Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Life of: A Research Director

Name: Tod Beardsley

Job Title: research director, Rapid 7

Bio: Tod Beardsley is research director at Rapid7. He has over 20 years of hands-on security knowledge and experience. He has held IT ops and IT security positions in large footprint organizations such as 3Com, Dell and Westinghouse, as both an offensive and defensive practitioner. Today, Beardsley often speaks at security and developer conferences.


Tell me in one sentence what your job is about

My job is to pursue, promote and protect the social good by securing common technologies that we all rely on for commerce and culture.

What was your route into cybersecurity?

I ran a dial-up bulletin board system in the late '80s that was primarily concerned with distributing hacking materials: issues of Phrack magazine, colored phone box design plans, things like that. I was about 14 when I started that, so I've kind of always been in security, one way or another. I did a little contract work for virus cleanup in high school and my first full-time, professional security jobby-job was at Dell IT when I took it upon myself to get the patch and configuration management of Dell's e-commerce site under control in 2000.

How do you describe penetration testing to somebody who isn't in the industry?

Ever seen the movie Sneakers? It's an excellent period piece about life in early 90s San Francisco, with a really unique soundtrack and an amazing ensemble cast. Also, it's about penetration testing; the characters have a small business where they're hired to break into banks, steal money, then promptly return it with a report on how they did it. That's pretty much penetration testing in a nutshell. Also, sometimes you have to fight Ben Kingsley.

If you could work with any client on any project, who and what would it be?

I still believe that it's possible to have a reasonably secure mobile handset that costs less than $100, is useable for four years, and is available to literally anyone in the world. Any organization that's working on narrowing the global digital divide, I'm down with.

What's the best thing about your job?

I get to work with a lot of remarkably intelligent, clever, fun and interesting people, all over the world, on a daily basis. Since I work in security, most of these people are themselves at least little bit subversive and are therefore fascinating to interact with.

What's the worst?

I'm occasionally depressed that everything is broken, all the time. But, then I get over it and get to work fixing what I can.

When Rapid7 acquired the Metasploit Framework, it could have easily gone the wrong way. Rapid7 could have sucked all the cool out of it and wrecked the community that was built up around openly sharing vulnerability details
Tod Beardsley, research director, Rapid7
Tod Beardsley, research director, Rapid7

What's your proudest achievement?

When Rapid7 acquired the Metasploit Framework, it could have easily gone the wrong way. Rapid7 could have sucked all the cool out of it and wrecked the community that was built up around openly sharing vulnerability details in order to better understand security. Instead, Rapid7 has fostered and embraced the open source (and general openness) nature of the Metasploit community, thanks to the work and attention of many, many people, both inside and outside of Rapid7. I like to think I'm one of those people.

What's your biggest professional regret?

I feel like I could be doing more to focus specifically on at-risk populations and how they interact with, and trust, internet technologies. People are exploited by the powerful all the time, in most of the world, and I know that there are internet-based technologies and platforms that can make that job of exploitation much, much more difficult.

Who do you really admire in the industry?

I admire anyone who takes on the unpleasant job of reporting vulnerabilities privately to vendors, especially when that software vendor is someone who works in the same company. It's an often combative, adversarial experience, and many people take vulnerability disclosures as personal insults. I have some practice in this area, but for people doing it for the first time, it can be pretty rattling. I think this is the major reason why people go the full disclosure route, because reporting vulnerabilities publicly is a lot easier than taking on the hard work of actually finding a fix.

If you could change one thing about the information security sector, what would it be?

The infosec community has a habit of telling people that their security is broken, but we often fail to make doing the right thing easy. We're still stuck in this paradigm that trades security for usability, or usability for security; if it's secure, it must be hard to use. I'd like to see information security professionals get a little better at some basic design principles, so that the easy and intuitive usage of software is also the safe and secure path.

Statements like, "I found this bug in 10 minutes," should be read with a subtext of, "I found this bug in 10 minutes, plus 15 years of experience with thousands of other bugs."

What's the most misunderstood thing about information security?

I think the most misunderstood thing about security is that software vulnerabilities are due to stupid programmers, lazy administrators and evil managers. We suffer from hindsight bias when it comes to individual software bugs -- all bugs are obvious when you see them and the fixes tend to be pretty ‘easy’ once you know where to look. The fact is, everything is ‘easy’ when you already know how to do that thing. Statements like, "I found this bug in 10 minutes," should be read with a subtext of, "I found this bug in 10 minutes, plus 15 years of experience with thousands of other bugs."

What would surprise people most about the job that you do?

As a director of research, I don't spend nearly as much time writing code and hacking things as I used to. However, the time I spend instead doing ‘boring’ work like project management, aligning people to a common purpose and teaching security to non-security people is deeply fulfilling. Management people and projects is also way easier than writing code that compiles.

If you weren't an infosec professional, what would be your dream job?

I started undergraduate life as a pre-law major and I have a bunch of attorney friends, so that's probably where I'd end up. Lawyers are in a position to do a ton of social good, get to nerd out on technicalities and find creative solutions to difficult problems that have a direct effect on people's lives.

What’s Hot on Infosecurity Magazine?