I saw the sad news yesterday, via Alec Muffett that Ross Anderson had passed, which is an enormous loss the the IT security community (and the industry more widely).

I didn’t know Ross very well, so the obituary from his friend and colleague Prof Bill Buchanan OBE provides a much better summary of his work and impact. What follows are just a few personal reflections.

Ross did a great deal to shape my work and my career path, and I’m thankful that I got to meet him a few times along the way. I’ve previously described ‘Security Engineering‘ as “the bible of infosec”, and through that work Ross was impacting the world I worked in before I ever heard his name.

I got to meet Ross for the first time at one of his Workshops on the Economics of Information Security (WEIS). That series of workshops came about from Ross’s prodigious talent for picking up different lenses to look at the world of security through – in this case the lens of economics, leading to his seminal paper ‘Why Information Security is Hard – An Economic Perspective‘. My first encounter with Ross was a little prickly, as he had a huge distrust of banks, and by extension the people who worked for them; but I kept going back to WEIS, and over time our conversations became more collegiate*. My favourite memory of him was after WEIS 2010 in Cambridge MA where he invited anybody hanging around to join him for dinner, bringing together a wonderful slice of the community to talk shop over giant sushi boats. I wish I had a photo, as the happy relaxed Ross that evening was Ross at his best.

Through WEIS I got to know folk like Allan Friedman and Tyler Moore who are leading efforts to make us all more secure.

A few years back I found myself meeting a CISO for the first time and spotting a copy of Security Engineering on his bookshelf. I knew we’d get along just fine.

I’d hoped to see Ross again, and maybe chat to him about the Horizon scandal. I’d have also wanted him by my side as an expert witness if I ever got entangled in any legal trouble to do with computers. He’ll be sorely missed; though it’s a sign of the quality of his leadership that there are so many people that will continue his great work.

RIP Ross.

* After a conversation with Ross and Hal Varian about side channel attacks I recall thinking of an attack against pre-emptive execution in CPUs (like Meltdown or Spectre) which I dismissed at the time thinking the geniuses at Intel and Arm would have everything under control. Never assume – verify.