#11: Sam Monasteri

November 11, 2015

Welcome to Episode 11 of the Building a Life and Career in Security Podcast.

Today’s guest is Sam Monasteri. Sam started his career working in networking at the Sears Tower before transitioning into information security and now is the leader of security for an aerospace company. Sam predicts you might disagree with some of what he has to say, and that’s okay with him.

[powerpress] Links Mentioned In This Episode:

[content_toggle style=”1" label=”Show%20Episode%20Transcript” hide_label=”Hide”]

Sam Monasteri: You know what, I’m well aware of that, and when I was answering the question, I was, like, if enough people hear this podcast, I’m going to get some feedback on either view. Recorded: From the JaySchulman.com Studio, this is the Building a Life and Career in Security Career Podcast. Now, your host, Jay Schulman. Jay Schulman: [inaudible 00 = 00 = 22] Jay and welcome to another episode of Building a Life and Career in Security Podcast, the podcast that lets you see how others grew their information security careers. Today’s guest is Sam Monasteri. Sam started his career working the networks in the Sears Tower before transitioning into information security and building a strong career now as the leader of security for an aerospace company. As you heard from the introduction, Sam predicts you might disagree with some of what he has to say, and that’s okay with him. Here’s Sam’s career journey in his own words. Sam Monasteri: I really started off my career with IBM [inaudible 00 = 00 = 54] school when I graduated from [inaudible 00 = 00 = 56]. I started there just being a service tech, switching up what they called back then [inaudible 00 = 01 = 04] terminals. My original degree from [inaudible 00 = 01 = 07] was really in electronics, but early on, I knew I wanted to be on the PC side of things, information technology because it always was an interest to me. From there, I ended up moving on because it was really just a part-time position with IBM and once I graduated, I wanted to move more into a fulltime job. I ended up working in a industrial controls company. It was at that time called Electronics Systems, USA. I was really responsible for all the industrial controls at Sears Tower and then the furnace systems, which were a network that really ran up 30 floors for the Sears Tower that the security officers monitored and the engineers for the tower monitored. It was a unique situation because [inaudible 00 = 01 = 57] at that time, where all the different controllers are together to really speak in one particular language or protocol, and then the engineer or security officer can view all the statuses of, let’s just say, chiller temperatures, wind speeds, along with … if you’re talking about the security guards there [inaudible 00 = 02 = 15] see anybody who swipes in throughout the building on one particular terminal, but you might have 10 or 15 different systems integrated. Back then, in the late ’90s, that was big. From there, they made a name for themselves and [inaudible 00 = 02 = 30] bought them and bought the rights for their product. Around that time, I decided to leave. I moved on to KPMG. I was at KPMG for approximately eight years and between leaving ES USA and moving to KPMG, I really knew that I wanted to stay on the PC side of things or the information technology side of things. I really got great background at ES USA for industrial controls experience and really getting an understanding of how those work and in different environments, but I still want to concentrate on the server client side and the project management piece of things, so I accepted a role at KPMG on the helpdesk side where I was on that side for about four years. I did helpdesk, special projects and a lot of projects related to security. From that point, from internal helpdesk at KPMG, I knew that I really like information technology, but I really started to think about security more to it, and really risk management. That was something that also piqued an interest, career-wise. About four years being at KPMG, I saw an email come through requesting, or actually stating that they had an open position in the information risk management team at KPMG related to security. It turned out to be more or less a pentester role. I applied for it and I ended up getting the job. I really think that the transition from internal to client side was one of the biggest pieces of my career that really enhanced my career and really built my resume up and shined it to prove that I could speak in front of people, and then also write reports and demonstrate my ability to be a good pentester. I stayed in that role for about four years and at that time as well, I was going to [inaudible 00 = 04 = 23] to get my bachelor’s in the evening. It all worked out really well because I ended up graduating from [inaudible 00 = 04 = 29] that time as well, and then I ended up moving on to [inaudible 00 = 04 = 34] Union, accepted a manager role on their security audit side. That really was a great experience as well where I really focused for the first, I believe, 18 months or so, on vendor security assessments and that’s key for that particular organization because they are [inaudible 00 = 04 = 51] Union. They own the US credit database so they share that information with everyone, but anytime you share that type of information, which is personal information, security assessment had to be performed. It really gave me a really good understanding of the different data flows and technology that’s used in different environments, and then, having to understand or at least recommend security controls that need to be in place before they could use that type of information. Another great experience was [inaudible 00 = 05 = 22] Union. In [inaudible 00 = 05 = 22] Union, I moved to my first director role for Affirmative Insurance and that one is another public company where I was in charge of an outsource team of infrastructure and