This interview is the first part of our "The 11%: A Look at the Women Closing the Cyber Security Gender Gap" series. This series takes an in-depth look at the variety of roles women play in the field of cyber security and the ways they're changing the industry. You can learn more about the whole series here.
When Kelly Schmitz joined the Navy in 2011, she thought she was buying some time to figure out what she wanted to do. But by the time she left, she had found a career that combined two new passions: malware analysis and teaching.
Before Kelly joined Focal Point Academy as a Cyber Security Instructor in 2017, she spent six years as an analyst for the U.S. Navy, focusing on malware analysis and digital forensics. While in the Navy, she recognized a problem: there were no formal training materials or instruction for new members on her digital forensics team. So, she built the training. In the process, she discovered a job she loved – teaching cyber security.
Today, Kelly is out of the Navy, but she hasn’t stopped training and mentoring new cyber professionals. As a natural problem solver who wants to help “ease the struggle,” she’s a perfect fit at Focal Point, where she teaches courses in operating systems security and malware analysis (in both the military and commercial sectors) around the country. When she isn’t teaching, she’s researching malware and cyber trends, building new course material, and analyzing new pieces of malware with her team.
Kelly sat down with Buffy Ellis, the VP of Training at Focal Point Academy, to discuss what she loves about her job, conquering imposter syndrome, and her love for researching and teaching malware analysis. You can read her full interview below.
Buffy Ellis (BE): Can you explain the type of role you have?
Kelly Schmitz (KS): Sure! My role, at this point, is Cyber Security Instructor with Focal Point Academy. I travel around to our clients or training centers and teach on cyber security topics, typically either operating systems or malware analysis. Then when I’m not teaching, I’m building that courseware.
BE: And before that you were in active duty military service, right?
BE: And how many years were you in a cyber field in the military?
KS: Six years. I was doing malware analysis and digital forensics for the Navy. After I had been there for a year or two, I also started teaching new people that would come into the shop where I was working.
BE: Is that where you decided you might be capable of teaching?
KS: Yeah! When I would go into a new shop, there were people who had been working there before me, and when I would ask questions they would say, “Well, you should look it up because that’s what I had to do.” I didn’t like that answer, so I learned how to do things, and I started creating training and teaching people that came in after me.
"I didn’t like that answer, so I learned how to do things, and I started creating training and teaching people that came in after me."
BE: What did you like best about that role?
KS: Easing the struggle. When you’re new in the military and you don’t have any cyber background, getting thrown into these highly technical shops can be a really painful experience. So I liked helping to ease the pain of that experience and helping people out.
BE: People join the military join for a variety of reasons – whether it’s to help pay for school or to find a career with opportunities to travel, etc. What were your driving reasons for joining the military?
KS: Well, I went to college for a few semesters beforehand, and I realized I had no idea what I wanted to do. I was just wasting time and money because I didn’t know what I wanted to study. I decided that if I joined the military, I would at least have a job for however long my enlistment was and maybe I could figure out what I wanted to do at that point. And then I ended up in a field that I actually really enjoy.
BE: And how did that process occur? My understanding is that you take the ASVAB (Armed Services Vocational Aptitude Battery) and based on your abilities and what positions are open, a recruiter guides you to a specific field. Is that what you experienced or did they offer incentives or create interest in cyber specifically?
KS: Before I joined, I had researched some of the jobs and I wanted to become an intelligence specialist for the Navy. And I really wanted to do photograph analysis. I had been on the CIA website and they have this little challenge where you can analyze photographs and gather information from that, which I thought was pretty fun. So when I went in, I asked about that job. I wanted to ship out as soon as possible because I was tired of working retail.
So I took my ASVAB and got a 90 on it. Because my score was so high and they were hurting for cyber security people, they told me I could be either an IT (Information Systems Technician) or CTN (Cryptologic Technician – Networks). I didn’t really know what those were, so I just asked which one had the highest security clearance. They said CTN, so I went with that, not really knowing what it was. But I got pretty lucky because when I got put into a shop, it was malware analysis and digital forensics. I think both of those are like solving a puzzle, which is essentially what analyzing photographs would have been.
[Editor’s note: It’s a little dated, but you can still take a CIA photograph analysis challenge here.]
BE: It sounds to me like you’re very similar to a lot folks I’ve spoken to who kind of fell into this career field but have certain aptitudes and character traits that make this work attractive. And yours seems to be problem solving, and you found that in security rather than intelligence and intelligence analysis. Is that a fairly accurate statement?
KS: Yeah, cyber security kind of chose me!
BE: So far, what do you love most about the work you did both in the military service and now here at Focal Point as an instructor?
KS: I like the people that I’ve met. You meet some really interesting people, especially in the military. I like figuring out how they got into the military and into what they’re doing. And you meet some people that are just so smart, it’s hard to understand it. You don’t know how they have so much brain in their head. So yeah, I admire the people. I keep trying to learn more from them.
BE: Of those really smart people you’ve met, does anyone stick out as a mentor or someone that helped guide your career or make decisions that affected your career?
KS: I feel like here, at Focal Point, there are some people that I really look up to and I’m always asking questions of – like Jimmy [Wylie] and Damien [Cash]. I’m always asking those two questions. And Marcelle [Lee]. She’s always going to conferences and she’s very confident too. So I look up to her and I ask her questions as well. [Editor’s note: Jimmy, Damien, and Marcelle all teach courses at Focal Point Academy.]
"I admire the people. I keep trying to learn more from them."
