
Posts

Showing posts with the label Infosec

The Security Path

Background In 2023, I bought The Good Parts of AWS by Daniel Vassallo and started learning about the Small Bets community he’d founded, and subsequently joined (you can join here). Daniel has posted extensively about his thoughts on a full-time 9-5 job and I won’t repeat them here (you can follow him or Louie Bacaj on Twitter for many well thought-out posts on taking small bets as an indie hacker/solopreneur). I’m not active in the Small Bets community, more of a lurker who reads the messages later and watches the videos as recordings (fyi, there are excellent classes every month with people who are creating/publishing/hacking and having successes, see the public calendar here). Having joined the community, it got me thinking about what creative things I could do in my personal time to give me some fun challenges outside of work. I have been constantly asked by fellow parents about things like: - How do you control screen time? - Can my kid play “Call of Duty”? Should they? (hint: i...

Start-Up Security

After many years in Security @ Riot Games and eventually putting the "s" out there, I recently decided to jump out of my comfort circle for a new challenge and joined a start-up (yes, I left a comfortable, stable job in a pandemic, lunacy lol). Now that I've been here almost 6 months, I wanted to share some findings, because security at a start-up is significantly different. When you join a start-up, there's going to be so much that you can do and it will be incredibly easy to "boil the ocean" and try to fix everything. At best, this guarantees failure for the Security team; at worst, alienation from the engineering and product teams. There are some obvious quick wins that a Security team can make without slowing down iteration and innovation speed, while also reducing risk: Auth: Partner with Engineering/IT/CTO such that there's alignment on Security owning all things "auth(n|z)". As part of this ownership, you need to be prepared to resp...

Things I Wish I Knew Before InfoSec - Part 1 - Imposter Syndrome

When we (Rookie and Mark) sit down and go into one of those self-reflective modes, we often talk about things we wish we knew, and so we figured it’d be a good idea to share some of those things. Hopefully one person learns from our failings :) So, without further ado, this is the first post in the series of “Things I Wish I Knew”. One thing I (Mark) personally wish I knew about was imposter syndrome, which according to Wikipedia is: a psychological pattern in which one doubts one's accomplishments and has a persistent internalized fear of being exposed as a "fraud" From exams in school to sports competitions, each house move, big “stretch” projects, every new role and becoming a parent, I’ve always had the feeling that I’m not good enough. This typically results in me striving to prove myself constantly, which usually works out well, but when it doesn’t, it causes: me to burn out colleagues or friends to become frustrated as I may not be giving them enough space ...

Leading with “deadlines” during Covid-19

So firstly, we obviously failed at our promise in our first post, i.e. we didn’t post an article every few months. Both of us did contribute to the Leadership Tribe of Hackers book, so that makes the failure a little less, right??? Anyway, in this post, we wanted to share what we have found to have worked for the Security teams at Riot Games during the Covid pandemic. Like Chris Hymes described here, we pivoted early (before the “stay at home” order) to collaborate with IT (and teams across Riot) to ensure there was a secure and reliable “work from home” experience for Rioters. As challenging as this emergent work was, the more difficult and ambiguous challenge arose after implementation. Surely the pressure was off, as Rioters were now able to work from home such that Riot could securely deliver new games, transition to a remote broadcast for eSports, onboard new vendors (to help further with “wfh”) and do their usual day jobs? That wasn'...

What to read as an Engineering Manager in InfoSec

A question that I have received a lot over the last few years is: What are good books about managing and leading people in InfoSec? So to help prevent others from making the many mistakes and blunt approaches that I have made, here's a list of such books with a short note on why I feel each is a good read and why I've found the content helpful. P.S. If you don't want to read books, the best thing to start with as a leader is being a good listener! High Output Management This is the management bible in many ways. It's a truly fantastic book that describes how to lead, manage your team(s) and how to best spend your time on what’s important. It’s survived the test of time, being first published in 1983, and although this is over 30 years later, this book is still highly relevant and educational. Principles This was an amazing read - in fact I think it is actually a pretty phenomenal gift of knowledge from Ray Dalio to us all. Clearly both Dalio and Bridgewater aren’t fo...

What's the point of (InfoSec) Certifications?

Quite recently, my GSE was up for renewal. I'm currently in the middle of transporting my family to another continent and I have slightly more responsibilities work-wise in 2016 versus 2012. However, given the effort and study that it took to get the cert the first time (and to a lesser degree the expense), I figured it was a no-brainer to renew. For me, I've always been a huge fan of the GSE and considered it the epitome of InfoSec certifications, much like the CCIE for (Cisco) networking. Personally, I learn better by "doing" and consider it the evidence that someone knows their stuff, so the "2-day lab" element in the GSE was both a huge goal and a challenge that I was excited about. I talked about the value of "doing" when trying to learn about yourself previously here with the infamous Security Ninja and here on my own blog, so there's no point in repeating myself. When I did the GSE, I absolutely loved the hands-on lab mo...

Socialising Security @ Riot

Quick Link: Presentation here. Background In late November last year, I had the honour of following the illustrious David Rook (ex-SecurityNinja :) ) in the Owasp Dublin Chapter meeting (thanks Owen & Owasp Ireland). Quite a few people (mostly Chris John Riley) reached out and said: “The presentation looks cool and I'm jealous of the cool artwork but context, need MOAR context!” From an OpSec perspective, it's not always possible to include all the context when it comes to publicising security presentations, but @Riot, the goal of the InfoSec team is to socialise security within Riot, our players, the gaming community and the security community. Tl;dr: Each Rioter is responsible for their own security. Riot has posed very new challenges (for me): - Scale - Volume of incidents (i.e. a successful compromise, a leak, a DDoS attack) - Open policy to security (this is the bit that will draw the crowd) We want to...