Why Physicists Choose Information Security

"Different to physics is the fact that there is always a human element involved and that it is hard to control the 'wetware'." - Andreas Bischoff
"Different to physics is the fact that there is always a human element involved and that it is hard to control the 'wetware'." - Andreas Bischoff
Peter Berlich
Peter Berlich

The history of 20th century information security begins with mathematicians, cryptographers and cryptanalysts, like Alan Turing. Other disciplines have made their mark with contributions in their own field, such as Nobel Laureate Richard Feynman who helped lay the foundations for quantum computing in 1981.

Physics is one discipline that many information security experts have on their resumes. What is it that attracts scientists to seek a second career in information security, and is there anything in particular that makes them successful? Business coach Ryan Pritchard summarizes this question: “How does being a physicist influence the way you make decisions?”

"Different to physics is the fact that there is always a human element involved and that it is hard to control the 'wetware'."
Andreas Bischoff

In an article published in Infosecurity Magazine several years ago, a well-developed curiosity and eagerness to learn were highlighted as defining personality traits of information security professionals and scientists alike.1 Physicists working in the information security field shared their views on what attracted them to, and what qualified them for, the security job market.

One connection seemed obvious enough: Much of what makes information security tick is mathematical or engineering work. A scientific or technical perspective will help the information security manager understand technical aspects of an issue with greater ease. On the other hand, a purely technical perspective is limiting, and a business and people focus is indispensable when solving information security problems.

In a 2008 Wired article, Bruce Schneier (himself a physics undergraduate ) postulates a unique ‘security mindset’ as one that is constantly challenging convenient assumptions and, by force of habit, is constantly engaged in Gedanken (thought) experiments on how things might be broken.2,3

Schneier does not concur that ‘a physics mindset contributes in any particular way to security’. However, he acknowledges a benefit in physicists’ proficiency with mathematics as an asset when studying cryptography.

Much like in the information security industry, there is no single job profile for physicists, although a characterizing element is their foundation in mathematics. Their use of advanced information technology is another. The world wide web was a product of physicists’ desire to share information, even though nobody could have anticipated its wild success at the time.

Whilst the spirit of the scientific community is one of knowledge sharing and open discussion, data assurance is critical to protect valuable data from loss or falsification. Prominent research facilities make attractive targets for attacks, for their sheer size and perceived openness.4 A robust IT infrastructure is a prerequisite for operating experiments of the scale present in modern research facilities.

New Challenges

According to the American Institute of Physics, 5755 people graduated from undergraduate programs in physics in the US in 2007, along with 140 PhDs.5 Given the time and effort they have already invested, a career switch – at graduation or later on – should be strategically motivated. Salary considerations and the availability of job opportunities are important, however can’t compensate for the motivation that comes with job satisfaction and a development perspective.

Information security consultant Gerhard Schimpf says he went into IT because he wanted to learn more about it, and originally had the idea to move back into his field of solid state and computational physics later. Schimpf however, stayed in IT and IT security for most of his professional life, and now says that he wouldn’t go back, unless he could stay connected to computer science.

So why pick information security for a second career? According to Andreas Bischoff, a senior security consultant, coming from a Postbox position at University of California Riverside and former vice president at a technology computer-aided design (TCAD) company, it was his eagerness for being confronted with new challenges that made the job interesting. In his own words: “It is never a boring field and there is always something new coming up.”

Generalists

A scientist, by nature or training, will have an affinity to problem solving, especially when it can be done in an objective and quantifiable manner. Bischoff says that his education enables him to quickly analyze a problem from different angles and bridge the gap between a problem’s technical complexity and presenting it to a non-technical audience. Dr. Wolfgang Haidegger, a security consultant from Austria, concurs: “My studies enable me to find my way into any technical subject rather quickly and dive deep, whenever necessary.”

“Physicists have ended up in lots of disciplines, and they have been quite successful”, says Dr. Wietse Venema, a physicist and co-author of, among other things, the SATAN and TCT toolkits.

