Renowned information security expert Yves Le Roux has been awarded the Harold F. Tipton Lifetime Achievement Award by (ISC)² for his contributions to the profession.
Le Roux is one of the few Europeans (and even fewer non-native English speakers) to have received the award.
Highlights of his career work include strategically guiding corporate efforts to meet security needs, extensive research and support for government policy, championing negotiations that led to the first-ever joint technical committee between the International Standards Organization and the International Electrotechnical Commission, and even counter-espionage.
Infosecurity recently spoke to Le Roux to learn more about his lifetime achievement award, career journey and insights into the key issues currently impacting the information security sector.
How does it feel to be awarded the lifetime achievement award by (ISC)²?
It is a great honor to receive the prestigious (ISC)² Harold F. Tipton Lifetime Achievement Award and to be placed in such distinguished ranks as those of the 18 past honorees. This is clearly one of the most significant events of my professional career. When I looked at the list of previous winners, I noted that I was the only professional from France to be given this award and one of very few Europeans. That feels like an achievement and confirms the decisions I made early in my career to look internationally.
How did you get into the information security field?
I worked to contribute to international organizations. As a scientist, you love to present and discuss your findings. This is why I contributed to various associations – ISO, ISACA, (ISC)² – creating development projects around my own questioning.
I started my career in 1967 developing a network between three computers. It is important to remember that the first four nodes of the ARPANET (the ancestor of the internet) were connected electronically in 1969. Consequently, I had to create the systems programs for the data exchange from scratch. I developed synchronization mechanisms for transmission protocol and implemented error-correcting code for integrity. I got the opportunity to do this after I took the risk of joining the first cohort of students studying the new, but interesting, subject of ‘programming.’ It was so new that there was a lack of high-end computers at the school. The university co-operated with industry research facilities and I got the chance to work with the French Power Utilities (EDF) Research Center, then working on an initiative to develop a network connecting the control data computers in two remote locations.
In 1970, my next position was network and security engineer in an investment bank (Rothschild) where transaction security and confidentiality were essential, and it developed from there.
Looking back on your security career, what resonates with you most?
The most important feature in my career is the information security specialist ‘brotherhood’ that came together out of a need to exchange data about findings, security alerts and warnings. Interestingly, as your career develops, you move from one company to another, but you keep your links. Anyhow, you spend all your career learning and you must always be on top of the new technologies, not only for security, but also for insecurity.
Security is a discipline that has moved forward as a community. In cryptology, for example, you are not able to demonstrate your algorithm is secure. Consequently, you publish and wait to see if somebody finds a shortcut and/or a way to break it. Similarly, if you develop a communication protocol, you want the maximum number of people to adopt it and you may improve it with ideas from others.
I was lucky to be able to be active with many organizations and I was supported by the companies I was working with because they understood the value of security.
What’s the biggest information security challenge currently impacting organizations?
Security policies and tactics must be based upon any organization’s business strategy. With the COVID-19 pandemic, many organizations are facing unprecedented levels of change, accelerating their cost-reduction targets, modifying their operating models and redefining their functional priorities.
It is not clear if changes will last in a post-COVID era. Working from home saves commuting, travel and real estate costs, and might even be more efficient, but takes away a lot of valuable social and creative interaction.
Information security teams have to stay robust and adaptable to cope with fast evolution. However, they must also stay coherent from a user point of view as well, so as not to be seen as a road-blocker. There is a clear balance to be struck.
Lastly, if you could change one thing about the security industry, what would it be?
When you discuss the industry with students, they consider an information security career as a techie, low-profile opportunity. Outside of the financial sector, very few CSOs or CISOs are part of the company executive committee. Consequently, we have a big information security resource shortage. As long as information security is treated as the responsibility of a bunch of specialists within organizations, companies will struggle to establish the priority needed from everyone, attract the people that can help and will fail to meet the biggest challenges. Breaking this cycle begins with how the profession is recognized. We must give more visibility to potential information security career paths.