Welcome to Episode 14 of the Building a Life and Career in Security Podcast.
Today’s guest is Martin Reyes
Martin started off on a help desk and worked his way up to a managerial position in information security for a big bank. I appreciate Martin’s insight having been docked down a few times and how he got right back up.
Links Mentioned In This Episode:
Martin Reyes: When I got let go, I was lost, I was humbled. I felt like my life was over. What am I go to do now? How am I going to pay my mortgage? Now am I going to pay my bills? I am married at this point so it was a really tough adjustment. Again, I think this is where I suffered from fear. Not having that confidence in myself that I was qualified to do some of these jobs.
Speaker 2: From the jayschulman.com studio this is the Building a Life and Career in Security podcast. Now, your host, Jay Schulman.
Jay Schulman: Hey it’s Jay. Welcome to Season 2 of the Building a Life and Career in Security podcast. The podcasts where you get to hear other information security professionals career journey. Last week in Episode 13 we had Nick Merker on the podcast talking about his journey from security profession to lawyers. I really enjoyed our conversation about cyber insurance. If you missed it head back to Episode 13. If you’d like to keep up-to-date with the podcast, maybe you missed Nick. Text ‘security to 33444’ to be added to the podcast mailing list and just so you know, it only captures your email, not your phone number. No one is going to be texting you in the middle of the night. This week on the podcast is Martin Reyes. Martin started off on a help desk and worked his way up to a managerial position in information security for a big bank. I appreciate Martin’s insight having been docked down a few times and how he got right back up. Here is Martin’s journey.
Martin Reyes: I guess the way we can start off is I was at … Right of college, which was a major in comp sci, computer science from DePaul University. I think it’s worth mentioning that my initial major was accounting at the time. I might be dating myself but that was where the money was, I guess when you were coming out of college. I learned pretty quickly that it’s not something that I wanted to do. Computers was something that I was very interested in, dating back to my Commodore 64. There wasn’t really a market for a job as it relates to computers. There were no home PCs or anything like that. As I switched majors to comp sci I continued to seek employment in accounting. I landed a job in accounting very early on, I would say mid-’90s and almost immediately I took a liking to the networking side of what we were doing.
They were terminals that we were entering information in as accountants, but the networking side really took my interest, so as much as I could I started working with the networking side. Slowly but surely that job evolved into me working the networking side. From there I knew that I didn’t want to have anything to do with accounting. I left that company and I went to a law firm, tiny law firm. At that tiny law firm I was a, I would say help desk/network administrator. That’s really where I really got involved in the infancy stages of information security. I really enjoyed what I was doing. Clearly, I had outgrown the law firm pretty early on; it was just limited what I was allowed to do. The budget was very small so I quickly moved over to, I would say 2 years at the law firm, quickly moved over to KPMG.
Now, when I went to KPMG, it was in what was probably referred to as the non-revenue generating side of KPMG so I was doing help desk and network administration. That job quickly evolved into network admin. I think it’s important here to point out that while I was really enjoying the help desk side of stuff, I was being exposed to a lot of different things, nowhere near to what a help desk technician would be exposed to nowadays. I quickly found that networking was far more interesting to me than the PC side. I wasn’t really expecting that so started doing networking side of things and back then it was very reactive. The one thing that we had on the horizon was Y2K, which was much ado about nothing as you know. It was very reactive. Basically, it was if a blade went down on a router that’s when we jumped in.
If we had to install … I don’t even think they were called [patches 00:04:17] at the time but we were working with NetWare 4.1 and doing patches. If a server [avended 00:04:24] we were looking at things, so very reactive. Quickly that job could become very boring as you know, very little exposure to ITS, very little exposure to IDS at the time, firewalls, all that stuff was very limited. One of the guys that I was working with is actually someone that you did a previous podcast with, Sam Monasteri. While I was in the network side, Sam was on the help desk side and Sam was telling me about the, what we can call the revenue generating side of the house, the consulting side of the house. Sam was very interested in doing something like that. For me, I was a bit apprehensive. I guess you could classify it as fear, it was fear of the unknown. I didn’t know what they did and because I didn’t know what they did I just felt like I was unqualified to do it.
