Meet the Channel: ESET's Stephen Cobb on His 30-Year Cyber Education Mission

We sat down with ESET‘s senior security researcher, Stephen Cobb, to talk about how the energy surrounding user cybersecurity education isn’t new, and how MSSPs can benefit from his experience. It’s our latest edition of Meet the Channel, a recurring Channel Futures column that examines channel trends through the history and experience of those who work in it. 

Channel Futures: Your security training resume goes back more than 30 years. What were the conversations surrounding enterprise security about in those days?

Stephen Cobb: In 1987, I was training IBM users on how to use their new, shiny personal computers, and I was asked to do some network installations. As I was installing my first network, I realized that it was a Pandora’s box. There were lots of good reasons to connect computers: share information, make computers more powerful. Essentially, the sum is greater than the parts in the network. But on the other hand, people didn’t want to share all of their information. One of the fundamental challenges to cybersecurity to this day is how to share some of the information with some of the people, but not all of the information with all of the people.

I’d written pretty successful books on things like how to use spreadsheets. In 1991, I wrote a book on LAN security, and no one bought it. I’d sold tens of thousands of the how-to-use-spreadsheets book, but it turned out that the 3,000 people who’d bought the LAN security book were the only 3,000 people in the world who were interested in the subject. So I got to know a lot of people in this security outside of the data processing world — security in a post-mainframe world, if you will.

Stephen Cobb

Stephen Cobb

In 1996, I formed a consulting company [InfoSec Labs] doing pen testing, architecture and training for companies that were newly connected to the internet, and then [in 2001] I founded another company around privacy and fighting spam, in addition to teaching security awareness, which I later sold to Symantec.

CF: How does that experience play out with consulting with the channel on security?

SC: Well, In 2011, I went to work with ESET, which combined several things I was interested in: the ability to do research in a company that had a very good reputation in the industry and had a strong commitment to educating the market, and the community and consumers, around security. Today I have a team of five researchers, and we study the threat landscape. That research informs a number of aspects of ESET’s role and participation in the channel.

On numerous occasions I’ve gotten to speak to organizations that are MSP customers. ESET’s approach to the channel is collaborative. We like to educate the channel where we can around issues of security. Clearly with the shift toward the MSP model, partners are now being looked to by their customers as a source of security knowledge and expertise, and we’ve helped foster that in the MSP community. I’ve been to talk to groups of lawyers, of accountants, of dentists, and so on. Then my team provides a watching brief around new threats. We write about things on WeLiveSecurity.com, which is technically an ESET property, but it’s really a place where ESET researchers publish. All the ESET research in terms of things like reverse engineering of malware, honeypots and other botnet tracking activities, etc. My group passes that through to the public.

CF: The number of threats that come across your research on a daily basis has to be almost inconceivable. How do you sift through them to determine which you need to flag?

SC: We apply also what someone on my team calls the Who Cares-O-Meter. If it’s consumer- or business-targeted, why should the victim care? And what is the implication of this? Frankly, a lot of the malicious code emerges in other parts of the world before we see it in America. For example, a year ago there was the malware that was used to turn off power in Ukraine. We didn’t have to apply too big of a Who Cares-O-Meter there, but there were still people wondering why, if it happened in Ukraine, we were talking about it. So we explain things like that all the way down through the tracking of malware statistics.

CF: Today, it feels like the cybersecurity conversation is heavily rotated toward educating careless users, but your consultancy InfoSec Labs did awareness testing back in 1996.

SC: The first companies we did awareness training for were AT&T Wireless, [the company that handled IT for] the NYSE, Microsoft, and other large companies — because that’s how security evolved. The first companies to really get concerned about digital security were the phone companies. Close behind were financial companies. Then the core infrastructure or platform companies. Today those would be Google, Twitter [and] Facebook, but back then, Microsoft had gotten into trouble with the [Federal Trade Commission] around privacy and security. I actually did some consulting for the FTC because in the ’90s, that’s where things started to bite in large organizations.

CF: How has that imperative evolved in 12 years?

SC: Even back in the ’90s it was clear most people were going to have to know about this. That turning point was really when the internet became a consumer product. Then another spate would be the smartphone. By 2010, pretty much everybody became a computer user. Certainly, that’s true now. You went from having to bribe employees to come to training with gifts and prizes and food, because back in the mid-’90s you were talking about protecting a company’s computers. By the early aughts, computer ownership was more universal, which made it more important for everyone to know about security. As computer use at work expanded from work to personal use, you had to educate everybody. By 2010, [the ESET Foundation] was already active in that education area. We’d started an initiative called “Security Our eCity” community-wide in San Diego. We’d go talk to schools, churches, civic organizations and such for free because fundamentally, security is a people problem, then a process problem, and then a tech problem. ESET has great technology and is working hard on process and deployment of that technology with solutions like management tools, but the people part has still to be addressed.

That’s why we provide the free security awareness training. The big challenge for MSSPs is that no one wants to pay for security tools. No one. Persuading [an end user] that it needs more protection is something we try to tackle for them, like why this problem exists. What is a dark market? What really is cybercrime? We try to explain the scale of opposition you’re dealing with when you’re trying to protect your information. What drives cybercrime? Data. If you have data, then [a bad actor] can make money off of it.