In our last Q&A, we heard from cloud and DevOps aficionado Chris Belyea. This week, we sat down with Don Mills, cloud architect and cybersecurity guru. Don shares what inspired his career and how he got started in cybersecurity, and touches on today’s trends and challenges industry professionals are facing.
Get to know Don Mills, Chief Information Security Officer
What inspired you to pursue a career in tech?
The inspiration came at a young age. I got my first computer when I was eight years old. It was a TRS-80 Color Computer that my dad bought me at a local Radio Shack. I taught myself everything I could about it. Eventually, I got a first-generation IBM PC clone (8088 with turbo button of course) and learned all about MS-DOS.
Life happened though, and then I went a long time without touching a computer. Eventually, I got one in the 90s, and I hooked it up to the fledgling internet via a SLIP connection and started studying how everything about the internet worked.
How did you get into the security side of tech?
Ever since I saw the movie WarGames as a kid, I knew I wanted to be a hacker. It had a lasting impact on me…it was like watching a black art, and I desperately wanted to be able to practice it. But when I was coming up, there was no knowledge of how to get into security. You had Phrack magazine, 2600, or various text files with information you’d find in random places on BBSs and whatnot—but that’s it. Without educational courses or even books on the topic, there really wasn’t a clear path to learning anything. Even today, almost everything I know is self-taught. Beyond a training class or two, I’ve never been officially instructed in anything technology-related.
When I began my career, I was working with an ISP in Petersburg, Virginia. This company had this gigantic Sun Solaris box—which was a super high-end computer at the time—that I had never seen before. I jumped in and started reading the military training manuals lying around there and learning Unix (Solaris). Then they got hacked, and I was able to forensically determine the details and track down the steps of the attacker. I was hooked!
Soon, I came across my first book that included Linux software on a CD in the back (Yggdrasil with kernel 0.99). Everything took off from there.
What sort of projects are you working on today?
I’m currently helping one of our clients develop an enterprise Identity and Access Management (IAM) system. It’s challenging because they don’t have anything in place currently, and they have a legacy-type way of doing things. I’ll have to pick out all the different requirements that will be necessary for all their applications to work with such a system and then move to the second phase, which is where I will make a recommendation, design the system, and architect how they will migrate their core applications over.
I’m also working on another project concerning internal technical training for a client. It’s a follow-up to an earlier project SingleStone did, and I’ll be providing expertise around cloud and other technical training matters.
Finally, and to me most importantly, I’m working on SingleStone’s internal security program. I’ve been able to draft a series of our first security policies to review and discuss with the Senior Leadership Team. I’m hoping to continue this process, as well as start to socialize these to my fellow employees.
You recently wrote a great article on service meshes. Have you used them or any other “trendy” tech recently in a project?
Well, that article was really prompted by me wanting to write about another subject, which is AWS AppMesh. I piloted that out for our Team Insights project as a method to control network traffic at the container level and to provide tracing insights for AWS X-Ray. So, when I have the time to pull it all together, I will have more article(s) in that series that deal with AWS AppMesh as a service mesh at a very deep technical level.
What about cybersecurity trends—what’s hot right now?
Traditional security doctrine has spent decades focusing on a “fortification” strategy, where all the effort goes into building secure networks and segregating them from the outside (and each other) to provide walled-in areas where at-risk and poorly designed applications can be sheltered. That’s why terms like “blast radius” are popular: they somewhat describe the area of effect that a compromised system can exploit in this strategy.
But that is rapidly going to become an untenable security model in our new reality of microservices, remote workers, and SaaS/PaaS services doing a large part of what those old internal applications did. So we have to shift our priorities to applying security policy at the endpoint, application, and device-level…and not just at the network perimeter.
Long story short, people are realizing they need to write their applications so they can get to it from anywhere, and then move the security from “trying to build this castle around it,” to front to back, everything is secure. Move from what I used to call the “M&M theory of security,” where it’s a hard candy shell, but there’s nothing but gooey chocolate on the inside.
