The LogRhythm Champions Network is an exclusive community of LogRhythm’s most passionate and strategic customers. This elite group of customers leaders in the InfoSec community and are experts in all things LogRhythm. The LogRhythm Champions Network works to recognize these leaders for their advocacy efforts, connect them with fellow experts, and empower them to reach their personal and professional goals. Learn more about the people who choose to partner with LogRhythm.
This Champion Profile showcases Kevin Merolla, security manager at Chart Industries. Here is Mr. Merolla’s story, edited and condensed from a recent interview.
What organization do you work for and what is your current role?
I work at Chart Industries, a global manufacturer of equipment for the oil, gas, and cryogenic industries.
How long have you worked at Chart Industries?
I started at Chart as a contractor back in 2012. I was hired to run the Help Desk as part of a temporary engagement. I had just transitioned from another role and was looking to find something a little more permanent, but this presented itself in the interim. I was able to extend my contract using my prior expertise as an infrastructure guy — think windows, active directory exchange, servers —and creating a reputation of dealing with things that nobody else wanted to deal with. Ultimately, I was asked to “do something” with an intrusion detection system, which forced me to start learning about InfoSec. In a way, I started working in security accidentally.
From there, I took over and onboarded several additional security tools with some success. A couple of months later, my boss called me into his office and asked if I wanted to run the security at Chart. I had no idea what I was doing, but I said, “let’s do it. I got this.” So, in 2014 I was hired as an Information Security Analyst and the rest is history. In total, I’ve been at Chart for just under nine years, but it’ll be my seven-year anniversary as an employee in August.
What is your educational background?
I never finished college; I am too ADHD to make that happen. I bounced around between five or six majors across five or six universities and never actually finished. I have a ton of college credits, just not enough in one focus area to get a degree. Despite not finishing school, I supplemented my formal education with hands-on work experience, vendor training, red and blue team courses, and several industry certifications. Specifically, I went the GIAC route to earn my GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Incident Handler (GCIH) certifications.
Tell me a bit about your journey as an InfoSec professional.
I have been in IT for 22 years, starting at a local internet service provider (ISP) in Dayton, Ohio. When I started in 1999, I was compiling Linux kernels so the custom PCI T1 routers that were based on AMD Athlon processors would run properly. It was fascinating work and I loved it. I cut my teeth on Linux. I knew how to configure Linux before I ever touched a Windows Server. So, I credit that first job with my love for source software and command line.
Next, I got my MCSE certification from Microsoft and started doing consulting work. Funny enough, Microsoft awarded me with a gold badge because I was one of the first 500 people in the country certified on Windows 2000. When I ultimately moved back to Northeast Ohio, I signed up with a consulting firm as a contractor, where I worked for many years until I ended up at Chart.
Consulting was always fascinating for me because not only was I able to gain enterprise experience through working with some very large companies, but I was able to gain a broad view of IT in the business world. I’ve gotten to see a ton of different environments and had to solve unique challenges throughout the years. I believe those experiences have kept me motivated because I am always learning something new or problem-solving. That’s what gets me up in the morning. I love solving complex problems.
Sounds like you fell into security. Would you say that?
Absolutely! I was always the IT guy at companies. I was never the security guy. During my consulting roles, I would usually slot myself in with companies that didn’t have an IT staff. That’s where I felt that I brought the most value. Often, they couldn’t afford full-time IT, but they could hire me as a contractor on an hourly basis when they needed help. I could get them at least up to speed and keep them relatively safe in doing so.
I didn’t really start with security until Chart. When I was hired full time, there was no security program and there was no security staff. I had to build the program from the ground up. I didn’t know what I was doing. Luckily, I had a supervisor who was a CISSP and a CSO at his previous job. He got me plugged in, showed me the right training, and introduced me to the local InfoSec community. I’ve still got a long way to go, but I’ve been able to ramp up quickly and get my skills up to par to do my best to defend the company.
That’s wonderful! Based on your security journey, it seems like you are a self-made man?
Yeah. I’m a “going to figure it” out kind of guy. I’m a problem solver. I’m like a dog with a bone. I often get pulled into things at Chart that has nothing to do with security, just because the way my mind works is good at problem-solving. I’ve worked in probably 40 or 50 different environments over the years. So, I’ve seen a lot of stuff that can break which gives me a lot of historical knowledge that I can reference.
Problem-solving seems to be a reoccurring theme here. Is that what drives you to continue to work in cybersecurity?
I think it does. That is partially why I was attracted to cybersecurity in the first place, you constantly must learn new things. Cybersecurity isn’t a monolith, like with Active Directory and similar topics. The threats are changing. The attacks are changing. The tools are changing. Everything is constantly in flux and I have to learn that next thing to keep up. I’m never bored, which it makes it super fun for me.
What is your cybersecurity philosophy and how does it drive your security programs?
I was taught by my first boss in InfoSec, the idea of a sea of human sensors. I treat cybersecurity like it’s in the job description of every employee at the company. No matter the role, each employee can have a positive impact. For example, just one phishing email can be extremely damaging. But if a targeted employee is suspicious and proactively reports the email, that person can literally save us a hundred thousand dollars. That is a massive impact for one person to make, especially several times a day.
