Show Notes: Physical Security Consulting Lessons From the Field with Matthew Dimmick | Episode #19

Overview

In this next episode, I was honored to be joined by (the immensely knowledgeable) Matthew Dimmick CPP, PSP, CPD. He is a physical security leader supporting organizations as a consultant. He has broad experience from being an MP in the US Army, from supporting CBRN teams, and tons of experience in security consulting roles — which we’ll focus on today.

You’re going to love today’s discussion because Matt drew our attention to many less-common topics among security pros such as why design thinking and user experience are important for physical security project success. Or how mind mapping can help you prepare for your future career opportunities. And so much more.



Big Ideas from This Episode

  1. “Is your web strong enough to catch the next opportunity?”

    Consider creating a mind map of your skills & knowledge to understand where you’re strong, where you’re weak, and how you can fill those gaps to be an exceptional security advisor.
  2. To be successful as a security consultant you must (a) be a self-starter, meaning you have discipline and motivation, (b) be a lifelong learner, and (c) be adaptable enough to serve diverse clients. Excellent verbal and written communication skills are also required.

    If your job is to advise clients on how to protect people, critical assets, and so on, then you need to understand broad trends, new technologies, and the evolving tactics of adversaries.
  3. Develop meaningful relationships with people inside and outside of your organization — including those that work in different fields.
  4. Consulting work can be volatile, so consider having an emergency fund for times of uncertainty.
  5. Don’t be stingy with your knowledge — make an effort to help your peers and the security community.


RESOURCES MENTIONED


Use CONTROL + F to search the transcript below if you want to learn more!


Transcript from this episode (#19)

*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.

Travis  0:00  
So Matt, thank you for joining me here on the podcast today. I had wanted to talk to you for several reasons. But it's really because you're so active in the physical security community online on LinkedIn, on Clubhouse. And I know you just have a ton of experience when it comes to physical security projects in general. And I feel like myself and so many others out there have a lot to learn from hearing your perspective and hearing about your career. So thank you very much for joining me today.

Matt
I really appreciate that, Travis. And I appreciate you having me here today. And I'm looking forward to this discussion. Thanks a lot.

Travis
So to kick things off, I wanted to start with the fun hypothetical. So like, imagine I gave you a magic wand. And this wand gave you the power to change any one thing about the security and risk industry. If you had that kind of power, what would you change? And why? Is there anything that's top of mind for you?

Matt
That's a that's an interesting question, Travis. So

Matt  2:25  
I think, well, I guess first, just imagine how great the world would be if security, law enforcement, and emergency readiness wasn't actually a need. So if we can have a magic wand and get rid of the need for our profession, I think that that would probably be pretty awesome.

Matt 2:46  
That said, though, realistically, I think we need to bring more systems thinking into the security industry. You know, just an approach that takes a holistic look at everything, rather than piecemealing it all. So working from a vision, using mental models, understanding culture, and belief and, you know, having that define our thinking, and build our programs off of that. I think that's that would be what I would do if I had a magic wand because I would bring more of that thinking to people.

Travis  3:24  
That's really interesting. Yeah, to bring more systems thinking, like, I'm reading a book right now called Scrum. And it's like a project management style on the book. It's by like, one of the co-founders. And as I'm listening to it, there are like, so many ways that I could relate it back to current projects that I'm doing and past projects. And yeah, it all comes down to like having, like having a flexible system for approaching projects, and having to, like, incorporate and consider like all of our, like, all of the nuances of being human into the project, and like being able to adapt as projects go along. So I do think that's a really cool idea.

Matt 4:10  
Yeah, there's a there's another really good book to to look at. It's a very simple read too. It's called the Sprint book. And it came out of Google Ventures. And I just I find it's really, really great for problem solving. When you get down to it, Travis, it kind of really lays everything out in a very simple workshop style. Just maybe, maybe something for you to take a look at next, in your in your journey in project management.

Travis  4:41  
Oh yeah, I'll definitely check it out. And if it's on Audible, then there's like a 100% chance I'm going to read it or listen to it. Alright, so next I want to learn a little bit about the role that you do today. Could you share a little bit about your role and maybe like the typical types of projects you might work on.

Matt 5:02  
Sure. So I'm a senior security development manager for a company called STV Incorporated. And that's a, it's a national architectural and engineering firm. And we specialize in transportation systems, and critical infrastructure for the most part, so horizontal and vertical. Essentially, like yourself, a security consultant, just maybe a slight difference is that I'm fortunate enough to be involved in a lot of greenfield projects. So a lot of projects that are at their earliest stages of design. And I get to watch them as they grow and get implemented and kind of help shepherd them through completion. So that's, that's pretty neat. One of the things that I really like to do and, and I fill this role a lot is I get to be embedded with clients, and I assist them with ideation, problem solving, I do technology scouting for them, help them oversee procurement and implementation, or assist with program development. So that's, that's probably the most interesting part of my role is when I get to do those types of things.

