CV Fraud Sinks NZ Security Expert

News from New Zealand is that their top military scientist quit when “lies” were found on his resume

NEW Zealand’s top military scientist has quit, it was announced today, after allegations that his resume falsely claimed he was an ex-Marine and an Olympic bobsledder who raced against Jamaica’s “Cool Runnings” team.

Lieutenant General Jerry Mateparae said chief defence scientist Stephen Wilce had resigned, a day after TV3’s 60 Minutes made the allegations about him.

The program also accused him of claiming to have designed nuclear weapons guidance systems.

Those are highly visible and easily verifiable claims. It is an embarrassment to the country.

Was he qualified and capable? Did he do a good job? These questions no longer matter after he had to admit he knowingly misrepresented his experience — he lied. A bobsled team in the Olympics? Easy to look that one up, and not too smart for a security scientist.

This reminds me of a more common style of CV obfuscation I have found in the security industry — years of experience. When did Internet security start? It is hard to say, which makes it easy for people to move the line.

I claim sixteen years of experience on my CV because 1994 was when I was hired into a full-time job (Staminet, a subsidiary of Space Applications) after I finished my graduate degree. I worked with computer and network security before then but only as a student so I do not count it in my professional experience.

With that in mind I recently met a security expert who told me he aims to “put audit firms out of business”. He started a website called cloudaudit.org. We had a brief discussion at VMworld about it that left me feeling a bit puzzled.

He mentioned he had experience with audit, but I think he meant he has been audited before. Does being audited qualify someone to reform audit or is there a conflict? I found it hard to get a clear picture of his experience and perspective on audit in order to understand his “put audit firms out of business” comment. Later I searched online for his name.

Two years ago he had over 15 years experience, according to the 2008 BlackHat presenter’s page.

…currently Unisys’ Chief Security Architect…over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems’ chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy.

Today, just two years later, his experience miraculously grew five years to 20:

…20 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

I checked BlackHat again. On their 2010 site he gave himself over 19 years experience — four years more after only two years.

…over 19 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

No olympic bobsleds yet, but it seems the jump from 15 to 20 should be reason for concern. I am not going to split hairs over a year here or there, but a four year variance is unsettling. I did a quick graduation date to double-check. Unfortunately LinkedIn only revealed another vague and potentially sliding timeline:

University of California, Berkeley
Electrical Engineering & Computer Science

1988 — 2000

Twelve years at the UC and no degree? This is not getting better, but still no olympic bobsleds.

This person said to me he is on a mission to transform the world of audit, yet his experience ironically is hard to audit. On the positive side I see glowing recommendations and what seems to be a devoted group of business colleagues, partners and friends. Should that be sufficient? I might say yes except I also noticed that LinkedIn says his career started November 1993, five years after starting at UC Berkeley. That means it would be 17 years of experience today, versus the 19 or 20 years mentioned above. So 15 was probably accurate two years ago and 17 is the right number for today. Where did 20 come from? 19?

At the end of the day, aside from trying to make sense of any self-description or LinkedIn profile, I have not seen any audit firm experience or something to answer my original concern. Why put audit firms out of business?

I’ve done 3 start-ups (and the odd up-start,) raised venture funding, lost my ass, made it all back again, been a CEO, CISO, CTO and still haven’t figured out what I want to be when I grow up.

I wanted to get perspective but instead I pulled up more questions than answers in a quick search for a resume online. Normally I might let it go but the Stephen Wilce story suggests that a quick search probably will not be sufficient.

8 thoughts on “CV Fraud Sinks NZ Security Expert”

  1. I guess I am a bit of a dinosaur… in that I can trace my security experience back to the days of the 300 baud modems, data being stored on floppy disk that were the diameter of a small coffee table and data being inputted using ‘punch cards’.

    My resume would probably raise red flags if someone were to briskly try to wonder how it was that I was working for the military – while at the same time working for law enforcement. Oddly enough… my ‘normal’ job during the day was with the miltary and by night I was putting in a full work day (evening) with law enforcement. Yup I was working for about a five year period doing military by day… law enforcement by night… grabbing a quick sleep… and repeating the process over and over… day after day… and also including weekends.

