Security Chipmunks

Standing Out in the Security Crowd: Jerry Bell's Path to Success

Edna Season 4 Episode 21


What does it take to build an online community of 50,000 cybersecurity professionals? Jerry Bell, founder of InfoSec Exchange and former CISO for IBM Cloud, reveals the journey behind creating one of the most influential Mastodon servers in the security world.

When Twitter underwent significant changes in 2022, Bell's Fediverse server, which he'd quietly maintained since 2017, suddenly became the landing spot for thousands of security professionals seeking a new digital home. The explosive growth from around 100 users to 50,000 within a month created both technical and human challenges. "The technical aspects, while challenging, don't hold a candle to the complexities of moderating a community that large," Bell explains, detailing the balancing act between enabling free expression and maintaining community standards.

Bell's contributions to the security community extend well beyond Mastodon. As the host of the Defensive Security Podcast since 2011, he pioneered professional-grade security content when most security podcasts were either consumer-focused or entertainment-oriented. This content creation directly contributed to his career advancement, eventually helping him secure the position of CISO for IBM Cloud. For aspiring security professionals, Bell offers three key pieces of advice: prioritize human networking over resume submissions, develop a deep understanding of networking technology regardless of specialization, and find ways to differentiate yourself through content creation or community involvement.

Whether discussing persistent cloud security challenges like misconfigured S3 buckets or sharing his journey from factory maintenance worker to security executive, Bell's story demonstrates how creating content and building communities can transform a career path. What digital footprint are you creating that will make hiring managers recognize your name when your resume lands on their desk?


Speaker 1:

is from a cooperative project for acquiring skills essential to learning. Welcome to another episode of the Security Chipmunks podcast, where we keep chipping away at it. I'm your host, Edna Johnson, and today I'm joined with Jerry Bell.

Speaker 2:

Thank you for having me, Edna. It's really a pleasure to be here and an honor, and thank you to everybody who is interested in listening to me talk. So it's great to be here and I was really tickled when you invited me here. So thank you again.

Speaker 1:

Oh, thank you. I'm so glad to have you on the episode and having you here on the podcast. I've been following you on TikTok and then I learned about your own podcast, so it's been really exciting to learn about your background and your journey in cybersecurity, and it's really impressive actually. So I appreciate you jumping on with us.

Speaker 2:

Oh, I've been lucky for a very long time, I guess, is the way I would say it.

Speaker 1:

Yeah. So one thing that I learned about you, and I was super excited to hear that, is that you run the Fediverse server InfoSec Exchange.

Speaker 2:

I do. I started that server back in 2017. So we actually just passed our eighth birthday and it's been kind of a wild ride. After Twitter kind of imploded back in 2022, there was a mass exodus from that platform over to the Fediverse, and prior to that it had been 50 to 100 people and kind of within the span of a month it went from 100 people to about 50,000. And that was a really exciting time, but I was really happy to be able to contribute to helping the community kind of find an alternate landing place.

Speaker 1:

Yeah, I mean it's so impressive because I remember that time when InfoSec Twitter moved from Twitter to your server, InfoSec Exchange, and it's a great community there and I know that you have a lot of people that have joined it in the last few years, so it's pretty cool. So has there been some growing pains going through that?

Speaker 2:

Um, early on, there certainly was, um, you know, obviously the capacity to run that many, uh, you know, that many concurrent people is, uh, not cheap. Yeah, and so it was.

Speaker 2:

There's a lot of, uh, you know, kind of juggling of systems and trying to keep up with, you know, the demand, while not breaking the bank, because, I mean, I funded it personally for a long time but eventually I, you know, crossed the threshold where donations were paying for it. Now I've kind of gotten a, I would say, a happy, you know, consistent and, uh, stable capacity. Although, you know, recently, the amount of, uh, people has kind of been waning and, I would say, very recently, starting to go back up. So it's, uh, a little bit inconsistent but has been quite, you know, quite interesting to be part of.

