#5: Kevin Nassery
September 30, 2015
Welcome to Episode 5 of the Building a Life and Career in Security Podcast.
Today’s guest is Kevin Nassery. Kevin is currently a Managing Consultant at Cigital. Kevin started his career in high school playing around with the local ISP and parlayed that into a networking and security career.
Kevin and I talk about dropping out of college (and going back for a degree later), the foundations of a security career, and comparing consulting to working for a company.
Episode Transcript:
Kevin Nassery: After high school I went to college and kind of this was the dot com days and then quickly kind of became a college dropout and went to work for Global Center in Exodus Communications.
Speaker 2: From the JayShulman.com studio, this is the Building a Life and Career in Security Podcast. Now, your host, Jay Schulman.
Jay Schulman: Thanks, it’s Jay. Welcome to another episode of Building a Life and Career in Security Podcast, the podcast that lets you see how others grew their information security careers. Today’s guest is Kevin Nassery. Kevin has a really interesting career path, dropping out of college, joining the workforce and then going back to get his bachelor’s and master’s degrees and transitioning from consulting to corporate life. Here’s Kevin’s journey in his own words.
Kevin Nassery: I was always a computer savvy kid, as long back as I could remember with my dad showing up with the first kind of IBM 8088 and I wasn’t so much interested in ever playing games with computers so just always kind of in the operating system in the weeds with it. Broke a lot of stuff on my dad’s computers and I remember my brother being mad that he couldn’t print his reports and things like that. Always in the weeds technically. In junior high and high school, I got more into the UNIX and systems administrations, just kind of playing around at home with I think the first version I had was Linux kernel 2.011 kind of like Slackware 3.6 for the people out there, 3.5. Getting involved with that really to set up services, see how things work and that kind of naturally transitioned to spending time at the internet provider that was across the street from my junior high. Hung out there, just as a customer and interested in UNIX and seeing some of their system. This is kind of early ISP in 1995, 1996 and that naturally led to a job there.
They kind of saw this kid hanging out and hired me to be assistant administrator at the ISP. That was kind of my technology start, then, got into security. Actually at the ISP, we had an incident where we were breached through a NFS vulnerability in kind of 1997 or 1998. We were breached, the attacker kind of did some destructive stuff in terms of deleting some drive trees and things like that. That was kind of my first real incident and from there, really started looking at how it happened, buckling down and minimizing attack surface, implementing some router ACLs as well as service monetization and kind of improving the patching strategy for the ISP. After high school, I went to college and kind of this was the dot com days and then quickly kind of became a college dropout and went to work for Global Center in Exodus Communications, kind of a quick acquisition of Global Center right out as I started. There, I had the best job in the world where I would show up and there would be a big data center cage fenced in, filled with boxes of servers and load balancers and networks and I just started putting together people’s environments based on a Visio diagram of what they wanted and kind of server configuration, OS work, some app level work and the network load balancer and security stuff with firewalls as well. Built a lot of that and really throughout my career, I’ve kind of always been interested in security as a way to touch multiple different technology areas, whether it be systems, networks, storage and now it’s software security, where I’m at today with Cigital.
Jay Schulman: Kind of missing a little bit from your story is the ideas that you actually went back to school. You call yourself a college dropout but you end up with your degree. You want to talk about the thoughts you had in going back and getting the degree? Did you really think it was necessary? Why did you do it?
Kevin Nassery: Yeah, absolutely. That’s a good point.
I was still going to school part-time when I was with Exodus, but really I ended up having to drop out because I took a job as a consultant which required me to travel. At the time, I was 19 or maybe 20 and I had been really successful with just my experience and background. This is a couple years later, coming back and I landed a full-time job as an enterprise architect with Classified Ventures in Chicago, doing kind of again, an infrastructure but also leading the corporate security initiative from an engineering perspective. When I had that job, I started looking at my career path and what were the kinds of jobs I wanted out there? For me, I just never wanted it to ever be an issue or a talking point. I did some research and DePaul University had a program that I could go full-time with as well as continue to work full-time. I’ll tell you, college is a heck of a lot easier when you’re 25 and have your act together and have very crisp objectives about your lifelong education plan. Did my undergrad there and then followed up with their combined master’s degree program in computer information and network assurance.