Travis  6:25  
That's really cool. Yeah, that's interesting how you get to work? Yeah, across so many areas. And I've talked to other people working in architecture and engineering, like I remember, like I've talked to Shawn Aaron's in the past. And those all sound like really interesting projects that you all get to work on. And it's like, you mentioned, so being involved in the technology side, like helping find solutions, you're involved in security consulting side, you're working with the architects and engineers? Like, I'm just kind of curious, is there any? How do you manage your knowledge around these different areas? Like, do you? Do you use like a OneNote? Do you have like, lots of folders on your desktop? Like, how do you manage all of these different? I don't know, like, disciplines of thinking and knowledge, do you have any kind of system that you use?

Matt 7:16  
So I can, I can talk about that a little bit, a little bit later, too. But I do a lot of mind mapping, if that, if that makes sense. And so you look at that, that core area, and you build branches off of that, and then sub branches off of that. And it gives you a really good picture of how everything is interconnected, right? It's like this, this spider web of knowledge. And having that in front of you makes it easier to identify opportunities and identify considerations for improvement. So I use that. And then another thing that I played around with is, it's called Obsidian, which is like a second brain tool. And that would be similar to an Evernote, or OneNote, or any of those any of those types of tools. I haven't dug into that one as much, because I use it for studying and things along those lines. But definitely, definitely mind mapping is something that I've gotten into that and I put, I put just about everything into infographics that are easy for me to understand, and sometimes share those.

Travis  8:37  
Nice, yeah, those are awesome suggestions. I feel like it wasn't until like, I don't know, kind of like a little later in my career when I started to be more systematic about like how I'm saving time, like saving and cataloging, like information that I get from one course to another course or things that I'm just like researching on my own. So yeah, I just have like a fascination about how, how people collect and store all that information so that they could use it later. Like, especially when they're someone like you who's working on like, such diverse projects across different disciplines. So for me, that's fascinating. Next, I was curious to learn. So what did your career path look like leading up to your role as a development manager today? Like, was it a standard path? Was it something that kind of changed along the way?

Matt 9:29  
So is any career really a straight line? If, if my career is an example then then it's certainly not. So I think if we, if we look at kind of the sports analogy, right, there's, there's an audible right which is you call one play but and you see an opportunity down the field, right, you see an opening that you can exploit. And so you call this audible and take advantage of it. I think that that's been my career in a nutshell is identifying opportunities and taking advantage of them. One big audible for me, just as an example. So I was I was in the military. And I was a military police officer canine handler. I got to do a lot of interesting things, including protection details for POTUS and the Vice President, the Joint Chiefs of Staff, Secretary of Defense. And, you know, as, as part of that I was having a lot of discussions around weapons of mass destruction. And you know, some of the stuff that the federal government was doing in that space, and terrorism. So I went to the National Guard when I got out of active duty. And I went to the recruiter, because a friend's father of mine who was in the FBI, suggested that I learn Farsi and Arabic. And so that I went there with the full intent of becoming, you know, an interrogator to do interviews in Farsi and Arabic. And the National Guard recruiter actually laughed at me a little bit, and said, "We have no need for that in the National Guard." Now, you know, you think back that this is 1998. So, you know, we've had, we had the initial attack on the World Trade Center, right, but 2000, 2001 hadn't happened yet. And, you know, the whole world didn't change. And so I thought back on some of those, I guess, some of those trainings and some of the opportunities and some of the discussions, and I went with the US Army Chemical School. And when I went to Chemical School and came back, there was a program that was just starting in, it was called Civil Support Teams, or CSTs.
And they were basically the people that put on the funny suits, and go down and try to figure out what's killing everybody. And I put in my application for it, the team was only going to have about 13 people on it, initially. And I got I got lucky and and selected for it. So that took my attention, I took my field from law enforcement as a military police officer. And it kind of shifted it into emergency management. The other thing that it did, though, is it kind of taught me the value of self educating, and really diving into learning, because we were getting asked to do all kinds of stuff that, you know, typical folks at our level in the military wouldn't get asked to do, because there were so few of us. And so we were going in briefing senior senior officers. I helped develop the military support annex for the for the New Jersey State Emergency Operations Plan. We were just doing we were doing so much stuff. But there were no ready courses or ready classes to send us to. And so we were throwing ourselves in the books, we were throwing ourselves in the FEMA independent study courses. We were taking EPA courses in hazmat, anything we can get our hands on, to learn how to do what we had to do. We were pretty much on our own for the first for the first year and a half or so. So anyway, that's a quick, maybe not so quick. But that's one of the one of the audibles that I called was from law enforcement and interrogations and shifting more into that emergency management space for a little while.

Travis  14:05  
Yeah, and I feel like you mentioned, like, seeing the value of self education. And I feel like in the security industry, it's so much more important to, since the security industry is less mature than other industries, really, self education is I don't know, I think it's like one of the biggest factors for someone being like a valuable contributor to the projects that they work on. So I think that's a really cool lesson to learn so early on, that translates greatly in security.

Matt 14:40  
I have to agree that that is something that you will benefit from, from the moment that you learn it. It's hugely, hugely important to be successful. Right. You've got to keep your nose down and keep learning.

Travis  14:57  
Yeah, I couldn't agree more. And so you mentioned how you had one of your early roles was working as an MP. Were there any other early or late influences that got you down the road to working in security? Or was it just having worked as an MP and that kind of got you down the path?

