Interview: Royal Holloway's Fred Piper

Fred Piper, Emeritus Professor at Royal Holloway, is partly responsible for establishing information security as an academic discipline
Fred Piper, Emeritus Professor at Royal Holloway, is partly responsible for establishing information security as an academic discipline

Usually, after I’ve conducted my profile interviews with the industry’s finest, I send the dictaphone audio away for transcribing. When I met Fred Piper, I decided to transcribe the audio myself. That should give you a good idea about how the interview went. I enjoyed it so much that I wanted to listen to it all over again.

What I discovered during the process is that the audio was made up of approximately 70% conversation and 30% laughter. Oh, how we laughed.

If you haven’t had the pleasure of meeting Fred Piper, I will do my best to paint an accurate, colorful picture, requiring all the shades in the most diverse artist’s palette.

Fred and I met at Infosecurity HQ in Richmond, England. Within two minutes of meeting while ordering coffee, I’d already learned three things about him:

  1. He doesn’t sugarcoat his words
  2. He isn’t afraid to speak the truth
  3. It’s almost impossible not to like him

For a man as distinguished as Fred, he does a remarkable job of disguising just how admired and respected he is by the information security industry. He’s almost embarrassed – yet subtly proud – that people would be interested in him and his story. When I ask him at the end of the interview what he likes to do outside of work, he tells me gambling, but quickly follows with: “Why will people be interested in that?”

Fred Piper, Emeritus Professor at Royal Holloway, is partly responsible for establishing information security as an academic discipline. Whatever you do when reading the previous sentence, don’t omit the word ‘partly’. Make the mistake of holding Fred entirely responsible and he’ll shoot you down in flames. Trust me, I learned that the hard way. He’ll settle on being a team leader, or a driving force, but physically bristles at the suggestion he was exclusively responsible, comparing that to the ridiculous notion that Sir Alex Ferguson himself is capable of winning the Premier League.

“Listen”, he sighs. “I didn’t launch the MSc [in information security] – it was a team effort. Royal Holloway has got a bloody good group of people. I did not make information security an academic discipline; Holloway did. We did. There’s no one person that knows the whole topic – it requires a team effort.”

From Modest Beginnings to World’s Greatest

The idea to introduce information security into academia was first touted in 1987, when Royal Holloway approached Fred to set up an MSc in cryptography. “I thought that was too narrow”, remembers Fred, who instead proposed information security. “It was so clear that a blind man could see it – people would need to understand the broader topic of infosecurity, and learn how to handle the data or their networks.”

It took five years from idea to launch, mostly spent on getting the curriculum right – “realizing that information security meant managing the keys, peoples and processes” – and hiring the right people. In 1992, the course was launched with seven full-time students and five members of staff. “If there had been a disaster, we could have handled it on an almost one-on-one basis”, Fred recalls.

Needless to say, it wasn’t a disaster. In a rare moment of, dare I say, pride, Fred admits “It was a great degree. We prospered and there was a dramatic increase of students after the first year [and ever since]. We were the best in the world because we were the only ones in the world”, he laughs. His laugh is infectious. So we spend the next minute indulging in this simple joke.

Over the years, the syllabus has evolved to mirror the industry’s landscape. In an area as fast-moving as information security, how can Royal Holloway ensure the topics covered remain in line with real-world issues and concerns? “Simply put, you can’t keep up with the fast-moving landscape”, Fred admits. “You have to concentrate on what you can do and do it well. We’d only been going for one year before people started asking us to include extra topics. We quickly realized that we couldn’t take anything out – so we continuously add to it, but not to replace. The core of the degree essentially is the same as it was in 1992, but the options continuously change.”

A Royal Acceptance

The prosperity of Fred’s team was rewarded in 1998 when Royal Holloway was honored with the Queen’s Anniversary Prize. I ask Fred what this meant to him. By this point in the interview I felt well acquainted enough with Fred’s no-nonsense, no frills personality to anticipate his response. “It meant different things to different people. To me, it was a pain in the arse”, he says with an endearing amount of honesty. “To the college and principal it was clearly great. He actually yelled in delight when he heard the news. It made us the flavor of the month in lots of places, and we saw a surge in applications and activity from other universities trying to produce similar degrees.”

Of course, had the application form for the prize remained in the bin where Fred had so dismissively thrown it, the award would never have been granted, and his consequential visit to Buckingham Palace would not have happened. Luckily, the college persuaded him to submit the application. “I had to go to Buckingham Palace to collect it. It wasn’t the most pleasant day of my life – dressing up like a bloody penguin. But, I was delighted to receive it”, Fred smiles, seemingly oblivious to the hilarity of his recollection.

"There’s not much point in training people purely to be academics – that’s of limited usefulness"

Despite remaining faultlessly modest throughout our interview, Fred does let his guard down for long enough to admit how very proud he is of his students and the MSc. He quickly caveats this by adding, “but I couldn’t have done it on my own”.

Mathematical Roots

Fred began his career as a mathematician, specializing in finite geometries. “I was quite good at it, so I became a professor”, he recalls, remembering his 1975 appointment at Westfield College. “The main enjoyment I took from it was supervising research students, but there’s not much point in training people purely to be academics – that’s of limited usefulness”.