Sam went, interviewed, they picked him up right away, and Sam started working over there for about 6 months. He may have worked there much longer, but he was there for 6 months and he told me, “Listen, you can do this job, you should come and do it.” Just out of interest Sam set up an interview for me with one of the managers over there. I went … I remember this vividly. I went and I sat down with the manager on a Friday afternoon and it was just a pre-cursor I thought to an interview, just to get my … To see what is it they did, what the expectations would be, what success would look like? Then from there I would make a decision as to whether or not I wanted to interview them. Did that Friday, Monday morning I come in, my boss calls me into his office immediately. As soon as I put my stuff down I go in, he’s like, “Hey, listen the [RM 00:05:58] side of the house wants to make you an offer.
I’m like, “Wow, I didn’t even know that was an interview,” I reluctantly accepted and I went over. From there they just threw me to the wolves, basically. It was baptism by fire. We didn’t necessarily have focus area, I was just doing I guess what you can say RM, so risk management. I was doing ITGC, I was doing application control testing, I was doing [socks 00:06:25] testing, I was doing, what was back then considered to be [seventy 00:06:29] work.” A little bit of everything. I did HIPAA, I did PCI, a little bit of everything. What I found was that I slowly … It didn’t happen overnight, I was qualified to do the work. I didn’t know what I was doing, it took some time. I had the … I was fortunate enough to be surrounded by people who were very smart and very willing to help. Just point me in the right direction, that’s all I really wanted and let me learn on my own.
That happened pretty quickly where I started getting all the work with KPMG on the consulting side, sorry, and getting sent out on jobs. It was my first real exposure at travel so traveling, the expectations, all of that stuff, it was just night and day compared to my previous job and I found very quickly that I liked it. I really liked going to a client, staying with that client for 2 to 3 weeks and then moving on to something else. When I say something else it could be something completely different. I would be working at a supermarket one engagement and the next engagement be General Motors and then the next engagement would be a grocery store chain. That kept me on my toes and every single time I went into a new place it was always something interesting, something else new to learn. It really excelled my career and what it also did was, it was because there was no real particular focus, it also helped me see other areas that I found very interesting. As I was in the RM practice, something that evolved pretty quickly was an information protection practice.
It was a very small group of us and we started doing web penetration testing. That was something that I was always interested in but never felt like I was qualified to do. Again, Sam was the first one to go over and I followed him soon after and we’re talking about weeks instead of months time. The work was fascinating to me, I loved it. Back then it was identify and exploit as evidence and I really liked that a lot. We had a tool kit, again, I had the benefit of having some very smart managers to walk me through it. Very interesting stuff to me; I loved it. Then eventually, now we’re talking about a period of maybe 3 to 4 years that I’ve been doing this. As the information protection grew and we started getting more and more engagements, the travel started getting to me. It was generally Sunday night through Friday evening; I was home a day.
At the time I was dating my now wife, then girlfriend, so it made it very difficult to develop a relationship when I home just once a week and I felt like we were long distance, being away from my family whom I’m very close to. All of this started creeping into my head. As much as I loved the work, as much as I loved the comradery of working with the people that I had been working with for so long, the travel started getting to me. Despite the travel, I really enjoyed the work and I felt like this was a means to an end. I was learning a lot so quickly. It was being crammed down my throat, and because I enjoyed it so much I didn’t see it as work. I was learning as I went; it was fascinating stuff to me. It just kept feeding my interests. The more I learned the more I wanted to learn.
