Q&A

No, Cybersecurity Expert Corey Thomas Will Not Tell You His Mother’s Maiden Name

The Federal Reserve Bank of Boston chair and Rapid7 head talks international espionage, the corrosiveness of TikTok, and the failed promise of Back to the Future: "I still want my hoverboard."


No, Corey Thomas will not tell you the name of his childhood pet. / Photo by Mona Miri

If it were up to Corey Thomas, no one’s password would ever be “password.” After all, as the chairman and CEO of the local cybersecurity giant Rapid7, the tech guru understands more than practically anyone the dangers of not protecting your digital information. But the Harvard Business School alum is far more than merely your online guardian angel: Recently named a director and chair of the Federal Reserve Bank of Boston, Thomas has also enjoyed a successful career in venture capital as one of 22 corporate leaders who founded the Boston-based seed-stage firm Pillar VC. We sat down with him to talk about international espionage, the future of TikTok, and whether his kids are savvier than him on a laptop.


Before we get too deep into the interview, I have to ask: What’s your mother’s maiden name and the name of your first pet?
[Laughs.] Let’s see here…I could give you an honest answer, but I probably won’t, only because those are still the security questions that are actually getting used the most. So I’ll go with “Smith” and “Peggy.”

Could anyone guess your passwords?
I use a random password generator.

Is that the best thing to do?
It’s by far the best thing for people to do. If you look at it, humans think they’re clever. But what happens is that they end up using the same permutations of cleverness, and so it turns out that humans are clever only within a range. They replace numbers with letters or use some form of their kids’ names, or the school they went to, or their job, or something else.

Do you think hackers use the same tricks?
The reason passwords are guessable is that they’re based on words. The dictionary is guessable. Suppose you take the English dictionary and go through it, and try basic word combinations and replacements of letters with the obvious things, like Os with zeros and stuff like that. You’re likely to get lots of people’s passwords, which is why using random password generators is so much better.

Would you make a good hacker?
I’ve worked with white-hat hackers and ethical hackers, and I think I’d be decent but not great. Those people are extraordinary. But the thing I love is that, at the end of the day, when you’re trying to understand the bad hackers, the criminals, which our company does, it has a lot to do with human psychology, which just fascinates me.

You’re on the President’s National Security Telecommunications Advisory Committee. Do you guys have a secret handshake?
[Laughs.] Well, if there is a secret handshake, I can’t tell you about it. But here’s the wonderful thing about government transparency. Both the mission of the organization and many of the committee meetings are open to the public. It’s fairly transparent.

Do you have President Biden on speed dial?
No.

Does he have you on speed dial?
I’ve never gotten a call from him.

As a Black man in technology, do you feel like an outlier?
Oh, that’s a tough one. I would say yes, because there should be many, many more, and not just Black men. There should be many more Black people, people of color, Latinx people, and all forms of diversity in technology. There’s just not enough of them. I do feel like an outlier, and part of my job is to actually create an environment that’s reflective of our society.

Are you a gamer?
I am not. I had to stop playing when I was a kid because I’d get obsessed. I have a slightly obsessive personality, and I would spend hours playing until my mom said, “You have to get out of the house.” That was back in the days of the Nintendo 64, so I basically stopped gaming when I was 11 or 12. There was huge value in my parents making me get out of the house and spend time outside every day, and I do think about screen time today and the danger and the societal impact of it. I do think it would be better if kids had less time on screens, but of course, I say this as my son is downstairs on a screen.

Do you try to limit it?
Yes, we do, but it’s still too much. One of the things I’m going to try and structurally do is encourage my son—my daughter’s in college already—but my nine-year-old son, I want him to spend more time outside. My wife does a great job of making sure he spends more time with friends.

Most people don’t understand what the Federal Reserve Bank is. In one sentence, what does the Fed do?
The primary job is to manage the stability of the economy by ensuring price stability and employment levels, and the primary vehicle that they do that through is interest rate management.

Do you think the Fed exerts more control over the economy than, say, the markets? How would you compare the two?
I think it depends on what time and what circumstances you’re actually talking about. I don’t take an absolutist view. Our society runs on trust, and part of what I think government does, ideally, is to create systems of trust.

Do you think there are any local banks that run the risk of going the way of Silicon Valley Bank?
I can’t comment on that, because I think only the bank auditors and regulators have enough details. That’s a deeply substantive question about, for example, what are the leverage ratios? The assets? What are the deposits? That requires a substantive answer, and I don’t have the details to answer that in a substantive way.


When it comes to cybersecurity risks, who’s the worst player on the world stage? China? Russia? The United States? Who do you think is the biggest threat to the United States?
That’s a fluid answer that changes over time. I’ll just say two things. You have two dynamics. There are cybercriminals who will undermine and steal from western institutions, our economy, and our way of life. Then you have cybercrime being used as a tool in the geopolitical game. Besides Russia and China, you also have Iran and North Korea. I would not underestimate the chaos and havoc and amount of damage that can be done by states that don’t necessarily have large militaries, or even large economies, but can train cadres of hackers and experts to cause disruption.

