Profile Interview: Professor Alan Woodward

Professor Alan Woodward is a renowned information security expert, advisor and academic. Michael Hill learns all about his journey from physics graduate to visiting professor at the University of Surrey, and everything in between.

The power of education is something that should never be underestimated, and one man who has made a noteworthy contribution to learning within the information security field is Professor Alan Woodward.

Alan is a cybersecurity academic who, for the last 15 years, has used his vast, real-world information security and technical knowledge across both the public and private sectors to support cyber-related academia through teaching, mentoring, advocacy and research.

He is a visiting professor at the University of Surrey’s Department of Computing, and Alan believes his hands-on security understanding (which you’ll soon learn more about) puts him in a unique position to share tangible insight within the academic sphere.

“I guess I’m the definition of a professor really – I know a little bit about a lot!” he quips.

Interestingly though, Alan’s journey to becoming a cybersecurity academic has been, in his own words, “somewhat chequered in many ways.”

In fact, it was one that aptly began when he himself was a budding student studying physics at Southampton University in the early 1980s. He explains that, whilst the objective nature of physics was the perfect match for his highly logical and engineer-like mind, it was some more technology-focused experiences in the latter stages of his degree that set him on his trajectory towards information security.

“One of the things I did in my final year project was to use a computer – well, that probably sounds silly nowadays, but we didn’t use computers much then! That got me very interested in how computers operate, and I ended up doing post-graduate research, primarily in signal processing.”

By that time, personal computers (IBM PCs) were just starting to become available, Alan explains. “We were able to put all sorts of different cards into the back of those to do signal processing, and that’s how I got into computing in general.”

As Alan was completing his post-graduate research, he was, by chance, asked by a UK government agency to investigate a particular signal that it was struggling to recover and decrypt.

“They asked me to take a look at recovering the signal as they couldn’t do it – which I did, and it turns out I was able to. To cut a long story short, they offered me a job, and I ended up working for the government in a number of different roles, all involving increasing amounts of information security and signals intelligence.”

A Job that Really Matters

In those days (the mid-80s) much of that work focused on cryptanalysis and intercepting various types of pre-commercialized internet signals such as radio, telephone and satellite traffic, Alan explains.

Part of that endeavor included working in the submarine domain, where he worked on a new type of underwater detection system. “Of course, submarines communicate through sound, so I was being introduced to all sorts of technologies that were particularly difficult to reverse. How can you take something that basically looks like noise and get a signal out of it and decrypt it?”

Alan gives a fascinating glimpse into what intrigued him about that particular type of work, explaining it required him to tap into the mindset of those who had built such systems to understand their assumptions about what made them secure. “If you can work out what assumptions they have made, then you can start to take them apart,” Alan explains. “People that build things quite often don’t think that somebody will ever try to take them apart. I’m not very good at building things, but I’m very good at taking things apart, and in security, that is key.”

Alan reflects that, when it comes to his time in government, what really resonates is that the various jobs he did really mattered. “The jobs I did had immediate impact, and the ones I particularly enjoyed were the ones with urgent operational requirements; you had to quickly understand those requirements, build something and get it out there. It wasn’t just about having a project deadline because a contract said so – it was about having a project deadline because something really mattered.”

Of course, due to the sensitive nature of much of Alan’s government work, details regarding many of his contributions to security, covert communications and forensic computing will never reach the public domain. Nonetheless, he looks back fondly on a number of “significant achievements” whilst working at the national level.

However, come the early 90s and the fall of the Berlin Wall, the UK government’s requirement for intelligence officers lessened, and so Alan made the decision to move on to pastures new.

Into the Private Sector

Alan explains that the next step he took in his career was partly inspired by his then commanding officer, whom he followed to a company called Logica, a multinational IT and management consultancy responsible for telecommunications infrastructure projects including the design of the SWIFT network for international money transfers.

At Logica, Alan worked with large systems in a variety of areas such as air traffic control, energy, utilities and the military.

“My roles were quite varied, from the very technical installation of some of the most powerful systems of the time in new facilities, through to being the design authority on such systems and on to negotiating the multimillion pound contracts that lay behind the work,” he explains.

Alan recalls the significant technological advances he witnessed during his time at Logica and the impact they had on the information security landscape we see today, chiefly involving the growth of interconnected systems.

“It was about this time that the internet was commercialized and TCP/IP became the de facto networking standard,” he says. “The rest, as they say, is history. Everything you see today in infosec began to evolve back then.

“Some of the tricks of the trade for protecting and breaking into systems may have changed, but the underlying methods have remained remarkably similar. The common factor throughout all of it was that people were in the loop.

“We had to ensure that the systems were fault tolerant, even if under attack. Some systems just cannot be allowed to fail. We had to develop a whole series of new techniques which have become almost commonplace now.”

Interestingly, Alan divulges that perhaps the greatest challenge he faced then revolved around the physical installation of the types of systems he was working with.

“People tend to forget these days, but the type of powerful systems I was working with then required huge halls, air conditioning and chilled water to run. Think of a data center today and imagine that for just one system.”

Alan left Logica in 1997 to help grow a young company called Charteris alongside some former colleagues of his. Charteris was so named with the notion that every employee would be highly experienced, with the majority being Chartered Engineers or the equivalent in IT. For the record, Alan is a Chartered Engineer, Chartered IT Practitioner and a Chartered Physicist.

