Episode Details:

On Agent of Influence, Nabil Hannan and Jeff Man discuss industry fundamentals, the cryptologic cipher wheel, and empowering the next generation of cybersecurity professionals.

Cybersecurity strategy is not the same as it was 40 years ago. In this episode, Jeff Man, Sr. Information Security Consultant at OBS, joins host Nabil Hannan to discuss his extensive career in cybersecurity. They explore Jeff’s invention of the cryptologic cipher wheel, becoming an expert in security fundamentals, and advice for aspiring cybersecurity professionals navigating today’s work landscape. 

Show Notes: 

Transcript between Nabil and Jeff

Topics covered: AI, cryptologic wheel, cybersecurity strategy, risk management, mentorship 

This transcript has been edited for clarity and readability. 

Nabil Hannan: Hi everyone, I’m Nabil Hannan, Field CISO, at NetSPI, and this is Agent of Influence. Today we have with us Jeff Man. Jeff, why don’t you start by telling us a little bit about yourself and where you are professionally?

Jeff Man: Sure. I’ve been in the InfoSec industry for over 40 years, so I’m considered an old-timer. I do several different things these days. My day job is as a consultant and advisor for OBS Global. I primarily do PCI security assessments. As a side gig, I co-host a podcast called Paul’s Security Weekly. I’ve been doing that for about 10 years. Because of my background and experience, I speak at a lot of conferences and often talk about the way things were, the way they should be, and the way they could be. My background is primarily from the National Security Agency. I was there from about 1986 to 1996, during the early days of the Internet and the transition away from industrial and mechanical systems into all things digital. It was a unique time, and I had the opportunity to work on some pretty interesting projects.

01:30: You invented the cryptologic wheel. Can you share a bit about what inspired that creation and how it impacted the industry? What legacy has it left behind?

Nabil: One of the things that stands out from your long career is that you invented the cryptologic wheel. Can you share a bit about what inspired that creation and how it impacted the industry? What legacy has it left behind?

Jeff: When I started at the NSA in the late ’80s, I worked in the Manual Cryptosystem Branch. We were responsible for producing all the manual cipher systems—the kinds you mostly read about in books today, or encounter in CTF exercises: Caesar ciphers, simple substitution ciphers, and so on. There’s also the one-time pad, which was literally a pad of paper with random characters printed on it. It served as a key. You’d write out a message by hand, letter by letter, and then use a simple algorithm based on what’s called a Vigenère table, a square grid with A–Z across the top and side, filled in with alphabet offsets. That would produce unique three-letter combinations (plaintext, key, and cipher) and it also worked in reverse.

One of my early “customers” was U.S. Special Forces. They used these one-time pads and memorized the three-letter combinations. I was working with them to upgrade their communication systems and, as a personal aid, I created a cipher wheel to replicate the three-letter Vigenère system. Long story short, they saw what I was using and liked it. I found a way to get them manufactured. Back then, the NSA supplied all cryptographic systems, so we had 15,000 of them made and distributed to U.S. Special Forces. Over time, I learned they called it the “Whizz Wheel.” As far as I can tell, it was in use into the early 2000s, until encrypted phones and more advanced systems became common.

In 2018 at DEF CON, I met a retired Green Beret who had used the wheel. He was excited to meet me, told me how valuable it was to their missions, and even helped get me an honorary lifetime membership in the Special Forces Association for the contribution. I spoke at their annual convention a couple of years ago. I’d never seen the actual production model, but they got me a few, one of which was donated to the National Cryptologic Museum at the NSA. It turns out the wheel was quite important to their mission, and that’s given me a bit of historical recognition.

Nabil: That must feel validating, to know your work had such a critical impact across so many organizations and operations.

Jeff: Absolutely. InfoSec came out of the military, and back then it was all about national defense. People have told me that using the wheel literally saved lives. That means a lot.

05:59: Risk management is one area where that’s still very true. What are your thoughts on that? Are there new cybersecurity strategies you find promising for dealing with these long-standing issues? And why do you think some of these problems are so persistent?