Jay Schulman: Thinking back, you liked the idea of working first and then going back for your degree? You’d do it over that way?
Kevin Nassery: It was absolutely the right decision for me and I wouldn’t even say that it was a decision. I always had a difficult time pacing myself along with the class so my first attempt at college was very much, I would either show up at 10% of the classes and try to ace the test or fail the test. I’m not a very good traditional student in the sense that every week, I’m doing and setting down and doing the regimented work. It’s either always too fast or too slow for me. With going back as an adult, I could figure out how to engineer my college plan a little bit more closely to my objectives. I would sign up for even additional classes and then figure out which ones were going to work with my tempo and speed.
I think I struggled with being a young non-traditional student and then was able to make it really work for me as I kind of matured and had a lot more understanding of the objectives I want. I would say that I had a lot more flexibility at DePaul as well in terms of being able to build a curriculum for myself that really was specific to what I wanted to do rather than their traditional computer science program which, the University of Illinois in Chicago has a great engineering department and computer science program but it was at the time, still pretty traditional computer science.
Jay Schulman: I don’t know if it’s fair to say that you spent half your career as a consultant and half as kind of the traditional corporate employee. Do you want to talk a little bit about the differences between the 2 and how you’ve been able to make the transition between the 2?
Kevin Nassery: It’s not something that I consciously really engineered my career for but I was aware of it going back quite a while at this point. I started at the ISP and then at Exodus, I was in the professional services group doing a lot of consulting. I think as a consultant, it’s great to work with a ton of different customers, see 40 different ways to solve a problem but you’re also only really ever able to work on kind of superficial problems or analysis. At different times, I’ve always gone back and find a way to really make an impact on an enterprise over the course of a longer period of time and see [inaudible 00:07:49] through. That’s been really rewarding to see. Quote Robert [Ee-rohd 00:07:52] and say, hey, I’ve got all these ideas and I’ve seen these 10 customers do this the wrong way. What’s the right way to do it? Then I actually try to build programs and make an impact on a real organization over the course of time has been super valuable. I don’t know if I’ll always continue in that kind of periodic going back and forth between consulting and working within an organization.
The consulting skills are also super applicable where these days, technology and security people especially are always consultants within the organization. I’ve found it to be really good. If it’s an accident or by design, it’s been really good for me.
Jay Schulman: Let’s talk a little bit about the decisions that you’ve made. One of the questions that I ask everybody is, has there been a point in time in your career where you really agonized about a specific decision and ultimately, it went the right way?
Kevin Nassery: I think that first, I went to college and by kind of November break and somebody had come to speak at my engineering orientation class and they were just switching job roles from Encyclopedia Britannica to this new data center and getting this thing off the ground. They came to speak to my Engineering 101 class, at the University of Illinois in Chicago. They had kind of mentioned they were building a team and it sounded like a lot of the stuff I had done before at the ISP. I got his attention after class and it turns out that we knew somebody mutually. In my hometown where I ran the tech side of the ISP, the guy who was running the university program for Quincy University in Western Illinois, he actually worked at this new place. I didn’t know that. We had some mutual connection there and it kind of gave me a foothold. I interviewed for that, it went well and lo and behold, I had a real legit job as a network engineer for Global Center and Exodus and I had to really figure out, that was not my initial kind of career plan. I had planned to maybe even do grad school or have kind of a more academic approach to my career. Both of my parents have advanced degrees. My father’s a physician and my mom has a PhD in immunology. Going home to Thanksgiving dinner and telling my parents that I was thinking about taking this full-time job was really something that I spent a lot of time figuring out if it was worth the impact.
