I’ve found it interesting to read about how people arrived in the field information security. Each person has a unique story to tell — no two paths are exactly the same, and some diverge considerably. Here’s my story.
I got off to a non-traditional start graduating from college with a major in English. From there I embarked in a random work history: dry cleaner, bakery, greasy spoon grill, cook, bus driver, book store, D.C. intern. I won’t go into all the details of all that, but I will take a moment to mark what I view as the true beginning of my IT career.
Hired as temp worker writing code in Excel VBA, (that’s right, Excel Visual Basic for Applications), I designed Excel reports that took loads of data and moved it around in a workbook for charts, graphs, etc. This was object oriented programming with a miserable IDE. I would have to plan when and how I made changes because it literally took 1-3 minutes to save. I worked on the boss’ daughters’ computer. I can still see colorful stickers plastered everywhere on the chassis.
I built odd things: reports that changed languages on the fly with the press of a button (within the workbook), an Excel workbook that doubled as a scantron form, and charts and graphs that built them selves dynamically. We delivered reports that ran very complex macros in large corporate network environments. I back to this now and it seems utterly INSANE…from a security perspective.
Getting used to programming concepts literally made my brain hurt. I spent many a lunch break on the room laying in a lawn chair holding on to my head. I also did .NET web development and started writing SQL queries, along with building out reports and integrations.
My next job required that I learn C# and even more SQL Server work. Here’s where I started doing stuff with credit card numbers: encrypting them, storing them, passing them around with APIs, etc. I’m not going to comment on best practices with any of that, but suffice it to say I studied PCI compliance aggressively. I also, learned what audits were like. And I learned about things like check digits, electronic check formats, and electronic check processing. All of this was my introduction to cyber security. It was my first foray into the imaginative world of threat modeling…and where things can go wrong with data.
After that, I took a job that focused primarily on business intelligence. This involved more SQL Server in the form of SSRS, SSIS, and something new SSAS (SQL Server Analysis Services), which is basically an Excel pivot table on steroids (slight oversimplification, but a handy one for quick explanations). Then I did an awkward shift into Oracle’s business intelligence world. This pulled me into data warehouse development and fairly heavy development in OBIEE and the dreaded RPD file. I also did some work around analytics. And, in my spare time, reviewed classes on machine learning.
Through all of this, I remained interested in security, so when a security analyst opportunity showed up, I took it. I landed the job, I think, because of my applications development experience and my full exposure into the world of PCI compliance and threat modeling. Right away I dove into vulnerability management, which has me hitting nearly everything in the environment with packets. In addition to this, I now study cloud infrastructure and security at the same time I study OT/ICS security. And I am working out how to implement both at the same time. These two areas were once incredibly far apart, but in some ways, seem to be getting closer every day.
Through all of this, I maintain a fascination I’ve had with Linux for like 15 years. Every year Linux gets better and better and better.
I also maintain an interest in pen-testing. There is so much learn in this area that it keeps a person coming back over and over again to study new tools and approaches to seeing and validating vulnerabilities. So that’s my story for now. Hats off to you if you read this whole post and good luck on your info sec journey!