JD Rogers wrote his first computer program in fourth grade, did some hacking in high school, and to this day calls cybersecurity a mind game.
As Chief Information Security Officer of American Financial Group, he plays the part of security evangelist for more than two dozen business units.
Based in Cincinnati, Ohio, he has a passion for InfoSec that shines through. No wonder he's on the Advisory Council for SecureWorld Cincinnati.
Thanks to JD for sharing his knowledge with our nationwide group of information security leaders, the SecureWorld community, in this question and answer session.
SW: If you had to choose, what’s the one security practice people can adopt that would have the greatest impact?
JDR: I think people can get lost in all the noise and shiny objects that are in the security world now. It’s easy to get caught up in we need the latest X and Y, and have you seen this latest threat and hack. But at the end of the day, I don’t think you can ever go wrong with focusing on the basics.
If you have a good understanding of your assets, and you know that they are all patched and built to a good standard configuration, you can avoid 90% of the attacks. That is not the sexy, fun stuff, but it’s the stuff that keeps out ransomware and malware. It’s the stuff that if you get good at it, you can begin to really focus on detecting the more advanced attacks, because you turn down the noise and don’t have to chase the latest issue that makes all the media stories.
SW: What wisdom would you share with someone just getting into this industry?
JDR: I think you have to love this industry, because it’s a lifelong commitment to learning and experimenting. I think you will get exhausted and frustrated if you enter this field because it’s the new hot thing and there is money to be made.
The ones that last and enjoy their careers are the ones that love to figure out the why and how of all this stuff. Why does this technology work this way, and what happens if I do this? These are the questions that drive the curiosity that fuels the exploits. If you understand that, you can understand how to defend them and fix them.
I often get asked, “Wow, you must be stressed all the time with your job?” I always am able to answer, “No, it’s actually pretty fun.” I think you can answer that way if you love the mind game that is security.
SW: What made you get involved in InfoSec?
JDR: I was blessed to just grow into it out of a natural love for it. I wrote my first program in the fourth grade on an Apple IIe, and was hooked on computers from then on. I remember my friend’s dad got the first PC I had seen—I think it was a 286—when I was in middle school. We would stay up late at night basically war dialing the Dallas metro area looking for bulletin boards to see what we could find and get into. I hacked my high school computers, and went on to study computer science in college.
Once I entered the work force, I bounced around in different IT areas, because I loved programming, servers, networking, databases, workstations, etc. I wanted my hands in all of it, but couldn’t pick one. About that time everyone was moving to the internet and this thing called security started to form. I jumped on it, and it’s all been a blast since then. I went to my first Black Hat / DEF CON conference I think the second year I was in security. I think that was Black Hat #2.
SW: What do you call the best restaurant in Cincinnati and why?
JDR: So, I’m located in Cincinnati, but I chose to answer this question in the city of Dayton, Ohio. I was up there for an InfraGard meeting and went to an Asian restaurant called Ginger and Spice. When I looked on Yelp it had a solid five stars. Not one review was less than five, and it had over a 100 reviews. I hadn’t seen that before, so I figured I would try it out.
I almost didn’t eat there because when I got to the place it looked like an odd version of Chipotle. But since the reviews were so high, I figured what the heck. It turned out to be some of the best Asian food I've ever had! I highly recommend it. I try to stop by each time I’m in Dayton.
So now you know you might find JD at Ginger and Spice if you time it right. You can also find him on LinkedIn anytime.