“For me life is continuously being hungry. The meaning of life is not simply to exist, to survive, but to move ahead, to go up, to achieve, to conquer.” - Arnold Schwarzenegger
I recently returned from Ruxcon and realised how much I enjoyed the conference and how much I enjoyed making new friends, catching up with old ones and making new acquaintances as well as the variety of talks which I found interesting. It always takes me a few days after to really dwell on events and consider what I walked away with. This year, I walked away with a few things - a clarity of purpose that I don't think I've had in a long time. My attendance this year triggered an epiphany for me that made me accutely aware of where my growing frustrations with certain things in my life. E.g. - what I am doing, what do I want to be doing, what would I rather be learning, balancing that with other personal commitments, financial goals, etc. I think at times, I've also directed that frustration at the wrong people in my life. So, if you read this and realise you've been on the receiving end of me griefing you - sorry about that.
I'd not posted much since my Management vs Technical post as this has consumed a good portion of my brainpower trying to figure out what route I was going to take. I've lost track how many times I've been asked the question too. So I've made the call, although some might call it taking a third option. But more on this later.
Sometimes, the only clarity we get is the realisation of what we enjoy vs what we don't enjoy. Or maybe that's the point and always has been and I'm just a slow learner.
Anyway, here's what I've learned - especially in the past two years in no particular order:
- I enjoy learning both technical and managerial work and will create my own opportunities to learn both areas as I see fit;
- I have realised the joy of working with my hands again (so to speak) doing technical work (after too much time largely hands off);
- I am, and always will be, a self-directed learner;
- If I am ever going the managerial route it will won't be for someone else's business (at least I don't see it today);
- I enjoy talking security to non-security folks;
- I enjoy reading technical security theory;
- I really dislike drawing up security policies (why can't people just people buy the ISO27001 and 27002 standards and start reading??);
- I really dislike "light and fluffy" security work without a strong technical underpinning;
- I really dislike talking security strategy with businesses that have no desire to be strategic or even take security seriously;
- I really want to work alongside my friends doing really, really cool stuff;
- I want my work to leave a lasting impact;
- My attitude and career goals and aspirations really don't fit well into a corporate hierarchy (e.g. my sense of fashion on "casual" Fridays :);
- I have strong anti-authoritarian tendencies - at least for rules that make no sense to me;
- I really don't want to work 40hrs a week in an office away from my family (although I'll gladly do more if I can at least be near them);
- I have business interests outside of infosec that I want to see through (eventually);
- Infosec is a great industry full of always interesting work once you get past the cynicism of most people in it :).
There it is. Perhaps its not much a wish list but its enough for me to give me focus.
My blog for a long time has focused very heavily on what businesses need to do to make themselves more secure. I've arrived at the conclusion that by and large, its not really rocket science (I did admit I am perhaps not the fastest learner). It just comes down to getting commitment and support from the businesses' executive manager and cascading that down. Once that commitment exists, as long as it is staffed by genuinely, well intentioned people that genuinely care about the business, things will improve. Perhaps not overnight and not without setbacks. Hell it may not even resemble anything best practise - but slowly and surely it will. Thankfully, I've been blessed to see this throughout my career enough times to know it to be true. If that doesn't exist or cannot exist, then security is doomed to fail and you're working under that management chain, you should probably GTFO before its too late. Thankfully consulting is a great way to study what you love and help others without being so constrained by those politics. So this lifestyle agrees with me - at least for now. :)
Anyway, thanks to those who helped me to find this clarity. You know who you are. My blog will start to change focus more and more to topics which match my interests. I will still write for cso.com.au - I must admit the time I spent here normally is being invested moreso in my articles there. Nonetheless I think my change in focus will lead to some equally interesting posts here.