Reflections on 35 Years in Cybersecurity

Rick Tracy
March 30, 2022 • 5 min read

When I started in the cybersecurity field approximately 35 years ago, things were much different. For starters, the term “cyber” didn’t even exist – we called it computer or network security, not cybersecurity.

There was no such thing as vulnerability scanners, firewalls, intrusion detection systems, intrusion prevention systems, advanced persistent threats, supply chain risk management, or ransomware. The phrase “cyber hygiene” would have made people laugh, and there was no such thing as zero trust. There was no need for complex passwords, much less multi-factor authentication. The only cloud that existed was in the sky. Any focus on security was a nerdy IT issue, not the business concern it is today.

Personally, I was influenced by books such as The Cuckoo’s Egg by Cliff Stoll and Firewalls and Internet Security by Cheswick and Bellovin. After reading these two books, I was hooked and became a cybersecurity “lifer.” With the advent of the internet, I, like many others, imagined a day when computer security would matter not just to those of us in the IT field, but to everyone. I’ve witnessed that vision become a reality, with state-sponsored cyberattacks, zero-day attacks, ransomware attacks and attacks against critical infrastructure and supply chain now taking center stage in our public discourse. Today, cybersecurity, cyber warfare, and cyber defense are even considered legitimate warfighting capabilities.

In the late 1980s and early 1990s, computer and internet security were much like the Wild West. There were so many unknowns, danger, and, of course, endless opportunity. 

In the very early days of computer security, it was mostly the U.S. federal government and financial institutions such as large banks that seemed to care about computer security. The industry was driven by legislation like the Computer Security Act of 1987 that triggered a number of requirements for the federal government. The Computer Security Act morphed into what we know as the Federal Information Security Management Act in 2002, and has continued to evolve since then.

With these pivotal pieces of legislation, the government created a model that industry could replicate to manage security via standards and frameworks. However, as crazy as it might seem, it would be nearly ten years before regulatory security requirements like the Health Insurance Portability and Accountability Act (HIPAA) were enacted, and nearly 20 years before international focus in the form of ISO 27001 came into play. The industry is still in its infancy, but it’s amazing to see how much things have changed since I started my career in this field nearly 35 years ago.

Reflecting on just how far we’ve come over the past three decades, I have some thoughts on how to approach the years to come:

  1. Expect the unexpected: Cyberattacks today are disrupting critical infrastructure and being used to shut down power grids, disrupt pipelines, contaminate water systems, and ultimately help wage war. These outcomes were hard for many of us to imagine 30 years ago. But what will happen as artificial intelligence and machine learning technologies mature and are used in harmful ways? It’s hard to predict, but we must focus on the future.
  2. Don’t think that today’s solutions will be adequate for tomorrow’s cybersecurity problems: Consider, for instance, two early security technologies: antivirus and signature-based security detection systems. While these technologies were incredibly useful when first introduced, most would agree they are largely useless today. Security technologies must evolve to address emerging tactics. If you are a product vendor, be prepared for your magic widget to be rendered obsolete unless you have an eye on the future. Continuous innovation—and evolution at the speed of relevancy—is essential.
  3. Beware of hype: Years ago, a security expert professed that encryption was the answer to our computer security problems. We now know this isn’t true. Encryption is obviously helpful for protecting data in transit and at rest, but is only part of a broader cybersecurity strategy. Recognize there are no silver bullets. Years ago, the hype was around defense-in-depth, yet now you rarely hear the term. Today it’s all about Zero Trust. Time will tell how well it will age.

I am fortunate to have had a front-row seat and the opportunity to watch the industry evolve, perhaps providing my own meaningful contributions along the way. That said, it’s time for me to step aside and let the next generation of talent spearhead us into a new age of security.

With the evolution of advanced technology like artificial intelligence and machine learning, it’s impossible to imagine where things might go from here – the possibilities are quite literally endless. However, one thing can be said with certainty: the next 30 years are as uncertain as the past 30. There will be even more uncertainty, danger and opportunity. I’m anxious to follow along, but I’ll be doing it from the sidelines. To all of those carrying the torch forward, please know that I’ll be rooting for you.

Rick Tracy
Former Senior VP and Chief Security Officer
Rick Tracy is the former senior vice president and chief security officer at Telos Corporation.
James

Happy Retirement Rick! Enjoy those extended golf sessions you will be having.

Frank Johnson

I read The Cuckoo’s Egg shortly after it came out and really enjoyed it. What was notable to me then, but especially impresses me 30 years later, is that Cliff Stoll wasn’t an IT security or computer network professional. He was an astronomer, an end-user, whose curiosity about a 75-cent error in his department’s computer usage account led him into this pursuit. It delivered the message early on that one doesn’t need to be a computer science major to excel in the cybersecurity field.

Congratulations, Rick, and best of luck.