Matt 15:21  
Well, so I mentioned some of the influences already, but it was, you know, so my, I had some very good friends very close friends when I was younger. And I spent a lot of time with their families. One, his father was a Special Agent with the FBI, he worked at the bomb data center and a bunch of other places, and led that and another was an NYPD detective, right. So that was that encouragement, or that, that influence that made me initially choose going to the army and choosing going into the military police field. I think when we look at at, you know, that mid career influence, so and maybe not mid career, it was still probably early in my career now, but I think of it but September 11, changed a lot for me. So I first went up as a response with the Civil Support team as a guardsperson. When my time ended with the guard, I was I was working my my actual job. My day job was a DOD police officer at Fort Dix, civilian police. And I left that to go do a FEMA contract, basically, at Ground Zero, to assist with the response and recovery from those attacks in New York City. And, you know, I was there, I was there a lot, I got to know a lot of people. But one, one thing kind of sticks out in my mind from that period. So I remember I was working at the Family Assistance Center. And it was Christmas week. And they were bringing kids in. You know, when the little girls were getting Barbies, most of the boys were getting Legos and things along those lines, that were all all donated. And I had an explosive detection canine at the time. And so these donations would come in, or the teddy bears that were placed along the wall, they would come in the memorial wall with all the flowers, boxes, and everything else that was dropped there, all of that stuff was being searched regularly. In case there was another attack.
And I remember, a boy approached me with his mother, of course, and the boy was probably about the same age as my little boy at the time, who's now who's now all grown and off in the Navy, serving the country. And, you know, the the boy came up, and he just he wanted to pet pet the dog. And you know, so I let him, let him pet the dog. And he and his mom were there. And I remember they went to, to leave. And the boy asked his mom, you know, kind of innocently, if daddy would be home in time for Santa. And your mom got visibly upset as they were walking away. And that kind of stuck with me. And I kind of decided at that point that one of the things that I wanted to do was try to prevent that from happening again. And I was going to, you know, kind of start working towards that goal. That makes sense.

Travis  19:00  
Yeah, that does. Wow, yeah, that's a that's a really tough story. And I can think like, even even to like the peers that I've worked with, so like I was an MP reservist in the Marine Corps, from like, 2009 to 2015. And I feel like so, myself included, and so many of the other Marines around me, at least the MPs, like so many of them were influenced by the 9/11 attack, and we're all a bunch of Californians, like we're 2000 plus miles away from the actual incident, you know, didn't actually see anything except what was on TV, what we read in the papers, what the culture had around us, but I feel like that just had like such a wide ranging impact on like, I mean, on everyone on your cohort on like my cohort who was like, and like I don't know, for fourth grade when it happened? Yeah, it's just amazing. The impact and the influence that one event has on an entire generation. So yeah, I, I can definitely relate.

Matt 20:14  
It's certainly changed the playing field at the end of the day, so that was an audible that we didn't call on ourselves. Right. But it changed the direction for a whole lot of people for a very long time.

Travis  20:29  
Yeah, yeah, it definitely did. And then, as we think, as we go back to your career, can you share? Like, can you share how a failure or an apparent failure has set you up for a later success throughout your career? Like, do you have any favorite failure that you've encountered over the years?

