Back in 2018, I was fortunate enough to join a company called Expel. It had a great culture, friendly management with a real desire to do what’s right for customers and employees, and a product that seemed to fill a real need – and to fill it well.

Being remote friendly even in 2018, we were ready when the pandemic hit, and it seemed like we made it out the other side unscathed. But then we hit some snags, and in June 2023, I got laid off, along with 10% of my co-workers.

This was the first time I’d ever been out of work – I’m not sure I’ve even taken a vacation between jobs. At first I was a bit terrified. But they offered a good severance package, I had some savings, my wife was employed, and I have a very supportive family. So I tried to make the best of it.

Taking a Gap Year

Mostly, I’ve been doing things around the house for myself and the family, and getting some rest (in InfoSec, everyone is always a little burned out). I’ve given a lot of volunteer time to the Boy Scouts – including staffing leadership training courses, spending multiple weeks at camp, and other efforts.

I’ve done some job hunting, but it’s been discouraging. The industry continued to have layoffs all through 2023, and even into 2024. So, like many others in my position, I send out applications, but get very little by way of response.

Overall, the break has been good for my mental health. Though it’s been frustrating, demoralizing, and, yes, sometimes depressing, it’s not been a bad year, exactly. Just… very different. I’ve been extremely lucky that I’ve had such great support, and the opportunity to spend time helping a cause I believe in.

Time to make the donuts…

I’m finally finishing up with my latest round of volunteer work (building and running a new scout program at summer camp next week). Which means…it’s time to get serious about getting back to work.

I need to poke my head back up, raise my profile, and most especially, start reaching out to people. Which I’m terrible at. If you start talking with me, you may find it hard to get me to shut up. But starting that conversation, especially when it kind of comes down to “Hey, got any jobs I’d be a fit for?”, is something I’ve never found easy to do.

Hence: This post.

What do you want to be when you grow up?

That’s the big question. It’s been difficult just putting into words exactly what I’m looking for. I’ve thought about this a lot over the last year, and I’ve come to the realization that there’s no single, or simple, answer. There are several things I’d be happy to do, some of which don’t even fall into the Information Security world.

So instead, let’s take this from a different angle: If this is a Choose Your Own Adventure (which, after all, it is), what are the plausible ends to the story? From most desirable to least:

Unlikely

  • Expel sells for a bajillion dollars, and we retire off my stock options. Plan B: Win the lottery (Note to self: buy a lottery ticket).
  • I become a successful independent developer of web-based services and iOS apps (or do the same for an employer, but that seems even less likely than making it as an indie).

Good Sweet Spots

  • Manage a security team in a company that recognizes the importance of security.
  • Help a small company build a security program, then run it for a couple of years. Rinse, repeat.
  • Work for a larger company, supporting management of a security team, improvement of architecture, security operations, etc.
  • Consultant to help lots of small companies start building security programs.

Out of the Box Ideas

  • Escape the security industry altogether. Work for the local or state government, or non-profits, in areas like infrastructure, parks, etc. Doing what? Really, anything, if the pay is good enough (which, unfortunately, it probably wouldn’t be).

If I HAVE to…

  • Security Operations - managing AuthN/AuthZ, monitoring endpoint security tools, handling bug bounty submissions, incident response, etc. The day-to-day grind of just doing security.
  • Application Security Testing - I used to do this at NCC Group, but I’m not sure I want to go back to that. When it’s fun, it’s great, but most of the time it’s just not my cup of tea anymore.
  • Working in a SCIF - I live in Northern Virginia, and can probably get a job back in the government CyberSecurity contracting world. But I spent half my career there, and like App Testing, I’m not sure I wanna go back.

Absolutely Not

  • Cryptocurrency or generative AI. If someone has a legit approach to AI for inference and discovery (with citation-supported analysis, traceable confidence levels, verifiable sources, etc.), then that might be interesting. But overpowered Markov chains don’t really float my boat.
  • Disruptive startups in exploitative industries (gig work, etc.).

General Thoughts

Red vs Blue

Unfortunately, so much in this industry seems to be either Red Team (breaking stuff) or Blue Team (protecting stuff). I’m really at my best somewhere in between: helping to enable every employee to be as secure as possible, while not sacrificing productivity. If there’s a term for this, I haven’t stumbled on it yet (though I’ve been kicking around ideas for a talk to better describe this concept).

What do I find challenging?

When it comes down to it, my most enjoyable work has related to building something to address a problem. The “something” could be a spreadsheet with crazy macros, a python script, a full web-based proof of concept tool, a research paper or presentation, a training course, or even a wiki full of process and procedure. The end result is: There was a gap, I figured out how to close that gap, and now the company can keep it closed in the future.

