OASIS Board Member Spotlight: Q&A with Duncan Sparrell

The OASIS Board of Directors comprises industry leaders who are integral to the organization’s success. In our Board Member Spotlight Q&A, gain a better sense of who they are and why they serve the OASIS community. 

Meet Duncan Sparrell, a seasoned network security evangelist with more than 40 years of expertise in conceiving, developing, and delivering state-of-the art software platforms. A strong advocate for the cybersecurity industry, Duncan was named an OASIS Distinguished Contributor in 2021 for his significant impact advancing open standards and open source projects.

Can you tell us about your current role at sFractal Consulting?
I jokingly refer to myself as “Chief Cyber-Curmudgeon,” which is an evasive way of saying that I have retired from a long career as Chief Security Architect at AT&T and am currently channeling my experience into a broad passion for boutique consulting at the intersection of cybersecurity, standards, and software. 

When did you join the OASIS Board, and what inspired you to join?
My tenure on the board began in July of 2022. Besides serving on the Executive Committee, I also serve as corporate secretary and chair of the Governance Committee. Since my retirement, I have steadily ratcheted up my involvement in the OASIS Open Command and Control (OpenC2) Technical Committee (TC), and I’ve pursued global initiatives like the Open Cybersecurity Alliance (OCA) and its Posture Attribute Collection and Evaluation (PACE) sub-project, software bill of materials (SBOM), and the Common Security Advisory Framework (CSAF) TC. I’m very honored to have been tapped to serve on the OASIS Board of Directors where I can further this work and broaden my efforts to support developments across the broader standards ecosystem.

What types of skills/expertise do you bring to the board?
Claiming to be strong on technical skills is a hard sell at an organization like OASIS, where so many individuals excel in the technical, but my head’s big enough that I’ll still claim a certain expertise. My background is steeped in the development of open source projects built around collaborative software development and securing the cyber infrastructure. I also bring the business perspective to the table. There is often a communications gap between the technical, policy, and business communities; I feel comfortable in all three spaces and can translate across them. Being retired, I am not beholden to any corporate interests, so I feel I can represent what is really best for everyone.

How do you hope to make an impact as a board member during your term?
OASIS is member-driven and has well-developed processes for creating standards through consensus. My experience serving on OASIS TCs has imbued my thinking with a notion that innovative work and revolutionary discourse will naturally bubble up from those well-supported communities. It’s my role as a board member to provide stability, sustenance, and encouragement for the spaces within our organization where those processes thrive, and to push the staff and members to think strategically about what will be the OASIS mission in the future. I’m very familiar with the organization, its standards, the challenges it faces, and the energies it channels. I hope to bring this tribal knowledge as a reinforcing influence on a board chock full of talented, visionary, and capable directors. 

How did you first get involved with OASIS?
I first got involved through STIX and TAXII while I was still at AT&T and while STIX/TAXII were still U.S. government projects. In the telecommunications world, we’re very interested in both cybersecurity and international standards, and I’ve been involved with that co-evolution since 1980. You can imagine my delight to discover OASIS when the U.S. Department of Homeland Security suggested it as a more open forum for developing STIX. 

What are your thoughts about the OASIS community? What are some of the key aspects of OASIS that set it apart from other organizations?
The OASIS community is extremely functional, but also collaborative and congenial. The OASIS staff and processes facilitate this in ways that other SDOs I’m involved in struggle with. One of the key aspects that both sets OASIS apart and is key to the facilitation I mentioned is that OASIS is the most transparent.

What excites you about OASIS and why are you passionate about its mission?
My worldview has been deeply informed by the work I’ve done in cybersecurity dating back to the first Gulf War. That perspective makes it very difficult not to acknowledge the challenges that loom on our collective cyber horizon. I’m particularly excited about the new avenues of development that OASIS is working on, such as ESG (Environmental, Social, and Governance), which is a hot topic in corporate boardrooms today. 

What are some reasons why companies, organizations, and individuals should bring their projects to OASIS?
OASIS is a fulcrum organization. We are purpose-built to help both enterprise and research initiatives shape their visions into something tangible and robust. People value OASIS because of our framework, which facilitates this development in a way that is extremely functional, but also collaborative and congenial.

Where do you see OASIS going in the future?
OASIS already covers a very broad waterfront, and I see it broadening even further. One thing about standards is their impact is largely invisible and occurs long after the development of the standard. OASIS standards like SAML, XACML, and MQTT are the underpinnings of the internet that most people don’t even realize they are using hundreds of times per day. I feel recent standards like STIX and CSAF will have a similar impact over the next decade and will drastically improve the cybersecurity landscape along with the many other cybersecurity standards OASIS is currently developing. I see ESG as the next horizon where OASIS will have a tremendous impact.

What professional accomplishments are you most proud of?
If pressed for Cliff’s Notes on my working life, my one highlight per decade would be:

  • Writing software (back when we literally wrote 1s and 0s in pencil on graph paper) that handled over 1 trillion phone calls.
  • Getting agreement on one worldwide voice coding and packetization standard when I believed I was the only person on the planet that thought we wouldn’t inevitably have separate standards for the U.S. and Europe.
  • Being awarded the U.S. Intelligence Community Seal Medallion for counter-intelligence/counter-narcotics/counter-terrorist efforts that truly made the world a safer place.
  • Being awarded the AT&T Science and Technology award for my early cybersecurity work creating the first Security Operations Center (SOC), a term I coined.
  • Being an early advocate of software transparency and concepts like software bill of materials (SBOM).
  • Being awarded the 2021 OASIS Distinguished Contributor Award for my work in open standards.

What’s a fun fact about you?
There’s something in the water, apparently, in my hometown of Scituate, Massachusetts, that provokes its native sons to pursue the time-honored tradition of genealogy. I, too, caught the bug and have now spent an inordinate amount of time charting out the lines that connect my daughters to their Yankee and Scottish ancestors.
I enjoy the stories, not just the ‘who begat whom’. Upon meeting at my parents’ wedding, my one grandmother remarked, “My ancestors came over on the Mayflower,” to which my other grandmother replied, “I came over on the New Caledonia.”