Matt 20:51  
Interestingly, I'll go back to the Civil Support times. And who would have thought that learning chemical weapons and biological weapons and emergency response would take me to Wall Street. But it did, I ended up going to, you know, fast forward from 9/11, and, you know, working the canines, and, you know, going down to Fort Dix and training soldiers before they deployed, you know, around 2005 or so I got a, I got a call about a team that AIG had formed, that needed CBRN or chemical, biological, radiological, nuclear specialists to provide emergency readiness for their home office, which was about five, maybe seven buildings in downtown New York. And so I threw in an application, you know, wing and a prayer, one of those things where I barely met all of the qualifications, I think there was actually a few that I didn't meet. And, you know, I didn't really expect to get a phone call back, but I did. I went up had a couple interviews. And before I know that I was, in my, I was in my mid 20s, with my first job on Wall Street. And, you know, that was, it was quite a ride. And, you know, while I was there, I did all kinds of interesting things from the Emergency Readiness portion to I took over offshore security compliance, so I had 1500 locations, and 129 different countries that I had no responsibility for. We were just, we had the opportunity to do a lot of really interesting stuff. And then the 2008 financial crisis happened. And, you know, I, I found my roles and responsibilities shifting from global compliance to, you know, more of the emergency medical role that we were there for some psychological emergency response for people that were losing pretty much everything. And then I found myself being one of those people who, you know, not long before Thanksgiving, that year, was also laid off. And if you haven't been through one, you know, getting getting laid off kind of impacts a lot of things. And one of those is is your, you know, your ego, right?
It's your ego, it's your identity, right? It's all everything is kind of focused around that. The other thing is finances, which we'll talk about a different time. But all of those things come together, and you feel like a failure. Right? And we're seeing a lot of that, you know, today, in today's economy, right, where things are changing, things are shifting, you're seeing more and more layoffs. And you're seeing that feeling of you know, a layoff is a failure. But what I found is that it's really not. It's not personal, right. And I think once you get past it being personal, then you have a chance of making good things out of it. So I took some of the things that I learned while I was at AIG, I I learned the importance of doing risk assessments and I did them in a few foreign countries. I learned compliance work and said hang up, setting up programs and stuff. And I was able to turn that into a consulting business with an organization that I was that I was working for already. And so, you know, my bump was not as bad as some, if that makes sense. So you try to look for the positives in those things that you view as failure. And over the course of, gosh, I've been doing this probably over 25 years. Over the course of that, it's almost like the, you know, the stock market, you have that volatility where things drop, but eventually, it continues to make its way up. And I think a career is very similar. As far as other failures, right? So think about, like innovation. Right? So failure during innovation is critical. And I absolutely love it, right? I, I really like failing when I'm trying to do new things. Only because it means that I'm pushing boundaries that other people may or might not be pushing, right. So if I'm, if I'm trying to technology in a new way, and it doesn't work, then I know that I've pushed that technology as far as it can possibly go, or as far as my understanding of it can go.
And so either I have to increase my understanding, which leads to learning, which just is a great outcome. Or I know what that technology can do and what it can't do. So I can recommend it or not, depending on what a client's need is. So that's my, my view of failure during innovation. And in that space, probably one of my favorite ones was it was probably back in 2011 or so I took a VGo virtual presence robot, or virtual presence machine, it was a telepresence robot. And I had this crazy idea to use it, to check people's identification, to patrol hallways, and to serve in security operations centers, right. So I thought, well, you know, we have a few crisis management people, but we can't be at all of our clients sites. What if we had these robots that could drive around and assist if there was a CBRN incident going on, for example? You know, or if there was a bombing going on, or if there was whatever. We could support a lot of people by doing that. And I thought it was a great idea, right? I was like, wow, this is this is going to be so cool. And so I went out and I got a VGo I think it was like $5,000. And I would sit in my, I would sit in my office or sit at my home. And I would drive this thing around the the offices, and I got a lot of interesting feedback, right. So I got some feedback that it was really creepy to see my face driving around the office. You know, some people just didn't like that particular aspect of it. You know, some of the clients that that saw the demonstrations and stuff and had the had the briefing, you know, didn't see a benefit coming over the coming over the regular phone, right, like so. Why can I just pick up the phone and call you Why do I need this thing was some of the feedback. And then there was some there was some more technological ones, like one of the clients we tried to set a demo up with had stadium stairs in their SOC.
And so our robot could only help one level out of three in the, in the stairs, another you needed elevators to get to it. And so where we would have the robot docked, it needed somebody to help it up the elevator. So these are the things. These are the failures, I guess that you don't really think about when you're trying to apply technologies, until until they actually present themselves. Now, for that one, we never got to a viable product. So we never got to something that we were able to sell. But I look now 10 years later, and robotics is just starting to come into its own. And so even though it's a failure, I take the early innovation, kind of as a kind of as a win too.

Travis  29:57  
Yeah, that's so funny because now you see companies like Knightscope that are raising millions and millions of dollars to do something very similar to have robots that are doing patrols and that are feeding information back to GSOC. So, yeah, that that's interesting that you were testing it like that early on.

Matt 30:17  
Yeah, I just wish we had LiDAR, like back then that would notice the stairs, right? There's a, there's a robot too. And the name is going to escape me. But it delivers like toothbrushes and stuff to hotels out there in California. And it, it, they integrated access control with the elevators, for the robot. So they even figured out the robot problem, right. So there's just some really smart people out there that come across these problems and solve them pretty quickly. Which is, it's just amazing.

Travis  30:53  
Yeah, that's a really cool idea. And get, and I'm sure, I'm sure the robot that you had going around their offices was more tasteful than like a Boston Dynamics robot going around their offices. That's just Just what I would think initially. But you mentioned innovation. And as I thought about that, like innovation and the need for failures, that kind of reminds me, I saw an interview with Elon Musk, I think the interview is probably like five or more years old. And they were talking about oh, like, this rocket blew up, and that rocket blew up. And he was like, well, that's part of the process, these rockets, the first several are supposed to blow up, and we just learned from them. So kind of like just accepting, there's going to be failures, and to just bake that into the process and to make learning and refining. To just make it part of the process and to get the greatest benefit from it. Also, you mentioned getting laid off. Like that's something that's very timely. And I saw a post a while ago, I think it was from Meredith Wilson, the founder of Emergent Risk. They're like intel, like strategic intel company based in Dallas. And one of the things that she mentioned in her post online was that the only reason or like one of the big influences in her starting her company, which is very successful, and looks like it's growing dramatically, was when there were layoffs back in the day when she was working in the I think was the energy sector. So yeah, it's very possible that many people in the security industry today that are getting laid off, that might be great influence to to like to influence them to start their own their own consulting business. So yeah, out of something so horrible, like getting laid off, especially around Thanksgiving and Christmas, you know, something good can still come of it. So I do love that point that you make.

Matt 32:57  
Yeah, it's, again, it's, I think, probably the most important thing. And it's difficult. But the most important thing is realizing that it's not, it's not about you, per se. I mean, I was one of 63,000 out of 106,000 that eventually got laid off. You know, that is a that is a huge chunk of the population. And, you know, so understanding that somebody else's view of your value is in what sets your self worth. I think that's the critical thing to understand when you're going through that.

