Skip to main content

The Security Path

Background

In 2023, I bought The Good Parts of AWS by Daniel Vassallo and started learning about the Small Bets community he’d founded, and subsequently joined (you can join here). Daniel has posted extensively about his thoughts on a full-time 9-5 job and I won’t repeat them here (you can follow him or Louie Bacaj on Twitter for many well thought-out posts on taking small bets as an indie hacker/solopreneur).

I’m not active in the Small Bets community, more of a lurker who reads the messages later and watches the videos as recordings (fyi, there’s excellent classes every month with people who are creating/publishing/hacking and having successes, see the public calendar here). Having joined the community, it got me thinking about what creative things I could do in my personal time to give me some fun challenges outside of work. Having been constantly asked by fellow parents on things like:

- How do you control screen time?
- Can my kid play “Call of Duty”? Should they? (hint: if you’re asking me, they’re probably too young ;-) )
- How do I set up parental controls?
Why won’t the game studio allow me access to the support tickets for my kid? It’s my money they’re using to buy those skin. (this is more complex than you’d think)
- How do I secure your home Internet?

I noticed that my text messages were turning into long emails, and these in turn were becoming a long blog post. As a result, I started typing and when I was suddenly at 50 pages, I realised it was a small book. Ultimately I leveraged the information from the Small Bets classes, and published the book on Gumroad. I didn’t do it to make money but to share information, challenge myself creatively and play around with some stuff outside of my core area of experience (i.e. to learn).

For the second project, in talking with a good friend, Will Bengtson, we realised that there was nothing really out there in the world of cybersecurity describing the various security career paths, and what was out there wasn’t easily discoverable. And so, we set ourselves the challenge of creating a book that did this, with a twist - we would interview a bunch of professionals from the industry because everyone’s path is different, and there are so many unique stories that it would be a disservice not to try to share some.

Interestingly now that I’ve started this spare time creative process of “small bets”, I have had multiple ideas, just not enough time but that's fun :) 

Goal

Our goal was that the book that would hopefully help answer questions that we, and no doubt many of you, have been asked many times in your Security career such as:


- What should I learn?

- How did you get to where you are?

- If you could start in Security again, would you do it all again? Anything different?

- Do you want to be a CISO, lol?

We were particularly interested in ensuring a diverse group of interviewees, with a desire to learn more about people who switch to cybersecurity from a completely different career.

Process

- We started this project in December 2023, and came up with a list of 10 questions
- We created a “pitch” and asked volunteered Jason Chan to write a foreword to the book
- The next stage was a mix of editing, clarifying, and politely chasing down people
- Will and I reached out to a bunch of folks we knew in the industry, asking if they’d like to contribute and if they knew 1-2 people they’d like to nominate (Not everyone can contribute, the industry is hard enough as it is without having to answer extra questions but everyone was so gracious and supportive, even if they couldn’t contribute <3)
- We originally hoped to get answers back by January, but on reflection with Christmas and the winter armageddon in tech, that was clearly far too unrealistic (lesson learnt)
- Answers began to trickle in through January, and we began to construct it on Google Docs with the goal of publishing on Gumroad initially as it's DRM free and updates can aesily be sent out easily for free to those who've purchased it, and then later we'd work on publishing on Amazon
- Thinking about pricing, marketing and all those things we’ve no clue about

Questions

  1. How did you get into Cybersecurity? If you started your career off doing something completely different, what prompted the switch? 
  2. What’s your current role (No need to mention company if you do not want to)? What type of work do you or your team(s) do? Any pros or cons, if you’re willing to share? 
  3. How did you decide on the management or individual contributor track? Have you been tempted to switch to the other track? 
  4. What area of Security do you specialize in? What made you focus there? Are there roles within Security that can form a strong basis for leading to another role, e.g. SOC analyst into becoming a Detection engineer?
  5. What is your approach to mentoring?How do you make yourself approachable to mentees so there's safety and trust?
  6. If you’d one piece of advice to give to your younger self on starting again in the Security field, what would that be? 
  7. If you were starting out again, what sub-field within Security would you dive into, i.e. what’s currently most exciting and why, in your opinion? 
  8. Do you have any preferences on doing security for a small (< 500 people) versus big company? 
  9. Is there one book/course/conference that you’d recommend to someone starting out? 
  10. If you had a magic wand, what is the one thing you’d change about the security industry?

Status

The book is complete (though I’m sure there’ll be corrections as people spot mistakes as they read it). Publication details are: 

- 70 interviewees
- 300+ pages
- Gumroad: “early access” version available now (20% off - code earlyaccess
- Amazon: kindle and ebook version to be published on March 21st, 2024 🀞
- Launched  The Security Path website today, but not sure what we’ll do with it outside of a landing page (ideas welcome πŸ™).

Now that we have hit 'publish', there will be a cocktail of exhilaration and terror. Thanks to all those who kindly answered the questions, and the many friends that gave us tips and advice!!!

Comments

Popular posts from this blog

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a...

WAF versus DPI Firewall

This is a question, I've frequently been asked in recent years and in the last month, o n one of the internal mailing lists, in my old company, the following question was posted – In simple terms, what tasks is a Web Application Firewall (WAF) able to do that a Deep Inspection Firewall can't and why ? by one of my colleagues. Many of you may be surprised (I know I was initially) but this question still comes up an awful lot. Having answered the email (as a warning, I went into a lot of detail and plugged the awesome Security Onion ), I was requested to write a technical blog on the subject, but as I left the company soon after, the blog was never published. Therefore, to save me answering the question again, I thought I’d publish it so I can just reference the link in future J

LinkedIn Emails

Receiving mails via LinkedIn is an interesting experience. For example, how many folk actually personalise "contact requests" - from what I see, less than 1%. I typically try to because I think it shows some thought has gone into the request and it's friendly, but then "manners" on the Internet is a very different thing to the real world, right ;-) Anyway, to the point of the blog post. In early November (2012), whilst I was preparing my Security Onion presentation for IrissCon  (why did I bother when my MBP died on-stage), I received a very interesting and personal email via LinkedIn. The email came from a "Senior International Belief Instigator" (let's call him the SIBI - to save me typing) at Riot Games and the email was literally awesome, it hit many of the key points that you'd hope for in a recruiter email but it also had a wonderful tone. In my ignorance, I knew of League of Legends but not Riot (yes, I am embarrassed by that). I r...