Speaker 1:

Yeah, that's really neat. So, as far as the community, I know that there's a lot of InfoSec people on the InfoSec Exchange, so I know that there's been some updates with the tweets, or not the tweets, the toots, sorry, the quote toots and all that. So moderation-wise, has it been going pretty well?

Speaker 2:

You know, anytime you have a bunch of people in kind of the same room together, you're going to have some issues and, yeah, it's really no exception.

Speaker 2:

Um, I'm not going to say it hasn't been a problem. I would say the technical aspects, while they've been a challenge, really don't hold a candle to the complexities of moderating a community that large. You know, you don't want to be. Well, let me say it differently: you want to enable people to express themselves and communicate freely, but not everybody has the same idea of what that means.

Speaker 2:

Yeah, and so it's been. I will say it's been probably the largest aspect of the largest challenge of running that community, for sure.

Speaker 1:

Mm-hmm, thanks. So I also learned that you host a podcast, the Defensive Security Podcast, and you have for many years. So tell me about the podcast and what got you started in podcasting.

Speaker 2:

So a long time ago, in a universe far, far away, I was more on a CIO trajectory. I was with a company called Internet Security Systems from the late 90s until the mid-2000s. Sometime in the mid-2000s our company got bought by IBM and an interesting thing happens: IBM doesn't really need its own IT, a new IT function or a new CIO, and so I kind of got labeled the security guy and so, even though that really wasn't what I had been focusing on, security was part of my responsibility set there. But you know, it kind of morphed into more of my identity at IBM, and I at the same time was getting into listening to podcasts and also at the same time we started to see a really large change in awareness of, you know, more advanced threats. So you know there was the.

Speaker 2:

Aurora attack with Google, Mandiant had just released its APT1 report and there was just this freight train of really complex attacks and at the same time I was kind of taking on more responsibility for protecting customers at my employer and things like incident response and whatnot, and I found it odd at the time there really weren't any what I'll call corporate security podcasts. There was like information security daily, which was cool, but it was, I would call it the security podcast equivalent of like the morning radio zoo. You know it was fun, but it really wasn't all that informative.

Speaker 2:

And then you had things like Security Now, which was very consumer oriented, and so I was a little disappointed that there was this gap in, you know, on the one hand you had a lot of stuff coming out, a lot of change happening in the industry, and nobody was talking about it, and so I, um, you know, it took me probably a year to get it started and the most complicated part was finding the right music. Okay, yeah, and that makes sense, like finding music for podcasts is hard. And then, uh, you know, that was my excuse for a long time, but then I got, you know, got it off the ground and it has been one that was back in.

Speaker 2:

I think I started in 2011, 2012, that time frame and I took some time off. I, um, around 2020, I got a new job and my co-host fell ill about the same time and we took a couple years off and about a year ago, we restarted it. So it's been, uh, it's been going again. Okay, wonderful, that's really good to hear.

Speaker 1:

Yeah, I understand why people would be taking a break from podcasts, because I've done the same with this one. Life happens, but that's good that you're continuing it. So, with hosting a podcast, have you found that, like you're getting? Does that help you in your career, like making connections and meeting new people? Do you feel like it certainly has.

Speaker 2:

I would say it really helped elevate me to the position that I ultimately got to. My most recent assignment was as the CISO for IBM Cloud, which was just a huge, huge environment, and I was in that role for about four years and left and I have been unemployed now for about a year. Unemployed, you know, by my own choice, um, but you know I will say the one thing that is super important, and I suspect a lot of people, especially those who are just coming into the market right now, are probably feeling a lot of, uh, frustration and, um, dismay maybe about, uh, the job market. And you know, things like podcasts really help differentiate you. In my experience, it has always been a benefit if, um, if people know who you are, right? You know, it obviously helps if it's for a good reason.

Speaker 2:

But you know, I would say it has really added to my professional success for sure.

Speaker 1:

Yeah, that's excellent, and it also gets you used to speaking to people from different walks of life too, right?

