When I ask Brian Honan what his greatest achievement is, he reaches across his desk and unpins a picture from his notice board. It’s a drawing of him with a description of his character and job description. The artist was his (then) nine-year-old son. The job description: “He catches hackers.”
Honan describes his work slightly differently. In a nutshell, he “wants to make the world a safer place”. This, he declares, is a responsibility we all have. His desire to do good is his main driver, and the reason he works so very hard.
Having studied his current CV in preparation for the interview, I’m convinced he must work around the clock to fit it all in. I’m relieved when he tells me that his other job ensures he’s home by six every night; the very important job of father to three boys, aged eleven, nine and five.
The key to juggling his many roles and responsibilities? “Prioritization and good management”, Honan considers. “My primary priority is to my business because that’s what pays the bills. I have to sit down seriously, and judge what I can do, how often, and when I can do it.”
Expertise is in the Eye of the Beholder
Honan’s day job is founder and owner of BH Consulting, an information security consultancy. “I always wanted to start my own company and work for myself”, he tells me over lunch at his office in Dublin. “I got the consulting bug during my time at The COMIT Gruppe”, where he worked as a senior IT consultant.
BH Consulting has just celebrated its tenth birthday, and Honan tells me he’s still being challenged, and always gets an adrenaline buzz each time he wins a new client. Most of all, he considers, he’s still learning. “If you’re not constantly learning, you’re dead in the water.”
No-one is an expert in this industry, he proclaims. “As Margaret Thatcher once said, ‘if you have to call yourself a lady, you’re not’”. The same, he believes, is true of experts.
Honan serves in advisory roles on a number of boards, including Europol’s Cyber Crime Center, EC3; the Cloud Security Alliance; and SANS Securing the Human. When I ask when he first realized he had the knowledge and experience required for such roles, he laughs and tells me he still doesn’t have the knowledge. “People just think I do.”
He’s being modest of course. In fact, laughing and modesty are two of the things Honan does best. One thing he’s not shy about is singing the praises of his peers. When asked who inspires him in the industry, he carefully picks four names and talks me through each. “Mikko Hyponnen is very good at delivering a message, and not trying to drag it back to his company”, he says. Next, he picks Raj Samani, CTO with McAfee, and praises his ability “to try and make things reachable to a wider audience”. Also on his list are Trend Micro’s Rik Ferguson, for his work “on the 2020 awareness campaign and engaging industry”, and finally, James Lyne of Sophos, for his work improving engagement around information security and the Cyber Challenge UK.
What they all have in common, considers Honan, is that “they’re passionate about what they do. You could move them into different companies and they’d still be the same people with the same passions”. He also honors their ability to deliver messages in an articulate and meaningful way, with a desire to make things better. Lastly, he notes, they’re all European. “It’s good to see good, strong leaders coming out of a traditionally US-focused industry.”
I doubt I’m the only one thinking that Honan’s description of those he admires could be applied directly to himself.
Indeed, his ability to articulate the infosec message is one of the things that make Honan so popular with the industry at large. The author of ISO 27001 in a Windows Environment, co-author of The Cloud Security Rules, and currently working on a book co-authored with the aforementioned Raj Samani, Honan is “passionate about sharing knowledge.”
Honan is also the European editor for the SANS Institute’s weekly SANS NewsBites, a blogger, and perhaps most widely known, a huge fan of Twitter.
“Twitter trains me to write and communicate in a more concise and meaningful way. It’s excellent for learning, and engaging with others that you would never even hope to be in the same room with”. Honan’s social media presence has earned him plenty of new business as a direct result of engagement on Twitter or LinkedIn.
Once Upon a Time in Galway
Let’s rewind for a moment though, and take a look at Honan’s formative years. Born and raised in West Ireland, Honan was one of three boys and had the ambition of being a policeman. After a year spent studying electronic engineering at the Regional Technical College in Galway, Honan took a job as a clerical assistant at Irish Life Assurance while he waited for the police to respond to his job application.
By the time they did, he was making decent money and settled into a new role. Irish Life Assurance, having realized the importance of IT, tasked Honan with the strategic planning and management of its client server platform. “Security was always part of the requirement and was significant in my role”, remembers Honan.
Perhaps surprisingly, Honan does not have a university education. I ask him whether he regrets this decision, and after some consideration he answers “yes and no”. Although he admits that, at times, an IT degree may have been useful, Honan believes that most skills are learned on the job. “The ability to execute and a passion for the field is more important”, he says. “[Not having a degree] has been a road-block to a few roles, but the way I choose to look at it, it hasn’t held me back, but it has held back the companies who could have benefitted from my skills but rejected my application because I have no degree.”
One of Honan’s many roles is as adjunct lecturer in information security management at University College Dublin. Admitting that he certainly doesn’t lecture for the money, I ask him what drives him to teach. “We need qualified experts entering the industry, and it’s important that we have these skilled professionals”, he says simply.
