Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is cosponsored by Synopsys and IEEE Security and Privacy Magazine. For more, see www.computer.org/security and https://www.synopsys.com/silverbullet/. This is the 134th in a series of monthly interviews with security gurus, and I’m pleased to have today with me Kelly Jackson-Higgins. Hi, Kelly.
Jackson-Higgins: Hi, Gary.
McGraw: Kelly Jackson-Higgins is executive editor at darkreading.com. Kelly is an award-winning veteran technology journalist with over 20 years of experience as a reporter and an editor. Publications Kelly has been associated with include Network Computing, Secure Enterprise magazine, Communications Week, Virginia Business magazine, and a few others.
Kelly’s coverage of computer security, aka “cyber,” is award-winning. Kelly has a B.A. in English from William & Mary, where she played on the women’s soccer team. She lives outside of Charlottesville, Virginia, in a semi-empty nest due to college, kind of just like me. There are no kids left, right?
Jackson-Higgins: Right. Yeah, well, one comes and goes. She always visits on weekends.
McGraw: We’re down to zero. So there’s milk in the refrigerator; that’s the main thing.
Jackson-Higgins: Yeah, you’ve got to have the food there just in case.
McGraw: Exactly. So as the executive editor of one of the most important security website outlets, you have a really unique perspective on the security industry. How do you separate the signal from the noise when it comes to news and security?
Jackson-Higgins: That’s a great question, Gary, because that gets harder every day. We get so much thrown at us, and there’s so much going on, as you know, so we really have to...Every day I spend...Early in the morning, I’m in here sort of, I guess, triaging, as I would describe it—looking at things we’re working on, longer-term things we’re working on, new things that are happening, and determining whether it’s something that’s really real and impactful and will be interesting to our readers. So I have to sit there and figure that out every day and then find our folks to cover the things or, in some cases, write them myself.
It’s definitely challenging. We never have a day we don’t have something to write about. A lot of things do get left on the floor just because there’s just too much, which is a good thing. It’s not a bad thing.
McGraw: I mean, it is a good thing, but, you know, how much more is there now, and how has it grown over time? I’m sort of interested in that.
Jackson-Higgins: Yeah, well, I know early on, like, when we first started...It’ll be 11 years in early May, which is incredible to me. I can’t believe we’ll be 11 in early May. I was looking back at some of my really old stories back in 2006 and...so long ago, and—
McGraw: I used to write for you guys back then, remember?
Jackson-Higgins: I know. You were one of our bloggers, yeah. So back then, you know, we had...Things were so new. Like, you know, a new malware variant was a huge story or a bug. I remember H.D. Moore’s Month of Browser Bugs was a really big story.
Now we’ve kind of matured where we have these bug bounty programs. Now, specific ransomware variants are a big story. But in terms of back then, there weren’t a lot of big data breach stories. They were kind of few and far between.
But that’s what’s really, I think, picked up over the last few years too, is the actual attack—attack groups, attack targets. So there’s more influence to write about too, in addition to the technology. And I would say the technology’s evolved a lot in some ways but not much in other ways.
McGraw: Yeah, that’s funny, and I’m sure that you get pitches from vendors all the time. “This is the most important story on earth, and our little thing seems to help.”
Jackson-Higgins: Yes, everyone’s product is going to fix everything and is not hackable.
McGraw: So far, untrue, all these things.
Jackson-Higgins: Yeah, exactly.
McGraw: So I want to ask you a little bit of a tricky question with regard to that. What role do advertisers and sponsors play in Dark Reading’s coverage?
Jackson-Higgins: Actually, none. The only thing we have on our site that would maybe answer that question, we have a sponsored column section, where sponsors might write something that we don’t, you know...have anything about the concept, but we don’t edit it for that. We just edit it for copy editing.
But in terms of what we cover, I personally try not to pay attention. That sounds naïve and possibly lame, but I try not to pay attention to who’s advertising on our site, not that it would affect me, but I just feel like I don’t want to think about it.
McGraw: Don’t want to know about it. Yeah, that...no, that seems like a reasonable policy. Hard to do, but reasonable.
Jackson-Higgins: Yeah, yeah. It’s not like we don’t know who’s advertising, but that definitely does not impact what we cover.
McGraw: That’s always a tricky bit. I mean, you know, journalism has changed an absolute ton in the last 20 years. I know you wrote for your high school paper and you wrote for the college paper, and I’m interested to hear from your perspective what’s changed or maybe what’s not changed when it comes to journalism in the last 20 years.