Speaker 2:

Yeah, for sure, we haven't done a ton of interviews. A lot it's mostly back and forth between my co-host and I. We did start a second show where we do interview people. That's kind of on hiatus at the moment, okay. But yeah, and I will say that was another reason that I started this I am probably about the most awkward person you can imagine socially, so it has also been a big help for that.

Speaker 1:

I think that's very true for a lot of people in tech having that awkwardness, it just comes with having nerdy interests, I think.

Speaker 2:

Oh, for sure yeah.

Speaker 1:

So you mentioned the role you had at IBM was cloud security. So that's so interesting. What do you think are the most challenging things in cloud security today?

Speaker 2:

The complexity and unknowingly making mistakes that get bit. So you know, if you look back in time, one of the most significant challenges, which, by the way, is still a challenge even today, are unsecured S3 buckets. It is such an easy mistake to make. Um, now I think that the providers are starting to turn around, you know, to come around and make things more secure by default, but you have a huge amount of, you know, stuff that's already out there, um, to the point where there's actually, on our Mastodon instance, there's an account called the bucket challenge and, you know, their whole thing is trying to identify, through some kind of clever means, unsecured buckets that contain sensitive data. And then they try to cut you know the con, like they're not doing it for, um, for fame or money or to be nefarious, but they're actually like trying to get to the owners to get that turned off, which has been a big problem. So I would say that's probably the most significant one. And then, uh, you know, beyond that it's really related to the complexities around IAM and each provider has a little nuanced take on that. But I would say those are kind of the two biggest issues.

Speaker 2:

Now I will say as the CISO of a cloud provider.

Speaker 2:

I've been out for a year, so I'm always optimistic that things continue to get better.

Speaker 2:

One of the big problems we had was companies who thought that, or had some deep misunderstanding of, what you get when you buy, when you put your stuff in cloud, and so I've had an unfortunate number of instances where customers didn't realize that they were responsible for patching their own, the virtual service they set up in the environment, and then something bad happens. And you know they're, um, they're left wondering, well, what happened? And so, um, I don't know if that's, you know, again, I don't know how deep and broad of a problem that still is, but at least in my experience, there's been some, you know, disconnects in who's responsible for what. Yeah, that kind of reminds me of like the OWASP Top 10, where you keep seeing the same problems, you know, every time they publish a new one, it's like seven of them are the same over and over and over again, because it just keeps being the same problem for like a decade later.

Speaker 1:

So, yeah, I definitely understand how that can continue, even though you're trying to do better. And I've noticed in environments, misconfigurations happen a lot. So that is definitely something to look out for, but it's good to be reminded of it and continue talking about it so people can try to do better and make their environment safer. Absolutely. Very nice. So your background: how did you get into IT? What was your start?

Speaker 2:

basically couldn't afford to keep going and so I started working at a small family owned factory and, uh, as, as a maintenance person of all things, and um, uh, you know, I I had a pretty big aptitude for all things mechanical and electrical and um, quickly moved into kind of project engineering where I was designing, you know, material handling, equipment and whatnot.

Speaker 2:

Again, this was like a 150 or 200 person company and the again this, keep in mind the context, right, this was like 1993 and PCs were not yet kind of common in business settings.

Speaker 2:

And so the IT person, they had a little mini Unix computer. The IT person was the owner's son and the owner was in the process of retiring and had to replace himself as the IT person and so I guess at some point expressed an interest in computers and so I took over maintenance of their legacy system and then I moved them to PCs and that was super exciting. I learned a ton because I was the application developer, I was the person that ran the backups, I was the person that pulled the cables and built the PCs and everything. So I learned an absolute ton, but it was more kind of a security generalist type position. And then I went to work for a little internet security, sorry, internet service provider in Michigan who focused on commercial customers, so they were like T1, like not residential stuff, and I went there to be a Unix administrator and quickly rose up the ranks. IBM bought, sorry, ISS, Internet Security Systems, bought that company and probably within the span of two years I was the director of IT at ISS.

Speaker 1:

Wow.