Nabil: It’s an honor to be speaking with you, knowing the kind of impact you’ve had. Now, with your 40+ years of experience, one thing I’ve noticed, even in my shorter career, is that many problems we face today are the same as decades ago. They’re often just rebranded to seem modern, or tied to current technology, but at their core, they’re recurring challenges. Risk management is one area where that’s still very true. What are your thoughts on that? Are there new cybersecurity strategies you find promising for dealing with these long-standing issues? And why do you think some of these problems are so persistent?

Jeff: I have a few thoughts. I’d frame it this way: these are the fundamental problems of security. Forty years ago, the focus was mostly on keeping secrets. It was fairly straightforward, hard-copy documents and secure communications. At NSA, a lot of our work was about securing communications, transmitting commands to troops or gathering intelligence and getting it back securely. The key was protecting something of value, often human lives.

In today’s world, especially in the private sector, security is more about protecting an organization’s ability to make money and control costs. The fundamentals haven’t changed, but the context has. We’ve introduced more complexity, more data, more systems, more instant access, and haven’t done a great job protecting any of it. I boil it down to two main issues: most people think security is someone else’s problem, and employees assume that if they’re using a system, it must already be secure.

At RSA this week, I’ve noticed conversations starting to shift. People are finally talking about those fundamental issues, things we’ve been discussing for 30 years. The rise of AI has caught people’s attention. It’s causing organizations to pause and think more carefully. Plus, breach reports (like the Verizon DBIR) keep showing that attackers are succeeding the same way they have for decades. Not much has changed. I give talks using a slide deck from 1998 that warned companies about connecting to the Internet and needing data security. I reused that deck last year for several presentations. The reactions? Lots of head nods. People recognize the same problems still exist. It’s a little chilling, honestly.

We’ve spent 30 years looking for a silver bullet, some tech that would magically solve everything. But security has always been a process. You need to know what your goals are and what you’re trying to protect.

Back then, it was payroll data or trade secrets. Now it’s our thoughts, our movements, our voices. We’ve expanded the scope, but the core challenge remains: protect what’s valuable and control access.

If I have a pessimistic moment, it’s that this feels like a losing battle. But I’ve been more optimistic this week. There’s a sense that people are realizing tech alone won’t save us. We can’t just buy a tool and assume we’re secure. It comes back to fundamentals, education, and context. With that understanding, organizations can make better decisions about where to invest: technology, people, and processes. I try to avoid buzzwords, FUD, fear-based marketing. Too often, we see companies with all the latest tools still get breached. Usually, the root cause is a failure in the basics, things that aren’t flashy and don’t come with blinking lights.

Security should start with fundamentals, then you can layer in the tech. But tech alone won’t solve it.

At the end of the day, I tell my clients: I’m not here to change your mind. I just want you to think about it.

14:25: You seem to have strong opinions on AI. What are your thoughts on where we’re headed, and are there other areas we should be focusing on?

Nabil: That’s powerful. And given how much you emphasize the importance of data, it’s clear organizations still struggle with basic hygiene, like data integrity, classification, and inventory. Doing that programmatically and at scale is still a huge challenge. With AI now in the picture, especially when companies want to train models on their own data, those hygiene problems become even more critical. If you don’t have a clean foundation, no amount of new tech will help.

We’re here at RSA in San Francisco, and it’s hard to go two steps without seeing another AI-based solution. You seem to have strong opinions on AI. What are your thoughts on where we’re headed, and are there other areas we should be focusing on?

Jeff: Yes, AI is the buzzword, again. It was last year too. The difference now is that people have actually built something. Last year it was mostly marketing: “Yes, we do AI.” This year, there’s more substance. But we need to distinguish between the hype and what AI actually is, what it can do, and what it’s doing today.

My personal goal as a grumpy old man is to avoid AI as much as possible, though that’s becoming harder every day.

