Managing changes

-

"Change is the only constant in life." -Heraclitus

If you want to skip all the background prattle, and see what this post is really about, just click here. There have been some changes in my life during this autumn, and I want to share them with you, because they may have some impacts on what I will write in the future. 

But let's start from the year 2002, because that's the first time I got paid for playing with computers.

I started my journey as a sysadmin during senior high. For some weird reason I got a summer job as a Java developer, who also had to administer our internal systems and the computers for a 'computer game coffee shop' which was located in the same building as our office. Teens came there to play CS, and we also held some workshops for game development. 

Yes, my hidden and secret past. I have got paid for writing Java. We all have our own secrets! But, that has been my only job, where my duties actually included developing any software, so I am not totally wasted, am I?

During the second year at the university of technology I got a part time job to administer systems in one department, and later for six departments. Winters part time and summers full time. At the same time I was studying RF electronics, and was really heading towards RF systems in mobile environments. I also managed to get one summer job to play with antennas in high end mobile phones. At that time there was a mobile phone company who also had produced rubber boots in the past, and these days seem to get most(?) of their money from patents related to mobile devices. I worked there, but my job didn't include anything rubber related, luckily.

But, then someone noticed that someone had loaned too much money for almost broke people, and we got one of those global money crisis, and this rubber boot company couldn't hire me to write my M.Sc thesis about mobile phone antennas, so I stayed at the university and tried to understand how the research staff could get their computers in so desperate conditions. 

I finally got my M.Sc. degree and started looking some 'real job'. I can say that I sent quite many applications, but they weren't very successful. Until, after quite long and complex process I got a call from the recruiting agency. "Unfortunately I have to say that you got the 2nd place in this process, but...... I have one other place. Would you be interested in this?"

So, I joined a small company with big dreams. Their job ad had so wide and huge requirements that I wouldn't have applied for it if I had seen it. Luckily I hadn't seen it. :) 

That company was responsible for M2M connections and systems for complex industrial environments, and all the real work was outsourced, we just administered everything. When I joined that company, my knowledge of power grids was that there are bigger and smaller poles and the bigger the pole the higher the voltage. And my main job there was to look after the network and systems our customers used to control their 20/110kV power grids and plants.Thus I had to lean many new things, and I had to learn them fast.

I was responsible for the cyber security of those environments, worked as the L2-L4 support for everything and handled more difficult field debugging things. And in some occasions went to brush snow away from the satellite dishes in remote locations. Basically a sysadmin with project manager duties. During summer the field trips were quite often okay, I might say.  But there were also cases when the weather wasn't so 6/5.

A more difficult problem where the mobile operator finally
agreed that their 2G really was broken in this location.  		  




   


 

During this 900 km trip to the various power plants the thermometer showed -25C and the internal heater of our Volvo V70 wasn't working correctly. It was cold trip! But luckily the weather was clear and nice, so at least the views were great!

I learned a lot. And had lot's of fun. We had one physical security related project where the project team was from Israel. One engineer was an Apache pilot with lots of combat hours and who still worked as a flight instructor for those killing machines in addition to working as an engineer. All I can say that he had some wonderful stories. I am not saying anything more, at least not publicly. *grin* And then there was the really devout Jew, who made a five course vegetarian dinner for us at our office. With our help. Naturally there was only a small "kitchenette", so it was an interesting evening! But I have not eaten so good food very often....

 

You can almost hear the history these tools at one hydroelectric power plant are shouting.


Even though it was more than interesting job, the company was too small for what they were doing and how things were organized, and because I was the only guy who really understood how our systems worked, I got support calls even during holiday. And I couldn't never leave my laptop too far. So, after 3 years I decided that I had seen enough.

Luckily a friend of mine sent me a link one day that their company was looking for a real sysadmin. I applied and during the interview they asked 'Could you think about moving to our HQ location?' I came home, asked the same question from my wife and her response was 'When can I start to pack?'

So, we moved to a totally new city, bought own house built in the 60s which we still are renovating, and I started learn security, virtualization, SAN, security, complex networks, did I already mentioned security, ICT budgeting, etc. After a while I got promoted to a team leader of a newly founded internal ICT team, and was basically responsible for the ICT infra of a software company with 300+ employees. Years passed, I learned more, renovated our house, learned more, got a small burnout, learned more, left my team leader duties and became the ICT Manager of that company. 

But something wasn't working. The job was really interesting. The company HQ was located in a fantastic location 8 m from sea, and colleagues were great. But still. Something wasn't working. I had absolutely too diverse job, too much to do and I couldn't concentrate on anything long enough. 

I wasn't satisfied. 

About a year ago my boss asked if I had heard anything about a security event called Disobey. I asked directly if this means that I could go there, and he basically couldn't say no so thus started the countdown for my departure. I am not sure if I ever told him that this was one of the things which made me to leave....