We’ll jump and it’s 2008. I’m still working in information protection, enjoying it as much. The travel is definitely getting me to now. Now, I find myself in the Christmas season, so November, December. I’m at small bank in North Dakota, it’s either Sioux Falls or Fargo, I can’t remember which. I flew into one city and then I had to drive an hour and a half to the other. At that point we had started … KPMG started offering our information protective services catering to our clients, so one of the things that we were doing now was we didn’t want to impact production hours so we’re going to move to non-production hours. Instead of doing my testing during the day, sometimes on a development environment or a testing environment, I was doing testing on production environment from 11pm to 5am. Another piece of that was, our clients were starting to say, “Listen, we appreciate you identify exploiting, let’s just to keep it to identification at this point, we don’t need you to exploit.”
For me exploiting was more than half the fun so that took something away from the enjoyment that I was having with the job, so North Dakota, during Christmas, working 11pm to 5am, basically the graveyard shift. During that trip is when I decided, “You know what, I’ve had enough of this. It’s been great. It’s been great and if I had to do it all over again I most definitely would,” but I decided it was time to move on. At that point in 2008 my good friend, Sam, had moved on to a credit reporting agency located in Chicago, Illinois and he told me about an open position. They were looking for a third-party security risk consultant, so submitted my resume and I’m sure with the help of Sam, got the job. I reluctantly gave my 2 weeks to KPMG and moved over to the credit reporting agency and one of the first things I notice immediately was that there was a completely different culture.
Where I think consulting is very competitive, a lot of type-A personalities, the expectations are very high. You become what I would sometimes refer to as becoming institutionalized where you work at such a frantic pace that you become used to it. Your churning out 40 hours of work in 3 days because you’re at … You’re in another city in a hotel room. It was a big adjustment for me, one that I was warned about but one that I was not definitely prepared for. Some of the first tasks that I was assigned, the turnaround time that were asking for was 6 months and I would knock it out in a week. That’s not me tooting my own horn, that’s just me saying, I understood what the expectations were at the consulting firm and it was hard to break that habit. Going to a … This credit reporting agency at the time was a privately-held agency, very small, very small budget.
Information security was not, I wouldn’t say a priority over there, so it was tough to come from an industry where it was so prevalent and so … It was a must-have, it was a requirement. I would say it was requirement where there’s acts and regulations but when you think about CRAs if you’re public you have some requirements that you have to be. If you’re not, if you’re privately-held, there isn’t really anything that you need to adhere to other than CRA, maybe some HIPAA, maybe some PCI, but for the most part, not much. I learned quickly that it was a culture in which I needed to adapt to. Rather than trying to bring my team … I was the manager, I’m sorry, I should have mentioned that; I was a manager. Rather than bring my team to work at a pace that I was used to working to I gave into the culture and I started work as everybody did, so if you can’t beat them, join them kind of thing.
From there, that was 2008 when I joined them. 2010 I was unexpectedly let go from CRA. I didn’t see it coming and I think this is the important piece of it. I think while I was at KPMG I got caught up with the people that I worked with, and this is not good or bad. I got caught up with their priorities. They were very title-driven, they were money-driven. Success was climbing the corporate ladder as quickly as possible and they would do anything to do it, you know. Basically just short of anything to get there, where they needed to go. I adopted that kind of … Even those weren’t my priorities going in I adopted those priorities, they became my priorities. When I got let go, I was lost, I was humbled. I felt like my life was over. “What am I going to do now? How am I going to pay my mortgage? How am I going to pay my bills?” I am married at this point so it was a really tough adjustment.
Again, I think this is where I suffered from fear. Not having that confidence in myself that I was qualified to do some of these jobs. If you think back to 2010 the market wasn’t very good at all for jobs, information security or any other job if you can remember back then. It was pretty tough for me. I probably took it much harder than I should have in hindsight, but it really changed me as a person and how I saw my career. Fortunately, we’ll jump ahead about 3 months. I had a colleague that I had worked with at KPMG and he was servicing HSBC, who was one of their clients and they were looking for somebody just like him. They said, “Hey if you know anybody, please get me their resume.” He was kind enough to give me a call, he knew I was looking. I sent my resume over and in a matter of 2 weeks they hired me.