Jackson-Higgins: Oh, yeah, that’s an understatement. It has really dramatically shifted. You know, back in the day, your biggest concern was reporting on your story, and you had this long process of editing and, you know, the layers of people. There could be like three people editing your story, and it would take a while to get it published. You had the print side of it.
When we first started out, Dark Reading was always online-only, so we had that sort of as our advantage to start out. A lot of pubs had to switch to that. I remember the days when you would write stuff for the print pub and the “leftovers” went online.
McGraw: It wasn’t called premium content?
Jackson-Higgins: No, it was just, “Oh, throw that up on the web.”
McGraw: Yeah. I remember writing columns that were actually published on paper, back in the day, and then when I switched to you guys, it was like, “Wow, this is just web-only. Holy cow.”
Jackson-Higgins: Yeah, I think we don’t have the luxury of time anymore. I will say that. And because, in our industry especially, things are changing so dramatically all the time—like the threats are changing, there’s something new happening all the time—that, you know, you’re constantly under the gun to crank stuff out, think on your feet.
I think journalists in general, we’ve learned that the thrill in this business is not just about the reporting. You have to have an online presence. You have to have a social media presence. You do talks. You moderate panels. Your public speaking becomes part of your persona. A lot of skill sets that we may not have been trained at, we’re learning on the job. At least I know in my case, that was something that was a bit of an eye-opener a few years ago. It was, “Wow, I’m not just a writer anymore.”
McGraw: That’s right. “I’m a media personality.”
Jackson-Higgins: But it’s good. I mean, I would tell my kids, “You’re getting your job, then your career’s going to evolve and change, and you’re going to be learning, all the time, new skills, and you’re not doing one finite set of things anymore, and that’s actually a good thing.” So it can be challenging at times, but I think it’s a good thing.
McGraw: Yeah. I don’t know. How important is social media to your work, would you say?
Jackson-Higgins: Well, interestingly, I was one of the first Twitter members—I mean, Twitter users or whatever, members, I don’t know what you call it, members of Twitter?—back in the day, and back then, a lot of people—
McGraw: Tweeters, they called them Tweeters.
Jackson-Higgins: Tweeters, yeah. I remember you were resistant to Twitter for a while. I remember that.
McGraw: Totally. I have to tell you the reason I started using Twitter is because we sold a company that I was an advisor to, to Twitter. And so I had this pre-IPO stock, and I had to decide like, jeez, I had to use the product and make everybody else use it. So I swore I was going to stop using Twitter the day I got rid of all that stock, and of course, I got addicted instead.
Jackson-Higgins: Well, you know what I think’s interesting about Twitter is our industry is so Twitter-centric. There’s so much conversation going on. A lot of times, news is happening on Twitter. So to me Twitter is like my right hand. I mean, I have it up all day. I don’t necessarily tweet every five minutes, but I definitely do communicate when there’s a reason to. But basically I am stalking people online, what’s up on Twitter. I think Twitter, it’s a really good...You know, it has its pros and cons, obviously. It’s not a great place to have a long conversation, but I think it’s a way to keep your hand on what’s going on, and I like that about it.
It’s definitely been a huge part of my job and work state. We expand a little bit to our Facebook page and our LinkedIn groups, but I think for most people in security, it’s going to be all about Twitter.
McGraw: Yeah, there are some new ones coming up. Have you heard of Mastodon?
Jackson-Higgins: No, I haven’t heard of that one.
McGraw: Yeah, there are people who are talking about that now. Who knows? I mean, the whole thing surprised me because, like you said, I was always very resistant to the idea of “even less thought out” stuff. But it turns out if you follow the right set of people, it can be incredibly useful and very, very fast. Stuff does break on Twitter, and two days later, we’ll read about it in the Post, and it’s like, “Wow, that’s two days old.” Yawn.
Jackson-Higgins: Well, I’ll say every major news event that I’ve seen in the past 10 years or was interested in on Twitter I saw first on Twitter. Much of the stuff that I saw in the world happen I saw first on Twitter before I read it anywhere else, so yeah.
McGraw: Right, interesting. So slightly different question: What’s more fun to cover, technology or business? Or is that sort of a red herring question?
Jackson-Higgins: You mean in terms of business of our industry or business in general?
McGraw: You get to make it up, what I mean.
Jackson-Higgins: OK. Well, I think for me it’s a combination because I think our industry is the most interesting one out there right now. So to me, when you’re combining the effects of a cyber attack or the effects of what a particular threat group is doing and how you’re battling it or not able to battle it and the techniques they’re using, I think that’s interesting, so it’s both. I guess for me it’s both the business and the technical piece.