From Theoretical Physicist to Head of ENISA

Dr. Udo Helmbrecht is president of the German Federal Offics for Information Security (BSI)9 and will become executive director of the European Network and Information Security Agency (ENISA) in October.10

Dr. Udo Helmbrecht studied physics, mathematics and computer science in Bochum, Germany and obtained a doctorate in theoretical physics in 1984. He joined MBB (today a part of EADS) as a systems analyst and went through a succession of management positions, becoming information technology program manager in MBB's military aircraft product group.

In 1995, he was appointed CIO of Bayerische Versorgungskammer, and in March 2003 went on to becom the third president of the Federal Office for Information Security (BSI). His upcoming transfer to ENISA was announced in April.

Infosecurity Magazine: Dr. Helmbrecht, what made you pursue a career in physics, and what made you move on years later?

Dr. Udo Helmbrecht: I have been fascinated by the subject from early youth, and was always reading and experimenting. It was a logical decision from there to choose physics. As things were, I ended up spending many nights working on computer programs. During the work on my PhD thesis, I took on the lead of a group developing numberical software. When I had finished my PhD, I stayed with IT. My physics education always was an asset in my career though.

IM: Your next decision point, as for many of our readers, was the move into a full time management role.

UH: It was a progressive development, and at one point I had to make a conscious decision between two roles. There is no way back from a management role to a technical career, even though it's sometimes tempting to think of it that way.

IM: Specifically, what made you pursue the role as head of the Federal Information Security Office?

UH: It was an interesting job offering and a unique opportunity. Naturally, IT security had been an important topic, also in my previous roles. From the options I had at the time, this is where I saw the biggest potential, in contributing to a more secure ICT world. I believe that we are successful in achieving that with our work at the BSI.

IM: Where is your technical and scientific understanding still of use today?

UH: In a leadership role it is crucial to fully understand teh implications of a decision. I'm the head of a technical government agency, and we need technical knowledge also on the executive level. Perhaps equally important is the ability to explain issues and use the right examples with others who are not technical experts. Raising public awareness of security issues is an important aspect of the BSI's work. I might also, for instance, help members of the German parliament (the Bundestag), to make informed decisions on important questions such as the new German electronic passports, using biometric technology. As lawmakers, after all, they have to be legal experts, but not technical ones.

IM: Where will information security take us next?

UH: Information technology has matured to the point that it can be exploited by professional criminals. This is a development we have to take into account and protect ourselves from. We are developing a solid foundation for information security education and research in universities. The situation is not unlike the one we had in IT forty years ago, when universities opened their first computer science departments, and look how far we've come. We have a number of technological opportunities ahead of us. I am thinking of quantum cryptography and quantum computing, and the ways they might change encryption and decryption. I believe that research and development in this area will yield a rich benefit.

IM: What is your most important lesson learnt?

UH: Always ask the question: 'Why?'

He sees two key strengths at play: “The first factor has nothing to do with physics, and everything [to do with] crossing disciplines,” he says. “Cross-disciplined people come with an ‘outsider’ perspective, and for this reason they may see opportunities and problems that ‘insiders’ may not see”.

“The second factor is related to physics”, continues Venema. “In my training I learned the basic principles of many things. I never became an expert in any particular field, but I knew enough so that I could dig deeper into a topic when I needed to solve a problem. This has not changed after I crossed over to computer science. Each problem is a learning opportunity.”

Dr. Udo Helmbrecht, head of the German Federal Office for information security, is also a physicist. Asked about his most important lesson learnt, Helmbrecht says: “Always asking the question: ‘Why?’”