HSBC where I’m currently employed, I did a little bit of everything. It felt like KPMG in a lot of ways. I’ve done privacy there, I’ve done mergers and acquisitions, I’ve consulted on compliance and legal calls for contracts, third-part security risk. I’ve done application security, I’ve done security testing, I’ve done some EGRC. Right now I’m considered what is a risk steward, so if you think of 3 lines of defense I’m second line right now, so a little bit of everything. What it’s really done for me is it’s really helped me to understand where it is that I want to take my career when I’m thinking of my next steps, where I want to go next. All of it has been fantastic, I wouldn’t trade it for the world. The good times and the bad times it’s all really helped shape my career. I was too young to see it when it was actually happening. Now that I’m older, I can definitely appreciate it.
Jay Schulman: Thank you for talking and in the minute I write down all these different questions as you tell your story. I was definitely going to ask you about being laid off from the credit reporting agency. Yet you’ve tied it together so well talking about the fear and everything so thank you for digging deep to talk about that. Can you talk a little about, and I think it’s really interesting because you brought it up and I see it quite a bit myself is what it’s like to switch between that type-A mentality, everybody running at light speed, and an organization that is just happy to show up to work? How were you able to make that adjustment? You talked about just letting the team run it instead of pushing the team to run like you. How did you manage it personally?
Martin Reyes: It was tough, it really was. When I first came in I felt like I didn’t want to join them. I was working diligently as soon as I came in and it wasn’t to make an impression, it wasn’t to prove my work or anything along those lines it was just what I was used to. What I started noticing is 4:30 I would pick my head up and everybody would be gone. The building would be vacant, basically. It’s hard, you could turn one person at a time, you could get someone on your team but when have some dependencies on other people and other groups it makes it really difficult. I had all these great ideas, these ideas that I felt like could really improve the information security posture at this place.
I would go to my manager all excited and say, “Hey listen this is that we can do; this is what we can do.” “Okay, listen. I appreciate your ambition, I appreciate your determination but we just don’t have the money to do it.” That took the wind out of my sails. Much when I moved from the network administration side to the consulting side, it was being adaptable. I think that’s something that I wouldn’t say it’s a lost art but it’s definitely an art. You’re going to have to learn to adapt. You can’t necessarily give up your morals, you can’t give up your work ethic, but you definitely have to adapt. While I say that I did concede and start … I was started leaving at 4:30. It was nice after working 60 hour work weeks and flying back and forth all of the country. It was nice to get up and leave at 4:30 and not have 17 people calling me, asking me where I was at 6:00 in the evening, so it was a nice break. To be honest, it was a nice break.
There was still a part of me … When I talked about your work ethic, there’s still a part of you that you just can’t give up all of it. Once you understand what your work ethic is and it doesn’t, again, it doesn’t have anything to do with your drive or your ambition, it’s just who you are. Understanding who you are when it comes to your career is vastly important to me.
Jay Schulman: You talked a lot in the same context about how you, or that you had to learn all along the way, especially KPMG I’m guessing and HSBC as well. You made a specific comment about, “Point me in the right direction and I want to learn by myself.” Do you want to talk a little bit about how you were able to pick up all of these different skills and techniques over the years?
Martin Reyes: It’s funny you should ask me that. When I got to HSBC they really didn’t have a place for me. They know they needed somebody but there was a lot of transition going on at the time where … When I say that, I say that at the sea level so I think they had plans for me when they brought me in but those plans changes when they started seeing the changes at the top. They put me on a global information … Or identify access management team and it was not something that I had ever done before, especially for an organization this size. As long as you have that foundation of information security and what it is that you’re trying to do I think it’s fairly easy to learn, at least it was for me.
One thing that I needed to learn that I didn’t necessarily possess at the time when I walked into HSBC is the confidence. I didn’t have the confidence as I said. I think as I talked to more and more people, everybody goes through this. You get appointed to a new job or you go out and you’re looking and you’re reading job descriptions and you’re saying, “Oh, I can’t do that. I can’t do that, that’s for somebody who’s in a completely different field from me, I can’t do that.” That was me, that’s what I was doing at every single turn. One of my first managers at HSBC had a very interesting thing to say to me when he came in. He was one of these guys who came in when the sea levels changed. He’s like, “One of the first things I did when I came I here was I was looking at resumes and I looked at yours and I just have a question for you. I’m like, “Sure, shoot.”
