I recently discussed my ambitions and career goals, and wanted to share some of that discussion here. It gives a little insight as to my interests and the sort of decisions I face as I try to get more involved as a professional and volunteer.
Q: Where do you feel you are in your career, today?
A: I am currently a technical program manager in computer security, for a Fortune 100 multi-national company. I am mainly responsible for vulnerability management and strong authentication. So, I am dealing with vulnerability assessments and pen testing and network security, endpoint security, remote access security and architecting solutions to enable the business in a secure way. This can be quite challenging at times, but it is rewarding. I manage many complex, global projects, but am still an individual contributor, and I don't see my role changing anytime soon. I feel my skills have improved, and my knowledge of security and the business, but I was hired with this job title and pay grade and don't see any chance of that changing.
This is typical of the security function, in industry. I'm not complaining. I am glad I can add value and feel I am being successful at what I do. I just wonder if this is what I am best suited for.
Q: So are you looking to change jobs?
A: I don't think so. I do feel I need to challenge myself, in some way, and I do that by teaching and volunteering, as well as working hard at my day job. I'm a strong believer in lifelong learning, and finding a way to contribute to one's profession and society at large. It would be too easy to give in to my lazy side, and just do what comes easy and coast. I don't feel I'd be satisfied with that choice.
I want to keep my skills sharp, and in my present job I often need to push myself to do that. I could easily get comfortable and go on autopilot where I am, and stay in a silo, and do my job adequately and bide my time until I retire. That's very doable, and it would give me a relaxed lifestyle for sure, but I think it's important to grow as a professional and as an individual.
I've been fortunate to be able to do what I've been doing for the past 12 years. I work for a great company; an ethical company that is a leader at what they do. They are well respected, and right up there with Mom and Apple Pie. They have been very supportive and I've really come to understand how a security organization functions at a Fortune 100 company. I think I've come a long way, from when I came here in 1999 with only university and government experience. It's been a privilege. I've been afforded opportunities to travel to other countries and to see all aspects of a company that's been involved in manufacturing, sales, insurance, healthcare, banking and quite a number of acquisitions and divestitures over the years.
My management seems to appreciate the value of my volunteering and serving on boards and participating in councils and peer groups. I learn a lot from networking and having discussions with peers in CISO groups, and doing all this, but it isn't required for my present job. I do it because I want to maintain currency, and to push my boundaries, and I really aspire to contribute as a thought leader in the security space. It is nice that my colleagues allow me to join in these discussions, even though I am an individual contributor in my present job.
Q: How else do you keep up with trends and changes in the security profession?
A: I try to stay up with technical advances by reading and talking to my peers, and other subject matter experts. I am past the point where I can spend much time deep-diving, and I need to deal with a broad range of issues, so I rely heavily on others for the technical stuff. I also participate in advisory councils and boards and I speak and blog on topics, when I have the time. I'd like to speak more, and write more, but in the commercial sector there isn't much opportunity or support for doing research, so I don't have much that people want to hear about. I am usually left with topics on corporate governance. I've gotten excited about security metrics, this year, and hope to speak more on that topic.
I used to work as a scientist, and I used to speak and write articles all the time, so I do miss that, but I compensate by developing courses in computer security and teaching. I find that is a great outlet for my inquisitive side.
Q: Would you like to be a security researcher?
A: I don't have a real interest in that. I wouldn't turn down an opportunity to direct research, if someone came to me with something exciting, but frankly there are younger and better people to do this. People much smarter than me. I'd actually like to be spending less of my time in the trenches and more time focusing on security strategy.
Q: Are you satisfied working in IT, when you used to be a scientist?
A: I don't consider myself to be an IT worker. I consider myself to be a scientist, an educator and a security professional. I think it's limiting to categorize people. There is a lot of similarity between the mindset of the scientist, who is trying to develop models of how nature works, and then see if those assumptions hold, and the mindset of the security professional, who makes assumptions about risk and then looks for ways to test those assumptions. My background as a scientist makes me well suited to develop logical models and to assess and address risk.
In addition, I feel that my background as a scientist, and my teaching, and the work I do as a volunteer with students promoting STEM education, and my work with the FBI, IEEE and other groups exposes me to many different viewpoints and I think that's important. It gives me a broader view of things, and helps me to consider problems from different perspectives.
Q: What's next for you, in your career?
A: If I stay on this course, I expect I will try to find more opportunities to travel and speak, and perhaps take on some more course development or try my hand at writing - I am just not sure how relevant my experience is to the broader security community. I think I'd be satisfied, but I would probably focus more of my energy into volunteer work and teaching, and maybe take on a more technical role with IEEE and my critical infrastructure protection work. There are certainly benefits to a less responsible day job, and a more laid back lifestyle. It is hard to imagine myself sitting in the same chair, in the same cubicle, for another 15 years though, just waiting to retire.
Q: If you could choose any job, what would it be?
A: If I had my dream job, I suppose it would be one that's exciting and challenges me to always be learning and pushing my boundaries. I'd feel valued and appreciated and feel the same kind of enthusiasm every day as I go to work, that I feel when I am at a security conference, for example. I'd like to be a leader; a decision maker, doing something integral to the mission of the business, rather than seen as just another technical resource.
I'd like to be in a location that was outwardly motivating, and working with lots of people much smarter than me, so I can make informed decisions and maintain a level of excellence in whatever I'm doing. I'd like to have frequent opportunities to converse with thought leaders and innovators. Maybe it would be in a college town, where I'd be able to attend seminars on the latest technologies and research. I think there are many more opportunities for a security professional on the coasts, because that's where the thought leaders are, and where you can interact in person with more of your peers. I am always getting invited to events, but being in the Midwest, not much goes on in our community. That's actually why I got involved with IEEE and became president of our local engineering and science council, so I could try to promote more activities like that, locally.
Q: Tell me more about why you feel that sort of interaction is important.
A: I think it is important to hear from thought leaders in the security field, as well as academia and business entrepreneurs and policy makers. Too often people keep to one group, and don't pay attention to the others. Like I said before, I don't think we can thrive in a vacuum. I think when we expand our thinking, when we hear different perspectives and are exposed to diversity, it can be transformative.