sans [sanz] /preposition/ without; lacking.
Updated: Feb 5
Last week Alan Paller, a true security industry giant best-known as the founder of the SANS Institute, passed away. He was a brilliant technologist and businessman, unstoppable national advocate for cybersecurity action, and behind-the-scenes supporter of countless good causes. For over two decades, Alan was my friend, mentor, and save-the-world co-conspirator. Here's my "how I met Alan" story.
I think it was the Fall of 1999, I was the Chief of an NSA Division (maybe 35-40 people) specializing in security analysis for defense. Late on a Friday afternoon a folder arrives on my desk. By the color and size, it was correspondence from the Office of the Director, NSA (a 3 star General, so this is a Big Deal to me, son of a career Army Sergeant). I open it up, inside is a SANS poster, and a note from the Director’s Executive Assistant. The General wants to know what you think about this poster, get back to us as soon as possible! “What?” I glance up at the room full of cubicles, and I can see numerous SANS posters hanging on the walls. As a friend at SANS quips, “Some people say that SANS is really just a poster company, and we only teach classes so that we have something to put on the posters.”
My first thought. Some fat-cat businessman must have been playing golf with the Director, hands him this poster as a sort of business card, don’t-forget-me thing, and the General goes back to the office, tosses it at his Assistant and says “figure out what this is”. Which then starts a bureaucratic chain of correspondence, action items, and administrative panic that eventually cascades into my inbox late on a Friday.
Good grief, most people are gone, what to do? What the heck, I look up a phone number for the SANS Institute, and just dial. The phone was answered by this guy Alan. I immediately find myself in a wonderful back-and-forth conversation about the security business, NSA, the industry, etc. This guy is one of the most skilled conversationalists I have ever had on the phone. Several times I had to pause (I am NSA-trained, remember), and ask myself, “Is this guy pumping me for information?” “Should I be talking to him?” “Is this too sensitive a topic to discuss with an outsider?” But frankly, it was just too interesting to stop. After 40 minutes or so, we agreed that it would be great to get together sometime, and that was that.
Several months later were the first big public “Denial of Service” attacks against eBay, Yahoo, etc. (?January 2000?). People inside the Agency were running around in circles, what’s going on out there? But no one seemed to know. “Hmmm, that guy Alan seemed to be very sharp and well-connected, I’ll call him.” So I invited Alan into the building for a private chat. I also invited in the Technical Director of a neighboring Group, an internal start-up on defensive operations.
So we get Alan through security, up to the conference room with the two of us. And then I got to see Alan in action…
Alan: “Before we start the meeting, I just need to know one thing. What is the name of the NSA bureaucrat that I need to get fired, for holding back great NSA research from the public?”
Alan: “You know, who do I tell the White House to fire for holding back public defense in order to defend his bureaucratic rice bowl?”
This goes back and forth, and starts to get very heated (especially with the other NSAer). And then there was a lightbulb moment when I figured out what he was talking about. I had been peripherally involved in an issue with an employee who had made some amazing (and untrue) claims about a new approach to network attack detection, and had gone out into the public with his ideas. (Later I found out that he had “gotten to” one of Alan's leadership team with a partial and inaccurate tall tale, who had then told Alan.)
Me: “Alan, I finally know what you are talking about. You don’t know me from Adam, but I promise you that what you heard has absolutely no basis in fact. Can we agree to put this story on the table for another day, and get back to the subject of the meeting?”
Alan looks me right in the eye, pauses for a moment, and says “OK.” And the meeting goes on, productively and helpfully for both of us.
As I escort Alan out of the building, he stops in the lobby, “You are doing some really interesting work here. I’m on my way down to meet with a number of the Congressional staffers. What paragraph would you like to see in the next Defense Appropriations Bill that would help advance the work of your group?”
Instinctively, I look around to make sure no one from Legislative Affairs was in the Lobby. There would have been audible gasping, I am sure.
“Alan, thanks for the offer, but I can’t really think like that and work that far outside of the system. But thanks anyway.” “OK, let’s talk soon.”
It was a head-spinning, low-to-high, and serendipitous start of a wonderful friendship with one of the most amazing and inspiring people I’ve ever known. And so we did talk again soon, and often, starting a couple of decades of adventures together.
A world without Alan is a much sadder, much less interesting place. But the world is a stronger, more secure, and much better place because of his time with us.
Tributes to Alan Paller:
Center for Internet Security: https://www.cisecurity.org/press-release/remembering-alan-paller-cis-co-founder-and-board-member/
photo courtesy of Lynn Castle Baker