector can benefit from the agility of, and the investment, of the private sector”, he observes. Although he has never worked for the public sector, while at EDS Ferguson worked mostly on public sector projects, including securing access to the violent sexual offenders’ register. This, perhaps, scratched the public sector itch that many information security professionals get, and Ferguson concludes that “the government is best served by me staying where I am.”

The disconnect between private and public sector is not the only one to haunt the industry. “There has always been a disconnect between education and the commercial world”, Ferguson argues, declaring much of what is learned in the classroom to be of theoretical value, not practical value.

“Yes there’s a skills gap in the industry, but some of the blame for that has to lie on the doorstop of the employer”, he says. “Employers need to be more willing to take a risk on someone who doesn’t have, for example, a computer science degree, because there are plenty of applicable skills you can learn in any number of parallel disciplines that make you the right person for the job”. For him, employment experience absolutely trumps what someone studied at university. “Be less selective on paper, and more daring in interview”, he asserts.

I ask Ferguson if he could hire anyone in the industry to work on his research team who would it be? His answer makes me laugh out loud. Without missing a beat, he replies, “Justin Bieber, to stop the little bastard from singing.” He then toys with many of his peers as a possible answer, including Brian Honan, Mikko Hyponnen and James Lyne, before finally settling on Jack Daniel. “An absolutely fantastic guy”, he says about Daniel. “He really knows his stuff, he’s really grounded, and he has the best beard and best name ever!”

More Fortunate Accidents

When I ask Ferguson to contemplate the future and ask him where he sees himself in five years’ time, he stresses that he expects his life to continue along the trajectory of “mostly fortunate accidents”, but that he hopes to still be at Trend Micro. He doesn’t make long-term plans, he tells me, “because I feel like it gives me more freedom. I don’t want to constrict myself to certain goals”, he says.

Later in the interview, however, Ferguson remembers that he does have one career ambition: to be more involved in national or international policy-making. “I think there’s a real lack of expertise there, and I would love to be more involved in framing better legislation and better international co-operation.”

One constant that has never been – and never will be – an accident, is Ferguson’s devotion to, and investment in, music. Now living in Warsaw, Ferguson has had to leave his band, Clearly Deluded, in the UK. He’s not ready to quit music though, nor will he ever be. “I’d love to start a blues band”, he tells me, his eyes lighting up. “I’m old enough that I don’t have to rock anymore.”

Making music and writing songs has been a perpetual joy in Ferguson’s life since he was 18. He sings but also plays the guitar “good enough to write a song. It has been a passion of mine forever, and that’s because of my dad”, he states fondly. Ferguson and his late father would spend entire evenings taking turns to pick out a vinyl – “it was still vinyl then – it’s still vinyl as far as I’m concerned” – and sitting quietly, in front of the coal fire with a glass of whisky, just listening. “They were great, great evenings”, he remembers.

With the warm memory hanging heavily in the air, it’s a perfect note to end on. I hope that the pottery in the Dordogne works out for you Rik, but for the sake of us information security journalists, and the industry as a whole, make sure you have Wi-Fi – we’ll be looking for answers.

What’s hot on Infosecurity Magazine?