Duncan Sparrell, CSO of sFractal Consulting LLc Profile

Duncan Sparrell
CSO of sFractal Consulting LLc



“Thinking Evilly, Acting Ethically”

Duncan Sparrell’s actual job title at sFractal Consulting is “Chief Cyber Curmudgeon.” The unique sobriquet is of his own creation—a nod to both his irreverence and his storied career as an outspoken advocate for cyber-security. Though technically retired, Duncan has channeled his eternal passion for software development and strategic thinking into a patchwork quilt of consulting, lectures, pro bono advising, and mentorship. Behind his ongoing quest to shore up cyber defenses is a long and storied career dating back to the pre-internet age.

"sFractal Consulting was born through Duncan’s desire to give back to the community after a long and successful career in cybersecurity."

Duncan coined his mantra “think evilly, act ethically” during his tenure in the intelligence community, where his efforts earned him the Intelligence Seal Medallion in 1994. It could be argued Duncan was a ‘benevolent (as opposed to malicious) insider’ as far back as 1984 when he began his work supporting counter-intelligence, counter-narcotics, and counter-terrorism. “I needed to think like the bad guy so we could design systems to catch or thwart them.” In 1990, he was in the right place at the right time with the right skills (and clearances) to be tapped to support the Air Force Information Warfare Center preparing the battlefield as part of Operation Desert Shield in the first Gulf War.

Seeing the pre-internet cyberwarfare battle space firsthand was an eye-opening experience that inspired him to look at his own infrastructure from a very different perspective. Soon after, Duncan brought his vision for cybersecurity to the private sector. His experience as part of a military cyber-attack team was integral to his work in what would become AT&T’s Chief Security Office. There, he implemented the first Security Operations Center (SOC), coining the term in the process. For his troubles, Duncan was awarded the AT&T Science & Technology Medal.

According to Duncan, one key to preventing cyberattacks is reducing the attack surface through vulnerability reduction and implementation of a Software Bill of Materials. “Software Bill of Materials (SBOM) is tactically important because it allows you to know whether you may be impacted by known vulnerabilities and allows you to react when new vulnerabilities are announced,” he explains. SBOM is also important strategically because it allows users to perform root cause analysis and drives suppliers toward higher software quality, which helps find issues earlier in the development process.

So too, Duncan believes automation is key to cyberdefense. “We need to respond to attacks in real time. That will take standards like OpenC2, STIX, CACAO and alliances like the Open Cybersecurity Alliance,” he says. His vision isn’t limited to the immediate future. Much of Duncan’s efforts focus on the far horizon where future technologies and security intersect. “Quantum is still a long way from impacting day-to-day operations, but it will be a major disruptor to how cybersecurity is performed. It’s not too early to begin monitoring and planning.”

Duncan’s consulting resume includes both public and private clients in the telecommunications, transportation, and technology spheres. His drive to make the world a safer place has brought his skills to Fortune-10 companies, startups, and everything in between. In more than one instance, Duncan has focused his attention on a client’s software supply chain and recommended changes to their processes that reduced the number of software vulnerabilities reaching production, thereby reducing operating costs. For several clients, Duncan has analyzed the state of their cybersecurity defense with a view to increasing automation to reduce potential attacker dwell time, greatly mitigating possible damage, and reducing the probability and magnitude of cyber losses.

At the end of the day, Duncan’s laurels pale in comparison to his desire to give back to the community that has given him so much. “It is my great privilege at this stage in life to have more time to devote to the cybersecurity topics that forever hold my attention. I had a great career and now I’m just trying to give back to the community, doing things I enjoy that I feel will make the world a safer place,” says Duncan.


Company

sFractal Consulting LLc

Management

Duncan Sparrell
CSO of sFractal Consulting LLc

Description

A boutique security and software consulting company


CSOs Special Magazine