A Conversation With Matthew Clapham: Making Medical Products More Secure
In this episode, Mike welcomes Matt Clapham, Product Cybersecurity Leader at Johnson Controls. Join us as they discuss the need for hardware manufacturers to adopt a new economic model in order to keep the software installed in these devices up to date and thus more secure.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In today’s episode of In Scope, host Mike Murray welcomes guest Matt Clapham. Matt is one of Mike’s favorite thinkers on all things product security. Matt’s path started with a role in software testing, which showed him that he liked breaking things. He kept progressing toward more security-related work, got into IT security, and eventually saw that product security and security advising represented a largely untapped market. He transitioned into that line of work and has been there for over a decade, working with everything from XBox, to medical devices, to modern IOT.
Matt shares thoughts on the space he’s been working in, focusing particularly on IOT, or internet of things. IOT can be tailored to various different businesses, and it implies a network-to-physical bridge. Software is, of course, crucial to IOT organizations; however, many of them aren’t actually software companies. This situation raises the question of how to teach a company that provides a certain product to build the software that their IOT requires? Much of this, Matt explains, comes down to showing the path to success and the culture shift necessary.
How, Mike wonders, does Matt see the regulatory process (of special importance for medical devices) helping or hurting? The first point to bear in mind when considering this question is that you don’t compliance your way into a secure product or secure your way into a compliant product. The areas of compliance and security are separate, but inform each other. Regulation provides a sense of what everyone should be doing, and sets a minimum bar; this can be productive, but conversely, can also leave companies content with the bare minimum.
Customers can also influence a company’s handling of security by driving and expecting security in the products they purchase. The challenge for the customers is whether or not they will be willing to pay more for a secure product. We already see higher costs associated with greater security. However, Matt is hopeful that there will still be a minimum bar of security for a baseline product; no one should have to pay extra, he says, so that there’s no back door!
That being said, we likely need to get out of the mindset that we buy a product once and then the company has to support it indefinitely. Consumers will need to embrace a culture shift that sees routine maintenance and feature improvement as part of cost; in other words, their purchase will be of a service rather than an item. At the same time, sellers will need to navigate the challenges of quickly outdated systems and hardware, plan for upgradability, and pursue built-in redundancy.
Before the conversation ends, Mike and Matt talk about how QA provides a great background for security, and especially for product security, by allowing for an anticipation of possible problems and development of solutions for them. With his toolset, Matt is able to show developers a path forward to avoid problems before they even arise.
– Mike Murray welcomes guest Matt Clapham, who shares his background.
– What are Matt’s thoughts on the industries he’s engaged, especially IOTs?
– How does Matt see the regulatory process helping or hurting?
– Mike and Matt turn to the role of the customer in driving security.
– Are we moving toward needing to pay extra for a secure device?
– The conversation turns to issues of OS and hardware.
– The big shift will be from purchasing an item to purchasing a service.
– QA is a great background for security, especially product security.
0:00:02.9 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:21.5 Mike Murray: And welcome to this week’s episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. With me this week is one of my favorite thinkers on all things product security, Matt Clapham. Matt and I worked together at GE Healthcare many years ago, but he’s now on to different things, helping make products more secure at other places, and I always tell people, I hate reading bios and I hate it when people read mine, so I’m gonna let Matt tell you about himself. So Matt, welcome to the show.
0:00:49.3 Matt Clapham: Hey, thanks for having me, Mike. I like to use the tagline that you echoed there. I make products more secure and it… If you look at my history, and my origin story, right? As some like to call it. I started out as a software tester and I learned, wow, I really enjoyed breaking things. And so then I found more and more of the things I was breaking was really bad assumptions made on the developer’s part about how code was supposed to work. And so they were more and more security related to that kind of thing, and then I got into IT security type of stuff, and then really saw that product security and security advisory like I’ve been doing for the past and decade now, was really an untapped market, an area that everybody needed help with, and so I got involved into that. So for being a lowly software tester who like breaking things, I learned more about security was right there at some of the foundations of some things like the trustworthy computing initiative, and then became a product security expert like I am today.
