Episode 8: Cybersecurity early adopters: How the pioneers got their start | The Job Security Podcast

Introduction

Welcome to The Job Security Podcast’s Early Adopters Series—a showcase of unique and talented individuals with great stories about the early days of cybersecurity. As you know, early adopters generally represent about 13.5% of the people who have started to enjoy a new technology, and some of us go back quite a ways into the early days of the internet.

Some were there when the first firewall was lit. Others were building hardening scripts before anyone called it “security engineering.” And in an era when there were no well-trodden paths, no master’s degrees in cybersecurity, no SANS courses on penetration testing—these pioneers were teaching themselves, sharing knowledge on BBSs and pay phone meet-ups, and figuring out how to defend systems that no one had really thought about defending before.

With us today are Jay Beale, who has a storied background including tool building like PARAD!ES and Bastille Linux, many training sessions, and running companies as CEO and CTO of InGuardians. He thoroughly enjoys helping companies by breaking into places to make sure no one can break into those places.

And Greg Notch, a seasoned veteran of cyber leadership and conference community member with over 20 years of direct experience, including one of the most challenging gigs in the CISO seat—being the CISO for the NHL.

Jay’s origin story: From PhD dropout to security pioneer

Dave Johnson: What was your earliest memory in cybersecurity?

Jay Beale: So I was working at a university, and I was actually a grad student. I was a PhD student in math, and I was also working in the computer science department as a research assistant. But on the side, I was being a Unix sysadmin for the math department that I was studying in. I was having a blast, and I was learning a lot. I was basically plowing through an O’Reilly book and everything I could find online as fast as I humanly could.

And so I was having this experience where it’s like, “Wait, I’m pretty sure we got a hacker in here.” And my boss was like, “Well, I don’t know. We can do security later. Right now, I want to make sure we have a good inventory of all these systems that we have in the department.”

Jay Beale: And I’m like, “Oh my god, the priorities. I don’t get it.”

Looking back, that might have actually been the early face of threat hunting—understanding what you have before you can find where this person is. But at the time, I didn’t love the priority.

I’d been going to these things on Friday nights where people watched Babylon 5. I started talking to somebody about everything I was doing with Unix and Linux. He’s like, “That’s really cool. That’s kind of my job. Would you come and meet my boss sometime?”

So I came to meet the boss, and the boss hired me on the spot. I’m like, “Okay, I guess I’m leaving university.” The boss said, “You’re going to be a Unix system administrator, and since you have a special interest in security, we’ll let you do security projects.”

Jay Beale: My special interest was just frustration that we weren’t trying to track or repel our hacker. So the boss was like, “Okay, for the first two months, yes, you’ll do our security projects. We got a little backlog list.”

I got two, three weeks in, I’d finished the list, but they’d already added more things to the list. Over time, it was just like, “Okay, I guess he’s our security person.” They’d pull me in: “A vendor wants to sell us something. Can you see if that’s a good something?”

All of a sudden, I’m the security person. My job title never changed. But security was really common back then—this is 1999—and at least half the people I ever met working security didn’t formally have a security title. They were just a technologist in some area, and they were filling some needs.

Creating Bastille Linux: Hardening before it was cool

One of the things Jay’s university wanted him to do was write a hardening script—something to take a Unix system and lock it down.

Jay Beale: If you took a Solaris system and just base installed it, you had 65 ports that were all listening with all kinds of services. If there was a vulnerability in any of them, even though you weren’t using 55 of the 65 that were running, you were just rolling dice on whether you were going to get popped.

And I’m at a university where everything would have a public IP address. Universities had gotten on the internet early enough that they had enormous blocks of IP space, so they gave everything a direct internet-accessible IP address and did virtually no firewalling.

So I wrote them a hardening script. Then I found out at a SANS conference that there was a group of other university folks, led by the now-late John Lasser, who was trying to make a Linux distribution for universities that would be like Red Hat but locked down.

Jay Beale: When I met John, he’s like, “Well, if you’ve written hardening scripts, maybe you could write the script that would just take an existing Linux distribution. Because this is taking us a while. We’re finding out Linux distributions are a lot of work.”