This is our first interaction. He’s like, “Why are you here?” Like, “I’m not sure what you mean.” He’s like, “You’re overqualified to be doing what you’re doing.” That, when he said that, before he said, “You’re overqualified,” when he said, “What are you doing here?” I felt like he was telling me that I was underqualified, which is what I kind of felt I was feeling at the time, and he told me, “You’re overqualified.” I really took a long, hard look at myself and I looked at my resume when I got home that night. I’m like, “Wow, I’ve done a lot of stuff. I’ve done a lot of good stuff.” I know a lot and every single one of those things that I had listed on my resume I felt like I could not do when I walked in the door. I think everybody goes through that. You just have … As hard as it is, you have to get passed it. You’re going to learn. You’re going to pick up these things. “You’ve been doing it for your entire career,” that’s what I had to tell myself.
One of the other things that he told me during that meeting that I’ll never forget. It’s cliche and I’m not a big fan of cliches but he said, and this is the first time I had said it, “You need to get comfortable being uncomfortable.” I didn’t know what he meant at the time but when he told me that, I was like, “Okay, but whatever that means, that’s what I’ll do.” He started putting me on these things so … HSBC did not have a privacy practice so he said, “I want you to start a privacy practice here at HSBC.” We’re talking about a global organization and the U.S. did not have a privacy practice, so he’s like, “I want you to put one in place. I want you to lay a foundation for privacy practice.” I had no idea anything about privacy. I was like, “Okay, I’ll give it a try.”
I started reading stuff, reading as many articles as I could, books, talking to people, talking to people in compliance, talking to former KPMG colleagues and I learned. He instilled that confidence in me. I think it was there but he just brought it out in me. Once I did that. Once you’re able to tackle something that you feel like you weren’t qualified to do, everything else becomes much easier. Instead of looking at is as a challenge, I started … I stopped looking at it as a challenge and started looking at it as an opportunity. I know there’s going to be times, and this happened at every single job, that you’re going to fail. You’re going to fall flat on your face. It happens to everybody. You look around and you see these highly-successful people, it’s happened to them.
I’m sure there’s … I’m sure it’s happened … We know it’s well-documented, it happened to Bill Gates, it’s happened to Steve Jobs, it’s happened to Warren Buffet, it’s happened to all these people in this field and fields even beyond this. Wildly successful people, it’s happened to all of them so it’s how you see the challenge. Is it a challenge or is it an opportunity? You have to look at it as an opportunity otherwise you’re probably destined to fail if you don’t look at it as an opportunity. I had to get over my fear, he helped with that and after I was able to successfully lay a privacy foundation at HSBC, everything just became, “Okay, I could do this, I do could this, I could do this.” It really helped me with my confidence and from there I was able to tackle things and see them as opportunities instead of challenges.
Jay Schulman: I think I must like cliches because I usually say, “It’s not that you fell down, it’s how you got back up,” so [crosstalk 00:24:23]-
Martin Reyes: Yeah, definitely.
Jay Schulman: We ask everybody 2 questions and normally I can predict which part of their career there going to answer but I actually can’t do this with you. I have a couple on the list so throughout your career … It sounds like you’ve actually made a lot of tough choices and a lot of things that you might have agonized over but that things still went your way and still turned out for the best. Choosing just one, perhaps, is there one thing that you remember as being something that you really agonized about but all worked out well in the end?
Martin Reyes: Yeah, moving from network administration to the consulting side of things. I don’t know how else to put it, I was comfortable at network administration. I knew it well, there wasn’t very many things that were going to happen that I did not know how to resolve. The hours were sweet, there was no travel. I think, basically, I was content there. I wasn’t being challenged and I don’t know that I had ever thought about that before. People would tell me that in conversations, I would read that in articles but never knew exactly what it meant. When I moved over to the consulting side it really pushed me to, I think, understand what my potential is.