Travis  33:44  
Yeah, that's an excellent point to keep everything in perspective, because I think it's easy for us to, like, tie our identity to our jobs. So just being able to put it in perspective, and then also having like, a network of people around you to help you when you're going through tough times. Yeah, that's just so important. Next, so I wanted to ask you this. So there's lots of young and aspiring practitioners listening today. What advice would you share with them when it comes to pursuing roles that are similar to yours? Like, what kind of advice would you give to someone that was interested in pursuing security consulting?

Matt 34:24  
So there'll definitely be a few recurring themes, from you know, the rest of this conversation that come up in this but, you know, if you want to be a good consultant, probably one of the biggest things is that you need to be a self starter. That's only really second to being a lifelong learner. So you need to stay up to date on the threats on trends, there's emerging technologies every day. There's new methodologies or processes that we have to try to keep up with and And the business environment changes consistently around us, right? So every time we think we have a plan for protecting stuff, the environment changes around us. And we have to modify that plan, right, we have to take another look at it. So understanding those things, and bringing those into focus is really important if you want to be successful. I mentioned mind mapping, right? I told you, I really liked mind mapping. And so one of the things that I tell young professionals is to start to lay out your knowledge, skills and abilities in a mind map and get a picture of how many branches there are, and how many sub branches there are. And you start to think of it like a, like a spiderweb. And, you know, my statement before about is your web strong enough to catch the next opportunity. I think that that's, that's a really powerful tool, right mind mapping your knowledge, skills and abilities, right? So you do that. And you can understand not only what you know, but what you have to learn what your gaps in your knowledge are, if you want to be a good consultant. And then the other thing, the last thing that I'll tell anybody who's getting into the consulting profession, and I've learned this the hard way, a couple of times, 2018 one of them, but if you're going to be a consultant, you need to build up a solid emergency savings fund. And, you know, I'm not licensed to give financial advice or any of the other stuff that should actually be said, as a disclaimer for that.
But I think just common sense of having an emergency savings fund, particularly in a career, that's, that's volatile, right. So sometimes you're you know, sometimes you're on top of the roller coaster, getting ready to go for a really fun ride. And then other times, you're just kind of there clicking up the hill, you know, hoping that eventually you're going to get that get that other bite at the apple, right. And during those lower times, having the emergency fund behind you or having that built up and having that in a solid place makes the stress of not having billable work, or of not having the next client coming in the door. If you're an independent, it makes it a little bit better, it will alleviate some of that stress. Because consulting can be very stressful if you don't have that backstop. So those would be my three main points.

Travis  37:51  
Yeah, those are all excellent points. And like, it's funny, you mentioned having an emergency fund because I feel like even in in in house roles that I've held over the years, having having like an emergency fund, I don't know, maybe three, six or more months worth of expenses in cash, just gives you like a little more peace of mind. Like for example, maybe you're like a residential security agent working for a high net worth family, it's pretty easy to get fired. If you do one wrong thing or make one poor decision, you might very well just be out of a job. Like if someone doesn't like what you did, or even in other roles where maybe, maybe I was just like sick of the role and needed to do something else, where I just kind of like, left the job, take a break, because I had that emergency fund and then took my time finding something else that was more useful, or like more, really more useful in terms of like directing my career. And then you know, it even gave me time to like go study for another cert. So yeah, I do love that. And then especially being in consulting where it is more volatile. That's something that's definitely essential. And so I I love that advice. Thanks.

Matt 39:11  
I appreciate that. Yeah,

Travis  39:12  
and you touched on this a little bit, but I'll ask anyway. So are there any? Are there any specific competencies or skill areas that you think are critical for people that want to be good consultants? Is there anything that stands out to

Matt 39:31  
design thinking and problem solving? Top of the list, right? Understand that you need to start with the start with the end in mind, right where you want to go? What's the vision, if you don't know the target that you're trying to hit? There's no way that you're going to hit the target, right? Taking a user centric approach to things right, which a lot of times people don't consider the user which is why we get things like, you know, the 20 pound weight sitting by the exit door. Because, you know, it's easier for the users to go that way to get to the smoking area than it is to go out the front door and go through all the access control, right? And so when we're, when you're thinking about those things, you bring journey mapping into it, right? And so a lot of a lot of consultants look at it from the adversarial perspective, which you absolutely have to do. But you also have to, if you're going to be doing design work, you have to do it from the user's perspective and do their journey map, right? So how, if you're a user, how are you going to interact with the security system that you're designing and design it so that there's less friction, but not less security, I think is probably the trick. One of the other things is strong written and verbal communication skills. You just, you just need them, you need to have the ability to speak publicly, you need to have the ability to communicate your message clearly and concisely, whether that's verbal, whether that's written. And you need to keep your audience engaged. And hopefully, we've done a little bit of that here today. And then I think just taking it back to our other earlier parts of the discussion, it's the ability to learn and adapt to new circumstances quickly. If you're a consultant, you're going from, I mean, your typical projects, I don't know about you, Travis, but how long do your typical projects last?