0:01:36.2 MM: And you’ve worked on some of the coolest things, like you’ve gone from Xbox to medical devices to modern IOT. You’ve seen the gamut of… I hate some of our marketing terms, the Internet of Things, and the Internet of Medical Things. Maybe talk about what you… [laughter] Matt and I are on video, I saw his eye roll when I said the IOMT phrase, which my whole team has heard me rant about, ’cause it’s more about marketing than it is about truth, but tell the world what you think of some of the security that we’ve seen over the last 10 to 15 years in these things that we’re building.
0:02:10.8 MC: Well, first off, I wanna say these are my personal opinions, not those of a current or former employers. I’m an old crusty security guy who’s been working on product security a decade now. I’ve seen the good, the bad and the really ugly. So this is about my experience, at least, seeing the really ugly. Anyway, so back to the Internet of Things, it’s a good way to think of stuff that has a network. And as I always like to say, it’s all software outside of the big magnets and the fan controllers and all that stuff, it’s all software controlling it underneath. And, so when you think about the Internet of Things, it implies you’ve got some device or some networking knows how to talk on a network and do something in the physical world. It’s that network to physical bridge. Now, everybody seems to wanna put their own little extra letter in there, you could have the Internet of Medical Things, Internet of Personal Things. Somebody tried to call it the Industrial Device, Internet of Things. Put that on an acronym. That’s probably a good way to think of some of that kind of stuff, but…
0:03:02.9 MM: I think you used that as a title for an RSA talk a few years back, did you not?
0:03:07.3 MC: I put that in my talk in a number of years ago about why game consoles and modern smartphones are a good example of how we should be thinking about design of things like Internet of Things.
0:03:19.0 MM: Sorry, I didn’t mean to take you off your rant there, but people should go look that talk up. It was a great talk.
0:03:23.8 MC: It’s a great example of, hey, think about the use cases. And if we really wanna go hard core about the physical space, well, game consoles have had to think about that, how do they prevent people from hacking and stealing stuff and just being general jerks and ruin everybody’s fun by finding ways to make the hardware cheatable. And then if you look at phones, they’ve got a real robust example of how to do an app store at scale. ‘Cause they gotta get stuff from everywhere and be able to provide it to any number of different devices and across the entire install base. And then finally, they’ve gotta be able to handle all of the intake ecosystem and whatnot, and we can really learn a lot from both of those cases if we put it in the right context. Like in the case of medical devices or industrial devices or insert new IOT type here.
0:04:08.8 MM: So you said something earlier I wanna drill down into a little bit, which is that it’s all software, and I think one of the more interesting challenges in the medical device space and in the entire IOT space is that many of the companies that are doing this aren’t software companies, they don’t come from… You said something about the idea of building magnets, I remember being surprised at GE how often I was in a room full of people who were incredible, world-leading, PhD experts on how magnets or transportation trucks or any of these sorts of technologies worked, but that software was a new thing. How do you teach an organization that knows how to build spinning magnets, how to build software? That’s the challenge that you spent the last decade on, you kinda lived it, so, more than most of our audience, anyway.
0:05:00.2 MC: I’m still living it because it’s a never-ending struggle. A lot of it comes down to being able to show the path to success and how to get them from where they are today, thinking about single-use or a one-time development kind of a cost into this more modern you’re always having to adapt and update. And then showing them the path about how to get between those two points in a way that teaches them how to do better security and how to do that security at scale. When you can kinda put that out, you’ve actually laid out the culture shift necessary to get them to be able to truly do the Internet of Things, from starting out as making magnet controllers.
0:05:38.7 MM: So I’m just riffing at this point, I’m just coming up with questions on the fly, ’cause how do you see the regulatory process is getting in the… Either helping or hurting. One of the things as you were talking is… My thought was, often the success criteria in a lot of those organizations seem to be externally set, and we set them by passing the 510K with a medical device or… So you end up with this lowest common denominator, and how do you fight the, we’re just gonna check a box versus we’re gonna do the real thing, ’cause I know you’ve led that effort in different parts of your life.