security, individuals. I was there for about approximately two years, really worked hard on the compliance side to get them close to as compliant as possible for [inaudible 00 = 05 = 43] actually and then also, at the same time, make sure the right security controls, policies and procedures that were in place, and then also work from a governance standpoint to have some oversight on those controls just to make sure things were sustainable. After Affirmative Insurance, I moved on for an education corporation, a short stay there. I was there for about a year. I was director of security governance reporting to a CISO and that was also a really good experience. It gave me some insight on how the education field works and how a public company really relies on their numbers and really relies not just on a brick-and-mortar school, but almost a 95% ratio of website-type schools so it really gave me a good perspective of that type of business. My main responsibility there was leading a team of security governance professionals that we had a lot of oversight on from anywhere between security control to security awareness compliance, stuff like that. Lastly, the position I’m in right now where, again, I’m head of security, director of security at Woodward, Incorporated. What we do there is we’re aerospace defense company. I’m a leader of [a team of five, and again responsible for the overall security, risk and compliance for the organization. We’ve found there are a lot of different regulatory compliance requirements so [inaudible 00 = 07 = 16] actually HIPAA, along with PCI and then ITAR as well. ITAR is it’s really any type of military information or military product that needed to be secured, and it can’t leave the country, only US citizens can access it, so there is a lot of regulations around that. From a security perspective, again, responsible for all the policies and procedures, security controls in place, and then, risk assessments throughout the organization. One thing that’s big now in the manufacturing industry is IOT, internet-of-things, so anything from a manufacturing standpoint is now becoming connected, ton of analytics is being performed on those machines. Not only is it analytics, but on also service. Instead of having a service person jump on a plane and service something from Germany in the US, they can remotely connect to devices in a manufacturing organization and look for indicators that basically are saying, hey, you know, this particular machine is wearing out or we’re going to need to do some maintenance on it. Then they can walk through a machinist or an engineer on how to maintain it over the phone, or do it remotely, rather than having somebody jump on a plane for 15 hours and then endure all the costs associated with that. Right now, I’m still at Woodward. I’m enjoying it and I think it was a great career move. Jay Schulman: If I can go back all the way to the very beginnings, you were super hands-on for a while, even at KPMG doing pentesting, and then more of a governance thereafter. Did you have a tough transition from the very technical hands-on to being less hands-on? Sam Monasteri: No. I believe that my career transitioned me to that point. I think really from the point of being very hands-on when I was at IBM and let’s call it Electronics Systems USA, I think the transition really happened when I was at KPMG where I was hands-on, but yet, then I had to sort of put that hands-on behind me, think about risk, think about recommendations, do a lot of research on the web, and then assist or author a report for our customers, I just think that, for me, my career it transitioned moving from hands-on to a least amount of hands-on work worked out perfect for me. Jay Schulman: Yeah, that’s a really interesting way of looking at it. That’s great. Among all of this stuff, you have probably given me a laundry list of regulations that you’ve had to help companies abide by. How have you been able to keep up from a regulatory standpoint from everything? From HIPAA to GLBA, and you just mentioned ITAR at the end, how have you been able to do it? Sam Monasteri: Well, I think that there’s a few things that I use. First of all, I always try to keep up-to-date with all the regulations from just joining specific web access, mainly free ones. You can find them out there that’ll keep you up-to-date, like PCI 3.0, PCI 3.1, any changes in ITAR, any changes in HIPAA or HITECH. I try to take advantage of all those web access I see out there. One thing that’s really good that just really stay up-to-date on it is using Twitter. I don’t typically tweet too much out there, but what I do is I follow a lot of industry experts, a lot of regulatory compliance experts and organizations, government organizations. It’s really where I try to keep up-to-date. It’s current and if it’s something that sounds like it’s interesting and it may affect the organization I work for, I click on the link and I read up on it, and then I probably will do some further investigation later on. Jay Schulman: That’s a great tip, thank you. I do that myself, but it’s good to know that other people do that, too. Thinking back to your entire career, has there been a point where you really were agonizing about a particular decision and, in hindsight, you’re so glad that you went the way you did? Sam Monasteri: Yeah, that’s such a great question. I think every organization I worked for there’s always been that decision that you feel like is going to make you or break you. Being a security practitioner, it’s really about balancing that risk and making sure that your members or your users or your employees can still be productive in doing their jobs. I think that’s a challenge that happens to me in my environment every day, and I think that’s what makes me love this profession so much. Thinking back, I think it’s really about social networking. It’s a dilemma that I’ve ran into the last two or three organizations I’ve worked at and it’s mainly about Facebook. It’s one of