Unusual Journeys Into Infosec Featuring @kelley12matt

Part Seven of the Unusual Journeys Into Infosec series by CyberSecStu of The Many Hats Club, who talks to @Kelley12Matt about his journey.


In this next chapter of the series we plug into the network of self discovery to find out whoami and take command and control of that old enemy ImpostorSyndrome.exe (literally no idea how I’m still coming up with these terrible puns). I think Michael Jackson said it best in his song Man In the Mirror:

I’m starting with the man in the mirror
I’m asking him to change his ways
And no message could have been any clearer
If you want to make the world a better place
Take a look at yourself, and then make a change

This time I interviewed the wonderful Matt Kelley (@kelley12matt) back in January this year. He reached out to me after I tweeted about wanting to write this series.

I had been following Matt for a while, we first started speaking on Twitter after a massive Threadzilla in September 2017. I’ve always found Matt to be very knowledgeable and open to discussing a wide range of topics.

He recently presented for the first time at his local ISSA. He has some very good articles published on Peerlyst (especially on Impostor Syndrome), and in my opinion is a rising star.

Here is his story.

I’m not a former hacker or programmer, and it was tough for me to get past. -Matt Kelley 2018


CyberSecStu (CSS): My vision for this article (or series), is to help break the illusion that you have to follow a certain route to have a career in Infosec. You have an interesting background, where did your adventure into Infosec start?

Matt Kelley (MK): I started in technology in 1998 doing Layer 1 — installing data cabling. I use that as a frame of reference for my younger staff; replacing Type-1 and thin net infrastructure with brand new Cat 5. Soon after I started, I was splicing fiber optic cable for CATV plant.

I was in that space for nearly ten years, changing companies a few times, but always ending up as a supervisor or lead. From that time, the biggest benefit that I received was taking desired results from blueprints or a customer and figuring out how to make it happen. As with most construction, there were always instances where you had to think on your feet. I was laid off in January of 2007, ran out of unemployment and had to build houses and work landscaping until that one opportunity appeared in the paper.

The position was for a Telecommunications Technician position at the largest resort in my region. Two things got me the job: I was available right away and I was able to relate my previous experience to the basics of maintaining a phone network. I had no idea what I was getting into!

The job was operating a Nortel PBX with 1300 stations on property, but also distributing service to another group of PBXs at other properties for another 1100 stations. In a lot of the country, that is the size of a small Telco exchange.

I had to hit the ground running. Layer 1 I had under control. It’s just wires, right? For the system level, I had to read every manual and live in the best tech support forum at the time, Tek-Tips. Teaching yourself the operation of a big PBX like that is no easy task, but I somehow managed it. Anyway, this job was my opportunity to go in house and be part of IT.

Absolutely changed my life. After 4.5 years there, I left for my local Telco. That was almost the biggest mistake of my life. Terrible environment, work was doing mostly install work in different Telco exchanges, boss hated me. What else could go wrong? Workplace injury that took me years to recover from. Thankfully, the parent company of my previous employer contacted me about filling the Telecom Administrator position that they hadn’t been able to fill.

This new position was more like real IT, not the 4 person shop I was in at the resort. I now had responsibility for what I previously did, but also for 2 casinos and government operations — 2400 stations in that phone network. “Other duties as assigned”. This can be either terrible to see, or an opportunity in the making. Another position that they hadn’t been able to fill was Network Administrator.

At this point it is late 2012, and you don’t have phones if you don’t have network. I took my meager amount of experience with 3Com(!) switches and was able to maintain minor changes on a large Cisco network, but I wasn’t confident in the ability of the network to stay up. A vendor of mine brought an engineer up to show off the new Avaya switch technology, called SPB, based on the 802.1aq standard.

Amazing stuff and tech. I was sold. I told my boss that we needed these switches so that we could maintain voice operations over our large network. That is how I got into networking. We eventually hired a Net Admin, but he was National Guard and kept taking deployments. That left me to keep everything running, along with the phone network.

In 2014, my boss was promoted to Director. I applied for, and was selected to fill, the IT Manager role. This is where my InfoSec adventure really started. I started by reviewing all of our compliance requirements, which in this position was basically everything — private industry to government. I had to start aligning our internal operations to take security into account.


It was all important, but there wasn’t really a sense of immediacy. That changed when there was a breach in our industry and our CEO asked about our security status. Uhhh… Fortunately, this was just when we were doing budgets for the next fiscal, 6 long months away.

A Security Administrator and a bunch of tools were on tap. In the meantime, we used that event as a tabletop exercise to perform an actual assessment internally. The results were ugly but informative. InfoSec became my primary focus, in addition to all of the duties that come with having 20 staff reporting to you. I started writing policies from scratch, focusing on our main compliance requirements first.