0:06:11.3 MC: I like to say you don’t compliance your way to a secure product, and conversely, you don’t secure your way to a compliant product, they’re different focus areas. Now, that being said, compliance or certification directives can help with that minbar, here’s the things that everybody is doing and you should be doing too, and a great example from my current space is IEC 62443, it lays out a great set of processes like threat modeling and static analysis, stuff like that, that you would expect everybody to be doing, and so if you wanna say that you’re certified to that level, to that directive, then you have to be doing all of those things. And so there’s a certain amount of, “Hey, this is what everybody should be doing. So why aren’t we doing it?” And if you’re not doing it, what does that say about your organization, ’cause customers that care about that type of thing are going to be asking for, “Hey, show me your certification on this standard.”
0:07:00.6 MC: So it helps drive that minbar of everybody’s level. But on the flip side, it does make people tend to get to the point of thinking, “Oh, well, we hit the minbars, so that’s all we have to do.” And as I like to say in some of my previous roles, when you aim for the minbar and miss under the minbar, that’s not a good place to be.
0:07:22.3 MM: Right. So something that came to mind again as you’re talking is the challenge that you mentioned, the customers that care about that. What role do you see the customers having in this whole area? And specifically one of the challenges I’ve seen over the years is the customers want the vendors to do certain things, but do they wanna pay for it?
0:07:40.6 MC: I’m trying to think of, there are so many different things to unpack there, the customers absolutely are driving and should be driving, they should be expecting a secure product, you don’t buy a medical device and expect it to get hacked, you assume that it’s gonna do it’s job and do it’s job well and be able to protect itself and all that type of thing. So there’s certainly the customer expectation there. The challenge though is, okay, are they willing to pay that additional effort, that additional overhead to be able to make that happen? I was thinking, there was a great presentation of the panel at DEF CON this year, where they were talking about medical device security and whatnot, and it was important, the one thing that I carried away from that, is somebody asked and said, “Okay, who’s willing to pay more for their healthcare?”
0:08:19.9 MC: And we think about it, that’s one of the things we’re gonna have to contend with as we get into this more secure device as well, I would love to be able to do that and eventually it will get cheaper, but in the short term, it’s gonna have to make that trade-off of, “Okay, to have this and do it at the degree that you expect it to be, is not something that can be commoditized.
0:08:40.3 MM: We see it in the Cloud lately with Microsoft, for example, and Google does this too, but I just happen to know Microsoft. You get better security features if you pay for E5 Office 365 than you do if you pay for a lower tier of Office 365. Do you see a world where we start to pay where it’s like, if you want the secure device, it’s 15% more than the one that has all the default hard-coded passwords in it. Is that a world we’re moving towards?
0:09:05.9 MC: God, I hope not, because there should be a minbar in terms of we shouldn’t expect to have to pay extra to not have back doors. Those kinds of things, I think are kind of like the bare minimum. And back to the certification thing, I don’t know you can certify that kind of an expectation, but it should be, you just don’t do certain things like that. Now, additional stuff that requires routine maintenance, maybe that’s where you get into the, “You didn’t pay for it.” And I think one of the important shifts that we have to do to be able to get to this better updates and across medical technology and whatnot, is get out of the mindset of you buy it once and then the company has to support it.
0:09:42.1 MC: We’re stuck in this mindset of, “Well, I bought a big insert industrial unit thing here, and I spent a lot of money when I bought it, but I expect the company to keep updating it and adding new features and whatnot for its entire 25-year lifespan.” No, bits get old quick, and if you want the bits to be refreshed regularly, you need a service plan that pays to refresh the bits, ’cause the hardware, the iron might take a long time to break down, but those bits broke down every month.
0:10:08.6 MM: By the way, that’s a really… I think you’re gonna hear people steal that comment because, bits get old quick, is something that I think, again, going back to the question that I asked at the beginning, these organizations that are good at building things, to steal the IoT moniker, in some of my experience, they have that same expectation that, “Well, I designed this magnet and it works the same way it worked 15 years ago, as long as we’re gonna roll it off the assembly line the same way. What do you mean the bits get old quick? This magnet thing is good forever.” And I think you talked about culture change, for me, it’s, how do we get these organizations to understand that what you just said, the bits do get old quick and it’s gonna change the economic model.