those very controversial topics. Do we let people access Facebook? Do we let people access LinkedIn? Do we let them access Twitter? Quite frankly, I think LinkedIn is one of those social networking sites that, from a security perspective and from a business and professional perspective, I think it’s proper. I think to answer your question, the agonizing decision was either to block Facebook or let Facebook through and I think still looking back, I’m happy with blocking Facebook for majority of different reasons and one is because it’s more of a social site than a professional site. Is it needed in the business environment? It might be from a marketing standpoint, it might be from a pure communication standpoint, but for the average day member or user, it’s probably something that is a very hard decision for me to look at and say, yes, this could be used throughout the organization. Jay Schulman: You’re probably the first person to come up with such a controversial question that they agonized over and I’m sure that just as many people who would agree with you would also disagree with you, so a very good choice on your questions. Sam Monasteri: And you know what, I’m well aware of that and when I was answering the question, I was like, if enough people hear this podcast, I’m going to get some feedback on either view. Jay Schulman: Absolutely. Up until now, everything has been absolutely perfect. Everything has gone your way. Is there something in particular that, if you were to do it all over again, you would do it differently? Sam Monasteri: Professional-wise, I really liked the path I followed and it’s never planned. You sort of just followed your path. I think, for me, I would have probably got my bachelor’s a little earlier in my professional career, rather than waiting a little later, and that’s just only because it’s personal preference for me. I think as long as you get your degree when you get it, it can help you out considerably in your career, but for me, I just felt like that it was something that I wish I would have had a little earlier in my career. Jay Schulman: It’s interesting you bring that up because your path, starting with some education, getting your bachelor’s degree later on, in some way or another, actually matches a lot of people that I’ve interviewed so far. Thinking today to people that are just getting into the field of information security, how important do you think a bachelor’s degree is? Sam Monasteri: I think a bachelor’s degree is key if you want to be, and I’ve seen this in a lot of organizations and this might be controversial as well, but in order to get promoted to a manager, a lot of organizations require a bachelor’s degree. I think breaking into the security field is key with a very strong security certification and potentially an associate’s degree or something like that, but if you ever want to excel into management or upper management or be an executive somewhere, you’re going to need to at least have a bachelor’s at a minimum, and even potentially an MBA. Jay Schulman: One last question. I’m looking at your work history and it was interesting because when you talked about the Sears Tower, and thank you for still calling it the Sears Tower, when you talked about the Sears Tower, to me that’s very much the internet-of-things, as we look at it today. Here’s this building that is connected in so many different ways and now, in your current position many years later, you’re dealing with the internet-of-things. Is there some particular area of the internet-of-things that you’re concerned about in general? Do you think that this is going to be a huge issue going forward, or do you think that, from a security perspective, we kind of have it managed? Sam Monasteri: No. I am very concerned about it. You know when the internet, 15 to 16 years ago started to talk about bringing everything into the internet, electronic banking, uploading checks, images of checks, everything that you can think of, I was concerned about the internet back then. Now, we’re talking about IOT and IOT is just another layer of risk. IOT is another layer of risk, maybe we call it Internet 3.0 or Internet 4.0, but there’s so much more information now being pulled into IOT, specifically from a remote perspective. If you don’t control it, there could be an abundance of IP floating through all those IOT-type devices and systems, so it has to be controlled, security has to be built in prior to deploying and selling that to the customers, unlike what is happening with the internet at the start. The internet is a network that was built on trust, not security, and what we have to do is we have to learn from the mistakes from the internet and build on trust and security into the IOT. Jay Schulman: Love the insight there, thank you, and thank you for agreeing to the interview today. If listeners liked what you had to say and wanted to connect with you, it sounds like following you on Twitter might not be the best way to hear what you have to say. How can people reach out and connect with you? Sam Monasteri: They can reach out to me on Twitter, but they can also reach out to me at sammonasteri@gmail.com. Jay Schulman: Awesome. Thank you. Sam Monasteri: Thank you. Jay Schulman: Thanks to Sam for joining us today. I met Sam at KPMG, and interviewed him for the role in the information security group. I’ve been lucky to have seen Sam grow in amazing ways throughout the past 10 years. Hopefully, you’ve picked up just a few things from his journey today. If you have any comments or questions about today’s podcast, or want to join me to talk about your career journey, shoot me an email at podcast@jayschulman.com. If you found this podcast valuable, let me know by leaving a comment in iTunes. Thanks for listening to this episode of Building a Life and Career in Security Podcast. Please subscribe to this podcast on iTunes or at jayschulman.com/podcast. Recorded: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to jayschulman.com.