Passion is a fruit
"What if we educate them and they leave?"
"Well, what if we won't and they won't leave?"
"Hi, there will be a big security conference in Helsinki next February. I'm going there. Can I use work hours for that or should I use my vacation days?"
This is how I presented the trip to Disobey to my boss last autumn.
Disobey is quite a unique event, and presentations are not The Thing(tm) for this event, even though they are also awesome. Meeting people and discussions with them are among the reasons to go there.
This year the following presentations made it to my top list. Not all of them will be released on YouTube, but I can recommend any of those which will be released.
- Antti Kurittu: Story of Vastaamo (Keynote)
- Juho Jauhiainen: Losing My Mental Health in Cyber Security
- Jussi Eronen: Vulnerability Handling for the Masses
- Helinä Turunen: Cyber Comms 101 - What to Say When Cyber Hits the Fan (workshop)
- Lea Viljanen: Hacking the Audit Interview
- Lauri Paatero: IEC62443-4-2-WTF?
I also heard a great thought from one of the speakers after his presentation.
"If you are an introvert and hate networking, you should give a presentation, because then others will handle the networking part for you."
Especially Juho's talk about the mental health issues he has faced, and the rock star phenomenon we seem to have here and there, was spot on with my thoughts. You won't very often see standing ovations at tech conferences, but after Juho's talk it happened.
We need people with really diverse backgrounds, but we shouldn't burn them out. You don't need to be the best in every area of cyber security. You don't need to even understand most of them. You don't need to spend all of your free time hacking things or learning new stuff.
My view is that you should find that corner you are comfortable in and become a good player there. Don't try to be the best, because there will always be someone who is better. But try your personal best.
I also think that for most areas and for most persons it's not the best career move to have your first higher education in cyber security. You should learn something else first, and then learn how cyber security can be used in that field.
This is kind of a supportive field, and not the primary thing. No one buys cyber security. People (and companies) want their IT systems to work. They want to shop and handle money without issues. They want to have electricity flowing all the time to their houses (and factories). They want to feel safe when visiting a doctor.
If you don't have strong domain knowledge, it's quite probable that you will fail (and fail hard) when trying to apply security in that area. Just because you don't know the weird (and critical) things in that field.
What you should learn depends heavily on what you are aiming for. A sysadmin background is a great thing if you are into technical security, but not so important if you want to communicate about security. And psychology is probably a critical field to understand if you need to understand how people behave and how we could design systems which are safer to use. What kind of language to use, what kind of user interfaces to have.
What you need in embedded security differs quite a lot from what you need when you are in the auditing or compliance business. Cloud stuff is far from the security awareness training business.
So, strong previous experience is great to have, but in the end, it doesn't matter much where that experience is from. Because there are so many weird niches and corners in the cyber security land. Nevertheless, I still think that most persons should have strong enough technical understanding, because we are dealing with technical stuff after all. We are dealing with computers, and systems. Even when we are communicating with people, we are communicating about stuff related to the usage of technical systems.
If I think about myself, I'm kind of a jack of all trades. I know something about too many things, but I'm not the super guru in any field. But most probably because of my really diverse background, I've gotten "somewhere" in my various positions. Outside of computer land I've been doing, for example, the following things: played with and organized free time activities for teens and scouts, been a board member and chairperson for a few registered associations, done sound/lights/video for countless concerts/festivals/whatever, and read absolutely too much starting already from the first grade. I also played multiple instruments during my teenage years.
But what next? I don't know for you, and not even for me. At the moment I'm working as an R&D product security architect, but I don't suppose I will work there 20 years. Not even 10. What I've known already before, and what this Disobey taught me, is that I'm more of a blue teamer than a red teamer. I like working in teams, not alone. And I enjoy trying to communicate clearly, taking into account who is listening to my rants, and trying to tune my language and message based on that.
One thing I know for sure. I need some hands-on stuff here and there. Not only audit Excels and project management dashboards.
Oh, sorry. Did you wonder how my boss replied? Let's put it this way: I slept in a hotel, and did not have to call a relative and beg for a sleeping spot. And today I spent many nice moments filling things in the travel invoice system. ;)