What do you get when you cross a teacher with an entrepreneur who also has a passion for cybersecurity? You get Matt Lee. Matt is the Senior Director of Security and Compliance at Pax8, where he is a force multiplier in the mission to empower Managed Service Providers (MSP) to continue to grow in their security knowledge and operability. We recently had a chance to speak with Matt about his experiences, and to offer some solid advice to those who are looking to enhance their cloud security.
Q: Could you tell us a little about your background, and how you became involved as an educator for Pax8?
A: I built an MSP with a bunch of my friends over the course of a decade. And we ultimately sold that MSP to a larger Service Provider, consisting of about a hundred-thousand endpoints under management of the Small and Medium-sized Business market. When I was at that MSP, one of the things that I found an affinity for was the ability to help close the gap in understanding around cybersecurity with the use of analogies, and with the use of experiential conversation, from my past. So, one of the goals of my mission is, if our children are going to have the same wonderful experience around technology that we did, then the only way to do that is to, is to mature.
The first thing I looked for was, who could help me elevate that mission and that journey the most. As I went through each of the vendors, there were several criteria that I looked at when I proposed this solution of working for them as an educator. I landed ultimately with Pax8 because they were the ones who were already further ahead. They already had no metal in a closet; no servers. Their infrastructure was already in a modern defensible cloud infrastructure. These were all traits that made sense to me and that made me feel comfortable as a practitioner, moving towards an educator.
Q: You approached them with your plan for improving their business, rather than applying for an existing position? That seems like a brilliant approach.
A: Yes, and it is certainly a dream to do what I do at Pax8. I'm primarily an educator. We are a cloud distributor that focuses on companies that they could bring to market that had full Application Programming Interfaces (API) that could be instantly provisioned, and from which that the support structure could flow perfectly. A lot of those things became built-in, and part of what I see as the future around cloud, cloud maturity, and cloud usage. My function is to educate around some of the needs in cybersecurity, focused mainly on the CIS Controls for MSPs that provide service to millions of end consumers of our 15,000 buying partners or so across the world.
Q: What first attracted you to cybersecurity?
A: I was the Director of Technology and Security at the MSP I founded, and
security just kept creeping into everything. When you think about the
enterprise security space, even with all their flaws, they are probably 15
years ahead of SMB market. Let that sink in. What I mean is that something
as common as Multi-Factor Authentication (MFA), it was just a normal part of
life. It's been that way for a long time for most companies. However, for
SMB market, they genuinely have never heard the terms, or fight it actively
because it is inconvenient, and if the staff complains enough, they won’t do
But when you start to work with large numbers of customers, a lot of incidents start trickling up, you start asking yourself, as a technology professional who is responsible for security, “What am I doing wrong? What's failing here?” At that point, you start realizing there's a large gap between what needs to exist and what currently exists, both from a service delivery perspective, as well as from an actual tactical technical perspective.
Q: You came from being a technology developer / provider, and then realized there were these gaps for small organizations. Was that the impetus that prompted you to move a bit further into security?
A: It's not so much learned, as survival. For example, one of the concepts that we had was a “live compromise”, in the understanding that an organization is going to be compromised at some point, whether it's a cloud, or whether it's local on premises environment. When you think of it that way, you can think about how to limit access, services, and protocols, so if one person gets compromised, the problem remains localized, rather than migrating through the entire environment.
Q: You maintain both a CISSP and a CCSP credential. What prompted you to pursue the cloud certification?
A: As one of the more “legitimizing” certificates in the world right now,
the CISSP is a perfect credential to prove a person’s knowledge and
readiness in cybersecurity. It speaks towards the breadth and at least the
width of what understanding needs to exist in the field.
The reason I pursued the CCSP designation was that it normalized the language of the cloud industry, as well as and the subjects that need to be understood as part of the cloud profession. ISC2 is one of the most respected bodies in cyber-credentialing. They move quickly by updating their tests enough to stay up to date with more common events and relevant topics. They require continuing education, and they have specific requirements for membership.
Q: Was there anything that surprised you about CCSP exam?
A: No. I thought it was literally spot on. It was challenging, but it was a good test. It really forced me to think through of all the relevant ideas around cloud.
Q: You have not pursued any vendor-specific certifications. Is there any reason why you chose the route that you did?
A: The vendor specific certifications usually have the vendors' goals in
mind. They usually align only with the vendors' view of something. I'm not
saying that's necessarily negative. But, the vendor-specific path just
didn't make sense in the global space for me and my needs. Some of those
needs for me are still valid in legitimizing me as an educator.