0:10:52.7 MC: I think there has to be a carrot and stick approach and the carrot is saying, well, okay, so say you have some install, one time install fee for some big thing, ’cause it’s a one-time cost to put it in the room and build the Faraday cage around it and all that, but then you’re gonna have this ongoing maintenance, and part of that maintenance could be physical to make sure that the helium stays topped off on the magnet, and part of that maintenance could be the bits that go in the box, the operating system, the controller firmware, the features and the applications that actually make the device human usable, that’s the kind of stuff that should be refreshed because you get new features and capabilities, and that could be a part of the way that you can help sell this or promote it, is like not only are you getting the routine maintenance, but you’re getting the feature improvements, the AI capabilities that weren’t thought of when the device came out 10 years ago, but now our capable given that same piece of hardware and at the same time, we’ll make sure the magnet always works.
0:11:47.4 MM: So how do you solve the OS issue? I’ve been talking about this in a lot of talks that I’ve been doing of… Okay, I always use our former employer as an example. Say I built a CT scanner in 2005, well, the computers that control that spinning magnet were state-of-the-art circuit 2005, probably a Pentium 2 with maybe a gig of RAM and probably running Windows XP. Well, the spinning magnet still works today, but even if you wanted to put Windows 11 on there, good luck with that, good luck getting that hardware to run that system, how do we… So that’s the one that I’ve been sticking my head in a lot, I’ve asked our friends at the FDA, I’ve asked everybody this question, and you have lived that world across game consoles and all of that. You got any thoughts on that sticky thorny problem of like, okay, even the hardware couldn’t run the updated OS, but even if it could, you’ve got… You’re way past the patch life cycle of that original operating system, like you’ve got all these challenges because the magnet lasts a heck of a lot longer than the bits do.
0:12:53.2 MC: A couple of things that I think would be helpful there, for starters, when you put something out brand new, I know it’s risky and it sounds really scary, but you gotta make sure your parts are as modern as you can make them, and then addition to that, you gotta make sure, you have extra wiggle room because right now adding in 20% CPU performance overhead might seem like, “Oh my gosh, that’s an extra $2.50 a unit.” Okay, but great, it’s gonna save you a bunch of problems further down when the next Spectre or Meltdown comes in and saps 1.5% of your performance because of the change in the way the kernel works. So if you plan for getting as modern as you can stomach when you put it out, so that you have as long of a long-term support life cycle for your components, and then additionally, design in some wiggle room changes like that, or just making better use of the CPU cycles to add new features and capabilities and higher resolution and whatnot, won’t be as big of a problem. That’s furthering your ability to justify why you now have medical device as a service kind of a thing.
0:14:00.6 MM: By the way, that’s a really great point and runs, flies exactly in the face of every product manager I’ve ever talked to at an IoT company, you said the comment about $2 a unit, you know that that is the way they have thought for 100 years, is how do I get the cheapest possible price on every single component in that device, and what you’re proposing is entirely almost a re-work of that thinking, like you said earlier, culture shift.
0:14:28.0 MC: There’s a time where if you’re in a commodity market, in my $2.50 example, that could be a lot. And here’s a real world one that I lived, right? Look at Windows XP, the upgrade version was like $90 street price. It didn’t have a DVD playback codec when it first came out, because $2.50 for a playback codec is a lot of money on a $90 piece of software. So they had to make it extra in add-on. Now, people said, “Well, what about macOS, macOS has free DVD playback.” Yeah, but you’re spending, I don’t know, $1,500 for a computer. That’s a big difference and that’s a much smaller slice of it. So similarly in this kind of case, again, these are all made up numbers, but if you’re talking about arguing over a 25-cent TPM to get the security benefit versus a $250,000 ultrasound unit or something like that, we’re having the wrong conversation.
0:15:24.3 MM: But we both had that conversation.
0:15:24.4 MC: I know, and I’ve had similar conversations in other locations, and part of that is that if you started out with a company that made big giant magnets that spun really fast to make electricity in a hydro-electric dam and that was a pretty simple and straightforward, as long as the magnets were spinning and the rectifier was working, it was making power, right? To a world where everything is all connected, everything is all managed, everything is all talking to each other, there’s a big shift there in that going from, “I bought the generator unit five decades ago,” versus, “I bought a service that I’ve been paying for two decades,” That shift I’ve seen in other areas as well, look at the way sales had to shift for selling cloud cycles versus licensed copies of an operating system, ’cause it was you just resolding… You sold individual units.