That said, I do think AI presents a big opportunity. There’s so much data out there, and machines can process and sort through it far more efficiently than we can. That’s valuable. Throughout history, every innovation has had the potential for good or evil. Back in the Cold War days, it was a constant cat-and-mouse game: one side innovates, the other catches up. AI is no different. It’s just another tool, one that can be used well or badly. It’s up to us to figure out how to harness it effectively. And the depressing part to me is that the more technology advances, the more the gap grows between understanding how to use it for good and how to protect it. That gap keeps getting wider, both in terms of vulnerabilities we’re introducing and the potential for misuse, even without vulnerabilities. It just keeps getting farther and farther apart. Keeps us all employed, though.

Nabil: Job security is a good thing. I look forward to that every time I see new issues pop up, especially with new technologies like AI. It’s something we’re going to be working on for a long time.

Jeff: For me, I’ve tried for many years to be technology-averse, to not focus on that as much. Most of us have heard the idiom: people, process, and technology. Far and away, the emphasis is always on technology. The people context usually gets reduced to “the stupid humans,” the users.

To me though, after 40 years, I think the key element is the process, just having the context in place to know what’s going on. But even before that, and this is what I try to explain to my clients: have a purpose. Why are you doing all this? It’s not just “we have to secure all the things and everything has to be perfect,” which is what drives the industry that fuels this conference.

It’s about understanding the data: the value of data, the lifespan of the data, what’s worth protecting at all costs versus what’s only sensitive for a day or a week.

That’s another thing I try to hammer home. This overarching umbrella idea that “everything must be impenetrable” is really not what we should be aiming for. Nobody can afford that, not even the large companies that are basically nation-states now. They have a lot of money to throw at it, but even they can’t do everything that can and should be done.

Nabil: Yeah, when building and prioritizing things, whether it’s security or anything else, I think you really hit the nail on the head. Start with the why. Have the right context before you do anything. Lead with the why so you can come up with an acceptable, happy medium, because you’re never going to have something that’s perfectly secure. That’s almost impossible if you want any sort of functionality or feature capabilities in a system.

Jeff: A couple of years ago, I was going to conferences. I get hung up on words and their meanings. I boiled all this down to what I call the risk equation, something I learned many years ago. Risk is a function of vulnerabilities, threats, and what we used to call countermeasures, let’s call that “security.” I went around asking people to define these terms. They’re thrown around so much they start to get used interchangeably, even though I learned them as distinct elements of an equation. One year, I asked people, “What is security?” And it floored them. People didn’t have an answer. I’m like, “We’re experts in this. Tell me what it is.” The best definition I got from someone was, “It’s an emotion. It’s a feeling.” I like to say it’s a verb. It’s something you do, not a state you achieve.

Lately, I’ve been saying: security is the activity, the vigilance, the monitoring, the defense. It’s different from securing, which is what we get hung up on: hardening, patching vulnerabilities, fixing configurations. They’re different functions.

I’d even argue that all that isn’t really “security.” Security is what you do after you’ve done all that, once you’ve implemented the basics.

Nabil: If I could offer a different version: I see security as one of the “-ilities” of a system like scalability, reliability, availability. Unfortunately, I don’t have an easy way to turn “security” into an -ility, but I still think it fits in that group.

Jeff: Go to a bar and slur your words, and you might come up with something.

22:06: You’ve done a lot with Hack4Kidz over the years. Can you share a little bit about that and why it’s something you’ve focused on?

Nabil: Now I want to shift gears. I love talking to our guests about what they do outside of security and their day jobs. You’ve done a lot with Hack4Kidz over the years. Can you share a little bit about that and why it’s something you’ve focused on?

Jeff: Yeah. I got involved after meeting the organizers of Hack4Kidz some years ago. They heard about my background. Hack4Kidz is a nonprofit that teaches hacking skills to young people, usually adjacent to a larger hacker conference. So, hackers bring your kids, and we expose them to lock picking, tearing apart old hardware, crypto puzzles, math puzzles, all the things you’d see at a grown-up hacker con. I was invited to speak one year, to talk about cryptography. Right before COVID, they invited me to join the board. We discussed what my focus would be. I wanted to expand access to a more diverse group, especially underserved communities. These conferences usually happen in cities, but the kids who attend tend to be the children of people coming in from the suburbs, not kids from the city itself. I wanted to reach those kids, those who have the same creativity, ambition, and potential, but fewer opportunities. That’s been my focus. I joined right before COVID, which sidelined things for a while.