    So although a resume may give red flags… it sometimes pays to explore any qualms that might arise when reviewing a resume that has anomalies. You will either catch a liar… or you may find the catch of the year ( the good kind ).

  2. what you’re trying to say is you had the chance to pick this guys brain but you failed to come up with any sensible question so you decided to link whatever you can find on him online to another oddball story?

    Whoever it is you’re talking about (*cough* The Hoff *cough*), I don’t believe he needs any introduction, linkedin typos and ‘online bio’s’ granted.

  3. Hi Davi.

    So since you’re clearly into accuracy, let me clear things up since you didn’t bother to reach out to me first with your concerns:

    1) When we spoke, I didn’t say I wanted to “…put audit firms out of business.” What I said was that I “wanted to put audit firms out of the data collection business and back in the data analysis business.”

    2) I don’t have every job listed on my LinkedIn profile, and the variance in some of those bios is, quite frankly, out of issues with my own concerns for how I quantified experience. Given that I started my first network/security job in 1990 (not listed) that makes 20 years.

    3) You *did* spot an error on my linkedin profile, however. My time @ UC Berkeley was from 1988-1990, not 2000. No degree was listed as I didn’t get one. Thanks for pointing that out, I’ll fix it.

    4) In terms of my audit experience, I ran a network security consulting company (it’s listed on LinkedIn as NodeWarrior Networks) wherein we did pentests, audits, etc. I got my CISA and CISM during that time. Further, when I was at WesCorp we did our own internal audits and those of business partners.

    I could get pissy about this, but in the grand scheme of things, I’ve gone through more background checks than I care to discuss and frankly, trying to look smart on a blog instead of reaching out to me since we clearly follow one another on Twitter and have met more than once now is lame.

    If you have questions, I’d be more than glad to answer them for you

    /Hoff

  4. Marq, yes sir. I think we are all aware of our own oddities and have a story to tie it together, especially if we have to go through any kind of background check or apply for security roles. No story is the same but we’re more on the hook than most to keep ours clean. Just have to wonder how Wilce was able to go so far with such an obvious flaw he could not support. Olympic anything is going to have a very public record that can be verified.

  5. /Hoff,

    I know you can be eloquent in style and to go much further than attacking messengers with “lame” and “trying to look smart” so first thank you for holding back. If you are asking for responsible disclosure I see your point. I would usually contact people directly first to clarify vulnerabilities and flaws and then negotiate a reasonable public release date.

    I guess I really did not disclose anything that was not already public to anyone, though, so it seemed odd to have a disclosure notice for something already disclosed. As you say, you have been through a lot of background checks. Nonetheless you have a point and I will remind myself to send a courtesy message so you can edit/clarify my statements. It probably will be email instead of Twitter though. Twitter seems worse, not better, for everyone involved. It has an even higher likelihood of misunderstanding since the text is so brief.

    I wrote down in my notes that you said “out of business”. I suspect if you hadn’t said it that way I probably wouldn’t have searched for audit experience. But it’s always possible I misheard. Thanks for replying and clarifying.

  6. Wremes,

    Thank you for your comment. You appear to believe a failure to probe on the part of an investigator or auditor (“failed to come up with any sensible question”) gives those who are investigated the higher ground.

    You also appear to believe that mistakes are inevitable and excusable if someone is “known”. You said “I don’t believe he needs any introduction, linkedin typos and ‘online bio’s’ granted”.

    However, New Zealand clearly disagrees with you as Stephen Wilce was asked to step down. I believe they are correct. We have an obligation to keep our record/resume accurate, no matter whether someone asks the right questions or not.

  7. George,

    I am open to hear your explanation. I would say the difference starts with confidentiality – public and private. Another difference could be with non-repudiation.

    Why do you call a public version of a CV crap? Isn’t it used also for vetting?

    I always hear the trend is going the other direction and job applicants today in all fields should be aware that public information, especially a public CV, will be used in the vetting process.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.