So I wrote that script, and it ended up being really useful all over the place. That’s kind of how I got into security—falling into it because I was interested, and having that really lucky situation where people are like, “Okay, you can keep doing that thing you’re passionate about, because we have need.”

Greg’s journey: From game cracker to NHL CISO

Greg Notch: I was recruited out of college to be a Unix sysadmin, and that was how I started my entire technology career. Security was always the job of the people running the systems or the networks. At least a certain subset of people were all about, “How could this go wrong? And how do I keep that from going wrong?”

I don’t know how far back to set the wayback machine—cracking game protection on Apple IIe, maybe in college writing a kernel exploit for NeXTSTEP that bypassed NFS security controls, or later some Solaris hacking, just maybe working on the Xbox Media Center team doing things where systems were vulnerable and it was interesting how the machines would fail and how you could get into them.

Greg Notch: On the professional side, I think really my security career began—this is a story I can tell now—I was working for AltaVista, for those old enough to remember the time before Google. I worked on the team that built data centers for them, infrastructure and networking.

We had a situation where we had a malicious insider, somebody who was writing the thing that crawled and built the index that you would search against. They fired this person, but he had written a backdoor into his code. The backdoor allowed him to destroy the index, which set the company back. There was real business impact.

It was the first time I ever saw business impact for cybersecurity up close. I worked on the investigation with the team. We hired folks from outside who were professionals to come in and do the investigation. I had a front-row seat to that, and I was like, “This work is interesting. The defensive side of this is actually really interesting. It’s a much harder problem than offense in some ways.” And I saw the consequences up close.

Greg Notch: It kind of informed my opinion: Yeah, the offensive stuff and breaking machines is cool, but the defensive side is also very, very interesting. I better keep that in the back of my mind.

Fast forward—I was working in media entertainment at the NHL. Security hadn’t crested the wave where CFOs and management cared about it. It was something your tech people kind of took care of. Sure, banks and other rigid industries had solutions, but it wasn’t like everybody needed it.

Then the Sony breach happened. The CEO’s emails are in the New York Times. Execs are getting fired. All of a sudden, board of directors—even in media entertainment—started to pay attention. There were real consequences.

I remember when the Commissioner of the NHL was like, “We better do something.” And so I put together: “Hey, we should probably hire a person who’s done this before, hire some people, here’s some tools you should maybe buy.” And then they were like, “When can you start?”

Greg Notch: So my first security job was on top of my other two jobs. That was when I sort of crossed that threshold where security became something I was focusing more than part of my attention on.

The pre-internet knowledge sharing era: BBSs, pay phones, and pure curiosity

Greg Notch: The cool thing about those early communities—and you still see pockets of it—was rooms full of people with insatiable curiosity about how things work. Pre-internet, or pre-ubiquitous internet, information sharing was like, “Hey, I found this thing” on a BBS with people. I remember distinctly when Aleph One’s “Smashing the Stack” text file dropped on a BBS I was on. Those early communities, whether on BBSs, by pay phones in Citicorp, or at HOPE, you just get a bunch of people insanely curious about how technology works, maybe a little mischievous, maybe a little socially awkward.

That brew launched an entire thing. Then the internet took off, and all of a sudden people who weren’t using computers before—everyone had a computer. The security field grew alongside it.

Greg Notch: I remember those really interesting and intense conversations with my fellow nerds: “Wait, did you figure this little piece out? You have a manual for that? Hey, can you share that with me?”

There wasn’t really any malice. I go back to Bugtraq—it wasn’t a bunch of people being malicious. If Bugtraq existed right now on the dark web, it would be called “The Calm.” The malice wasn’t there. It was just people sharing information, trying to help each other understand the systems they were using. Sure, there were some malicious actors, but there was nothing to steal, or very little to steal, so it was a pure pursuit of knowledge.

Dave Johnson: My first security conference was HOPE 2000, and I was too young to go by myself, so I had to take my dad. So he worked at Texas Instruments, worked for the Air Force doing aircraft repair. He liked computers—worked on some early punch card-based computers. I brought him, and I learned so much. I found so many other people because I had been doing security stuff for about three years back then.