But the plan now is to launch “Hack4Kidz Urban,” a version of the event that’s tailored to underserved urban communities. I’m really trying to create a repeatable model. It needs to be organic, homegrown, run by people in the community. Not just bussing in kids from outside, but focusing locally. It’s in the works. We have a prototype planned. I live near Baltimore, in Maryland. I’ve got contacts now in the Maryland Department of Commerce. I’m also friends with Harry Coker Jr., the new Secretary of Commerce in Maryland, who used to be the National Cyber Director at the White House. He’s onboard with the vision, and he’s in a position to help us make it happen. So, the goal is to build a working model in Baltimore and then replicate it in other cities around the country.

24:58: I hate to do this to you, but does Hack4Kidz have a catchy jingle, like some of those other “for kids” groups?

Nabil: I hate to do this to you, but does Hack4Kidz have a catchy jingle, like some of those other “for kids” groups?

Jeff: Not that I know of, but we should work on that.

25:42: For me, mentorship played a huge role, both having great mentors and mentoring others. I’m curious, what role has mentorship played in your career?

Nabil: When I talk to folks who’ve been in the industry a long time, one thing that comes up a lot is mentorship. For me, mentorship played a huge role, both having great mentors and mentoring others. I’m curious, what role has mentorship played in your career?

Jeff: Interesting story, and I’ll try to make it quick. When I was a kid, my family loved doing puzzles. On beach vacations, my dad would bring Dell Crossword Puzzle Magazines. They had crossword puzzles, crypto quizzes (basically Caesar ciphers), logic puzzles, lots of variety. We especially loved the logic problems, and we weren’t allowed to write in the magazine. So we’d each take turns using the little table, or “cheat sheet,” to solve them. Fast forward years later and I’m working at NSA in the manual cryptosystems office. My mentor was a cryptanalyst from the operations side of the house. He was the one who talked me into the interview for the job, and he was there as a mentor teaching me about cryptography and cryptanalysis. He also taught me how to play pinball; we’d go on lunch breaks and play the machines together. One day at lunch, he was working on something, and I asked, “Hey, what are you doing?” He said, “Oh, I’m writing logic problems.” He was writing them as a side job. I said, “No way, for Dell Crossword Puzzle?” He said, “Yeah.” And I thought, wow, I’m in the right place. Fun story, right?

Nabil: Just shows how small the world is and how things come full circle.

Jeff: Absolutely.

27:18: Is there any advice you’d give to someone trying to get into cybersecurity today?

Nabil: Before I let you go, is there any advice you’d give to someone trying to get into cybersecurity today?

Jeff: Yeah, I get that question a lot. Specifically, people ask me about getting into pentesting. One of the other things I did at NSA was start learning how to do pentesting. So, I get a lot of people saying, “I want to be a pentester or a red teamer,” or just generally, “I want to get into cybersecurity.”

What I usually tell people is: find ways to expose yourself to as many aspects of this industry as you can because there’s a lot to it. Not everyone gets to be a pentester, even though we tend to hold that up as the ultimate dream job, either that or being a CISO.

What I try to tell people is: explore as much as you can. Try things. Experiment. Look for something you enjoy doing, something you have fun with and also something you might have an aptitude for or think you could become good at. If you’re lucky, those two things will align.

But at the very least, aim for one or the other. At the end of the day, it’s about having a job where you’re doing something that’s fun and challenging. For me, I see everything as a puzzle. That’s what keeps me engaged. To me, that’s a more satisfying way to live life as a human, rather than just chasing the highest paycheck.

Nabil: Love it. I think that’s great advice. And I think most people trying to get into cybersecurity will really appreciate hearing that. You know what they say: it’s not a job if you love what you’re doing, right? That’s the bottom line.

Jeff: Exactly.

Nabil: Well Jeff, thank you so much. This was fantastic. I’m really glad we had this conversation. Hopefully we get to do it again soon.

Jeff: Really appreciate it. Thanks.

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.