Jack Koziol has always had a hacker’s curiosity. When he was a kid, he would take apart VCRs to see how they worked. Years later, he began taking apart software to find its vulnerabilities.
Today, Koziol is considered a pioneer and expert in ethical hacking — the practice of probing software the way an attacker would, in order to find bugs and weaknesses and fix them before they can be used in a cyberattack. He was the lead author of “The Shellcoder’s Handbook,” a seminal book on software exploitation published in 2004, and founded the Infosec Institute, a training and certification hub for those interested in a career in cybersecurity.
Today, Infosec works with Fortune 500 companies, state governments, and the Department of Defense on cybersecurity training programs. Its Madison headquarters houses about 80 employees, on top of 70 in Chicago, and is growing rapidly. And at a time when privacy, politics and national security are under threat from “black-hat hackers,” Koziol said that the demand for cybersecurity professionals is greater than ever.
Tell me more about your first job in cybersecurity — I understand it played a pivotal role in how you became an ethical hacker.
I worked at Harris Bank (starting in 2001), owned by BMO Bank, in the security department there. I was the only cybersecurity person at the whole bank at that point. This was a long time ago.
How many would they have now?
Five hundred, maybe a thousand. There's really been a lot of growth. Cybersecurity positions are the fastest-growing job code in history that's ever been tracked by the Internal Revenue Service. Back then, though, it wasn't. My boss actually told me back then, "There'll never be more than one person doing what you're doing at the bank."
Why weren't companies more concerned about cybersecurity?
I think companies didn't understand the risk. Also, over the last fifteen years, we've seen everything coming onto the internet. Cloud computing, everyone's life is now on the internet … the world has changed quite a bit over that period of time. I think companies were just waking up to what the risks were.
The other thing that happened over the past ten years is that a lot of the breach laws that have been put in place have forced companies to disclose when they've been breached. When I worked at the bank, there were several breaches. The MO was to quickly push them under the carpet, to make sure that nobody ever really talked about them. Now there are laws where that's illegal. All that comes into play, and we hear about it every day: Yahoo was hacked for a billion users, Marriott was breached for four years and 500 million users were compromised in that period.
So how did you start ethical hacking?
When I worked at the bank, I wrote a couple of books. One of them sold a lot and did really well ("The Shellcoder's Handbook"). That was the first book that taught people really how to exploit software from the ground up. A lot of that information was known by the bad guys. And the good guys, they weren't on with that information.
How did you become familiar with how the bad guys were operating?
A lot of intellectual curiosity, and just trying to figure out how things work. There was a lot of discussion of it on the internet back in the day. And initially, I worked at the engineering lab back at the UW, and there were a lot of us who were really curious about how all that worked.
So the book ended up being a major hit. Did that play a role in your decision to launch the Infosec Institute?
Yeah, I saw there was a lot of need, a lot of demand for individuals and businesses that want to learn that information... So I decided to quit my job at the bank, and everyone told me it was the worst decision -- you shouldn't do this. My father-in-law told me it was a terrible idea -- like, why would you leave this cushy bank job? But it ended up being a good move for me personally.
I did everything from the start: I did the sales, I did the cold calling, I did the marketing, I taught the training classes, I wrote the materials. Now we’re a company of about 150 people.
What does it take to be good at ethical hacking?
You have to want to learn how things work. If you don't have a base understanding of how a network works, you can’t really understand how to secure it.
You also have to be a person who really likes change. You can't learn how a cybersecurity system or process works and expect it to still be effective two years from now. There was a study released last year that found cybersecurity skills have a two-year half-life. So everything I know in 2019, if I could know everything there is to know, half of it would be useful in 2021. So you have to be the type of person who enjoys life-long learning.
One thing that's a trend is, over 90 percent of cybersecurity incidents (occur) because there was a lack of awareness or because there was a lack of cyber skills. If you do the root cause of a lot of cybersecurity issues, there aren't enough people. That’s the big trend in the industry right now. There are 2 million unfilled cybersecurity jobs right now, predicted to grow to 3.5 million in the next two years.
You say lack of awareness -- are institutions still not recognizing the risks when it comes to cybersecurity?
What companies have realized is that cybersecurity isn't just the job of the person in the data center with the blinking lights. Everyone who works in a business has a responsibility to practice good hygiene. When they see a phishing email, to recognize it and not click on it. When they see an email that says, hey, the CEO asked you to go and buy some gift cards with your corporate credit card, to know what to do in that situation.
Are there things that the state of Wisconsin or the U.S. government should be doing about cybercrime?
The first one is information sharing. If one state's election authority is breached, there aren't good lines of communication to another one. Hackers exploit this disparity of information. If this state gets breached, or it gets closed up or fixed, they know that information may not be shared with another. We're making a lot of strides on that, and things are better than they used to be.
In terms of regulation and laws, there's a lot of room, I think, for our lawmakers at the state and federal level to catch up with technology concerns. You could see this when they interviewed Mark Zuckerberg. They asked him, "How does Facebook make money?" And it's like, "Ads, senator." Like, come on!
And if you think about it in terms of cybersecurity, these are the people who are writing laws and putting things in place to protect our nation's infrastructure and our commerce. They need to get up to speed, or we need to elect people who understand these issues and who govern a lot of important things in our society.
Your website has a slogan: "Together we'll put cybercriminals out of business." Are you an optimist about the ability of institutions or people to become cybersecure to the point where cybercrime stops being profitable?
It is possible. I think over time, over the next 20 years, we can skill people up. We can put the right people in place. We can get the right processes in place. We can get the right technology. And we can glue it all together, and make it much more difficult for criminals.
Do I think cybercrime will ever go away? No. But I think it's possible for organizations to make themselves secure against those types of things.
I think we're past the peak of cybersecurity damage. I think things can get better. And I think that's done by investing in people.