I wrote some general business pieces back in the day, and they were fun to do, but to me, they weren’t as challenging as this. Every day, to me, this job’s challenging.
McGraw: Yeah, and I mean, certainly the technology and the business of computer security or cyber security has gotten bigger and bigger. And the business aspects alone require coverage of their own in some sense. But you can’t do it without having a technical clue; otherwise you just get spurious coverage.
Jackson-Higgins: Right, and that thing is, yeah, really it’s fun to me to drill down on some of these things because, you know, you’re learning about it and you get sort of a body of knowledge, but then there’s always new things happening you get to learn about, so I like that too.
McGraw: Mm-hmm. Politics and security are intersecting these days more than ever, and I’m wondering how, as the person in charge, Dark Reading approaches thorny, unresolved issues like crypto backdoors and WikiLeaks and Snowden and Russian information warfare and so on.
Jackson-Higgins: Yeah, that’s a good question. You know, the Snowden thing, early on, was a little bit of a challenge for us because, well, first of all, we didn’t have the original documents, like some of the ones that were leaked. So we were trying to parse out what would an enterprise security person want to know about this? How would this affect them?
So we were a little less on the privacy aspects and more on the insider threat stuff, for example. I mean, how your company wouldn’t become the next Edward Snowden and that kind of thing. We looked at—
McGraw: “Don’t get Snowdened.”
Jackson-Higgins: Yeah, exactly. I mean, we did a little bit of the privacy stuff, but I think for our readers, the more interesting pieces were the takeaways, what this means for their organizations. I mean, “If the NSA is getting owned, what does that mean for me?” That kind of thing.
McGraw: Right. How about things that really take kind of a technical versus political stance, like crypto backdoors? Do you guys worry about that issue, or do you try to ignore that?
Jackson-Higgins: I don’t think we ignore it. I think we haven’t done as much on that. We did cover the WikiLeaks stuff around the election time. But remember the election hacking was another animal in cyber espionage, which we cover regularly. I thought that was really interesting stuff, so we definitely covered that from the perspective of the threat groups and how Russian hacking groups were changing their game a little bit against the U.S. I thought that was really interesting.
Crypto backdoor stuff we’ve covered, but, you know, I guess our readers are more interested in it from the security aspect, so that’s kind of the angle that we’ve looked at.
McGraw: Well, yeah, it’s hard enough to build applied crypto that works without trying to put a backdoor in it and not screw that up.
Jackson-Higgins: Well, it seems like I’ve been running on about encryption forever, and in some ways, we’ve not really moved the needle too far, right? We’re still moving in that direction, but it’s taking a really long time for encryption to be a normal, everyday thing.
McGraw: Yeah, it’s because it’s hard. And people who try to make it easy don’t do it right, generally speaking. So there’s like a whole bunch of broken crypto on your phone, broken right now.
McGraw: We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
Do you think that fake news is, at its heart, an information security issue?
Jackson-Higgins: The stuff that we saw purportedly from Russia, you mean, like—
McGraw: No, not necessarily just from Russia. I just mean disinformation, the fake news thing.
Jackson-Higgins: Well, I think part of the problem right now in our industry—and just in general with journalism being so rapid-fire, online, quick to get things up—is there is some misinformation that gets sent out early sometimes when things happen or when news breaks.
Sometimes, publications and people get it wrong, so that’s always the tricky balance. It’s being time-sensitive on a story but also making sure it’s accurate and you really drill beyond the face value of the development or the topic. We see people jump to conclusions a lot in our industry. Especially...that’s probably the downside of Twitter, is people tend to sort of throw out their thoughts before they really thought it through sometimes and—
McGraw: Hot take.
Jackson-Higgins: Exactly, exactly. There’s some fun to that, but there’s also some danger to that.
McGraw: I don’t know. It gets hits. I mean, BuzzFeed has kind of built their whole little world on that.
Jackson-Higgins: We try...You know our goal is to be more...This has sort of been our unique value that we’ve tried to build as really having a more in-depth, “looking beyond just the face value” of the news for a big story. It’s really kind of stepping back and looking at it from different angles. So that’s not just news itself but what it means to organizations, to readers, and the big picture. That’s the fun part actually.
McGraw: Mm-hmm, that’s a good answer. So, our kids have all grown up and flown the coop, and I wonder how being a tech-savvy mom impacted your journalism.
Jackson-Higgins: My journalism or my kids?
McGraw: Your journalism. Well, I don’t know. I think your kids impacted your...maybe it was the other way around. Who knows?
Jackson-Higgins: I don’t know. I don’t know if I was tech savvy right away.
McGraw: Oh, come on.
