E72 - Stu Hirst

Welcome to the Human Factor Podcast, Hosted by the people hacker Jenny Radcliffe. Warning: you may reveal more than you think.

JENNY: Hi everyone, and welcome to this episode of the Human Factor Podcast. Today's guest has been so patient with me; we've had to reschedule this so many times, because his schedule and my schedule have been insane, but I've been dying to speak to you. So welcome to the Human Factor, Stu Hirst!

STU: Thank you very much; great to be on.

JENNY: You know you've done a few of these things lately - and I know that you're well known, certainly in a few areas of the business - but for those people who don't know you yet, do you want to just introduce who you are and what it is that you do for me?

STU: Sure. So Stu Hirst, I'm the Head of Security Engineering at Photobox at the moment. Been in InfoSec about seven or eight years; been in IT for about 20, it seems to have flown by! I was a mainframe developer before I joined security, which again just seems like a completely different life; and yes I started at (UNCLEAR) 'Trainline' as a tech analyst about seven or eight years ago, and moved into security when I was there by chance, really. I guess if people know who I am, it's probably from the work that I did at Skyscanner; spent three great years there building their security team and then moved on. I try and do as much of these kind of things as I can; I really enjoy doing them, really enjoy being part of the community, and it's great just to share learning and speak to awesome people. The more of these things I can get involved in, the better.

JENNY: One of the things I always ask a guest is, you said just then that you got into it sort of by accident. Did you want to get into technology; were you always someone who enjoyed tech as a kid?

STU: Yeah; I guess like any young boy I had computers at home. I remember having an Amiga 500 and a Spectrum ZX as a little boy, but I was always into football and sport; the same things that the young lads are normally into. Then I did my GCSEs in England; I did my Highers up in Scotland; then there was two job offers. I had a careers officer that came to the school; Lothian and Borders Police at the time were looking for fingerprint officers, which was a really interesting field.

JENNY: How cool is that?

STU: Yeah, actually my father did that job very early in his career; then joined the army, and then became a policeman when I left school, so it was tying up with his career a little bit. Then the other job was a Trainee Mainframe Developer for the Royal Bank of Scotland at the time.

Now, RBS - this was back in '98, I think - so RBS wasn't the huge animal at that point that it became - and it just looked like an awesome opportunity. I'd only done a little bit of coding - Pascal, I think it was, at high school, which kind of shows my age a little bit - and it just looked like a really good opportunity. I was in with about 20 graduates - we were actually joining at 17, but we were put on a graduate program - just looked really exciting. I didn't really know what else to do, to be honest; it was either that or go to university, and I wasn't really sure what I wanted to do at university. Then I had 10/11 years at RBS. Security was never massively my remit there; I worked for internet banking for a few years while I was, and we worked on the code for the card readers that we now all love as part of banking. There was little snippets of things as part of those roles, but it was mainly Incident Response. Then at the Trainline I was doing more sort of third-line support, SQL server - not particularly very good at those kind of roles - and I was involved in the music industry as well in my spare time, so that was taking up a huge amount of my time. It was only really... I remember the security guy at Trainline was leaving, and my boss at the time asked me if I wanted to pick PCI Compliance up. I went on a week's security course, and I wouldn't say I immediately fell in love with security. It was just something different, something new; I really didn't know anything about it, and it's taken me a long time to even get to the point of knowing some of the things I feel I need to know.

JENNY: When you say that, the security industry's really only what it is now - and evolved in the way it's evolved is the last seven or eight years - I mean, it wasn't something that people were really picking as careers back then; unless it was the police or the military, right? 

STU: Yeah. I think the pace at which things have moved, I've certainly felt that well even just the last few years. The organisations that I've been in - so Trainline; I was NCP for 11 months, and Skyscanner - there really weren't many security people, and it wasn't uncommon; and probably still isn't actually, for smaller internet businesses to only have one or two security people. Now it feels like we're working with bigger teams, we've got big recruitment drives and everything's gathering pace, but I only feel like that's been the last few years; and I'll be brutally honest, I'm not a veteran in this industry. There's so many smarter people than me, and I've had to invest a lot of time in trying to learn this stuff. I've been in environments where I don't really have a choice; I'm either one of two security people or whatever it might be, and you've just got to pick things up as you go along.

JENNY: But you enjoy it. The thing is now, if you're not a complete newbie in the industry, we're all sort of ended up picking it up as we went along. I was surprised on the social engineering point of view, the way the industry all of a sudden embraced it seven or eight years ago; certainly in the UK.

STU: Yeah; the enthusiasm is what drives me to do what I do, really, and I haven't experienced that in other roles I've been in. The RBS is one of the great, great environments to learn and pick up tech, if that's your thing.