Speaker 2:

And then, a couple years later, IBM came along. It has been, I guess, I'll say. You know, I can never not remember being interested in computers. Like the first one I had was a VIC-20 when I was probably like 10 or something like that.

Speaker 1:

Yeah. So, it's just been in my blood for decades. Okay, great, well, that's awesome. So photography I'm noticing the picture behind you and it's reminding me of. You have a lot of great photos that you take and you've shown your work on TikTok and your flowers and everything. So what got you into that?

Speaker 2:

and what's your favorite camera? Oh goodness, you know I have had on and off love affairs with photography for quite some time. You know, we, we bought a film camera when, when we first had kids. This was a long time ago. My kids are, are all married and and whatnot now.

Speaker 2:

But, um, I got big into it in about 2010 and I just didn't have time and interest to keep it going and then, I would say, about four years ago, the bug bit me again and I really like taking pictures of flowers. Like, you know, I'm an imposter in the photography community on TikTok, because you have a lot of photographers who take portraits and they shoot weddings and that sort of thing, and I can't take a picture of a person to save my life. But I love taking pictures of orchids, of daisies, of, you know. We have a place at the beach down in Florida and I take sunset shots and whatnot. So that's really my jam. My favorite camera is, right now I have a Nikon Z9, which is a super big mirrorless. It's very large and because it's so big, I can hold it easy in my hands.

Speaker 1:

Very nice. That's so cool. Yeah, your photos are just amazing. I know you're saying you're not as great as some other people, but I've seen your pictures. They're incredible.

Speaker 2:

Thank you.

Speaker 1:

Yeah, absolutely so. Final question what is advice that you think people need to hear in cybersecurity today that are starting their careers? What's something you would like to share with the listeners here?

Speaker 2:

So I guess a couple of things. You know, cybersecurity is a broad field, it's almost as broad as IT itself. And so, you know, as someone who has a fairly large social media presence, I have lots of people asking me how do I get in, how do I advance, and whatnot. So this is a common question and it has gotten a lot more complicated in recent times with AI, I think, kind of throttling the demand for junior people or entry-level people. But they're still there, there still are jobs. It's just it's not as plentiful as we've seen. Budgets for security organizations are, for the first time, really starting to slow down and, in some respects, starting to shrink.

Speaker 2:

But for people, I would say, for people who are either just getting into it or looking to advance, my advice number one is, you know, networking, and I'll clarify, like networking from a human side, is super important in terms of getting jobs. Doing the resume battle is not very productive. It's a difficult way to land a job. If you're able to find contacts that can help you, you know, get your first role, that's going to be your most, you know, the most successful way forward.

Speaker 2:

I think networking, in terms of the technology, is also a super important skill set for any kind, any type of person. I think it's important for any person in IT, but in particular, for security, and I say that regardless of role. Whether you're a GRC person or a pen tester or an executive, it doesn't really matter. Having a deep understanding of networking is really, really important.

Speaker 2:

And then the third thing is, like I said before, finding a way to differentiate yourself, and whether that's by starting a podcast, writing a blog, starting a TikTok channel, doing something that makes you a recognizable name that people know you are, when their resume lands on, or your resume lands on their desk, that it's not a difficult choice, right? Every hiring manager googles their prospective candidates, right? What are they going to see when they google you? And that's what you really want to focus on. In my experience, you know, there's lots of ways of doing that. You know, contributing to open source projects. Again, you know, blogging, making videos. There's sky's the limit. But you know, become an expert to the extent you can in some aspect, because that is really what's going to differentiate you and help you not only land your first job, but also kind of go up the ladder as you progress in your career.

Speaker 1:

Wonderful. Well, thank you so much, Jerry. It's been a pleasure having you on the episode and for our list.

Speaker 2:

The pleasure is all mine. I really appreciate being here, thank you. Yeah, thank you.

Speaker 1:

And for our listeners, please make sure to like, comment and subscribe. Press all the buttons. All right, we'll see you next time.