Interview: Graham Cluley

Written by

Writing a computer program is just like writing a story”, Graham Cluley tells me as I sit down with him in a quaint restaurant in central Oxford. Intrigued? So was I.

I knew a few things about Graham before meeting him for the first time; I knew he was an accomplished speaker, I knew he was a knowledgeable and experienced member of the information security community, and I knew he was regarded as a thoroughly nice and approachable man – but I didn’t know he had such a passion for storytelling.

So how did the Hampshire-born lad with a love for a tale end up in the tech industry? Well, as seems all-too common when I speak to some of the biggest names in the sector, it certainly wasn’t planned, but it is a captivating story.

“The first monumental thing that happened in my life was my father dying of cancer when I was about six or seven years old, he was in his early 40s,” Graham says. “That had an impact on my life in a number of ways, particularly on decisions I’ve made (for better or worse). I don’t remember my father very well – I just remember him being ill – but I’ve always imagined how he felt about having three young sons and not knowing what was going to happen to them. That, in a way, put me in a frame of mind where I often thought about legacy, and how I might be remembered. What little dot might I leave on the world?”

As the years passed, Graham’s mother re-married “an amazing guy” who took on three growing boys, somebody who still plays a big part in his life.

“He was fantastic! He worked in the meteorology office in Bracknell and was in charge of their computing department. This housed one of the biggest computers in the country (if not the biggest).”

"I often thought about legacy, and how I might be remembered. What little dot might I leave on the world?”

In 1980, when Graham was around 10 or 11 years old, his stepfather brought home a little computer called the Sinclair ZX81. It had a measly 1 KB of memory and a rubbish keyboard, but it was Graham’s first introduction to computers.

With a bit of help from various computer magazines, it wasn’t long before Graham caught the coding bug and spent his time on the ZX81writing his own computer games, which he would give to his friends to play.

Why games? I ask. It always came back to a notion of telling a story, he says.

“As a writer, you start off with an empty page and you’re going to tell a story. You are creating something and you’re finding a way to communicate that to other people.

“It’s the same thing with computer programming. You start with nothing, it is your creation, and you are the God of that creation. You control every single element of it, which is a wonderful thing for somebody who is a bit of a control freak like me.”

His games were something that he could show off to people, he adds, and it was fun! “I’ve never been very good at playing computer games, but I really enjoyed writing them.

“It’s yours and you can be proud if it – I found that I loved computer programming!”

A Rebellious Streak

That love for writing computer games only grew as Graham’s journey through education meandered. By his own admission, he endured a slightly “rebellious streak” during his A-Levels (which he failed badly) and, as a result, the option of going to university did not appear to be in the script.

Luckily, he took the advice of his mother and enrolled on a two-year college computing course where, with access to a Prime minicomputer, he wrote a big adventure text game called ‘Derek the Troll’.

“It was popular with the students, but less popular with some of the lecturers”, Graham laughs. That might be because he lampooned many of them in his game. “Derek, who covered the accountancy side of the computing course, got mercilessly lampooned.”

He would later port the game to a PC at the college and discovered something called shareware, which allowed him to freely distribute his programs to thousands of people. Before he knew it, people were sending him money in exchange for hints and tips about tough parts of the game.

That money would only stretch so far though and, as Graham’s time at college came to an end, the realities of the working world hit home.

“I went to so many job interviews for all kinds of software companies,” he explains. “They would ask me ‘Well what have you done?’ and I’d explain that I’d written a lot of games, but I remember one asking me if I would stop selling my games if I went to work for them. Well, why would I do that?”

As it turns out, it was a slice of good fortune that landed Graham his first big break. “One day, I turned up at my house, and there was a parcel on my doorstep. Inside was a copy of Dr Solomon’s Anti-Virus Toolkit and a letter from Dr Alan Solomon himself offering me a job as a programmer.”

This was in response to a message that Graham had posted at the end of one of his games in which he asked fans of his work to send £10 to put towards a trip to France to see his then girlfriend, with the dream of going to the local supermarket and buying a trolley full of cheesy biscuits for her. What a romantic.

Well, there was no £10, but Dr Solomon had included a packet of cheesy biscuits to seal the deal. Graham was sold – at around 22, he became the first programmer of Dr Solomon’s Anti-Virus Toolkit for Windows.

From Tech to Talk

After spending time building the program in the lab, Graham took a trip to the network show in Birmingham in 1992 to see it launched. It was there that he first crafted the next string to his bow: the art of public speaking.

“I saw these sales people demonstrating the program and I thought they were showing off all the wrong stuff – they weren’t showing off all the buttons and the cool things. So I had a go! People said ‘Ooh he’s quite good at presenting’ and that was the seed for me to switch, very slowly, from being a programmer to being a spokesperson for the company.”

Graham explains that the industry has always suffered from the problem of marketing people failing to really understand malware, despite being great communicators. On the other hand, you’ve got the guys in the labs who do know their technical stuff but struggle being on stage, talking and presenting.

“So I was kind of the missing link,” he says, “I wasn’t awesome at marketing and I wasn’t awesome at programming, but I was good enough at both. The programmers hated me for it though!”