Jackson-Higgins: I mean, I think I’ve always been interested in technology, so I think I was an early adopter to a lot of things. And I tend to be a little paranoid. Like for a long time, my Twitter feed was private, and I realized that wasn’t super helpful, I suppose, involving conversations on Twitter. So I had to open it, and that was like a big moment.
Jackson-Higgins: And I’m one of the people on staff who’s always bugging people about...reminding them about security best practices and things like that. And my kids will tell you that I annoyed them forever about security, but they’re both very security savvy. They both use ETM, they make strong passwords, they’re telling their friends what they’re doing wrong, so—
McGraw: That’s hilarious, and they learned that from you, presumably?
Jackson-Higgins: Yeah, oh yeah, because...not my husband.
McGraw: Well, did the tables turn? Like in my house Jack learned an absolute ton from me, and then he started teaching me about stuff. He demanded we switch to Macs; he tells us what phones to buy to this day. Did that happen at your house too?
Jackson-Higgins: Every once in a while, I get the “Wait a minute. You told us to do this.” We have those moments where you cut a corner. But I think I drilled it in them pretty well, because they take it pretty seriously, and I think they honestly appreciate why and understand it. And they’ve become a little bit paranoid sometimes. I don’t know.
McGraw: Well, they grew up with this stuff, so they actually see it a little bit differently than we do. Although, I mean, I started using computers at 16, so that’s pretty young, but zero is a lot younger than that.
Jackson-Higgins: Yeah, no, I dove in early, before it was easy to use and hated a lot of technology back then, and then as it got easier, I appreciated it a lot more. I was always interested in how things worked, even as an English major. I was tinkering with applications all the time.
McGraw: That’s good. I got a degree in Philosophy, which is even more useless than English, so I don’t know what to tell you.
Jackson-Higgins: Hey, I think they’re both very useful in this industry. I argue that liberal arts is actually a big help in this industry in terms of thinking and...I mean, look at you.
McGraw: Joking aside, I totally agree with you. And I think that one thing that happened in computer security is that people came from a lot of diverse fields and all came together to really change stuff about 20 years ago. And I hope we don’t lose that. I hope it doesn’t become over-professionalized in a sense that people with a really unique perspective don’t get listened to as we go forward.
Jackson-Higgins: Yeah, well, I remember the early people...I remember we did some profile pieces on Dark Reading early on to kind of get to know people in the industry, and so many of the pioneers I read about either dropped out of high school, dropped out of college, you know, were just learning as they went along. They were basically building the industry themselves by just doing it, you know.
So I think that creativity and that mind-set of creating like this industry sort of started out as...That’s still a big piece of it, and I think that’s something...You’re right, I don’t think we should lose that. I think that’s a big element of why we are where we are today in history.
McGraw: Cool. So a little bit of a difficult question. Sitting on the journalistic side or the journalist’s side of the table in tech gives you a whole bunch of power, and so I’m wondering if you experience the same kinds of sexism that other women in tech experience even if you’re on that powerful side of the table.
Jackson-Higgins: Yes, absolutely. I mean, over the years, I’ve had various experiences. When I was younger, I was not very good about standing up for myself or speaking out about it. But I think women today are much more empowered. You’re seeing that a lot in the news lately and just in terms of the whole movement of victim issues. And I feel like that’s something now I’m more comfortable dealing with than I was maybe 20 years ago.
But yeah, unfortunately, it’s a thing. People will make a comment. You know, I’m usually the only woman in the room in a lot of cases. And I grew up with two brothers, and I was a tomboy, so I was used to being the only-girl-in-the-room-type thing. So I don’t really worry about it, but it does come up sometimes, and you can definitely sense comments or the way people may talk to you or treat you. And it’s a shame to me that’s still happening, but I think women are getting better at speaking up about it now, so I think that’s really important.
McGraw: That is important. Are there things that we should do collectively to eradicate this problem? Do you have any ideas for that?
Jackson-Higgins: This is something I think about all the time, and I’m actually in the process of working on a panel for Black Hat about diversity. It’s such a big question. There are so many cultural issues that are hard to beat. You know, people grow up thinking a certain way, or they subconsciously judge somebody based on, you know, what they look like or what sex they are and that kind of thing.
And there’s always some sort of preconceived notions and biases. To me that’s a tough thing to break. But I think the more it’s talked about, the better. I mean, that’s one thing I’ve noticed, is now this is more in the topic of public conversation in our country and in our society and in our security community. I think that helps a lot.