I didn’t really know at that point what was going on with my college career. That certainly was a thing that ended up being the right thing for me to have done and I think my parents probably knew that better than I did at the time even because outside of the initial shock, they both agreed that it was the right thing for me.
Jay Schulman: That’s fantastic that you had supportive parents. I can imagine many people having the opposite experience. “What are you doing with your life, dropping out of college?” Kind of the reverse question here, a lot of what you’ve talked about have really went well for you. Is there something that in hindsight, you’d want to do over if you could today?
Kevin Nassery: I’ll say that I have been the source of a lot of major network and system outages in my day. All of those days and looking back and pretty much all of the down spots in my career, whether it be just the daily grind of a project gone bad or me causing some type of major network outage because of a mistake, those are probably the days in my career that I ever learned the most from. I will say that one lesson that I certainly did learn that made a real difference in me making the next steps of my career was related to just how I tried to influence people. For the first several years of my career, whether it be just youthful enthusiasm but every conversation that I had or debate that I had, I tried to make very scientific and technical. You got to realize, in technology, there’s a lot of people that aren’t going to completely grok a purely technical point by point argument and put it together because they just don’t have the end to end background to put all those pieces together. You don’t just have to be right about what you’re saying and you’re not trying to build a mathematical proof.
You have to influence people and that requires trust and relationships and a communication style which is a lot more about, does the person believe in you and believe that you have the right solution to this problem? Less about whether or not your solution adds up to being right on paper in some theoretical world.
Jay Schulman: I’m going to try to make an interesting transition here. You talking a little bit about being too technical at some point, you have this interesting philosophy that I’m going to bring up because I hadn’t really thought about until at some point in the conversation we had, you did. That’s security people like their gadgets. Do you want to talk a little bit about that philosophy? Because I think it’s really interesting.
Kevin Nassery: It’s how I got into security was I would be building a network and as a quality of that network and there’s a lot of mentors. A lot of that first incident in my background at the ISP, where I built something that was fairly quick to deploy, I learned some lessons maybe organically there, which security isn’t that 10% of things that we spend 90% of our time talking about in terms of the products, the features out there. Security is a quality of what we’re doing in all these different engineering space. It’s intrinsic to those spaces just like availability and performance I think are good metaphors for that. The 80% of security that’s most interesting to me is the security that’s a quality of whatever we’re doing, whether it be building software networks or anything else. Those additional controls that we layer on top and kind of add to the equation really don’t move the bar too much for my taste and it’s certainly disproportionate to the way most enterprises and organizations are building the program. Measuring the success of security executives is a lot about project delivery and success and completion.
It’s a lot easier to purchase something and successfully deploy it and take that as a solution to something than to make a substantial impact in the way we’re managing a technology or a piece of our information systems at an engineering level.
Jay Schulman: I’m sure that a lot of people have similar backgrounds to what you have or are in similar situations. If they want to reach out to you, what’s the best way to get in touch?
Kevin Nassery: I’m on Twitter, @knaussery. Certainly, they can email me as well at kevin@nassery.org and I’m always excited to talk to people about new problems. Anything they’re passionate about, I get pretty passionate over as well too.
Jay Schulman: Awesome. Thanks for doing this today.
Kevin Nassery: Hey, thanks for having me here.
Jay Schulman: Thanks to Kevin, for joining us today. Kevin’s start in technology with his dad bringing home a computer reminds me a lot of how I got started. There’s a link to Kevin’s Twitter profile in the show notes and make sure he knows you heard him here on the podcast. If you have any comments or questions about today’s podcast or want to join me to talk about your career journey, shoot me an email at podast@jschulman.com. If you found this podcast valuable let me know by leaving a comment in iTunes. Thanks for listening to this episode of Building a Life and Career in Security Podcast. Please subscribe to the podcast on iTunes or at jschulman.com/podcast.
Speaker 2: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information, and to subscribe, go to jschulman.com.