In the 1970s, Fred’s passion for mathematics was expanded into cryptography (and later information security as a discipline) when he received a call from the firm Rascal-Comsec, which was looking to hire a mathematician to assess the security of cryptographic algorithms. One of Fred’s star research students, Henry Beker, was offered and accepted the job, and he and Fred worked together learning about cryptography. One of their goals was to make it more widely understood by practitioners, government, academics and the general public. As part of the drive, Fred and Beker co-authored two books in the early 1990’s on the subject: Cipher Systems and Secure Speech Communications.

His interest in cryptography expanded into information, when, in his own words, he realized “algorithms were a very minor part of the whole thing”.

The Meaning of Retirement

Throughout the ninety minutes Fred and I spend together, he tells me he’s retired several times. I beg to differ, I tell him, learning of all the work he still does in the industry. “Retiring doesn’t mean doing nothing”, he explains to me. “It means choosing what you do”. The man talks a lot of sense.

Although Fred no longer teaches or contributes to academic research, he serves as a consultant to Royal Holloway – “loosely called director of external relations” – to help maintain the university’s external profile.
Fred, however, insists that his passion lies with the industry, not on campus. “Academia needs research-active academics”, he says. “To over-simplify it and put it crudely, I care about – and am a front to – industry, not academia.” However, his loyalty and fondness of Royal Holloway is blazingly obvious. “I want to promote Holloway and information security. What’s the point in promoting myself? I’ll be in the grave in twenty years’ time.” I’m overtly shocked and saddened by this last remark, and he laughs hysterically at my reaction.

Fred still takes three of four ‘work’ trips a year to guest lecture, among other things. He uses the word ‘work’ loosely, reminding me “I don’t have to do anything I don’t want to do. I’m retired, remember?”

Codes & Ciphers

Fred’s ‘retirement’ doesn’t stretch as far as Codes & Ciphers Ltd., the consultancy company he set up in 1985. “I’m the only employee”, he tells me, excluding his wife who “helps with the admin”.

I ask Fred what his business plan was when he launched the firm in 1985, and he finds this question amusing. “If the phone rings, answer it. If it doesn’t, do something else”, he says – blunt, honest, and incredibly sensible.

“I’ve always avoided expansion. I formed the company for two reasons. 1: To make money. 2: To understand what information security is about and to make sure that education fits with the industry.” While Fred tells me that he has enjoyed this side of his career, he never considered doing it full-time. “I’d be bored – I enjoy interaction with my students”, he admits.

"The conflict remains between security and business. The problem is that security is often seen as a
slow-down mechanism, not an enabler or money-maker"

Despite having no working website, or business or marketing plan to speak of, Fred’s phone is still ringing. When I suggest it might have something to do with his impeccable reputation, he squirms. He has no intention of packing it up just yet though; in fact, to the contrary, he insists he’ll carry on until his brain packs up. “You only get old once, so you don’t know what to expect or how much you’ll slow down. I’ll work for as long as I can.” His current limit is two-year contracts, which is perhaps a little telling for his self-expectations.

A Life Without Regret

When I ask Fred if he has any regrets, his response is instant. “I never allow myself to regret. ‘What if’ is stupid.” He does, however, have as yet-unfulfilled ambition. “I’d like to see the industry change so that people can have confidence in businesses.” He is also keen to see an agreement of certain codes of practice for the internet. “It needs to happen more likely by agreement than regulation. Maybe it’s trying the impossible, but it’s a dream – and a step in the right direction. That’s why I’m so involved in IISP”, he tells me.

A co-founder of the Institute of Information Security Professionals (IISP), Fred tells me that the motivation behind setting it up in 2002 was to recognize industry professionals. “In 2002, information security professionals were recognized through word of mouth. It became apparent that knowledge wasn’t enough – more was needed”.

Paul Dorey, he recalls, raised the issue that not all organizations could afford to send staff to do an MSc. As an alternative, “the IISP offers a badge that represents a high level of knowledge, skills and competencies.”
While Fred happily talks (off the record) about “verbal idiots” well known in the industry, he insists that “good, solid people outweigh them”.

Making the World a Safer Place

Fred has recently been in discussion with one of our recent interviewees, Michael de Crespigny, CEO, ISF, in order to pursue this objective. I asked de Crespigny about this conversation. “Fred and I are discussing ways that ISF and IISP can work together to make information security more attractive as a career choice – to respond to the current skills shortage – providing clearer maps to show individuals how they can prepare themselves for challenging work and a rewarding career.”

This, de Crespigny and Fred agree, does not happen by osmosis. “It requires clarity about skills and career path development to attract and develop people fit for this growing challenge”, de Crespigny says.

Fred summarizes in one simple sentence: “You need wider scope to make the world a safer place.”
He concurs that there is a very real skills gap in the industry. “The conflict remains between security and business. The problem is that security is often seen as a slow-down mechanism, not an enabler or money-maker.”

So, in Fred’s eyes – as in many – the information security industry still has a long way to go to make the world a safer place. I’m confident that he will be around to witness and contribute to the progress for some time yet.

It’s right at the end of our time together that Fred finally admits that he’s not actually all that retired. “Would I be here if I had really retired?”, he asks me rhetorically, while shaking his head and grinning. His reluctance to throw in the towel is something that we, as an industry, should be grateful for. As much as it will pain him to read, the (cyber) world, at least, would be a little less safe had it not been for the drive, foresight and determination of Fred Piper…and his team!

What’s Hot on Infosecurity Magazine?