Dave Johnson: My earliest cybersecurity memory: I’m 11 years old, trying to log into a machine with Novell NetWare on it at my elementary school library. It won’t let me. But I noticed that if you right-click on the question mark in the top left corner, it gives you a dropdown asking what you want to open it with. I’m like, “What do you mean? Open with Explorer?”

I selected that, and it opened a tunnel with write access into the rest of the machine. I could change all the permissions I wanted, and then I had full access. I could print stuff for free, which was amazing considering the cost of printed materials.

No roadmap, no degrees: Building security knowledge from scratch

Ben Baker: It seems like a common story from people who’ve been in security for a while—cyber security as an evolving discipline. For a while, people were trying to figure out what it was and how to go about it. A lot of people seem to fall into it, and before they know it, they’re swimming around in the water and suddenly, “Oh, this is what I do now. I guess I’m the security guy.”

Greg Notch: To the title of this podcast—those early adopters, if you want to call it Crossing the Chasm—there was no well-trod path. There was no “you can go get a master’s in.” There wasn’t even SANS. There wasn’t “you could go take a course in pen testing.” There certainly wasn’t a master’s in cybersecurity you could go get. There was none of that.

It was just: You know Unix. Or you’re a Windows hacker. And you were either a networking guy building an ISP, or you were a Unix guy building scalable systems in some way or another. I mean, even the conceptual stuff didn’t exist. There was no kill chain, there was no CIA triad, there were no 13 domains of NIST, no 853. None of that art existed.

Jay Beale: We were early enough that you got to participate in creating those and creating the kind of lists that became the standards that became the hardening guides.

Stumbling into leadership: From technologist to manager

Ben Baker: You both have joked about stumbling into leadership opportunities. But a part of that is you both teaching yourselves how to do the job while you’re doing the job. As a non-cybersecurity practitioner, those two things feel connected. In cybersecurity, it seems like you always have to be curious, always trying to tinker and figure out how things work, learning and changing. Leadership is the same way—you just need a little bit of charisma. It seems like you both were teed up well for leadership just through your innate curiosity.

Greg Notch: Being a techie made this helpful. There are books—Jack Welch and others have written about leadership and management. There was prior art in a lot of ways. MBAs existed. There was at least something to grab hold of. But on the security side, even the conceptual stuff didn’t exist.

Jay Beale: On the leadership side, at least there are lots of books. A lot of leadership stuff came up for me—you’re a kid in junior high, there’s a group project to be run, you get chosen to lead the thing. It just seems to keep happening over and over again.

But I don’t want to claim charisma. I think for leaders, maybe it’s systems thinking, or just giving a rat’s butt about something that other people haven’t found a voice to say they care about. But probably more than charisma, I think the central skill might be empathy.

Jay Beale: When my business partners in InGuardians gave me the CEO role, I had that same experience. One of my biggest blind spots—I think every leader I’ve ever talked to has shared this—it’s very humbling. Everyone thinks you get some kind of role and you’re going to order people to do things. Actually, the ordering probably happens far less than it ever could have at lower titles.

It’s a lot more influence, a lot more figuring out what people actually care about and trying to line up who cares about this with where do we have a need.

Systems thinking applied to people: The hardest problem to solve

Greg Notch: That curiosity is a major advantage in leadership, coupled with empathy. The thing is, the system that you become curious about is not hardware, software, networks—it’s human interaction and how groups of people work together, what motivates people, recognizing that they don’t all think the same way I do.

You learn those systems about people and recognize there’s infinite variation. That’s the hardest part of being a leader. I feel like the more I do it, the more I realize I know way less than I did before. It’s like parenting—the more I do it, I’m like, “I know way less than I did before.”

Greg Notch: People who tell me now, especially technical people who are like, “Hey, I want to be a manager, I want to be a leader,” I’m like, “Cool. Tell me the last three books you read for work.” Invariably, they’ll tell me some Python book or some AI thing they’ve been reading. I’m like, “Cool. What’s the last book on team dynamics, or human psychology, or leadership in general you read?”