BE: What kind of things do you see yourself doing in the future? Are there any technical areas you’d like to explore or any roles or positions that you would eventually like to move into?
KS: Well, I really enjoy teaching. So I want to stay with that, but I always want to increase my knowledge. There is so much to learn because cyber is changing really quickly – you have to keep up with everything that is coming. I also want to increase my knowledge of topics I already know. For example, there’s a whole other level of malware analysis that I’ve really only scratched the surface of.
BE: You and I were talking earlier about how there is a pronounced shortage in cyber security of qualified people to fill all the positions, and more specifically, that there is a large gap between the number of men and the number of women entering cyber security as a career field. Can you think of any challenges that are unique to women pursuing careers in STEM or technology related fields?
KS: Honestly, I think “imposter syndrome” is the big thing for women. I think sometimes we lack the confidence that some men have because of that. In my experience, when I decided to leave the Navy, I almost didn’t pursue a career in cyber because I felt like if I interviewed for a job in cyber, I would sound like an idiot. I think that’s a big issue, just from personal experience and talking to other women that I’ve worked with.
BE: What are some ways we could collectively address that concern? Are there things that we could be doing as an employer? Or are there things that could be done out in the industry to encourage women and, in particular, help them realize that their experience really does lend to these positions?
KS: I think having more conferences just aimed toward women. When I was in the military, every time I went to a class, it was always men teaching. At conferences, you usually see men speaking so I think we need more women out there encouraging other women and giving speeches and telling them, “You are qualified to work in this field,” and “You know more than you think you do.”
BE: That’s great. Are there any benefits to women pursuing a career in technology? Is there anything about being a woman that makes us a strength in this field? Besides the fact that you never have to wait in line for the bathroom when you go to conference.
KS: That’s true! I guess because there’s so few of us, the more you know, the more you can have other women sort of look up to you. So I guess, it’s easier to be a mentor as a woman to other women in this field.
"I think we need more women out there encouraging other women ... and telling them, 'You are qualified to work in this field,' and 'You know more than you think you do.'"
BE: Thinking of your cyber career overall (and I realize you’re only a few years into it), is there a learning opportunity you could share with us as a sort of learning lesson to others?
KS: I almost didn’t pursue a career in cyber after I got out of the military. So I think the lesson is just realizing that you know more than you think you do. I didn’t think I knew that much, but that wasn’t the case. So have more confidence in yourself because you’re a lot smarter than you think you are. This is a difficult field and nobody knows everything. So if you think that not knowing everything means that you’re not intelligent, that’s not true.
BE: One of the reasons I’ve been drawn to and stayed in this field is that there is always something new to learn and that’s a great point. So when you were at the end of your six-year enlistment in the Navy, you were putting your resume together and you had that “I’m not sure I’m ready to enter the commercial workplace” feeling. What got you over that hurdle? What got you to the point that you felt confident enough to interview and then pursue a future career in cyber?
KS: I was taking the GPS class, the class that everyone in the military takes when they get out of the military to help them build their resume and prepare for civilian life. I was taking that class with one of my female coworkers and she knew she wanted to stay in the field and she hadn’t even applied for jobs yet. She was getting out before me, but she wasn’t worried about it. And I admired her for that. I thought, “You know, I feel like I know more than this person. I trained her on some of these things. If she can do it, I can do it.” I realized that the worst thing someone could tell me was no or they just wouldn’t respond back to me, so I might as well go for it.
BE: Overall, what would you consider to be your biggest success so far in your career?
KS: This actually happened a few weeks ago. There was a class that I was teaching in Georgia – it was the largest class I’ve ever taught, and I had so many technical issues that week. I was worried to read my reviews. I sent them instead to Jess [Hays], another woman that I work with. We always send each other our reviews if we’re worried about what they’re going to say, so they can ease the shock. And she told me after she read them, “You need to print these out and frame them so you can look back any time you’re feeling bad about yourself and say, ‘No, I’m awesome.’” All of the students spoke really highly of me, and it was really incredible to read.
[Editor’s Note: Here are a few quotes from the feedback Kelly got from this course.]
“To date, Kelly is one of the best instructors I’ve had…”
“Kelly is very knowledgeable and is very good at presenting…”
“She [Kelly] seems to really enjoy teaching and working with students.”
“Always willing to answer a question no matter the complexity”
“The instructor seemed extremely knowledgeable in the field of malware analysis.”
BE: So you’ve done some analysis work, you’ve done forensics and reverse engineering. If someone who’s reading this wants to learn more about any of those areas, could you point them to any particular blogs or websites that they could learn more about cyber security in general or what you do specifically?
KS: Yes. The Art of Memory Forensics is my favorite book. It’s about memory analysis, and that also helps with malware analysis, so it’s kind of a double dip. It teaches you about the internals of memory for both Windows and Linux systems, so depending on which system you like, it has both.
And then for articles, I think that’s always changing. If you’re looking for a good place to start, I’d recommend McAfee and Symantec articles, and Microsoft as well for a broader look. They don’t go in-depth into the analysis so if you don’t understand all the technical terms, that’s a good place to start.
BE: Ok, and then lastly, what do you think the future holds for you overall?
KS: I really love teaching. I really hope I get to keep doing it and to keep growing. And that my students always feel like they can come back to me with questions in these topics.
"Have more confidence in yourself because you’re a lot smarter than you think you are."
If you are interested in participating in our series or would like to suggest someone for us to feature, we would love to learn more. Just complete the short form below, and we’ll be in touch.