Travis  41:38  
Well, it might be an engagement, that's three to four months, it might be six months, it could just be an ongoing project where, you know, it's going longer than a year.

Matt 41:51  
And so it's, but it's never, it's never a very long term, right? It's like you're being thrown in different pools all the time. And you have to learn how to swim in that particular pool each time you're thrown into it. And I think if you want to be a really good consultant, that's a, that's a skill that you have to learn really quickly, is how to how to swim in new pools all the time.

Travis  42:16  
Yeah, it's funny, you're the first security person I've heard talk about journey mapping. Because like, I've definitely heard in the context of like, user experience design, like understanding the path of clicks that a user might take from. They think of, they think of whatever tasks they're trying to do, and then going all the way through completion. But yeah, I love the way that you explain it when you talk about one of the users going through the security system, like starting from the outside or starting from the interior, and like each, each device and system that they might come in contact with during their journey from inside or outside of the building. So I do love what you mentioned there. And then yeah, in like a broader way of just user experience. It's just so important in so many contexts, everything from the way that we produce reports to the way that we communicate information and presentations to like how things get implemented in real life versus you know, what, like, vendor might explain to us at exhibit hall? So, yeah, I do think user experience is so important and design thinking. So yeah, those are, those are awesome things to think about.

Matt 43:36  
Yeah, it's also it's also a customer experience, too, right? Because if we're, if we're internal security, or we're proprietary security, we have customers just like if we're a consultant, who has customers, and I think it was it was Maya Angelou, who said, people will forget what you said, people will forget what you did. But people will never forget how you made them feel. And that experience is how your, your consulting makes people feel right. Your clients at the end of the day, they're looking to be heard. They're looking for guidance that aligns with their vision. And they're looking for value that exceeds the cost to get it. And, you know, when we start to apply that thinking to everything that we're doing, whether it's the user or whether it's the customer, you realize that you're not the center of the universe, or the smartest person in the room.

Travis  44:35  
Yeah. And just out of curiosity, when it comes to design thinking, Are there any particular organizations that you follow? Like, I don't know, like maybe Interaction Design Foundation or, or maybe like some other thinkers out there that you've found to be useful?

Matt 44:55  
I'm a huge fan of, not to plug them but idea And then there's also an I think you could actually, you said you were studying project management. So I think you can actually get it through the Project Management Institute, there's a group that does a thing called wicked problem solving through through PMI. And they just they have some really interesting concepts how to how to do it. My favorite of all time, I think I mentioned it before was what came out of Google Ventures, which are design sprints. And it's, it's a really accelerated process that, you know, cuts out a lot of the nonsense just to get to the good stuff. And, you know, I've I've actually taken some of their stuff and adapted it to security workshops that I do to help people work through some of their more complex problems in a much faster way. So those would probably be a few right? Idea, wicked problem solving, and the sprint book.

Travis  46:09  
Awesome. Yeah, I will definitely have links to these in the show notes so that people could also jump into them, too. Yeah. And you mentioned another, like, really important skill, which is kind of like facilitating discussions and conducting, like interviews with the clients that we're serving, because there's definitely an art to it, there's, like, there's a very bad way to do it. And there's a very good way to do it. And it takes, it takes a little bit of like experimenting and time to get better at the interview process and in like, facilitating and directing some of those meetings to so that's, that's also just a huge skill in itself as well. And you mentioned one book so far, you mentioned or you mentioned, a couple, one of them being the Google sprint book, are there any other books that you've found yourself recommending over the years, the most,

Matt 47:06  
over the years, the most? Probably, from it from a general security awareness standpoint. And I've recommended it to colleagues, I've recommended it to friends. I'm not associated with the organization. But The Gift of Fear from Gavin de Becker, that's just chock full of good advice and information, particularly for for women who are trying to navigate the society as it is today. You know, that is one that I that I really highly recommend. I think early on you and I may have had a discussion about Design and Evaluation of Physical Protection Systems from Mary Lynn Garcia. And how it it fell off of the radar of the PSP from ASIS, but it's still one of the even though it's a little bit older, at this point, it's still one of the best books for understanding physical security and how those systems should be, should be laid out. And then a couple more recent ones, The Smartest Person in the Room by Christian Espinosa. So really good book, particularly for consultants, because we, we tend to often run into that thinking of, you know, what are the potential thinking of being the smartest person in the room. And then Maxie Reynolds did a book called The Art of Attack, which gets into attacker mindset and that whole adversarial thinking the other side of journey mapping, that adversarial thinking side that is really important when you're doing when you're doing security work. So I know I rattled off more than more than one or two, but those are those are some of the ones that I found recently that are that are pretty good.

Travis  49:04  
Yeah, that's good, the more the better. The Gift of Fear I loved like, I think it's, I think there's no book out there that's better as like an introduction to thinking about security in the context of just your everyday activities. So I do love that one. Yeah, the physical security book by Mary Lynn Garcia. Also another really good one I thought compared to like some of the ASIS materials. I like her books, I think it lays it lays out physical security and like a more digestible way and like, like more of a logical flow. So I do. I did really like her book and off to check out The Art of the attack or art of the attacker. Yeah, that sounds like another really useful one for thinking about. Yeah, how we're designing systems and how different vulnerabilities can be exploited. So

Matt 50:02  
yeah, that one that one, it's by Maxie Reynolds, it is available on Audible. You mentioned you like Audible it is available on Audible. And, and it talks a lot about the that attacker mindset and, you know, gets into social engineering and your way to, you know, like the simple things like carrying a handful of boxes and walking up to a door and somebody's going to hold the door for you. You know, those things like that, that we, we kind of repeat, often, but she frames it really nicely in the book.