All About People

Perhaps unsurprisingly, the (ISC)² Career Guide lists the following traits as essential for security professionals: Conceptual and analytical skills, and the ability to effectively relate security-related concepts to a broad range of technical and non-technical staff.6

Becoming an information security leader means more than just applying analytical skill, though. It means finding pragmatic, practical solutions. Commenting on the business perspective, Lampros Tsinas, a physicist and security program manager at one of the world’s largest reinsurance companies, quotes as an initial obstacle, being “too focused on the ideal solution, instead of the business-oriented one”.

In information security, technical problems always have a people aspect. Bischoff remarks: “Infosecurity is similar to physics in terms of complexity. Different to physics is the fact that there is always a human element involved and that it is hard to control the ‘wetware’. But this is also a part of the job that makes it very interesting.”

Career switchers, in other words, need to prepare for their new role. Further education and training may help the progression, be it by acquiring an information security certification (which more than half of the respondents had taken), an MBA, or by undergoing company internal training. Academics, after all, have already proven that they are adept at formal training and learning, and many will bring with them the ability to later teach what they have been taught.

Would they be able to obtain the personality attributes emphasized by Schneier? Look at it the other way round – the chances are that those who choose security as their new field will already have a security mindset. Those who succeed certainly would.

Success

The influx of people with a diverse career background certainly is enriching and has almost become a defining element to a profession like information security, which is undergoing constant change and where routine is not part of the job description.

The scientifically trained mind brings a number of important, highly transferable skills and characteristics into this job market. They include an affinity to problem solving, lateral thinking and the ability to manage even pressing issues with objectivity, simply because that’s how they operate.

On the other hand, making the switch from an academic role to a business-oriented security role brings with it an adaptation process for the individual that an employer will do well to support and facilitate. In this, physicists are probably no different from engineers and technologists undergoing the career development into a non-technical, managerial position.

The people interviewed for this article have found a high degree of job satisfaction in information security, indicating a relation between the two professions that goes beyond the superficial semblance of ‘technology-related’ roles, and reaching into what motivates a successful security manager.

So where do the scientists-come-security-professionals position themselves? Schimpf says that while science has proven a high prestige factor, he squarely puts himself up as a security professional. Haidegger resonates: “[People] see me as both. They know my approach will be academic, but the results are practical.”

Thinking like a physicist, in other words, is a habit that sticks.

Dr. Peter Berlich, CISA, CISM, CISSP-ISSMP is a physicist by education, later to move on to become a manager of information security. During his doctoral thesis he spent three years on an assignment to European Organization for Nuclear Research, CERN in Geneva/Switzerland, where the World Wide Web was invented.7,8 He was a Board member of certification organization (ISC)² and of Information Security Forum and is currently spending time at Henley Business School to further develop his business career.

References

  1. B. McKenna: "The Physics of Information Security", Infosecurity Today 5/6 2004
  2. B. Schneier: "Inside the Twisted Mind of the Security Professional", Wired, 2008-03-20, www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
  3. S. Varghese: "Talking security with Bruce Almighty", IT Wire, 2008-02-01, www.itwire.com/content/view/16422/1090/1/0/
  4. E. Blair: "Hackers Penetrate CERN Network, Almost Access Large Hadron Collider", eFluxMedia, 2008-09-16, www.efluxmedia.com/news_Hackers_Penetrate_CERN_Network_Almost_Access_Large_Hadron_Collider_24453.html
  5. Statistics research page, American Institute of Physics, accessed 2009-07, www.aip.org/statistics
  6. "(ISC)2 Career Guide, European Edition", (ISC)2, 2006-10, www.isc2.org/uploadedFiles/Industry_Resources/careerguide06_euro.pdf
  7. CERN homepage: www.cern.ch
  8. CERN: "World Wide Web @20": info.cern.ch/www20/
  9. BSI English homepage: www.bsi.bund.de/english/index.htm
  10. "Future ENISA ED elected", ENISA, www.enisa.europa.eu/pages/02_03_news_2009_04_03_new_ED.html (retrieved 2009-05-06)

 

What’s Hot on Infosecurity Magazine?