Breaking into infosec through the backdoor: Lee Munson
“It’s a horrible feeling. Knowing that you’ve lost everything. It puts knots in your stomach and you want to run away from it all. But you’re unable to move — as if you’re completely paralysed.”
It was a cold December afternoon, and I was speaking with Lee Munson. I detect an ’Essex boy’ accent in his voice, one that has seems like it has slightly softened with age. I stop and wonder how old he is. Lee has the confidence and measured tone of a mature, weathered man — but a cheeky chappie smile and glint in his eye that keep his youthfulness intact.
We are sat in a Starbucks, sipping what they refer to as coffee. I didn’t even realise my latte had gone cold, and I wasn’t terribly bothered either. Lee had explained to me how back in the mid-2000’s he found himself divorced with three young children.
“I immediately had to employ baby-sitters and take on the first job I could find with hours sufficiently unsociable that I would be free to get my kids to and from school each day. But it meant I couldn’t even afford to open my door, lest the warm air escape. Let alone go out and socialise.”
Staring into my latte, I was lost for words. You don’t often get to ponder over the hardships of others and I felt angry with myself for all the times I complained when I never had it this hard. I guess it’s the kind of character trait that you can’t put on a CV. But demonstrates commitment and tenacity to get through.
Lee continued, “So, I found myself needing to occupy a huge amount of spare time.”
“So you took up knitting?” I quip.
Lee flashes his infectiously charming grin. “My fingers are too delicate.” He says, waving his hands in front of me. “Actually, it was around that time several friends were asking me to help them with their computer issues and, one day, I discovered that one of them had been caught out by what we would now call a Nigerian prince scam — he sent a not inconsiderable amount of money to a stranger hiding behind an AOL email address.
This piqued my curiosity as much as anything else as this victim is an educated chap in possession of more than one degree and I couldn’t understand why he had fallen prey to what I thought was a pretty obvious ruse.
Then, a couple of years later, the support I was asked for took a turn — several friends found malware on their PCs and had no idea what to do about it.
Back then they were largely adverse to spending money on AV and so my mission was generally to remove viruses manually. Being somewhat savvy I turned to Google and the instructions I required were certainly there to be found but they were as clear as mud and so I took it upon myself to “translate” them into a form more easily understood.
My work was greatly appreciated by all the friends and family members I shared them with (I knew they’d get infected again and those print-outs saved me an immense amount of time) and so I had the idea of what I could invest my free time into.
The next step was to create my own website on which the intention was to share information with people I knew, as in actually knew, not strangers on the internet.
But a funny thing happened.”
Entering the Fold
“Other people began finding my website through search engines and I suddenly received a note from my host saying I was using too much bandwidth and that they could no longer host my site for nothing.
At that point I coughed up the required number of dollars for a domain name and proper hosting. I also joined Twitter and started following anyone in the field I thought was interesting, never realising that the first dozen or so people I was admiring from afar were what some may describe as a who’s-who of InfoSec.
As time went by, by the number of people visiting my puny little blog increased and some of my ‘heroes’ in the industry not only noticed me, they even began talking to me on Twitter.”
Smiling I recall the first time I ever interacted with some of the industry heavyweights. Enjoying the giddy exhilaration that comes with being in direct contact with someone whose work you admire greatly.
“Did you ever find it weird so many people had begun interacting with you?” I ask.
“Scary stuff for a chronic introvert for sure, but the worse was yet to come.”
From virtual to physical
“The first time I met Lee was at BsidesLondon. What made you come along to it?” I asked.
“To this day I don’t know why I did that. I was as petrified of meeting new people then as I am now, but on the day I met a few awesome people who took time to chat to this nobody from the retail field about the exciting industry they worked in. I especially appreciate the time and advice you, Andy and Suggy gave me!
After that conference I wanted more and so I signed up for every free conference I could find in the London area. I met more people who seemed to think I had something to contribute, more and more people followed me on Twitter, and my blog started pulling in 8,000 plus visitors a day.”
I felt my right eyebrow raise up. “That’s a lot of views you had coming in.”
Lee modestly shrugged. “Yeah, life was good in that respect.”
His comment reminded of the Steve Jobs quote about following your passion and the money will follow. I guess in Lee’s regard, he was simply following his passion and the views followed. So many personal and corporate blogs go about it the wrong way. They start off by trying to chase the views — using that as the measure of their success. SEO, paid advertising, promoted tweets, these are all strategies — but in order to work, the content needs to be genuine.