Travis  50:35  
Awesome. Yeah. And I'll have links to all these. And thank you for the recommendations, I will check them out for sure. So moving on, I was curious to ask, are there any bad recommendations that you've heard people give security consultants or security practitioners over the years that you think listeners should maybe avoid? Like, are there any bad recommendations

Matt 51:00  
in terms of, you know, people, whether they're entering the field or whether, you know, whether they're giving, whether they're giving bad advice? I have heard a couple leaders say a very simple phrase, that's not important for you to know, right now, when they were asked the question. And I think one that's that slightly poor leadership, right? If you're, you know, if you're in the if you're in the heat of things, you know, maybe it's, we could talk about that a little bit later. But if you have someone who's young and motivated and trying to learn something, rather than rather than discourage it, just point them in a different direction, right. Point them to a resource, encourage them to encourage them to, you know, research it rather than shutting them down. Right. So I don't, I don't really like to see. See that. In leaders, and I think we're getting better with it. Right. I think, you know, as, as the years have gone on, people have started to understand a little bit more, that, you know, real leadership is about the people more than it is about the position. And I think as that shift settles in, we'll see less and less of that more dismissive. You know, you don't need to know that type of approach. So hopefully, that, hopefully that makes sense.

Travis  52:40  
Yeah, that does and, and that relates back for when I was doing my grad program a couple years ago, one of in one of the classes we had to interview, like, essentially interview experienced practitioners in whatever it is, in whatever type of roles that we'd like to be doing in the future. And someone connected me with like a senior manager for a very big technology company in Austin. And I had a chance to chat with them. And one of the big takeaways from my conversation with them, and they were like a super senior director, they mentioned that, like, very early on in their career, everything was about developing, essentially developing, like tactical skills for themselves. And then, as it got later in their career, they had to place much more emphasis on people and developing, just developing all people's skills when it comes to communication when it comes to coaching, when it comes to facilitating group discussions, or even like, correcting people, that sort of thing. So yeah, I really do. I really think that advice is very practical. And I think it's something that like many people, including myself, like early on in our careers, we may not spend a lot of time on, but that is so valuable, really throughout the course of your career. And then, especially when you get into more leadership roles.

Matt 54:13  
Yeah, I think you're I think you're absolutely right, and whoever you, whoever you spoke to hit, hit a really good, hit a really good point. At the end of the day, our collective intelligence is higher than any one individual, right. And so engaging your team, you know, getting everybody, you know, pulling in all of your stakeholders. It's just it's absolutely critical. And it's good to hear that while you're going through school, you got introduced to somebody who actually presented things in a good way. So that's a that's great.

Travis  54:48  
Yeah, I think that was like one of the most useful exercises I one of the most useful exercises I did in that program because, yeah, it just forced me to go out to talk to experienced practitioners and gave me an excuse. Because it's like, sometimes you might not feel comfortable just reaching out to someone who's like, much higher in the hierarchy, so to speak. So that was that was really enlightening. And that kind of connects with my next question, which was, like, as younger professionals move into more leadership roles, how do you see our industry changing? If, if it changes at all? Is there anything that comes to mind for you?

Matt 55:32  
So how will the industry change, we need to, I guess, look at the next few years and things that are going to impact it right. So when I, when I sit back and look at it, I think there's two schools of thought. One is that, you know, with increased crime and everything else, security is going to expand, right, it's going to, it's going to balloon a little bit, I more see a net decline in terms of the positions that are available for people. And, and I also see challenges with people willing to take physical security on as a career path. And so the two should hopefully work themselves out, right, as fewer people want to enter physical security, the impact of the physical security positions getting reduced, might might not be as notable, right, it might not be as big. And I think those people coming into the career path that are that are motivated for it are going to be coming into a more converged environment. So I think cyber physical security, resilience, all of those things are going to keep gaining steam. And the humans, the young professionals entering into that security path are going to have to understand how to work with or be supplemented by technology. Right now, ChatGPT is a big thing, right? It came out, came out what like two weeks ago, and there was other ones before GPT, that ones are seems to be the one that has taken off. But you know, when you start looking at the capabilities that something like that has, you have to really start looking at, you know, knowledge workers in general, and how, you know, how we proceed in the, in the future, when, you know, those those facilities are, are available, right, or when those those systems are available. And I really think it comes down to growing your knowledge, so that things that are either produced or implemented by those types of technologies, you're capable of reviewing them for, for quality for accuracy for, you know, if it's the most effective path.
And for things like, you know, creativity, right, like, AI doesn't, isn't creative. Human beings are right. So I think the security profession is going to start to head in that direction. And that's where the most successful people will probably start to focus is that, you know, that overall approach, the other thing that that I'm kind of seeing, and I think, you know, we're gonna see a lot of benefits from it. But the, you know, diversity and inclusion that's going on right now in the industry, the push for that. But I'm looking at it more from just the greater diversity of thought, that's going to come from bringing all different types of people to the party, right, you're bringing, you're bringing in all of these different perspectives now that we didn't have before. And so where we were an industry of a lot of a lot of law enforcement people and military people, not that that's a bad thing. But by bringing in folks who haven't had a similar path, I think we'll get a lot more creative projects coming out, I think we'll get a lot more diversity in thought, and we'll get better solutions at the end of the day. So if I had to, if I had to forecast things over the next few years for younger professionals, I would say that those are probably some good points to follow or to look at.