What do you think was actually on that Chinese balloon that we shot down?
I have no clue. I’ve been trying to figure it out. What’s also fascinating is that this is not a novel or new thing. I cannot wait for the book that’s going to come out in 10, 20 years about the history of these balloons, and how often they happen.

Any thoughts on the controversy surrounding TikTok?
Yes. It’s a complex issue. The first thing I would say is that I’m a huge believer in open markets, and so I think that’s an important consideration. The second thing is that social media, especially as it relates to children, is a threat to society. People should have free and open access to social media, but I think that damage can be done to kids by building a worldview based on strangers’ opinions and the algorithms that adults come up with to create addiction validation. The insecurity it creates in children is unhealthy. I say this not as an expert but as someone who’s actually paying attention to and reading what lots of experts are saying, including the surgeon general, who does some amazing work and is incredibly thoughtful in these areas. But specifically, with TikTok, the concern is that the messages being delivered may not be healthy for American children or Americans in general, because they actually are influencing how we look at the world. It’s not just the fact that it’s a Chinese company. It’s the fact that social media has a huge influence on how we think, and TikTok could be even more corrosive than some of the other social media platforms.

How much of what you do is classified, and what kind of security clearance do you have?
I cannot comment on that one.

Do you consider yourself a geek?
I used to, but lots of geeks I respect have told me I’m not a member of their club. The issue is that geek requires some depth, and part of my job is to actually enrich myself by learning a broader perspective, so my depth has gotten very shallow.

Are you better than your kids with technology, or are you just gobsmacked by how innate it is for their generation?
I look at my son, who’s nine, and it’s just a natural part of what he does. He will be far ahead of me technologically. I’m an engineer by training, and my daughter, who’s a sophomore at Vanderbilt, is learning how to program statistical models. She asked for my help, and I was kind of saying, “I have no clue.” I know computer science, and I’m the CEO of a tech company, but she’s a better programmer than I am.

Do you see AI as a major threat to cybersecurity?
Well, it’s just technology, so it’s a major threat and a major advantage. It’s just an evolution. That’s all it is.

What James Bond–like tech do you hope to see soon?
Oh, excellent question. I will say this is super childish, but I still want my hoverboard that was promised in Back to the Future. And a flying car. As a child of the ’80s, I’m a little bit irritated that we haven’t delivered on those basic promises.

I’ll counter that by saying I grew up watching Star Trek, and they had these little computers in their hands that they could communicate with, and ask questions, and be transported somewhere, and my iPhone can do most of that.
The other thing is, if you were a fan of Knight Rider, it’s very soon that you’ll be able to talk to your Apple Watch and tell your car to come pick you up. There are some great advances that have actually happened.

Do you have any feel for what the next big thing is going to be?
I’ve never had a feel for what the next big thing will be or even what my next big investment would be, and part of that is intentional because I like to stay open and process the opportunities. When you predict, you become wed to your own idea, and you stop listening and being curious.

Do you regularly do a digital detox?
Yes. Last week, I actually bought a hardcover book, sat down, and read it with my coffee. Now, it was only a day, but I embraced it with excitement. It was a day of reading, and coffee, and whiskey, and you know, it was a very fun day.

Do you think we’re heading in the direction where we’ll look at analog things with wistfulness or nostalgia, the way we look at spinning wheels?
I hope not. I love books. I love libraries. I just think books are amazing, and one day, I’m going to actually build my own library.

As in a lot of things, but even more in tech, people kind of age out. You’re at the top of your game now, but it’s a young man’s game. How long do you see yourself in this kind of role?
I’m in my late forties, and I think the way I see myself is that the benefit I bring is not about what I do myself. It’s the ecosystems that I’m a part of and the perspective that I help build. I don’t have to be the master of anything. But there’s zero need to stop learning and adopting and adapting. No one should stop that. So my goal is to stay relevant but also to expand the community in which I’m adding value. I want to be part of highly impactful ecosystems, and there’s no reason I can’t do that for another 20 or 30 years.



By the Numbers

Unwelcome Intruders

The good news and the bad in Boston’s fight against cybercrime.

3

Number of Iranian nationals indicted last September for allegedly plotting a thwarted cyberattack against Boston Children’s Hospital.

2,983

Number of cybersecurity job listings posted within a 10-mile radius of Boston on LinkedIn at presstime.

7,805

Number of Bay Staters who reported being victims of cybercriminals in 2022.

226 million

Amount, in dollars, these victims lost in 2022 as a result.

2.2 billion

Amount, in dollars, invested in cybersecurity firms in Boston in 2021 alone—a nearly seven-fold increase over the previous year.

First published in the print edition of the September 2023 issue with the headline, “Cyber CEO.”