I wrote more about these first months of that journey in the first post of this blog, so go and read from there. If you don't have anything better to do, for example. 

I have thought lately quite much why I am so much interested  in cyber security, and I have not found any real answers for that. But for some really weird reason anything around the security topic really will get my attention. I think one reason is that I want to really understand how things are working, and knowing more about how to break them gives you more understanding about how they really work. All those dirty and juicy details you won't find from the manuals...

There was one problem, though. As I wrote in some earlier post, there are not so many security related jobs in these parts of the world. Luckily I was not in a hurry to get a new job. It is much easier to look new jobs and go to the interviews if there is no real pressure to get the job! I applied to some positions and got some good experiences and some not so good experiences. 

The biggest obstacle for me was, I think, that even though I had done security related things quite much during my sysadmin years, I had never had security as my main task. And with my background (and my location....) there weren't available any entry level jobs I would have even considered. 

Months passed. Then came covid-19 which made things much more "interesting" for a person looking for a new job. Some more months passed.

Until during summer another friend of mine sent me a link. When I noticed which company it was, I didn't even look further. No way I would consider working in that mega corporation. I had heard enough about how things would not work there.

Some weeks passed. For some reason that link still haunted my thoughts every now and then. And finally I decided to check that card. 'I can go to the interview and if for some weird reason things will go forward, I'll decide then. I don't need to decide right now.'

You probably can guess already where this is leading? Things really started to roll forward, and after almost 6,5 years in that software company at 1.10. I got a new badge and a new title. Finally something really related to the security. R&D Cyber Security Specialist for a SCADA software is my role right now. 

I can't speak much of my actual job, but I think I will find things to post. If cyber security is kind of a small niche field, ICS/SCADA/OT security is even smaller. It is so closely related to the actual physical processes that you cannot apply directly all the solutions and ideas from the IT security field. You must have quite good understanding of the physical process those devices are controlling when you are designing the security architecture for those systems.

They say it is really hard to find a good IT security person, but it's some magnitudes harder to find a good security person who understands the requirements in the OT field. So, I think that this was really good move regarding my career, but we'll see how things will go in the end. 

Ps. Changing jobs when almost everyone is working remotely is not something I could recommend to anyone. I was not able to say goodbye properly in the old job and the start in the new job has been not so smooth, because all the coffee/lunch break small talk is not there.

Comments

Post a Comment

Popular posts from this blog

The only constant is change

-
"I'm leaving next week. I'll change to company Y." This comment from my coworker caused quite many feelings and put my thoughts in motion. "Company Y.... Umm... I have heard it few times, and I know persons who have joined them, but I have no clue what they actually are doing. Let's see what their website shows. Oh. They seem to have an open position, which would be a direct match for me." At this point I had been in my position a little less than three years. Those years had been absolutely incredible, from the experience (and also CV...) point of view. When you are working in a global enterprise as the product security engineer/cyber security architect for a product line whose products are used globally in critical infra related use cases, it's quite unique place to gather experience and hopefully also knowledge & know-how.  There were multiple really interesting projects going on, which would give even more experience around how to secure 40 y...
Read more

Passion is a fruit

-
 "What if we educate them and they leave?"  "Well, what if we won't and they won't leave?" "Hi, there will be a big security conference in Helsinki next February. I'm going there. Can I use work hours for that or should I use my vacation days?" This is how I presented the trip to Disobey to my boss last autumn.  Disobey is quite a unique event, and presentations are not The Thing(tm) for this event, even though they are also awesome. Meeting people and discussions with them are among the reasons to go there.  This year the following presentations were nominated to my top list. Not all of them will be released on Youtube, but I can recommend any of those which will be released. Antti Kurittu: Story of Vastaamo (Keynote) Juho Jauhiainen: Losing My Mental Health in Cyber Security Jussi Eronen: Vulnerability Handling for the Masses Helinä Turunen: Cyber Comms 101 - What to Say When Cyber Hits the Fan (workshop) Lea Viljanen: Hacking the Audit Int...
Read more

Hack the Box, CTF, challenges, and ethical hacking (+ some thoughts about courses)

-
During last few years I've bought some Udemy courses when some person has suggested them. Mostly they are related to security and hacking, because that's the high level topic in ICT which interests me most. Yes, I've bought them. And hadn't started any. Until this summer. In the past if you wanted to learn some new skill in the ICT world, you usually attended some 3-5 day long course which normally costs some thousands of euros. Quite costly, too much information in short time span, and it required many days off from work + traveling. Then came the online courses. They cost less, you can follow the videos as you wish with your own schedule and you'll get community reviews for courses before buying them. I'm not fully sure but I suppose that the instructors get some amount of money for every attendee and no one wants to use their money (or time) to poorly made course. Thus every instructor has an incentive to make their course as good as just possible. At the mo...
Read more