Chair’s Message | Some Weeks are Harder than Others

Oct. 22, 2021

Dear Cybersecurity and Privacy community,

It’s been over a year since I started writing these letters to generate discussions that I hoped would build the SCP community and keep you up to date on developments in our growing school. Every week, I try to be upbeat. That’s typically easy because we have made steady progress these past months. Every day, I get more confirmation that the answer to the question I asked my first day on the job (“What makes SCP distinctive?”) is the combination of rigor, real-world impact and open, collaborative spirit that is the particular strength of a Georgia Tech education and about which I have written so often.

Some weeks are harder than others. A few weeks ago, responding to feedback from a recent graduate, I wrote about what is missing in our curriculum and what we planned to do about it. This week, my inbox was filled with proof that we are still only midway through the sometimes arduous process of building a school. Anecdotes are not data, but when I hear the same story over and over again, I want to see what’s going on. More about what I found out in a few minutes. First, I want to tell you about the 20/20/60 rule and why it is important to get out of our own way.

As CTO for Hewlett-Packard, I learned a simple lesson from my predecessor Joel Birnbaum (father of the first commercially successful RISC architecture). Like Joel, I handled all R&D around the world, and I was often dazzled by the brilliance of the HP engineers who came up with ideas like ink jet printing (which was successful beyond anyone’s expectations,) and phase change memory (which was not.) Every single patent was aimed at a well-understood market, the key ingredient for efficient product development. This meant technical risk and market risk were effectively constrained, and for sixty years HP led the industry in creating new product categories. Yet, most new ideas never made it. Joel asked why and discovered that technical and market risk accounted for only 40% of total risk. Most risk (about 60%) was bundled in what he called organizational risk –the likelihood that existing organizations and decision-making would be unable to function. In short, we would not be able to get out of our own way. This led to the 20/20/60 rule which forced us to concentrate on that 60% by clearing bureaucratic clutter out of the way. 

We know that the 20/20/60 rule also applies to SCP. Nevertheless, I get emails like one this week from a graduating cybersecurity master’s student who wants to join her cybersecurity classmates at commencement but cannot because SCP does not yet have the right code. Instead, she will walk with Interdisciplinary students with whom she rightly points out she has little in common. It is hard to create a community when the three-letter code that is the price of admission, does not exist.  I have another bundle of emails from recent graduates who –like the student who was surprised to have not learned about resilience in class—suggest many topics they would like to hear about in their formal coursework.  Why aren’t we developing those courses? You guessed it: SCP does not yet have the necessary three letter code. It’s a small consolation to the affected students that we will at some future date figure out how to pry the elusive codes from the offices where are currently stuck. First, we must figure out how to get out of our own way. Feedback from students and recent graduates is crucial, so please let us know how we are falling short of expectations. 

Since we are talking about community building, let me remind you of our plans for a student town hall. While I am proud to see students stepping forward on their own initiative to help plan events like the student town hall, I hope the momentum isn’t lost. We are still looking for student led activities, so if you have something you want to see take root in the school, let me know. 

I also wanted to update you all on the status of SCP Chair search. As you may or may not be aware, I agreed to oversee the launch of this new school last year as interim chair. Throughout the course of this year the College of Computing has been conducting interviews for someone to fill the role after I step down. It is my understanding that the candidate pool has been narrowed down and a new chair should be in place sometime next year. We will of course bring the new chair in to meet as many of you as we can manage, and I look forward to watching the continued growth of the school after I take a step back.

Other events and activities:

  •  I will be holding open office hours again starting next Wednesday. You are welcome to drop in virtuallyor in-person. During this time, you have my undivided attention, and we can discuss future events, curriculum suggestions, what’s happening in the world of cybersecurity and privacy and more. I hope you will join me on Wednesday, Oct. 27, from 12:30 to 1:30 p.m. in the Chair Suite (Coda room 962A.) or at our usual BlueJeans location (see the SCP website for meeting ID) 
  • Second, on Monday Oct. 25 from 11 a.m. to 12 p.m. SCP will host a webinar entitled “Ransomware and Beyond: Demystifying Ransomware and Defending Against Future Attacks,” Milton Mueller, Nadiya Kostyuk and Joseph Jaeger, along with Trevor Lewis from Professional Education, will serve as panelists. The panel will also take questions from the audience. Registration is currently open, and I welcome you to take part in the discussion.
  • This week we are doing something a bit different for our weekly lecture series. We will be previewing some of the work that has been accepted to the ACM Computer and Communications Security Conference (CCS). Ph.D. students Jonathan Fuller, Carter Yagemann and Sena Sahin will each be giving lectures on their work. Carter will be discussing and demonstrating a technique he has developed to discover and explain novel vulnerabilities in real-world software. Sena will present her findings on how to strengthen typo-tolerant password authentication. Jonathan will give an explanation on the program he and other researchers developed that can covertly monitor and disrupt botnets. This will be a great exercise for our students as well as a great insight into the work being done at SCP. I look forward to seeing you there.

As always, please let us know what’s on your mind and stay active in SCP,

Richard DeMillo

Chair, School of Cybersecurity and Privacy

Charlotte B. And Roger C. Warren Chair of Computing

Visit me at

Follow me @rad_atl and @richde