Later, I would modify these documents as more compliance fires came up, but not as planned out and comprehensive as I would have liked. Typical IT, one fire to the next. During all of this time researching, I started to look at certifications to lend credibility to our efforts. At that time and from that vantage point, CISSP was number one, with CISA/CISM as a close number two.

We increased our training budget to account for one of them. We hired our Sec Admin, whom I had a really good relationship with. We grew up together and had known each other since 2nd grade. The paths that each of us had taken to get to that point couldn’t have been more different. We were able to make really good progress in improving our security though. Vulnerability scanner, log server, monitoring, NG firewall. Regretfully, he was a “Super Admin” and was thrown at other projects.

That left me to backfill his role, keeping me squarely in the InfoSec realm. In late 2016, we both ended up taking the CISSP course and certification. We both passed. I was a bit surprised at first, since I was never very technical — I came from Layer 1. But I was very strong on the theories in CISSP, especially risk and policies. If I answered more than a few questions correctly in the Crypto section, I would be amazed.

CSS: How important has Twitter been for you?

MK: Most security articles and what have you always included a Twitter handle. I dusted off my unused account and started following people, including yourself. Mind. Blown.

It is intimidating to know that there are so many smart people out there that you might as well be a toddler at a Tool concert. So, there I was, informed and certified and enthusiastic about learning more, more, more. I had an open campus license for Stormwind and I used it. DFIR, CEH, CCENT/CCNA. I started watching videos on Cybrary. Every week I would appreciate what the industry was facing, and how little I really knew.

***A quick note here on the CISSP. A lot of people dog it as a junk cert, which is their opinion. The whole point of training though is to inform in order to apply in practice. The course is fine, particularly for what I was doing as an IT Manager.

What I was finding, and disappointed with, was a real lack of resources on GRC. That was my pain point at the time, early last year. I continued working away, but I was starting to think about writing again, this time about InfoSec rather than probably poor poetry or scifi.

I had attended an event called Gaming and Leisure Roundtable in 2015 and 2016. It is put on by Gaming and Leisure magazine, and hosts C-level executives from across the country from the hospitality and gaming industries. I asked the publisher if they were looking for new contributors for the magazine. Six weeks later, I had submitted my first article ever. “Securing the Sovereign Nations — GRC for Tribal Organizations” was published in the winter edition last month. My second article, “InfoSec from the Beginning for Executives”, will be published in the spring edition.

After writing that first article though, I had the bug and also a severe case of Impostor Syndrome.

It literally took me nearly a month to read what I had submitted again, I was so worried about it. I ended up writing a short piece on Peerlyst about that experience. That brings us to now. I am currently trying to mature our security program and teach a new Sec Admin. I am going to continue to contribute to G&L for another article or two. I also have a few CFP ideas to write up and submit for this conference season. Hopefully you will see my name come up soon, in a good way!

CSS: This is really interesting stuff, Matt, and I think everyone, even veterans, still gets impostor syndrome! What are your thoughts on impostor syndrome, and how do you think it affects noobs?

MK: Impostor Syndrome is pretty prevalent for those new to IT in general, much more with Infosec specifically. I’m not a former hacker or programmer, and it was tough for me to get past. With all of the knowledge out there in the industry, it is always a question of “what do I have to contribute”.

CSS: Given that you have a networking background and then moved into Infosec, what advice would you give someone today that is just starting out?

MK: Forget what you think you know! At least if you come from a technical role. Coming from telecom/infrastructure, I knew I was dumb and clueless. I also knew that I could pick up what was driving conversations — nearly always business. I put myself in GRC because that was what was needed and what I could perform in really well. There is no comparison to getting your hands dirty though.

CSS: Is there anything else you would like to add?

MK: Just that there is always room for more people. We all bring different perspectives to the table. But if we keep hiring the same types of people, we are always going to remain with the same type of problems.

The key lesson from Matt Kelley’s story is that Impostor Syndrome can be a problem, and might put people off contributing actively in conversations for fear of not being knowledgeable enough!

I even still have bouts of Impostor Syndrome, but remind myself that I can’t know everything, that making mistakes is the foundation of learning and becoming better.

The key to getting over Impostor Syndrome is to actively engage, learn from others and contribute. But most importantly, don’t forget this one rule, especially when speaking to very experienced professionals: they were once noobs too, and probably also felt like impostors, so don’t be afraid of engaging!

Main Image Credit : The awesome piece of artwork used to head this article is called 'Don't Step On My IP' and it was created by graphic designer Jamie McLennan.