Roughly two and a half years ago, I used Twitter to find several dozen infosec-related individuals to follow – people that I believed would help me better understand infosec. One person I came across was Lee Munson.
Lee is a well-known and highly respected person in the information security community, and those accolades are well earnt. Lee’s journey into infosec is an interesting one, so I decided to interview him and find out a little bit about it.
Hi, Lee. Thanks for putting some time aside to speak to me. So, let’s dive straight in: what was your job title three years ago?
Evening shift manager at Wilko (retail).
And what’s your job title today?
Senior associate, Information Security.
That’s a rather significant change in roles. Have you always had an interest in information security?
I’d say my interest in infosec dates back about ten years or so. I certainly had an interest in computers for a long time, though – my dad bought me a ZX81 way back when.
Did you hope that someday you’d turn this interest into a career?
In the beginning it was very much an interest – I can’t say ‘hope’ because at the time I didn’t see any way that someone like myself, lacking in certs and qualifications, could ever find a way in. It’s only in the last 2.5-3 years that I allowed myself to even think of it as a possibility.
Do you remember that one moment when you thought “I want to do this for a living”?
Realistically, that would have been around 2.5-3 years ago when I put a certain post out on my blog saying I was quitting. It was only then, when I saw the reaction, and read and listened to all the supportive comments coming my way, that I thought… “maybe it’s on”.
I remember that post. It was one of the first of your articles that I read. Did you ever expect to receive such a reaction from your readers?
People may not believe this but I hit the post button and thought there would be no reaction – I genuinely believed I was walking away from infosec for good at that point.
Well, I bet you’re so glad you hit publish now!
You bet I am!
Tell me a little bit more about your website: why did you originally create it?
I originally created my website to help a few friends and family members who were having issues with their computers and phishing emails. I took to the web to find the answers – which were certainly there – but found the articles to be very technical in nature and not at all suited to people outside of the IT field. Thus I began learning as much as I could and then writing about it in a way I thought my dozen or so contacts could understand.
How did you feel when you noticed that the infosec community were engaging with your site?
Of course I was pleased to see that but also a bit nervous – I never chased after traffic and I never wanted recognition of any sort – and all of a sudden I’ve got some pretty important people citing my work and commenting on it. To this day, I still don’t really get why and nor do I understand why my site became as popular as it did. Can’t say I’m unhappy about it though.
Well, your site definitely paid off.
It certainly did – it’s only recently that I’ve come to realise the significance of the amount of traffic I was receiving – previously I didn’t think it was all that.
You’ve now left Wilko and are working as a senior associate. What’s that like?
Hmmm, first infosec role – it’s early days of course but what I can say is that I absolutely love it! My role is very much about security training and awareness (which is awesome – I can carry on helping people increase their own knowledge of security, which will help both themselves and the business), which, if I’m honest, was probably the only way in I had, but now I’m there I’ve got the opportunity to work hard within a very supportive company and then see where that takes me…
It’s great to hear that you’re loving it. Did you spend much time applying for infosec roles and, if so, did you have many challenges?
Ha – that’s a question.
Based on what I said earlier, I never went too far out of my way to apply for infosec roles. If I’m honest, the main reason for that was because I never felt I had a chance of getting any of them, being an “outsider”, as it were. That said, a few particular people went WAY beyond the call of duty in trying to get me something – in nearly every case, however, all the conversations I had led to nothing, despite high interest from potential employers. I’m not sure why that was so, but have heard it’s common within the industry. Prior to my current role, I was offered one full-time role which I turned down as I didn’t feel it was a good fit at the time.
Is there anyone in particular who kept you motivated to continue pursuing an infosec career?
I’m wary of answering that as I WILL forget people but, off the top of my head, the following people need a mention: Brian Honan, Graham Cluley, Raj Samani, Neira Jones and, of course, Thom Langford.
Last question. Is there anything you’d like to say to those currently trying to break their way into infosec?
If someone like me, who has no certs, no relevant qualifications and who was working in an altogether different industry, can make their way into the infosec industry, then I believe almost anyone else can, too. I substituted a keen interest and passion for all of the above, and, bar one blip, a never-give-up attitude. At the end of the day, I got exactly what I wanted through sheer determination and hard work (both of which are underrated these days, in my opinion), but how much easier would it have been if I had studied the right subjects and pursued a career in IT? If anyone reading this wants a career in infosec, there really is no better time than now to carve one out but they need to make sure they are doing it for the right reasons as it’s not for everyone. And one last thing: don’t underestimate the power of networking – everyone says it’s key but, in my case, it really was – I wouldn’t be here today if it wasn’t for a handful of infosec superstars and a few thousand more special people who’ve supported me all the way.