I don’t know that I had a good handle on that, so I guess the one thing in hindsight if I could go back is to not let fear dictate what it is that I was going to do. Fear of the unknown, I didn’t know what the consulting people were doing and I was fine with that. Asking the hard questions and so I owe a lot of that to Sam. Sam was our guinea pig. He went over first and said, “Hey, you can absolutely do this job.” In hindsight if I could go back, the one thing I would change is I would have gotten into consulting much sooner than I did.
Jay Schulman: It’s not only that he was the guinea pig, he pushed you, right? He was the guy that-
Martin Reyes: Yeah.
Jay Schulman: Pushed you forward so lucky to have that. In all of this, even a couple examples of where you did fall down, you certainly got back up really well. Is there something that if you had to do it all over again, you’d do it differently?
Martin Reyes: What I would do differently? Yeah, I think it would go back to the fear of stop. I would stop letting fear dictate my decisions. I can’t do that anymore, especially at my age. I wished I would have recognized that much sooner than I did. Whether going back to the CRA when I was let go from the CRA, there was lot of time of self-reflection and I was angry at first. Actually I was angry pretty much the entire 3 months I was out of a job. When I think about that, people … I remember riding down in the elevator on my last day and there was a few of us, and the HR person said to us … I thought at the time it was cold-hearted.
She said, “Think of this as an opportunity. Think of this … This could be the best thing that’s ever happened to you.” That was the last thing I needed to hear at the time but when I think back like, wow, she may have predicted exactly what happened. I think that served so many different things for me. The self-reflection, the understanding, the confidence, the getting past my fears, the humbling, all of those things that came with that. If you would have asked me 2 weeks after it happened, I would have said, “No way.” Now as I look back at it, it’s definitely one of the best things that happened to me.
Jay Schulman: Thank you, I’m sure it helps everybody. It happens to everybody at some point in their career where something like that happens and it’s great to her your story of getting over it and it really does sound like it was a transitional moment in your career and puts you in the right direction.
Martin Reyes: Yeah.
Jay Schulman: Good. Anything else that you want to add that we haven’t talked about today?
Martin Reyes: For your listeners I would just say not to let fear dictate whether or not you pursue something. See it as a challenge, see it as an opportunity. Sorry, don’t see it as challenge, look at it as an opportunity. Everybody fails and everyone, when … I can’t speak for you, Jay, but I think everybody’s a little reluctant when they go in, “Hey, am I qualified to do this job? I think it’s natural, I think the longer you work the more you realize just how much potential you have. I’ve had the privilege of working with a lot of great colleagues and even the ones that were not so great, you still learn something from them. When you fail, I think, or when you fall I should say; when you fall you also learn something. You learn, “Okay, I can’t do it that way the next time.” It’s a constant learning process and just you can’t be afraid.
Jay Schulman: Absolutely, and I’d add on to that because I certainly have had that experience where I’ve walked into a job and been like, “How am I going to do this?” Is that often times they’re not hiring you because you can do the job but because they see the potential in you to do the job. They know that you have something to learn and they believe you can learn it. Sometimes that’s all you need to understand to go and do it well. Martin, I much appreciated all of the questions and answers today. Thank you very much for joining us.
Martin Reyes: Thanks, Jay.
Jay Schulman: Thanks, Martin. It’s interesting, the questions I ask everyone are designed to make our guests get little bit more insightful about their career. Martin has already done a lot of the soul-searching, personally, and I valued his insight into his own struggles, which ultimately, I believe has helped him grow his career. Thank you for listening. If you’d like to keep up-to-date on the podcasts, text ‘security to 33444’ to be added to the podcast mailing list. As always, I promise not to text you or even keep your phone number. Thanks for listening and talk to you next week.
Speaker 2: Thank you for listening to the Building a Life and Career in Security podcast with Jay Schulman. For more information and to subscribe, go to jayschulman.com.