0:16:13.8 MC: Well, now everything’s in the cloud or up somebody else’s data center, and so now you’re selling CPU cycles effectively, but if you’re still rewarding your sales people on selling the big magnets and they don’t get a piece or have any motivation to sell the magnet as a service, your own change, your own internal organizational need for change is gonna stop you from being able to make that culture shift across the board.
0:16:39.0 MM: And so, and I think I know the answer before I ask the question, but do you foresee a world where… And you mentioned the phone and game console example earlier, where down the road, those control units become effectively fungible. I built this thing with a Pentium 2 on Windows XP, and 10 years later, I walk in the door and as part of your quarterly maintenance, I drop in a brand new, kind of like when you go from the iPhone X to the iPhone 11, you log in and suddenly all your data’s there, and everything just kind of works and you just go forward. Is this where you think we’re going?
0:17:16.3 MC: I think we can, if organizations are willing to, and I certainly have a bias for certain cloud providers, but if you look at the major cloud providers, they’re all creating an IOT basic kit that has some sort of device, that’s an example, it’s a sample device, but it could be customized or built into your particular ASIC platform, but they give you all the pieces, parts you need to just put your layer on top, so if you have that as a base that you can basically follow their upgrade cycle and your software is designed to just be a module that snaps on top of and is a well-behaved citizen, and that’s one of the challenges I’ve seen with software just not being well-behaved on the platform it’s on, but as long as your software is in there, then snapping out underlying hardware chunk should be, should in the operative word, be relatively easy.
0:18:02.5 MC: Now, there are some gotchas, if you look at real-time operating world, because it’s not so easy to swap out the controller on a compressor unit when you’re talking about, it’s the thing that keeps the oil refinery from exploding, you’ve got to take maintenance window, you gotta plan for that. And also, quite frankly, across the IoT space, at every level, we need to plan for that upgradability, we need to design in the redundancy and capabilities necessary, so you can swap out one of those components with only taking minimal downtime, or doing it in such a way where there’s enough redundancy in the components as a whole that you could take one of the compressor units offline, fix it and do an update, whatever you gotta do, bring it back in, test to make sure it’s working and then cut back over to the other one, right? So that you can do those rolling upgrades and bring that along, but largely across the IOT industry, I’m not seeing that today.
0:18:51.4 MM: Nor am I. And I think that the bigger challenge for the medical industry is gonna be getting regulatory and all of the QMSs and all of that stuff to even contemplate the ability to build in this modular, the hardware can be swapped out and it doesn’t constitute a complete redesign and a recall of the device, I think we have a lot of moving parts to get there, don’t you?
0:19:13.6 MC: Absolutely. And regulatory space, we touched on earlier, a point I didn’t quite get to, there’s a place for regulation to help with that, similar to the certification. To encourage, to promote, but they also have to be able to adapt to that world and say, okay, look… And to the FDA’s credit, the United States FDA, say, look, with respect to cybersecurity, you just need to patch your stuff. Just fix it, it’s not a change in the medical use, you don’t need to re-certify, you gotta make sure you don’t break anything ’cause we’re still on to you if you break something, but just patch your stuff, get it done, get the cybersecurity fixes out there, because that’s more important than worrying about the formalities there.
0:19:48.4 MC: Like I said, we need to make sure we’re doing it, and that kind of goes back to my, circles back around to my earlier point about upgradability, right? We’ve gotta make sure we’ve got the right stuff in place to say, even in a heavily regulated, heavily validated, heavily certified environment like a medical device, we can still do all those routine maintenance type of things that we take for granted in the cloud or in a modern client workstation, we can still do those and not have to worry about saying, I’m not sure the results from that last scan are gonna be valid or not.
0:20:14.2 MM: 100%. I’m gonna take us a totally different direction, you know my love of career topics. I have always believed, and you are my favorite example of this, that QA is a phenomenal background for security people and especially product security people, and yet I don’t see that many people who start in QA and end up doing what you’re doing. How do you think that that’s helped set you up for the success that you’ve had in all of your various roles?
