Explaining my job … gets interesting.
If I’m trying to play it up, I mention that time I climbed a volcano and broke into a federal research facility in order to help secure it against anyone who wants to stop us from studying the stars (love you, Gemini), or that time the Internet was falling down and my colleagues and I rescued and secured NTP — the system that tells almost every computer in the world what time it is. Management types are more interested in my operational roles securing the SWAMP and Open Science Grid. If I want someone to go away, I start boring them with talk of unsafe string operations and propagation of error when agile methods are taken too far and design integrity is lost. Sometimes I’ll just crack jokes about how computers are trying to kill us all … because it keeps me from tearing my hair out.
There are dozens of roles out there to play in information security (also called “cybersecurity” or “computer security”), but I’m something of a generalist. I like it that way because a skilled generalist is needed when there’s an emergency and it’s still unclear exactly what went wrong. This is where I thrive.
The secret to being the guy who gets the call when something horrible happens is pretty simple: be good at something, and have a long history of putting down what you are doing to help the person who just came to you with a problem. People remember who they like going to for help, and while it takes some time and effort, it’s a habit that ensures I have a wide network of people I can call when I need help, and that I get a call when something crazy is going down.
Early beginnings
I stumbled onto the internet when I was a preteen seeking help with a program that wasn’t working, and soon found myself patching bugs for some of the best open source software engineers out there. Don’t be impressed: it was low-level scut work. I made the unclear comments match the code. I replaced all the instances of one function with a better function, making sure that the arguments got rearranged properly. I verified bug submissions and cleaned up issue queues. But, because I was friendly and helpful — making their lives easier and work better — they taught me things. The more I learned, the more free work I could do, after all.
After a short bout as a civilian working for the U.S. Army in mixed technical and non-technical roles, I bopped around between tech startups for most of my early career. By remaining a contractor and focusing on early-stage companies, I was able to work from home (important for a mostly-single mother with a young child) and keep control of my schedule while making a decent income. I also learned that companies check a contractor’s portfolio and tend to ignore her education (or lack thereof), and the decade of development experience and two technical books I’d written by my early twenties spoke volumes.
This lifestyle also put the onus on me to ensure that I was always evolving as a professional: I had to read, to experiment with new technology, to build things beyond my paid work, to speak and write and build my reputation. I didn’t have a supervisor shepherding me along, or a teacher ensuring I had a reasonable set of skills put before me. Given my compulsion to fix things, and to keep life interesting, this usually isn’t a problem.
I have a few different titles, but in the end I’m just a hacker. I figure out how things work, and I try to make them better. I have a preference for emergencies and life-critical technologies and infrastructure. I love hanging out with people who find this stuff fun and interesting — even the beginners — because there are so few of us and building a nexus of passionate people is the start of building a nexus of talented people. Infosec needs more talented hackers.