Travis  59:44  
Yeah, I completely agree. It's funny, like you mentioned diversity of thinking and right now I'm working my way through this audio book about project management about Scrum in particular. And as I'm listening to it, the author's talking about like all the is like all these historical historical teams like recently, and then maybe further in the past, and like how they were approaching projects like everything, from NASA, to Google, to Amazon, to software development at Salesforce to like, all these different projects. And it's funny, as I'm listening to the book, it's given me lots of ideas about some of the different applications in the different security projects that I work on currently. And even though it's something that's very different, it's like project management style for developing software. It's something that, you know, he's giving me some great ideas for the projects that I'm working on today. So, yeah, I definitely see diversity of thinking being huge there. And then also, like you said, like the growing emphasis on being more familiar with information security, or different information systems. And yeah, I think luckily, for like, Gen Z, and millennials, that something that kind of that they kind of just like absorbed from being involved in the culture, they're kind of like natives when it comes to technology. So that should be something that's easy, easy for them to catch on. But also, that might be a little bit of a challenge for others, too. But luckily, there's so much educational content out there that's free or just incredibly cheap and incredibly available. So hopefully, that should be, you know, very easy for all practitioners to get access to.

Matt 1:01:35  
Yes, it's funny that you say that, though, because there was a, there was an article last week about Gen Z and millennials and technology. And it was a report basically, that they're more likely to click on phishing links, which I found, I found really interesting, they grew up around technology, they know that the risks are there. But they're more likely to click on phishing links than some of the other folks, you know, across the generational spectrum. So I guess with all of that technology being around all the time, we tend to not look at it as from a risk standpoint as much, maybe, is the reason.

Travis  1:02:23  
Yeah, that's an excellent point, too. It's funny, I stumbled across. I forget the name of the company, but they were doing research around social engineering and generations. And yeah, they found something very similar, where, essentially, younger generations are far more likely to be deceived when it comes to like, when it comes to email and interactions on their computer, versus older generations, which were much more likely to be deceived. Over the phone. So yeah, I just thought that was something really interesting that you know, even the attackers are kind of like categorizing their victims and choosing, like different mediums based on research, where they know what works and what doesn't. So, yeah, I just think that part's really fascinating.

Matt 1:03:15  
It is, it is great stuff.

Travis  1:03:17  
Yeah. And as we wrap up our session today, were there any other topics or any other items that you wanted to share?

Matt 1:03:28  
So I think I think throughout the, you know, this session, we kind of covered a lot of them. You know, you'd know, my feelings on security, design thinking, you know, hashtag security, design thinking, go and jump on that. Running workshops, and the importance of that being willing to learn. And then I guess the last thing, and, and you and I have talked about this before too, is, you know, for the folks who have been doing this for a while. It's not really secret sauce, right? It's Don't be stingy with your knowledge, right? So you acquire all of this knowledge over time, and you pack it away, and you never share it with anybody. And then eventually, it just goes away when you do. And I've kind of taken a different approach of, you know, nobody really owns knowledge, right? And so, try to just try to share it a little bit more, you know, and on that note, I'll probably be putting out a few more graphics. Next year in 2023. And, you know, after today's talk, I might even, I might even put out a couple of mind maps to to go over some of the stuff that we hammered through Travis. So cool.

Travis  1:04:46  
Yeah, that could be a really cool resource, just so people could also get, like some insight into how you approach like structuring your mind maps and looking at it. Yeah, I think that'd be really cool. Oh, um, yeah. So Matt, I really appreciate you sharing your time with me today. We covered some really cool topics, I think highly applicable. And maybe, I don't know, I just feel like security people may spend far less time thinking about some of these ideas because they're not in like, I don't think design thinking or mind mapping. I don't think those typically fall into like, I don't know, any of the security organism, the typical themes of what the security organizations talk about. So I hope people can take away take away some interesting themes to go dive into after the podcast. So some of them were, you know, user centric design systems thinking, applying mind maps, like you mentioned, seeking projects where you can contribute knowledge to some of your peers, which I'm trying to do here as well. Yeah, and then so many others, which I'll try to summarize in our show notes. So Matthew, or Matt, I really appreciate you sharing your time with me today. And thanks a lot for joining me.

Matt 1:06:10  
I was thank you so much for the opportunity. It was a pleasure. And I know you haven't been doing this that long. But you do a very good job of the interview. So I appreciate working through this with you. So you know, thanks. Thanks for the journey.

Travis  1:06:28  
Thank you. I really appreciate it, Matt.