0:20:40.5 MC: I think in my role, it really helps to have some level or some part of development background, right, ’cause if you’re gonna go talk to a team that’s making something, you gotta know roughly how it’s made well enough to be able to speak the same taxonomy, the same language. My time in QA is the thing that I leverage to be able to do that. I was six and a half years as a software tester, and I did everything from client software like Microsoft Works up through enterprise centralized services, like Active Directory Rights Management Services, so I’ve seen that spread, that gives me the ability to kinda see the challenges and the testing challenges, but one of the things that I really enjoyed breaking stuff and so that inquisitive mindset, that challenge, the game challenge of saying, oh, I’m gonna find a way to break this in three clicks, and then I’m gonna go and brag to my test peeps and say, Hey, I broke it in three clicks. Oh, yeah, well, I broke it in two clicks.
0:21:29.3 MC: We can have that kind of a competition. That really drove me to wanna really figure out ways and see the trends there, and that exploratory mindset adapts really well to something like security testing or penetration testing, because now we’re saying, taking that same idea of pushing the norms, testing the assumptions, but putting a just a security spin on it. So throughout my career, I’ve been able to go back to that and say, Hey, how would I break that? And then being able to say from the experience of having developed stuff, I can say, Oh yeah, that’s how I would fix that, right. And be able to put those two together, so every time when I’m doing a consultation with a product team, be able to take that, I know how to speak the language of development, I know how to say, Here’s how it could break, what could go wrong, and here’s what we can do to fix it from what I know and based on your particular nuanced product set, and so this is the path forward that we can take to prevent the problem, prevent it from happening in the first place.
0:22:24.3 MM: I’ve always thought that that career path is when we should emphasize as an industry more because of everything you said, the instincts you get in understanding how software is built badly, give you such good instincts for helping a product team secure it, but like you said, that is pen testing, is having a mental model of how the product you’re testing works and thinking, Oh, well, if I do this, I bet the developer didn’t expect me to do X, Y and Z right here, let me do that. And I’ve always… It’s one of the things that I always valued about working with you is you have just incredible instincts around those things, and I think it comes from your QA time, also comes from just the way your brain works. But it’s one of those things that I think if you’re out there and you’re a QA person and you’re thinking, What do I do next, cybersecurity might be a good career for you. And Matt’s a great example of it.
0:23:15.5 MC: Well, thank you, I think it really helped.
0:23:17.5 MM: So Matt, I could talk to you all day, obviously, but we need to let the listeners get off to whatever their busy world is, but where can they find more of you if somebody wants more Matt Clapham in their lives, where can we find what you’re up to?
0:23:31.4 MC: So on LinkedIn, I’m not terribly active, but I do occasionally put a tip there, you can follow me on Twitter, I’m usually scrounging and finding interesting insights about product security and other things, so you can follow me @ProdSec, I nailed that handle, I’m really proud of that one. And you certainly, right now with the whole situation of where conferences are at, I’m not sure I’ll be traveling any time soon, but I do like to try to get out to the security conferences and really bring that insight, that experience from QA all the way forward to how we can prevent it today to the audiences there, at things like RSA and others, so when things start to get a little more in-person again, I’ll probably start to get back out involved on those.
0:24:08.2 MM: And I look forward to having lunch or dinner or something when we get to be in the same spot again. Matt, thanks again for coming on today, this has been brilliant, and we’ll chat soon, but thanks again.
0:24:19.4 MC: Hey, thanks for having me, Mike. Really appreciate the opportunity.
0:24:23.6 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Matthew Clapham is a rare blend of both product development and enterprise operations, Matt is the Product Cybersecurity Leader for access control, video surveillance, fire detection, and fire suppression at Johnson Controls. Matt leads a team who make on-premise, connected, and cloud-hosted solutions more secure across the building management space. Previously a Director of Product Security at GE Healthcare, Matt helped build the group from its founding. He has also been a software tester and security program manager at Microsoft. As the Security Advisor to all things games, he brought the SDL to entertainment and Xbox. He’s well versed in common software security foibles and how to overcome them. Matt is a frequent speaker and author of articles on IT, security, games, or some combination thereof. He holds degrees in engineering and music from the University of Michigan, Ann Arbor.