IRISS was Born
The creation of IRISS, the Irish Reporting and Information Security Service, in 2008, is considered by Honan as his greatest achievement. Ireland's first CERT (Computer Emergency Response Team), IRISS is a not-for-profit that offers a range of services and information for protecting information systems and making the Irish internet space a safer environment.
“IRISS is a service, something that was needed by the country here, and the reception has been brilliant”, Honan says with pride. “To me, that has been wonderful.”
Without government funding, Honan has recruited a group of 10 volunteers who are assigned shifts in which they monitor and respond to infosec concerns and emergencies. As head of the CERT, Honan co-ordinates with other CERTS, runs 10 meetings a year, and organizes an annual conference in November to raise both awareness and funds. Its greatest achievements, Honan relfects, include botnet takedowns and awareness campaigns.
IRISS epitomizes everything that Honan believes in: making the word a safer place, and giving back to society.
The Usual Suspects
In the summer of 2013, Honan applied to sit on the EC3 advisory board, and was elected to serve alongside several industry experts that I term a “hall of fame” and which Honan jovially calls “the usual suspects.”
“My goal is to look at ways that CERTs and law enforcement can work better together. Currently, companies are wary of approaching law enforcement about cybercrime, because they fear a leak is going to get them into the press.”
The advisory board meets face-to-face several times a year, and Honan reveals that he learns something new at each and every meeting. “Whenever I attend any meeting or conference, if I don’t come away with a new insight or a new way of looking at things, I consider it a failure.”
New insight is exactly what the information security industry needs, Honan believes. To be more precise, “a complete shake-up. We’re caught between being the cool, hipster, tecchie hacker dudes, and being taken seriously by the business.” Sadly, says Honan, “we’re failing at both.” The key, he believes, is communication and perception.
“We often present security in a negative way to the business. We’ve always been in the shadows, always said no, and people only come to us when there’s a problem.” Instead, information security should present itself to the business with real-world examples of what a breach could mean in business terms. “Say ‘There’s a weakness in our security which if not fixed could cost the business X amount, in breach of the Data Protection Act with a fine of X, Y, or Z’”, he advises.
Honan declares that the very best thing about the information security industry is also the worst thing. “We’re all in the same shit together, and we recognize that”, he reflects. “What can be considered community and camaraderie in good times, can evolve to turning on each other very quickly when times are hard.”
Most of the time, he says, “people are willing to share, willing to learn and willing to reiterate.”
| "We’re caught between being the cool, hipster, tecchie hacker dudes, and being taken seriously by the business...Sadly, we’re failing at both" |
The flip side of that coin is the division of the security community in the wake of controversy. Honan uses the ongoing RSA boycott as an example. “We’re very quick to criticize, and maybe that’s because we, as individuals and as a community, demand a high standard of ourselves.” When those standards are not met, “the industry is quick to air their disappointment quite openly.”
This is demonstrated by a ‘blame the victim mentality’ in the industry, explains Honan. “In the physical world, if a burglar broke into a house, we’d instantly cast judgment on – and blame – the intruder. In the cyber world, if a criminal hacks into an organization and steals data, we blame the organization for having inadequate security.” This mentality, he believes, is one of the industry’s greatest downfalls.
Cyber 007
Asked to reflect on his career and consider any regrets he may have, Honan looks contemplative. “There are undoubtedly decisions I’ve regretted, but if you’re not learning from your mistakes, you’re not learning”, he says wisely.
Having said that, Honan openly admits he wishes he had invested more time and resources into becoming a better developer. “But it was never something that I enjoyed, so I stuck to the infrastructure side of things.”
On the journey back to the airport, I ask Honan what’s next for him. “I have no plans for winning or achieving anything”, he says candidly. “But like all business owners, the next step is to make sure the business continues to grow. I’d also like to find ways to better contribute towards keeping people, businesses and society more secure.”
If Honan had taken a different career path, he’d have liked it to have been as a Formula 1 driver, or the next James Bond – “move over Daniel Craig”, he jokes. Despite never fulfilling his more realistic ambition of becoming a police officer, I think it’s fair to say that Honan has made as much – if not a greater – impact on the security of citizens than he could have in the police force. His ongoing passion for securing the safety of his nation is incredibly admirable. No wonder his son thinks he is a hero.
But consistent with his statement about the importance of continued learning and challenges, Honan admits that he would be very tempted if approached about a role “which has the opportunity to do a lot of good.
| "We don’t work in security for the money. If we did, we’d be wearing a different colored hat" |
“I’m not driven by money; I don’t do what I do for financial reward. We don’t work in security for the money. If we did, we’d be wearing a different colored hat”, he laughs. “A lot of us in the industry have the skills and the capabilities to do what the bad guys do. We just have an ethical and moral compass that’s more aligned to the good than to the bad.”
As I agree with his last statement and utter the sentiment that we should all be thankful that Honan and his peers think this way, he looks at me with a huge grin. “Well, somebody’s got to. I don’t think I’d like prison food either, and this body would just be ravaged in prison.”
The rest of the dictaphone recording is our uncontrollable laughter. Brian Honan, ‘hacker catcher’, it has been an absolute pleasure.