Jonathan Kirby

Instructor Spotlight: Jonathan Kirby

Get to know Jonathan Kirby, SANS Associate Instructor for the Cloud Security curriculum.

February 22, 2021


1. What was your journey and/or catalyst that led you to cybersecurity? Why did you decide to be in this field? Tell students why you chose this career.

What is my cyber-superhero origin story?

After completing my bachelor’s degree in Criminal Justice, I started my career in retail and hospitality management. (I know... criminal justice and hospitality management have nothing in common).

I worked as a store manager for a coffee company and as a hotel manager. I then worked for a software company that made software for hotels where I was a Customer Care Manager and led high-profile customer relationships and escalated support teams. This is when I became more interested in tech and actually wanted to work in tech.

From there, I moved over to Best Western Hotels & Resorts where I worked as an IT Business Analyst. I supported the interface that connected all of our individual hotels to the corporate office. I also helped hotels with connectivity issues and discrepancies between their local property management systems and HQ. If you booked a reservation with Best Western, your reservation went through the interface/connection that my team supported.

I got to work with our corporate help desk and IT Operations. I learned about ITSM (ITIL), computer networking, and enterprise-level network operations. I learned about software development and what all goes into “making the sausage.” I also learned about PCI and all of the security requirements that support PCI-DSS.

At that point, I was 10+ years post-university, and I had a good job that I should have been happy with. I was doing good work for a company that I supported and believed in. But I was unsatisfied with my career and career outlook. Put another way, I still had no idea what I wanted to do when I grew up. I just knew that it wasn’t what I was currently doing.

I was taught “the ways” of Servant Leadership early on in my career, and one of my early leaders told me, “It is never a waste of time to invest in another human being.” From that point on, I knew I needed to do something where I could train, coach, and mentor others. I just didn’t know what specifically I wanted to do.

I had studied psychology a bit in college, and I had always been interested in human behavior. So my first thought was Human Resources, but I also studied Criminal Justice, and many times growing up I dreamed of leading special forces teams and/or doing investigations and detective work.

While doing career research for jobs in tech that I might be interested in, I came across Information Security. I had never heard of Information Security before, let alone the possible career opportunities.

I quickly realized that Information Security seemed to check all my boxes. This is an area of “the tech world” where I can do good in the world to help keep people safe. I could respond to incidents, do investigations, build “safer” stuff, and I could even maybe break into companies’ facilities and/or networks just to see if it could be done and it would be legal. That all just sounded like the coolest thing I had ever heard of!

So I started to work with our corporate Information Security team where I could, and I set out to learn everything I could about information security.

I learned basic programming stuff online, as well as A+, Net+, and Security+. I also did the SANS Cyber Aces (https://www.cyberaces.org/) free courses, and learned about Social Engineering and the "human" side of security. Once I earned my Security+ certification, I was able to get a job on our Information Security team as an Information Security Analyst.

After a year or so as a “general” security analyst, I decided that I wanted to focus my career on helping builders build more secure stuff. Specifically, I want to help software developers build more secure applications, and I want to help cloud engineers & architects build more secure cloud-native systems.

At that point, I started learning everything I could about AWS, cloud, and application security... and I haven’t looked back.

2. Please share professional experiences/skills outside of the classroom that shows your expertise in the subject you teach. Why are you uniquely qualified to teach for SANS?

I have been working as a Cloud and Application Security Analyst/Engineer for about three years, almost completely in AWS and other SaaS applications. During this time, I also created governance, risk management, and audit/compliance programs. Prior to that, I worked as an Information Security Analyst for a top hotel brand. I’ve studied and worked in almost every domain of information security.

In addition, over the last 10 years, I’ve worked side-by-side with software developers, network and system engineers, IT Operations, and support. And I’ve also worked with business operations, sales and marketing, finance, and leadership. Throughout my career, I’ve been working to really understand the perspectives of all these different business units and understanding how they all need to work together to achieve common goals. Common goals being the overall success of the organization.

I understand that “Security” needs to be an enabler for “business”, not a roadblock. I coach people to look for more secure ways of doing things, versus telling people “no”.

With Cloud Security, in general, but specifically with DevSecOps, culture and collaboration must be a part of the program in order to achieve success. I understand the different perspectives and goals for each of these groups and what is important to each of them to succeed. I bring that perspective to my teaching.

3. What has been the highlight of your career so far? Speak about an experience(s) that validated you chose the right career (success in cracking a case, former student success you were part of as an instructor, etc.)

This is it…. the opportunity to teach for SANS is the highlight of my career so far. The ability to make an impact in Cloud and Application Security on a global scale. It’s kind of a big deal. :-)

That said, I believe that I am still in the early stages of my career, and there’s a lot that I want to do.

4. What made you decide to become a SANS instructor? When? Tell your students why you chose SANS.

I don’t think there was one thing that made me decide to become a SANS instructor. Once I had identified Security was where I wanted to focus my career, I think it was always the “thing” that I would aspire to be. Regardless of whatever career path I chose, I always kind of had the idea of being a SANS instructor.