“We all wanted a company that was adding value and not built on the model of many others where a bus load of graduates turn up,” he says honestly. “We found that we were called into situations where others just didn’t have the experience to resolve the problems. Someone outside the company once referred to us as the ‘Red Adair’ of IT. Our goal was to do interesting work and to stay relatively small, but to be the best at what we did.”

Charteris was floated on the stock market in 2000, although Alan maintained involvement with the company for many years as a director with the aim of upholding its core vision of providing quality over quantity.

“With external investors, it could be difficult as everyone wants growth and profit, and sometimes there were situations where we had to tell clients that we couldn’t help them and walk away. That’s not always consistent with growth and profit, but it’s the only way to build trust, and in the long-term, trust and integrity are far more valuable than any short-term profit.”

This very much chimes with what Alan said earlier about his time in government and his passion for work that truly matters, and it’s clear he admirably maintained that same approach throughout his time in the public sector.

An Academic at Heart

As you’ve learned, by the mid-2000s, Alan had garnered substantial experience of working within technically skilled and challenging facets of information security, all with increasing complexities as the power of the internet evolved. That vast knowhow was recognized by a number of organizations that asked Alan to become an advisor, an example being Europol. He was part of an initial three-person external advisor panel that helped Europol assess the threat landscape and outline how it might be met by law enforcement agencies across Europe (work that has expanded and continues to this day).

It was also during this time that his career first extended into the academic sphere. “I’d kept in touch with quite a few people still in academia, and some of them knew that I worked in cyber. They asked me how I felt about coming into universities to do some guest lectures, which I started doing.”

Tellingly, he explains that, were it not for the government’s job offer and subsequent foray into the private sector, he believes his career journey would have taken him into academia from the beginning.

“I then became a mentor for a PhD student and got involved in applied research, particularly in digital watermarking, a lot of which was being done at the University of Surrey. They asked me to become a visiting professor and continue the work I was involved with.

“I got drawn into the university and research sphere for a number of reasons,” Alan explains, but he reflects on a particular matter of importance that first attracted him to academia and the opportunity to become involved in academic work.

“One of the things I felt very strongly about at the time – and I realize this was 15 years ago – was that I could already see that there were not enough people coming into computer science and, most importantly, cybersecurity. What I wanted to do was to try and encourage more people to consider cybersecurity as a career path.”

As part of that ambition, Alan has worked extensively alongside the University of Surrey to encourage people into cybersecurity by highlighting and promoting the types of training and education that can open doors to career paths in the industry.

“It’s interesting that, even after all this time, that is still evolving,” he adds. “I think one of the most compelling aspects here – and something that I often speak to the National Cyber Security Centre about – is whether the cybersecurity industry should move towards having a certified status. If so, which professional body should look after that, and should universities then have training programs that are approved by those bodies to lead people on, in the same way they do with Chartered Engineers at the moment, for example?”

Alan believes that positive steps are being taken in that regard, with efforts to make cybersecurity a more viable and accessible education and career choice for all comers bearing fruit. Despite that though, he admits that “we will still fall short with regards to the amount of expertise we need in the field.”

The Power of Learning

Another compelling aspect of Alan’s work in academia has been his involvement in teaching and mentoring students studying computer-focused courses on various aspects of cybersecurity.

“I don’t teach entire modules or anything like that, but I go in and teach specific things, such as labs on how to use Wireshark, for example,” he explains. “The thing with a lot of computer science degrees is that they are very theoretical, so it’s good to get students in the lab and show them how to do things. For me, it’s about being a mentor and not just teaching – guiding people and introducing them to what real penetration testing is like. They’ve got all the theory, but they need somebody like me to come in and help them to mold it.”

Alan explains that is the true purpose of a visiting lecturer – to provide students with the type of insight that helps to bridge the gaps between what they traditionally learn in the classroom and how it can be applied in the real world.

I ask Alan what aspects of teaching and mentoring he’s found most enjoyable over the years. “Well, first I’ll tell you the bit I’ve tended not to enjoy,” he says with a frank smile. “Sometimes you get students that are doing a particular course, but they don’t actually seem all that interested in it. That can be quite soul-destroying; you can be lecturing in front of a hall of 100-odd people, and some of them are sat on their phones or talking – I feel like reminding them how much they are paying for the course!”

In contrast, Alan explains that he has found teaching students “who are really into it, keen to learn and constantly asking tons of questions” highly rewarding. “Those that ask ‘why’ this or ‘why’ that make you think more deeply yourself. Why do we do the things we do?

“I suppose, underneath any type of lecturing or teaching that I do, the thing that makes it really enjoyable is that it proves to myself that I understand what I’m teaching. It’s very easy to convince yourself you understand something, but do you understand it enough so that when somebody asks a question, you can take a detour or dive down into it a bit?”

What’s more, Alan adds, being slightly “longer in the tooth” means he can actually give people a bit of a history lesson about why certain security missteps have been taken in the past, and what can be done about them. “It’s about collective knowledge and that’s what we really need to pass on to the next generation, otherwise it’s lost.”

Well, one thing that certainly will never be lost is Alan’s own appetite for learning. “I could be a perpetual student – I love learning new things, although I’ve only got so much RAM in my head,” he laughs. “I never, ever want to stop learning and I like getting my hands dirty, because there is always something new to learn in security. I hope I will always be in a position where I can continue to learn.”

I don’t doubt it, Alan!