Daring to dream
“At this point you’ve still got 3 young kids. You’re still working in retail and you’re blogging to fill your free time. But you’ve also become addicted to security conferences which are cheaper than a movie and provide free coffee.” I half pause to gauge Lee’s reaction to me slipping in a Marla Singerquote. Nothing, so I continue, “This is the point at which most people would pat themselves on the back for a job well done. But you went a step further. How did that come about?”
Lee makes air quotes while saying “People” “suggested I should consider a career in the industry. Oh How I laughed.
But, hey, if someone asks to see my CV, who am I to refuse? And so I sent off a few copies and waited.
The response, though not unexpected, shattered me… I had no useful skills to offer.
Blow them, thought I, don’t need the validation and never honestly thought I’d get a job in InfoSec anyway.
And so I responded in the only way I knew — more hard work, more research and more blog posts.
Two fingers in other words.”
It was nice while it lasted
It’s not about how many times you get knocked down, but how many times you can get back up. That’s sage advice if you’re portraying a boxer in a Hollywood movie, but it’s a lot more difficult to sustain in real life. Ultimately, everyone reaches their breaking point. Lee explained when he reached his.
“I continued for a while until, one day, i woke up and my kids were older, I’d never given them much, and that included my time.
I lined up a part-time job in retail paying minimum wage, even though I was a manager in my full-time role, as that was all I could find.”
“You were going to go cold turkey just like that? I mean, didn’t you feel emotionally invested by then?” I enquired.
Nodding slightly, Lee responded, “I felt a pang of guilt though — nearly everyone in the industry had been extremely good to me and so instead of just disappearing I wrote a blog post and published the link on Twitter.”
I recall reading the post Lee mentioned. It caught me by surprise, but in hindsight, it shouldn’t have. It’s not like many people weren’t aware of Lee’s personal situation and the fact he was blogging for the love of it. Lee’s pang of guilt was nothing compared to the guilt I felt at that time. Here was a guy that had given so much and I hadn’t even taken the time to ask for his CV to forward onto a contact.
But the goodbye message didn’t just resonate with me, Lee says that in the weeks that followed he’d spoken to literally thousands of people via DMs, emails and phone.
“Brian Honan offered me the chance to be his social media manager. It was hardly a full-time role but it was enough to keep me blogging and away from a second ‘real job’ I would have hated.
Very soon afterwards I received a message from Anna Brading at Sophos, asking if I would like to write for NakedSecurity.”
“Did you play hard to get?” I joked.
“Of course I did. I told them to let me think about that” Lee said before letting off a big laugh. ” I most definitely did not say!
“And so I found myself writing about InfoSec all the time — and I was being paid to do it — cool!
But even that wasn’t enough. I’d not had a social life of any description for twelve years by this point and anyone who knows me is aware that I have the social skills of a hermit, and I knew I wanted to change that.”
It was at this point in our conversation that I truly began to appreciate the drive and passion behind Lee. It would have been easy for anyone to settle into their comfort zone at this point or any point up till this one. Yet he wanted more — and kept trying to achieve more. If I could pinpoint his success down to one trait — I’d say tenacity. It reminds me of the quote, “Hard work beats talent when talent doesn’t work hard.”
An offer you can’t refuse
“I was at the European blogger awards ceremony in 2015 during which I picked up a couple of accolades. It was here that Thom Langford mentioned he may have an opening for me and asked if I’d be interested in discussing it further.
Fast forward to November 2015 and the discussion I had that evening transformed into something tangible — I can now call myself an information security professional, thanks to Thom Langford.
How cool is that?” Lee says beaming with a huge grin.
It’s impossible not to be happy for Lee. Even if he is overly modest and giving far too much credit to Thom for his success.
“For someone working in the wrong industry, with no relevant qualifications and no certs, I’ve done rather well I think.”
I let out a laugh. “Rather well is a bit of an understatement! But in all seriousness, what do you think was the biggest factor in helping you overcome these odds?”
“Luck for the most part — the people I got to know were the right people, not only in terms of influence, etc., but also because they had the patience and kindness to give up their time to an ‘outsider’.”
The reference to luck offends me. Lee worked hard to get where he is. He had every opportunity to do anything but pursue his interest in security and helping others. He took advantage of the opportunities such as attending conferences and networking with peers presented themselves.
“How can you say luck had anything to do with it?”
Lee flashes his cheeky chapie grin, too modest to acknowledge my comment. I continue.
“You never gave up. Kept on dreaming and kept on working until you got what you deserved. That isn’t a story of luck — that’s a story of hope and motivation.”