Sophos Asia Pacific managing director, Rob Forsyth
From IT recruiter to head of the Sydney Olympics' industry relations and human resources, Rob Forsyth hasn't had the most straightforward career. Now managing director of Sophos' Asia Pacific offices, Forsyth remains a key contributor to the Australian security industry, having been involved in the Federal Government's recent Cyber Security Awareness Week, as well as sitting on the boards of the Internet Industry Association (IIA), Australian Computer Society (ACS) and the Internet Society of Australia (ISOC-AU).
As he wraps up his tenure on the IIA's board, Computerworld Australia talked to Forsyth about the difficulty of running the Olympics and the ethical side of cyber-security.
Can you give us a brief run down of your career?
My history is just about everything - I was an IT recruiter for 10 years. During that time I also ran an operating lease finance company with about $250 million operating leases. I ran a chain of restaurants, I was a steward with Qantas for five years, I was planning industrial relations during the [2000 Sydney] Olympics.
After the Olympics they retrenched me. I had actually accepted a job with the Athens organising committee, but decided not to take the job when I found out they smoked in the office - they have a "smoking is optional" policy. I'd been sick with throat cancer so I wasn't about to do that.
And what got you into IT?
I've been involved on the edge of IT during the ten years of recruiting and also providing lease on computer equipment, it's hard to be involved in any aspect of business without touching IT but the opportunity to provide security on the Internet is clearly, and unfortunately, a giant growth area.
I'm definitely not a geek, I'm more on the humanities side - I enjoy the people. It's all about getting people to be the best they can be, finding ways to resolve challenges.
Is there a particular reason you chose cyber security?
Over the last 10 years we've seen that become an imperative for more and more organisations to look at. It started life as script kiddies writing viruses for notoriety and now has been moved into really severe organised crime, purveying the worst of the world's cyber criminality and we're about to go through another evolution of that. With the National Broadband Network (NBN), if we suddenly begin to deliver 100 megabits per second (Mbps_ to the premises, perhaps the remote and disadvantaged communities that haven't been involved in the Internet to begin, and having the worst of Eastern European criminality introduced to them by the government, we are going to have to embark on education, we have to embark on legislation plus very good technology.
I suppose I was drawn into where that was heading nine years ago, but it is only going to get more critical.
You've been involved in several of the key industry representative bodies; any reason why?
I was on the [Australian Computer Society] Branch Executive for six years. I suppose there was a vested self-interest first of all: It enabled me to leverage a lot of relationships over time as a recruiter and it gave me some street cred rather than just being a body shop. The other thing the ACS has been predominantly involved in is education; they've talked for many years about the computer driver's licence, seminars and forums for non-academic education. I think it was the education aspects and the way in which computing was becoming very mainstream that drew me into that, plus the personalities.
I think the Internet Industry Association (IIA) is a very credible organisation. This will be my last year - there is a finite six years so I end in February. I'm currently deputy chairman and treasurer.
The role of the IIA is to assist government rather than contest government, and consolidate industry opinion to allow government to react to that common consensus. Bringing the industry together provides benefits to the industry but also to govt for legislation. [Senator Stephen] Conroy's announcement to delay the filter project while the industry deployed a voluntary code just for child abuse material i think is one example of that.
The issues covered by ISOC-AU are much more technical on occasions; ICANN type issues. They are certainly heavily involved in the way the NBN will be rolled out.
[The IIA and ISOC-AU] complement each other like the sound of two hands clapping. They move in similar circles but they certainly don't have big overlaps.
What do you see as the biggest priorities for security firms such as Sophos at the moment?
We're focussed a lot on what used to be called zero-day attacks, and we've developed solutions that don't look at signature-based detection, but look at behavioural-based detection and pre-execution.
Software has become predictive rather than reactive so it is in front of the game.
I don't think we'll always have to wait entirely for the crime, the difficulty is enforcement in a legal sense, rather than just blocking. More higher-profile gaol sentences for cyber criminals will come over the following years, and that will generate publicity and perhaps eventually begin to bring the two major cybercriminal organisations to book - being the Russian Business Network (RBN) and Canadian Pharmaceutical.
The products have moved away from what was possibly IT geeky into more mainstream; they've become much simpler but also more comprehensive. The products have evolved along with the threat and continues to evolve along with the threat.
Us and all of our competitors battle not to be antivirus companies anymore because it tells 10 per cent of the story. However, if someone grabbed you at a barbeque and suddenly said to you "what do you do for a living" and they weren't technical, anti-virus is probably the easiest hook to hang your hat on.
Sophos has grown locally from eight to 160 people since you joined. How much more do you expect to grow in the coming years?
We're recruiting regularly, but it's not rapid; it's consistent. We've just opened an office in Auckland after having staff work from home previously.
We've augmented those in Melbourne and Queensland, while Sydney and Canberra have ben static. So it's been about moving people to the periphery rather than building a big headquarters here. We have 65 staff based in North Sydney.
What do you look for in new hires at Sophos?
We're looking for various skills in assembler languages. We often find that someone who's a programmer will take 12 months to become a reverse engineer of that. We tend to grow our own technical skills, we don't find those in the market, nor would we ever expect to.
Given that the threat has changed so much in the last nine years, I think it's unrealistic to expect people to come out of the egg ready to tackle tomorrow's problem. We spend a lot of money on training those customer engagement people both here and internationally, and we tend to do very much in-house technical training.
We will not hire anyone who has been proven to be a hacker. If they own up to that or if we establish that internally, that will disqualify them from a job. It's not for legal reasons, it's for moral reasons and it's just for common sense - if that person lacked the common sense that they thought releasing a virus into the wild was an interesting thing to do for academic purposes, I think it's a failure of intelligence.
What advice do you have for those trying to get into the industry?
If there was a strategy for an IT graduate to get a job, I would say it would be to get out there. Don't just sit behind your desk sending resumes through Seek; go and talk to companies, talk to individuals who work in those companies. Volunteer your time without pay.
On occasions I'm approached by people who seem to believe an employer has to do all of the work in the interview and has to do all the interviewing. It's really up to the employee to do the interviewing about the employer.
I think it's about getting engaged and putting yourself out there.
Broad-based general IT skills are great in broad-based IT, but to get into specialist providers you're going to need specialist skills. Have very deep specific skills in one area so the employer can access those skills.
Specifically in Sophos labs, the skills they would require would be a deep knowledge of assembler language and a desire to reverse engineer, which is quite different to application programming.