Q: Did you notice any specific benefits of achieving the CCSP credential?
A: ISC2 credentials are widely recognized in the industry. The way that I
created my role was I had the ambition to say, “we need live education; a
community presence around cybersecurity education; the ability to share and
educate.” But, we also need the ability to help our clients and partners at
Pax8 to be able to articulate the complex and sometimes difficult
cybersecurity conversations they need to have with their client base.
If I have to convince a Board of Directors about a cybersecurity decision, I definitely want to go into that battle with those ISC2 credentials.
Q: What would you say is one of the biggest challenges you faced in your career?
A: Just learning the way I learned meant learning through loss. That's
probably common for most cybersecurity professionals. We learned because we
were thrust into the perils of protecting an organization from cybercrime.
Now, the challenge is with the way that organizations implement their cloud
solutions. Whether their environment is fully cloud-based, or they are using
a particular function as a service. Some of the biggest challenges for cloud
today is that there is a purer definition that's much more functional from
how we deliver security. There are all kinds of technical concerns, but in
the SMB world, this really is a much higher level of security delivery than
they could ever have achieved on their own. In the enterprise market, the
retention of legacy items creates a challenge. The great task is how to
develop towards both of those interests at the same time, and how do you
write architectures that speak towards both?
On the other side of that coin, if you're a cloud provider who has offered a SaaS solution, but it's built on a monolithic application that doesn't have a secure development life cycle, then I suffers from a tech debt. There may be a technical debt that is hiding behind a curtain of SaaS, and accepting responsibility, but not actually fixing the responsibility in a lot of cases. So, you have this juxtaposition that exists. There is a shared responsibility model, but both sides have to own their responsibility. The challenge is to find ways to do that. The CCSP materials give a person a great way to talk about proper cloud architectures and concepts. It provides inarguable terminology that is easily verified in the cloud industry.
Q: How do you make sure your skills continue to grow, and how do you build your knowledge and keep it fresh?
A: Since I speak with a lot of vendors, it gives me the opportunity to look at their technology, and to understand where they're trying to solve a problem. That allows me to continue to learn the changes to the industry, and the technology. I'm involved either directly as a security purveyor inside an organization of new vendors, or indirectly through people that just reach out to me. I love to continue learning, and recently I also have been advancing my red team skills. I actively stay in touch with a lot of my “hacker” friends to continue expanding my knowledge.
Q: What personal achievement are you really proud of?
A: After one of the more notorious breaches of a company where a friend
worked, I helped him, from a suicidal perspective. I then wrote an email to
the directors of the MSP where I was working at the time which outlined my
single greatest fear for the company. I feared that we may be the next
target for an attack, since our revenue made us an attractive target.
Fortunately, they responded positively, and we were able to build something
magical, enabling reporting, enabling capabilities, and meaningful
protections, but more importantly, fix our own house. We were able to defend
and respond to 67 named incidents inside our organization and reduce loss. I
was quite excited about being able to build that from that one email.
Q: Are there any people in particular who inspire you?
A: I wouldn't specify it as anyone in particular. There are so many people
who I would love to mention, but the list is rather long. One of the
greatest things happening in cybersecurity today, contrary to just a few
years ago, is that there weren't as many people capable of inspiring and
driving, educating, and raising up the tide around cybersecurity. But if you
go look, now you can find so many. I could literally name 50 or 60 people
without any hesitation. There are so many people that inspire me on a daily
Q: What's your next ambition?
A: For me, it's the mission that matters. The mission is simply that we have so much in the SMB and MSP space to improve to self-regulate, to build. It's about getting a voice and continuing to broaden that voice, and to be inclusive, and to drive others to have a voice for enabling and empowering the MSPs. It's all about continuing that mission. If you look at what we see from a cybersecurity perspective, with geo conflict, intellectual property rights, as well as actual interruption of operations, and critical infrastructure, we start thinking and acting more globally. We have to continue to change and grow.
Q: What do you think is one of the most important areas of focus for a person who wants to pursue a career in cloud security?
A: Learn. Just go, and learn as much as you can about every part of cloud security. Go learn, go play, go test, go try, go read, and go listen. Find somebody's content that you enjoy, and find resources that inspire you to love what you're doing. There are so many cool things in cloud security, so go find what vein in cloud security you want to be involved in, and just stay passionate about it.
Matt offers some great advice for anyone who wants to embark on the journey towards becoming a Certified Cloud Security Professional. His experience, and his dedication are valuable and inspirational.
Want to learn more about CCSP?
To learn more about how the CCSP credential can help you gain expertise and advance your career, download the Ultimate Guide to CCSP .