The best solutions are those with long term benefits – supporting corporate memory, repeatability and consistency of a process, efficiency of delivery, etc. Not just solving for the specific, immediate case, but solving the general problem, and doing it right.

I’m excited by the chance to figure out how things work (see also: all the conference puzzle contests I’ve won, and my deep dives into various Apple features and the 1Password architecture). My most memorable AppSec testing moments weren’t about finding obvious catastrophic bugs. Instead, they built on understanding how the system worked, and finding subtle tricks that can be wedged into more serious attacks.

I’ve always loved programming, ever since I was a kid. But I’ve never done that “professionally,” and I suspect I’d probably hate how modern programming is done. I’m always looking for a way to sneak in a little python hacking here and there, just to keep those skills from turning to complete mush.

Finally, it’d be great to present talks (or blogs) about what I’ve been doing and learning lately. I feel that sharing ideas and discoveries within the community is essential to the long term progress, and success, of almost every aspect of InfoSec.

Management, or Individual Contributor?

I’ve always been an Individual Contributor. I’d greatly appreciate a chance to put the leadership and project skills I’ve been helping teach, into practice for myself.

I believe my knowledge and experience could help me with basic project (or team) management, though I’ve never held such a role formally. I can imagine a position where I look at a problem, identify requirements, sketch out a solution, and then find the best way to make that solution happen. Many of my interests and experience touch upon that process, but again, I don’t know if it’s something I can just jump into at this point.

Is it telling that I actually set up Confluence and Jira for use at home?

Project Management is just one example – I’ve seen more than a few jobs that look really intriguing on the surface, and scratch several itches, but because I didn’t have specific experience in that particular combination of work and skills…I’m not qualified.

A title, by any other name…

My last job was Senior Security Engineer, and the job before that was also “Senior level.” I’d been working largely at a Principal level for a couple years, and was working with management to make that official when the layoffs came. So the obvious goal is some kind of Principal Security Engineer.

Or Architect? I probably lean more towards Architect (identify the problem, sketch out an approach, design a solution) than Engineer (which may be more focused on actually building, installing, and running the solution). But again, my experience never includes “design,” per se, so it’s hard to justify such a switch.

Some companies have an individual contributor level that’s beyond Principal, with more independence and a wide-ranging “just help us get better” brief. When I was at MITRE, that was called “Fellow.” I think other companies have called it Technical Director. I’m not there yet, but if I can’t break into project or team leadership, that may be my long-term target.

Ultimately, the title doesn’t really matter as much as the work behind it, but it sometimes seems like this is a pretty structured industry, so maybe starting with a title in mind could help my focus.

What kinds of companies?

I want a job that’s challenging, interesting, and provides room to grow and learn. This doesn’t have to be a security job, or even in the security industry. It’s important that I support a company with a mission that helps people, rather than simply works to enhance shareholder value. Organizations that:

  • Provide security or related services (especially if they make things easier for smaller companies, or for individual consumers)
  • Produce products I use frequently, and admire or appreciate
  • Support a public-facing mission – certain government jobs, non-profits, or NGOs
  • Scratch nerdy itches – transit, mapping and GIS, infrastructure, parks, knowledge management, renewable resources

I want to avoid companies that are all about chasing growth, supporting exploitation of workers or consumers, or focusing solely on consumerism, advertising, or cryptocurrency. If the company culture is about improving the bottom line, then I’m probably not going to be interested. If it’s about helping others, then I’ll want to learn more.

Office? Remote? Hybrid?

I’ve grown accustomed to working from home – I did so for several years at NCC, and pretty much since the pandemic hit until the layoffs came. But I’m also willing to work in a hybrid office, if that office is a short commute away. What I really don’t want is an hour commute, each way, every day of the week. That’s just… Hard No.

I’m also hoping to avoid frequent travel. It was fun, once upon a time, to hop across the country helping different customers, but now I just want to focus on solving problems, from a comfortable and familiar environment.

Bottom Line (at bottom)

I’m looking for a role, at the Senior or Principal level, with opportunities for problem solving, long-term process building and planning, and the ability to make broader, strategic contributions. Something that’s challenging - new and interesting problems to solve, not simply building and running the same old solutions every day.

The ideal position would not be offensive (red team) or purely defensive (endpoint monitoring or incident response), but in the middle, influencing and enabling best security practices across the company.

I would eagerly welcome a chance at team or project management. I’ve had no formal experience in such a role, so this would likely have to begin at a small scale. However, I do feel this is in line with my skills and experience, and would be an excellent growth challenge.

I prefer remote (or local hybrid) work, for a company with values I can respect and admire. I want to help my employer, individual consumers, and the industry, to progress to a more safe and secure future.

How do I get from here to there? I’m not exactly sure, but would greatly appreciate any contacts, tips, or help getting my name in front of people.