You see a bunch of them like, “Yeah, but I’ll just figure that out.” Like, no, no. This is a whole discipline of its own. If you want to get really good at that, you have to be a student of people, teams, companies, finance, even—in the way that you were about assembler op codes, TCP headers, and all the bits and bytes.

Greg Notch: How do I smash this stack? My memory corruption vulnerability now is like, “How do I motivate someone during this one-on-one? How do I find out what’s important to them?” But still achieve the goals we’re trying to achieve with the company. The curiosity part is super important.

I think a lot of people miss that. I think it gives people who are hackers an edge, because the percentage of very curious people who work in this industry is very high. So I think that’s kind of a secret weapon.

Curiosity killed the cat, but satisfaction brought it back

Dave Johnson: There’s an old phrase: “Curiosity killed the cat.” The part we’ve forgotten—removed around the time we became a specialist society—is the phrase: “but satisfaction brought it back.”

We are very much in our industry in the “satisfaction brought it back” category because we are curious. We understand risk, but we also understand that with risk comes new adventures, new discoveries, and then you move on to the next thing.

It can be addictive when you’re smashing said stack and you accomplish that. Now your threshold for difficulty is higher, and you’ve got to try new things. While you were doing that, you learned other stuff. Or you share it with somebody and teach it to them. While you’re teaching them, you learn more things you hadn’t thought of because they ask questions you never thought to ask.

The importance of community and knowledge sharing

Jay Beale: When I thought I was pursuing a math PhD and thought I was going to become a professor and switched tracks, somebody recruited me. The first question I asked was, “Yeah, but I’m really attracted to university because I want to learn. I want to constantly learn, and I like teaching too. I really like teaching. So if you get to learn in this area you’re in, or do you just learn for the first year and after that, it’s just doing the same thing?”

It’s like, “Oh, you’re gonna like it here.” That’s our ethos.

Ben Baker: Little did you know—constantly learning. You can’t not learn.

Greg Notch: Everything I ever learned and know and knew about software exploitation and network stuff is no longer valid.

Dave Johnson: There wasn’t much ability to find information in the early days. But there were people willing to teach and share, and now there’s even more than ever. That in turn can teach us stuff I didn’t want to ask.

The one constant in cybersecurity: They’re always gonna get in

Ben Baker: Time check here. We got about four minutes left. As a non-security practitioner speaking to two gentlemen who have been in security for quite a long time—no offense—what is one thing that’s true about security back when you entered that still remains true today in an industry that’s constantly changing?

Greg Notch: You’re always gonna get in. With sufficient motivation, time, and effort, they’re gonna get in.

Jay Beale: Very depressing sometimes that way, isn’t it? Means our field gets to stick around forever, or hopefully a long time.

I think it’s one we’ve highlighted over and over again: it’s all about learning. You’ll end up teaching yourself a bunch, but you’ll learn from other people, and then you’ll pass it along.

One of the coolest things about what we’ve done: Greg and I both started out on BBSs way before I got access to the internet. BBSs were one of those big places where a huge amount of what we’re doing socializing is saying, “Hey, I learned this thing. Let me tell you about it,” and everybody else doing the same thing.

Jay Beale: I think that’s the great thing. When I thought I was pursuing a math PhD and switched tracks, the first question I asked: “I’m really attracted to university because I want to learn. I want to constantly learn, and I like teaching. Do you get to learn in this area you’re in, or do you just learn for the first year and after that, you’re just doing the same thing?”

It’s like, “Oh, you’re gonna like it here.” Do you get to learn? You have to learn constantly.

Frequently asked questions about early cybersecurity adopters

What was the cybersecurity field like before formal training programs existed?

Before master’s degrees in cybersecurity, SANS courses, or even the term “CISO,” security was typically handled by Unix sysadmins, network engineers, or curious technologists who taught themselves. Knowledge sharing happened on BBSs, at pay phone meetups, and through pure experimentation. There were no standards, no frameworks like the kill chain or CIA triad, and no well-defined career paths. People learned by doing, sharing discoveries with peers, and building tools to solve problems they encountered.

