The Security Path

Background

In 2023, I bought The Good Parts of AWS by Daniel Vassallo and started learning about the Small Bets community he’d founded, and subsequently joined (you can join here). Daniel has posted extensively about his thoughts on a full-time 9-5 job and I won’t repeat them here (you can follow him or Louie Bacaj on Twitter for many well thought-out posts on taking small bets as an indie hacker/solopreneur).

I’m not active in the Small Bets community, more of a lurker who reads the messages later and watches the videos as recordings (fyi, there are excellent classes every month with people who are creating/publishing/hacking and having successes, see the public calendar here). Having joined the community, it got me thinking about what creative things I could do in my personal time to give me some fun challenges outside of work. I’d been constantly asked by fellow parents things like:

- How do you control screen time?
- Can my kid play “Call of Duty”? Should they? (hint: if you’re asking me, they’re probably too young ;-) )
- How do I set up parental controls?
- Why won’t the game studio allow me access to the support tickets for my kid? It’s my money they’re using to buy those skins. (this is more complex than you’d think)
- How do I secure my home Internet?

I noticed that my text messages were turning into long emails, and these in turn were becoming a long blog post. As a result, I started typing and when I was suddenly at 50 pages, I realised it was a small book. Ultimately I leveraged the information from the Small Bets classes, and published the book on Gumroad. I didn’t do it to make money but to share information, challenge myself creatively and play around with some stuff outside of my core area of experience (i.e. to learn).

For the second project, in talking with a good friend, Will Bengtson, we realised that there was nothing really out there in the world of cybersecurity describing the various security career paths, and what was out there wasn’t easily discoverable. And so, we set ourselves the challenge of creating a book that did this, with a twist - we would interview a bunch of professionals from the industry because everyone’s path is different, and there are so many unique stories that it would be a disservice not to try to share some.

Interestingly now that I’ve started this spare time creative process of “small bets”, I have had multiple ideas, just not enough time but that's fun :) 

Goal

Our goal was a book that would hopefully help answer the questions that we, and no doubt many of you, have been asked many times in our Security careers, such as:

- What should I learn?
- How did you get to where you are?
- If you could start in Security again, would you do it all again? Anything different?
- Do you want to be a CISO, lol?

We were particularly interested in ensuring a diverse group of interviewees, with a desire to learn more about people who switch to cybersecurity from a completely different career.

Process

- We started this project in December 2023, and came up with a list of 10 questions
- We created a “pitch” and asked Jason Chan, who volunteered, to write a foreword to the book
- The next stage was a mix of editing, clarifying, and politely chasing down people
- Will and I reached out to a bunch of folks we knew in the industry, asking if they’d like to contribute and if they knew 1-2 people they’d like to nominate (Not everyone can contribute, the industry is hard enough as it is without having to answer extra questions, but everyone was so gracious and supportive, even if they couldn’t contribute <3)
- We originally hoped to get answers back by January, but on reflection, with Christmas and the winter armageddon in tech, that was clearly far too unrealistic (lesson learnt)
- Answers began to trickle in through January, and we began to construct the book in Google Docs with the goal of publishing on Gumroad initially, as it's DRM free and updates can easily be sent out for free to those who've purchased it, and then later we'd work on publishing on Amazon
- Thinking about pricing, marketing and all those things we’ve no clue about

Questions

  1. How did you get into Cybersecurity? If you started your career off doing something completely different, what prompted the switch?
  2. What’s your current role (No need to mention company if you do not want to)? What type of work do you or your team(s) do? Any pros or cons, if you’re willing to share?
  3. How did you decide on the management or individual contributor track? Have you been tempted to switch to the other track?
  4. What area of Security do you specialize in? What made you focus there? Are there roles within Security that can form a strong basis for leading to another role, e.g. SOC analyst into becoming a Detection engineer?
  5. What is your approach to mentoring? How do you make yourself approachable to mentees so there's safety and trust?
  6. If you had one piece of advice to give to your younger self on starting again in the Security field, what would that be?
  7. If you were starting out again, what sub-field within Security would you dive into, i.e. what’s currently most exciting and why, in your opinion?
  8. Do you have any preferences on doing security for a small (< 500 people) versus big company?
  9. Is there one book/course/conference that you’d recommend to someone starting out?
  10. If you had a magic wand, what is the one thing you’d change about the security industry?

Status

The book is complete (though I’m sure there’ll be corrections as people spot mistakes as they read it). Publication details are: 

- 70 interviewees
- 300+ pages
- Gumroad: “early access” version available now (20% off - code earlyaccess)
- Amazon: kindle and ebook version to be published on March 21st, 2024 🤞
- Launched The Security Path website today, but not sure what we’ll do with it outside of a landing page (ideas welcome 🙏).

Now that we have hit 'publish', there will be a cocktail of exhilaration and terror. Thanks to all those who kindly answered the questions, and the many friends that gave us tips and advice!!!