It was this time last year at SANS San Diego 2020, where I facilitated for the first time for Frank Kim and MGT512: Security Leadership Essentials. I got a behind-the-scenes look working and speaking with the instructors, the meeting coordinator, other facilitators, and all the students. And, I got to experience how all that works together to “make it happen” to be a great experience for everyone. That’s when I knew it was something I wanted to be a part of.

Then I took SEC540: Cloud Security and DevOps Automation last May, virtually with Eric Johnson. And that’s when I knew what I wanted to be an expert in for my career, and in turn what I wanted to teach.

Why SANS? I want to strive to be a great leader and excel in the security field. I want to work with some of the best folks in the field who share a similar passion for security training and education. And, I have a deep desire to help others succeed. SANS offers all of these things that are important to me. If I were playing baseball, teaching for SANS would be the “Big Leagues.”

5. As an instructor, what is your teaching philosophy? Tell students what defines you as an instructor. What makes you unique to teach this class?

I am a Servant Leader. As a Servant Leader, my primary responsibility is the success of my team. My primary mission is to help others achieve their greatest potential in whatever that is.

I like to take a coaching/mentoring approach to my teaching where I share all the knowledge, skills, and experiences that I have gained; and then act as a guide for the student, supporting them on their learning journey. I believe this approach lends itself to better critical thinking and creativity since there is often more than one way to do something and everyone brings a different and unique perspective to a given problem or topic area. In addition, students are empowered to own their experiences and success.

Security needs to be “baked-in”, not “bolted-on”, and I always try to instill “secure-by-design” values into my teachings.

6. Why do you enjoy teaching this topic? Tell students what makes you the best teacher in this subject.

There are two main reasons why I enjoy teaching Cloud Security and DevSecOps.

  1. The DevOps culture
  2. The speed and possibilities of the cloud

Cloud Security and DevSecOps is the intersection of all the best parts of working in tech, and the possibilities to create are limitless. My passion for all the subjects is contagious.

I want to help and inspire others to create amazing and secure things; whatever those things are.

7. In your opinion, what are the biggest challenges your students might face when learning about this topic and how do you as an expert address those challenges in a way that helps students in their day-to-day careers?

It’s interesting that the two things I enjoy most about teaching these topics are the same things that I think will be the most challenging for folks. In my opinion, I think the two biggest challenges students might face when learning Cloud Security and DevSecOps are: 1) the culture, and 2) the DevOps tools-of-the-trade.

The reason I believe these will be the big challenges is because they’re counter-culture for security folks. As security professionals, we think we know what’s best for being the most secure, so as a result, we naturally want to control everything.

And now we’re being told that we have to work with other non-security groups to help them “be more secure” in what they do. And if we do that, we’ll actually get a lot more done, a lot faster, and also reduce our overall risk to the organization? That is fantastic! It’s just backwards to the way a lot of security folks approach security.

How do I address these challenges?

If we embrace the DevSecOps culture and focus on continuous improvement, we will be successful in The Cloud. This is something we can implement on Day 1, with no technical skills or approvals required. Everything else can be developed and built-up over time.

For Culture:

  • Breaking the mindset of “NO.” Security can’t continue to be the “big brother” or “department of no” if we want to be successful in The Cloud. Security will be left behind if we don’t start finding ways to help and support business innovations and evolutions that have security built-in.
  • There are a lot of studies and psychology behind the benefits of making little, incremental improvements every day, versus trying to make big changes all at once. You end up making greater improvements overall when you focus on getting a little better each day.

Regarding DevOps Tools:

  • Building on the first challenge, security professionals need to work side-by-side with developers and operations folks. We need to understand the tools and workflows that our partners are using and understand how we can maximize those tools and environments for baking security into everything we do.
  • This means that we need to learn the tools-of-the-trade, which in this space are the DevOps tools.
  • Learning how to use the various CI/CD tools for automating all the “security stuff” can be challenging because there are a lot of tools, and that’s in addition to all the security tools we’re also using. While they are different from what many security folks are used to using, we need to remember that it’s just a new set of technical skills we get to learn. Then take time to learn, practice, and strengthen them over time like anything else. Patience and persistence also help here. Remember, continuous learning and continuous improvement. Always working towards getting better.

8. In addition to being a SANS instructor and working in the field, I also work in the professional community as:

  • SANS/GIAC Advisory Board Member
  • Blogs and webcast provider for SANS
  • Instructor for a Cybersecurity Bootcamp

10. What are your interests or hobbies? Tell students what interests you, inside or outside the industry.

  • Social Engineering, human behavior, performance psychology, and social psychology
  • Dog lover and all around animal lover
  • I enjoy hiking and most outdoor activities

11. Book Recommendations

Pour Your Heart Into It, By: Howard Schultz

Start With Why, By: Simon Sinek

Wait, What?, By: James E. Ryan

Breaking and Entering, By: Jeremy N. Smith

The Phoenix Project, By: Gene Kim, Kevin Behr, George Spafford