How did early security practitioners learn without formal education?

Early adopters learned through insatiable curiosity, O’Reilly books, online resources, hands-on experimentation, and community knowledge sharing. BBSs were critical for information exchange—people would post discoveries, share techniques, and collaborate on understanding how systems worked. Security conferences like HOPE provided rare opportunities to meet fellow enthusiasts in person. The learning was self-directed and driven by genuine interest rather than career planning.

Why was the BBS community so important to early cybersecurity?

BBSs (Bulletin Board Systems) were pre-internet platforms where technologists shared information, discoveries, and techniques. For early security practitioners, BBSs provided access to a community of curious people exploring how systems worked. Knowledge sharing was the primary motivation—people posted findings not for profit or malice, but to help others understand technology. This collaborative culture laid the foundation for modern security communities and information-sharing practices.

How did the role of CISO emerge?

The CISO role didn’t exist in the early days—security was typically an additional responsibility for IT staff. As Greg Notch experienced, high-profile breaches like Sony (where CEO emails appeared in the New York Times and executives were fired) created board-level awareness that security had real business consequences. Organizations realized they needed dedicated leadership for security, which led to the formalization of CISO and security leadership roles.

What skills from early security work remain valuable today?

Insatiable curiosity, systems thinking, the ability to teach yourself new technologies, pattern recognition across different domains, and knowledge sharing with the community remain foundational. Early practitioners also developed strong troubleshooting skills, the ability to work without a roadmap, and comfort with ambiguity—all skills that translate directly to modern security challenges where threats constantly evolve.

How has the transition from technical work to leadership changed?

Leadership in cybersecurity requires applying the same curiosity and systems thinking that made people good technologists—but to human systems instead of computer systems. Understanding team dynamics, motivation, communication styles, and organizational behavior becomes as important as understanding TCP headers or memory corruption. The biggest surprise for many technical leaders is that influence and empathy matter more than technical authority or ordering people around.

What advice would early adopters give to people entering cybersecurity today?

Never stop learning—cybersecurity requires constant education as threats and technologies evolve. Share your knowledge generously with the community, as others did for you. Develop both technical depth and the ability to communicate clearly to different audiences. If you’re interested in leadership, study people and organizations as seriously as you study technology. And remember: you’re entering a field where even veterans are still learning every day.

Key takeaways

The early days of cybersecurity reveal important lessons for today’s practitioners:

There’s no perfect path: Early adopters stumbled into security through curiosity and necessity, not careful career planning. The field evolved around people solving problems they encountered, not following established curricula.

Community and knowledge sharing are essential: From BBSs to modern conferences, sharing discoveries and helping others learn has always been central to security culture. This collaborative spirit continues to drive the field forward.

Curiosity is the core skill: Whether you’re learning new attack techniques, understanding cloud security, or leading a team, insatiable curiosity about how things work (and break) remains the most valuable attribute.

Learning never stops: Every early adopter emphasized that cybersecurity requires constant learning. Technologies change, threats evolve, and yesterday’s expertise becomes tomorrow’s history. The ability to continuously learn matters more than what you already know.

Empathy and systems thinking transfer everywhere: The same analytical approaches that help you understand technical systems can help you understand human systems, organizational dynamics, and leadership challenges. Skills from security work translate more broadly than you might expect.

They’re always gonna get in: With sufficient motivation, time, and effort, attackers will find a way. This sobering reality means security work will remain relevant for the foreseeable future, and perfect security is not the goal—resilience and effective response are.

For those of us who came later, we stand on the shoulders of early adopters who built foundational tools like Bastille Linux, created hardening standards, and established the collaborative culture that defines cybersecurity today. Their stories remind us that the field was built by curious people willing to learn, share, and help others—values worth preserving as cybersecurity continues to evolve.

This transcript has been edited for clarity and readability.

For more cybersecurity insights and stories from industry pioneers, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice. To learn more about how Expel’s managed detection and response services continue the tradition of expert-led security operations, reach out to our team today.