Also, applications themselves are changing. They used to be these gigantic monolithic blocks; now, they can be made up of 20-30 different parts that all interconnect and talk to each other. Knowing how to secure and protect all of that, where there might be 40 different things talking to 40 other things, and a customer load kicks up and now there’s 60 of each—figuring out how to protect, secure, and make sure all of that is doing what it’s supposed to do…that’s where things are headed today.
Tech is so ever-changing; there’s always something new. Did you ever study something that ended up not taking off?
At one point I was one of the world’s leading experts in a networking technology (ProgrammableFlow from NEC) that just never caught on. I was so excited; I was the only person that ever got it set up and working without assistance, so the people who developed the technology were flying their developers from Japan to spend a week with me. Then they flew me to Canada to set it up for a huge customer and I thought, “man, I’m really there”…then yeah, nothing came from that. Sometimes you make mistakes. Luckily for me, most of my decisions have paid off: sticking with open source, Linux, security—that whole ecosystem lived up to my predictions…despite all the people telling me otherwise at the time.
Do you have a favorite project you’ve worked on?
There are two that I can think of immediately. I was able to help develop the cloud curriculum and intro to cloud training, and then deliver the training with Ryan, for one of our clients. Then, for that same client, I developed and taught an encryption in the cloud class. It was super fun and challenging.
What challenges are cybersecurity professionals facing these days? What should those looking to break into the industry be aware of?
If you want to get into security or architecture, you’re going to have to develop a thick skin and the ability to go against the mob mentality. It’s very hard as human beings to take an opposite position, and stick to it—to be unmoved by the pure force of everyone else’s opinion. You will also find that often the people you are trying to help will have vastly different thoughts on a technical subject than you and will try and call you out on things.
There are going to be situations where you’re sitting in a room full of people and either you’re telling them something they do not want to hear, or you are telling them something they didn’t think of themselves that they should have. It’s hard.
For me, it often also ties a little into imposter syndrome—people think they don’t have enough knowledge or know-how, but you’ve got to overcome those self-doubts and give the client the honest truth. Often having to be the “expert” in the room is a tough job.
Imposter syndrome and self-doubt are something I’m sure many people experience. How have you overcome it?
“Measure three times and cut once” is a motto I learned in shop class, and it’s just as true today. So, personally, I deal with self-doubt by always trying to be as absolutely certain as I can, especially if I’m making a technical statement in front of a customer or my peers. Now, this approach has its drawbacks, in that it requires more thought and research. But what you never want to do as an architect or security professional (or anyone, really) is get caught in an incorrect or false statement. If you already have imposter syndrome or self-doubt, that is going to shatter your confidence into nothingness.
So if I’m stating a “fact,” I’d better be 100% sure that it’s true. If I’m not, in the flow of conversation, I’ll use qualifiers like “I vaguely remember” or “I’m fairly sure.” Sometimes you just have to say, “I don’t know, but I can find out for you.” But if you’re stating something as a fact and putting yourself out there as knowledgeable, you need to be triple sure that it’s true; otherwise, you’ll get caught on it, which makes the problem (and your credibility with the customer) 1000x worse.
Who’s your dream client for SingleStone?
My dream client would be some high-end gaming company like Riot Games or Epic Games. Someone we can help set up the backend cloud for some new game. A lot of these companies, especially Riot Games, are top-notch DevOps shops. I would love for us to get a shot at something like that. Plus, it would be a fun industry to work in and could get us a lot of attention.
What’s your favorite part about working at SingleStone?
It’s the people. I have nothing but the highest respect for the people that I directly work with and talk to on a regular basis…they put up with me and the “eccentricities” I bring to the table. We always seem to get it together in the end! And honestly, I really feel some sort of affection for every single other person in our company. I’ve felt more supported, cared for, and valued at SingleStone than probably any other place I’ve ever worked.
What inspired your career in tech or cybersecurity? Did you have a “WarGames” moment like Don? Do you ever find yourself dealing with imposter syndrome, and if so, how do you cope? Let’s get the discussion going: comment below or send us a message.