I think it makes people more aware that it is an issue and even just checking your own biases at the door. Everyone has their own biases too, right? Whether they want to have them or not. So I think that’s really the key, is just keep talking about it. I don’t know how you fix it, but I think awareness—and that sounds so hokey, but awareness—and just being open about it is half the battle, I think, in the end to sort of changing the mind-set, changing the behaviors.
McGraw: I buy that. I mean, that’s sort of sunlight-as-the-best-antiseptic approach.
Jackson-Higgins: Yeah, and I think when I was younger that it wasn’t talked about. That’s why I, a couple times, should have spoken up but I didn’t. I just kind of let it go, you know. I’m embarrassed. I should have maybe said something to somebody that that happened, or I should have told this guy that was an inappropriate comment or whatever, but I didn’t. I just kept quiet, and that was stupid, but I didn’t know that’s how it was handled.
McGraw: Right. With that, you think that was partially just the way things were back then and they’re getting better?
Jackson-Higgins: Yeah, I think so. I think people just didn’t talk about it, right? So, you can look back at some issues I saw on college campuses as well. That’s definitely a topic of conversation now where it wasn’t when I was in college. You didn’t talk about it, except you whispered about it, or you heard stories about it. You didn’t really speak up.
So that’s why I think talking about these things and doing it in the light of day is probably going to help. It won’t fix things, but it will definitely make it easier to handle it when it happens.
McGraw: Mm-hmm. So now, a completely off-the-wall question: When you played soccer at William & Mary, did you predate U.S. women’s national head coach Jill Ellis, or did you play with Jill Ellis?
Jackson-Higgins: I played with Jill Ellis, as a matter of fact.
McGraw: Cool. Do you still keep in touch?
Jackson-Higgins: I sure do. I’m going to see her tomorrow. We have a big soccer anniversary weekend at William & Mary for the first time to commemorate the beginning of the program, and she will be there. So we’re all going to be catching up this weekend. I have a core group of teammates who are still really close all over the country, and we get together at least once or twice a year. And we see Jill probably every two years now, but she keeps in touch with us, and we will see her this weekend.
McGraw: Very cool. That’s neat.
Jackson-Higgins: We’re very proud of her.
McGraw: No doubt. And then the last question: What book are you currently reading? I just started Daniel Suarez’s new book, “The Change Agent,” last night, which is kind of ridiculous science fiction fun stuff. But what do you like to read? What are you reading now?
Jackson-Higgins: OK, you’re going to laugh at me. I was an English major, so I still like to read like literature.
McGraw: Oh, me too, I read a bunch of literature.
Jackson-Higgins: For some reason, I’d never read Maya Angelou’s “I Know Why the Caged Bird Sings.” I just finished that this week.
Jackson-Higgins: And I’m getting ready to do my second pass at “Trinity,” which was one of my favorite novels years ago, about Ireland. We just had a trip there last fall, and I wanted to reread it after having been there. So I’m getting ready to read that again. It is a very long book, but it’s awesome. At the same time, I’m usually reading a nonfiction book, and I’ve got like three of them in the works. One of them’s Bruce Springsteen’s book.
McGraw: I’ve heard that’s good, actually. I’m not a big Bruce Springsteen’s music fan, but he’s an interesting fellow, for sure.
Jackson-Higgins: Well, I have been a huge fan a long time, and I’ve heard him do some readings of the book, and it’s really well done, so I started reading that. My daughter got me that for Christmas.
McGraw: That’s great.
McGraw: What are the other two nonfiction ones?
Jackson-Higgins: Well, there’s actually another book. One of my favorite authors is Toni Morrison. There’s a book I just got from her. It’s called “Conversations with Toni Morrison.” I’ve read all of her books at least twice, so I’m just reading her voice, interviews she’s had. And then, let’s see, what else? OK, my pile is too big.
McGraw: Sorry, yeah, I have a hard time remembering myself. Like I just read this great book that I gave to Amy, and she’s reading it, and I can’t remember the title of it.
Jackson-Higgins: Yeah, I can’t find the other one, but I usually have like a couple, two or three books going at the same time, so that’s kind of how I do it.
Jackson-Higgins: I tend to read older fiction. I tend to not be reading the newest books, so I’m always behind.
McGraw: But a big reader. Your English-major roots didn’t go away.
Jackson-Higgins: No, they did not go away. I still appreciate my good literature.
McGraw: Very cool. Well, thanks for your time today. It’s been a really interesting conversation.
Jackson-Higgins: Yeah, thank you, Gary. It was great. Thanks for having me.
McGraw: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is cosponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The January/February issue of IEEE S&P Magazine includes our interview with Marie Moe, a Norwegian researcher who hacks her own pacemaker. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.