I want my employees to be empowered and show them they can significantly impact Chart’s, global InfoSec posture. Be it good password hygiene using a password manager, being suspicious of emails, or implementing two factor at home. I don’t get a lot of time to focus on security awareness, but my hope is that over time I can build an InfoSec program that literally touches every employee.
What concerns you the most from an InfoSec perspective?
Every company has a unique threat posture. It’s almost a digital fingerprint of how you’re attacked. At Chart, we don’t see corporate espionage, or large-scale nation-state attackers coming after us. What we do see every day is financially motivated phishing style attacks. Because of that, we invest heavily in phishing protection and I’ve tuned my security program to target these types of attacks. Additionally, we are about to make a huge investment in phishing user awareness training.
Unfortunately, things like security awareness training require a lot of buy-in from leadership and can take several years to implement. As a multi-national corporation, I have to get support from leadership in every country and I have to support languages unique to each country. Today we do business across 14 countries on four continents with 37 different locations. So, it’s a big challenge at Chart to properly address these threats.
Now, if I take the step back and address what I’m most concerned about at a global level, two things come to mind: talent shortages and the sheer pace of new security vulnerabilities.
If you’ve been to any conferences or read CIO magazine, you’ve heard about the talent shortage in cybersecurity. I definitely agree with this. But I have a little different take on things because I think that it’s a problem of our own making. I believe the InfoSec community has an exclusivity problem, especially when it comes to women, LGBTQ+, and people of color. From my experience I’ve seen and continue to see a subculture of white male dominance that has caused trauma and pushed people out of the industry. I’ve also believe this toxic culture is keeping good people from getting into InfoSec. From my perspective it’s heartbreaking. Creating a more inclusive and tolerant community would go a long way to bring in qualified people and help close the talent shortage gap.
Beyond that, the sheer velocity of new security vulnerabilities is staggering. Last year there were 18,000 CVEs disclosed. So far, in 2021, there have already been over 110,000 CVEs. If that keeps up, we’ll get to over 40,000 CVEs in one year. That’s staggering. More to protect, more to patch.
What do see as the driver behind the increasing number of security vulnerabilities?
I think it’s a lot of reasons. Number one, Internet of Things (IoT) and the trend of work from home. The Linksys router hack showed there was plenty of money to be made by targeting homes. Attackers aren’t just targeting the enterprise anymore, they’re going after home networks because they are soft. We’ve seen man-in-the-middle attacks, DDoS attacks, and other attacks launched from compromised routers.
At the same time, I think more people are looking for these vulnerabilities and have ever looked for them before. On one side you have the threat researchers, whose job it is to find these flaws. Then on the other side, bug bounty programs are incentivizing people to look harder than ever. I actually know of a woman who started a company that specifically specializes as professional bug hunters. Ultimately, it’s a good thing to find vulnerabilities, but as a defender, it’s exhausting to try to keep up with it all.
When you’re not spending a hundred days on the road, what do you do for fun? What does life look like outside the home or the office?
When I’m out of the office, I love to get outside and get my vitamin D. Specifically, I like to hike and bike with my wife. On top of that, I like to spend time with family. I’ve got a decent-sized family here locally, so I get to spend a good amount of time with them. Or I have got a brother in Detroit who I like to visit.
Additionally, as a hobby, my wife and I are both photographers. We have the photo bug in us. I am a huge fan of taking pictures of birds of prey in flight. Think your Raptors, Eagles, Hawks, and Kestrels. My favorite bird in the world to take pictures of is the Peregrine Falcon. It’s just the fastest animal on earth of any kind. It can travel at nearly 300 miles an hour and literally punches its prey with its claws instead of grabbing it. It’s incredible.
My wife is particular to animals in general, especially anything that has four legs and is furry. We love going to zoos, animal parks, bird sanctuaries. In this industry, I don’t get a lot of free time. Work can bleed into my personal hours, my sleep time, and even my vacation time. I try and maximize my time off when I get it.
Why did you join the LogRhythm Champions Network?
“It’s an honor to be invited into the LogRhythm Champions Network. I’m excited about participating in the program. I tend to go all-in with vendors and technologies that I use and believe in, and LogRhythm definitely falls into that category. I’ve been with [LogRhythm] for going on seven years and I love the product. I love the company even more.”
What are you hoping to gain by participating in the LogRhythm Champions Network?
Well, that’s the thing, I don’t do things like this to benefit me per se. I participate because it gets me plugged in and keeps me engaged. I get to meet and talk to awesome people. Plus, I get to answer questions about things I care about. To me, that in and of itself is a reward. I’m here to kind of give back to a company that’s been a strategic partner of my companies and mine for several years now.
How will your participation in the program impact your partnership with LogRhythm?
I feel like our partnership [with LogRhythm] has been strong up until this point, and honestly, I’m hoping to continuously strengthen it. The InfoSec industry can be tough and a bit uncertain. I’m hoping this program will empower me to take LogRhythm wherever my career goes in the future. I see LogRhythm as a critical tool in an InfoSec program and to the overall success of any organization.