The chance to have his voice heard really did spark something in Graham and it wasn’t long before he was writing and speaking regularly which meant, once again, he was telling stories to an audience.

“The happiest years I’ve spent in this industry were those six or seven years at Dr Solomon’s”, he says nostalgically.

“I’ve never been very good at playing computer games, but I really enjoyed writing them"

Pastures New

However, all good things must come to an end, and it was a business shake-up following McAfee’s acquisition of Dr Solomon’s in 1998 that ultimately led Graham to start a new chapter in his life.

“I left after about six weeks [of the takeover]” due to a lack of confidence in management, he explains, and after taking some time out to consider his options, Graham went to work for Sophos, which was still a very small company at the time.

Most of his time was spent running Naked Security and engaging with the media and helping Sophos “punch about its weight” when it came to press coverage.

“I was there for around 13 years, which was too long,” he admits. “I should have left around five years earlier, because by then, the challenge was gone and it was boring. I have a very low boredom threshold – which I’m not proud of.

“That actually turned my mind towards my father’s death and this idea of legacy. When I left Sophos I was about the age he was when he died, and I thought if I don’t go now, I’m going to be here as an old man and everyone will always remember me as the guy who used to work for Sophos. So I thought: I need to go.”

Go where? To the garden, Graham says. He had a young child, and a wife who didn’t work, but no clue what he was going to do next. A brave decision, I say – “a reckless one”, he corrects me.

“It was an impulsive decision. It was a sunny day and I wanted to be in my garden, but in reality, I had a family to support. I did have this incredible safety net, which was that people knew me. I was really lucky that many people got in touch and said there was a job for me if I wanted it, which was great to know, but I don’t think any of them would have inspired me very much, because I wanted to do something different, something for myself.”

So, after a few months of pondering writing a book, becoming a professional chess player or even questioning whether he was going through a mid-life crisis, Graham saw the opportunity to make some money out of writing online news, advice and opinion, and after figuring out some of the finer elements, his own security blog took off. The site now attracts more than 100,000 unique visitors every week.

What followed was also the birth of his podcast series Smashing Security, which discusses computer security and online privacy, something Graham co-hosts with friend and former colleague Carole Theriault.

“To be honest, it’s the most fun thing that I do. It’s the thing I’m most passionate about (at the moment). It’s always about fun for me. That’s why I left McAfee and that’s why I left Sophos, because I wasn’t having fun. That, for me, has always been a bigger driver than money, and it’s going well, it’s going really well!”

"My biggest pride is still a computer game I wrote when I was about 21 years old, it was called Humbug"

THE Graham Cluley

With a career in which he has been so successful in both the enterprise sphere and when going it alone, I wondered if Graham would struggle to pick his proudest achievement since he was first introduced to that ZX81 back in 1980. However, he chooses one that stands out.

“My biggest pride is still a computer game I wrote when I was about 21 years old, it was called ‘Humbug’. It was a text-adventure game, all in words, so perhaps modern millennials wouldn’t have the patience for it”, he jokes.

Graham lights up as he explains that, in Humbug, the player is sent to stay with their Grandad, an eccentric inventor, for the Christmas holidays. As they arrive at their Grandad’s, there’s no sign of him, and so the player must embark on an adventure to find him. The way in which you navigate through the game is not with a mouse, you type instructions, and every time you type one of these instructions, the game will come back to you with text and will understand you. “It’s interactive fiction,” he says, “it is a book, but in a computer form.

“It was something different; something deeper than Space Invaders. It’s more artistic. It’s telling a story, there are other characters that you meet, you talk to people, you steal things from them – it’s highly complex. I still receive emails and tweets occasionally from people asking ‘Are you THE Graham Cluley who made the game?’ So that’s my proudest thing. If I was to fall down dead tomorrow, I’d think yeah, that was good. Forget all this computer security stuff”, he smiles.

So what’s next? Well, Graham’s current exploits with his blog, podcast and speaking engagements take up a lot of his time and energy – long may that continue – each provide content which is not only insightful but often entertaining, and the cybersecurity community is a better place as a result. So I don’t want to know what the future might hold for Graham Cluley the security expert; knowing Graham, that will take care of itself. I want to know what he’d love to do next with his life if he could do anything. His answer, of course, would be to tell another story.

“I’d love to do something outside of security, and if I have one regret, it’s that I’m not comfortable enough to make that jump just yet. It’s a complete cliché, but I’d write a book for kids. I have this wonderful situation now of having a young boy, and being able to re-live my childhood with him through reading, discovering all these amazing stories which are out there. I’d love to add another.”

It seems to me you already have quite a story of your own, Graham!



Graham has worked in the computer security industry since the early 1990s, beginning his career as a programmer at Dr Solomon’s where he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Subsequently he was employed in senior roles at Sophos (where he founded the Naked Security blog) and McAfee. In 2011, he was inducted into the Infosecurity Europe Hall of Fame.

Graham now works for himself as an independent security blogger, podcaster and speaker and has made thousands of international media appearances on TV, radio and in print.

In his spare time, Graham loves playing chess, watching Doctor Who and reading to his young son.

What’s hot on Infosecurity Magazine?