My Security Journey

Hi I’m David and I love working with technology.

Back in the olden days I was fascinated by a project where in elementary school where we would write letters to pen pals in a different city’s school.  What was special about this project was that the letters were written on a computer and then all the different letters from students were mail merged together and sent through a modem at (300 baud!) to a bulletin board service (BBS) where schools would connect and retrieve their letters.

I was captivated by the process to get these letters from point a to point b.  Putting all my classmate’s letters together.  Retrieving the Hayes modem out of the computer closet. Plugging it into the port on an Apple 2E and into an actual phone line.  Making sure the terminal software connected to the right place.  Inputting a phone number and gobbledygook strings to make the connection happen.  Hearing the high pitched whines and static from the modem speaker, negotiating the connection. Seeing the system menu of the remote computer system and putting our written words into the ether for others to retrieve.  Just the fact that I remember this 30+ years later shows how impressed I was by this.  The computer lab at my school became my early morning and after school hangout.  I wasn’t the most popular kid in school by a long shot.

At the same time, envisioning making a career in computers was neigh impossible.  I was great at remembering facts and figures for history, geography and economics classes.  I was a student who couldn’t wrap his mind around mathematics.  I went to summer school, got tutors but my math grades were just barely passing.  That being said, I kept being told, how can you be so good with computers but so poor at math.  Without math, I was advised there was no way to go into computer science and work with computers as my career.

When it came time to go to college, I had barely passed a 10th grade advanced math class in addition to my regular senior math class.  So I played to my strengths in the social sciences and with the guidance councillor’s help ended up in…. a political science program in college to hopefully go to law school.  Funny how at 16 years old you’re supposed to take decisions as to how the rest of your life will be shaped

Suffice it to say, I had a mediocre college career and didn’t see much of a future.  I bounced around in different jobs until a friend of mine helped me get a gig doing internet tech support at an Internet Service Provider (ISP) just after Y2K.  It was glorious, staying inside in air conditioning, working on computers, helping people out with their problems to get connected to the internet.  It was heaven compared to what I was doing before.  I made some really good contacts there a lot of whom I still reach out to today.

Now you might be asking yourself, that’s all well and good – But what does that have to do with Security – I’m getting to that.  A little less than a year into tech support, I was promoted to a network operations job.  I moved to Toronto and set up a new life in a new city.  I’d be one of the people responsible for making sure the ISP network ran correctly from a data and voice perspective.  Glamorous – I know.  Since I was the low person on the rotation I got the worst jobs.  Calling people to follow up on tickets.  Entering new phone numbers and calling cards into the voice switch (DMS-500 FTW), testing long distance terminations to places like China and Russia at silly hours of the morning and evening to see if they worked.  I soaked it all in and I loved it!  I learned so much of the basics of networking in this job, not just TCP/IP but voice switching as well.  Imagine my shock when someone opened up the menu to change long distance terminations to a better provider than our usual cut rate providers or troubleshooting voice T1 circuits, putting an actual physical loopback plug on a patch panel and seeing all the channels respond back.  It was long but I learned so much about how networks interconnected from a voice and data perspective.

Eventually I got to travel and install all this equipment in datacenters all across Canada and the US.  I had just come back from the facility 60 Hudson in NYC in the late evening the day before 9/11/2001.  I was watching the video footage on a day off I had, I thought it was a video game.  I had woken up late, turned on the TV to see lower Manhattan covered in soot and dust.  This experience stayed with me.

I stayed in the NOC at this ISP for 2.5 years and moved on to another ISP in an engineering and planning role where their value proposition was installing fiber optic connections in office buildings and selling 10 and 100 Mbps symmetric ethernet connections to companies in the building for the same price as a ADSL or cable modem line, IN 2003!!!  It was a wonderful time building out networks and getting folks on net.  Again, I learned so much about core networking, peering to other companies and how to setup a router to create L2TP connections for ADSL clients.  Unfortunately, a lack of experience on my part in the finer parts of business – really did the network always have to be up when we wanted to experiment, yes yes it did.  Just remember kids, spanning tree is important no matter if the client says they don’t want to pay for ‘extra’ packets they found on a network sniffing tool.  Rebooting core switches during the day for code upgrades without warning because a fault was found, also a no-no.  I had become something crazy, a functional alcoholic at night and waking up early to go back to work crazy hours to do it again the next night.  I got laid off after making many stupid decisions and returned home humbled and burnt out.

But from the ashes a phoenix rises again.  This time some friends reached out for a networking expert to join their growing security firm.  They had security knowledge but were signing large enterprise customers to do SOC work and consult on firewall and IDS/IPS managed services.  I knew the routing and switching part, I picked up the security part pretty quickly when on the first day I was asked to join a meeting with the Juniper Networks Sales Engineer to demonstrate their newest firewalls that we were going to start selling to our biggest customer within a few weeks.  I have never learned as much about people and process than in this first security job.  Lets understand in 2005 security wasn’t exactly the buzzword inducing craziness it is today.  I picked up a lot through osmosis and seeing other wonderful security professionals do their jobs and work with folks to get to the crux of problems in security.  I also got to travel all over the world and experience many new cultures.  From Tianjin China to Toulouse, France to Phoenix, Arizona, Green Bay, Wisconsin and many stops in between – it was one of the best times of my life consulting on major security projects, meeting great people, learning how different companies get things done.  This is still the way I do things today.  If anything, to stay humble, ask questions, be respectful and collaborate fully with your peers.

I’ve been in a few other places since then, I’ve picked up more than a few certifications and went back to school and completed a degree with a concentration in network operations and security and am working on a graduate degree in cybersecurity.  I’m at management level now, so I don’t touch equipment as much as I used to but this is another discipline to learn and get better at.

If anything I can recommend these would be the top 5 maxims:

1. Put in the work: The best way to learn is by doing something.  Labbing, trying things, soak up the knowledge from your work colleagues.
2. It’s OK to fail:     Reflect on your mistakes, realize what went wrong and how you would do things differently.
3. Keep learning:   Use the resources at your disposal, books, computers, cloud, break things and fix them.  Understand concepts deeply.  Security changes so quickly from one day to the next you have to stay up to date or else you’ll be a relic.
4. Stay grounded:  Don’t fly off the handle if you can avoid it.  Complain about problems at the beginning of meetings but try to quickly move into ‘solution mode’.
5. Be positive and set an example for others: We all have off days, but if the positive days outnumber the negative ones then you’re still ahead.  Take time for self care, take vacations, meet new people, sleep in once in a while.  Nothing worse than being the guy who’s always ‘At Work’ in all situations.

That’s enough for now – If you made it this far, more power to you.  If you have experiences to share, put them in the comments I would love to hear how people got into tech, cybersecurity and risk management.