As mentioned briefly in this blog, I’m relatively new to the profession of security as a full-time gig. I love this field of work and as I’ve excelled at other ventures, I think I’ll do great here too. Wrapping up the old year and ringing in the new has me thinking about what went right in 2008 and what I need to focus on in 2009 for improvement. I suspect these same things can help others out there, so I’ll share my thoughts.
2008 saw a big change in my life. I moved to a new part of the country and moved into a new career which I feel passionate about. I think I made some pretty substantial improvements in my balance, integration and separation of work and life and my primary focus in 2009 will be to continue this. A big contributor to this movement for me has been the book, The 4-Hour Workweek. If you haven’t read it, please do yourself a favor and read it. It may not change your life, it may not be realistic for you in your present place, it may not even represent how you want to live, but the ideas in that book will expand your ideas about what work can be. If you are a workaholic and love it – don’t read the book. If our momentum in life is like a flywheel (an idea discussed at length in Good to Great with respect to company success) then The 4-Hour Workweek was the single largest push to that flywheel I saw in 2008. I’m looking for other similar opportunities in 2009.
With respect to security, in 2008 I was thrown into the lion’s pit to establish an InfoSec program at a fast-paced start-up. These sorts of situations are the ones that I excel at. I am not the guy who moves slowly and methodically and spends years getting it perfect. I believe in evolution and the constant questioning, revisiting, and improving of process. I believe the more consensus the better but I’m happy to move on without input if others don’t have time or interest. This year I think I made good progress, but I also think I could do better in 2009 and I will. I put a few policies out there, purchased a few tools, and established myself in the company as “the Security guy”. These are all good basic steps, but if I’m going to make this thing stick I need to make this thing pro. 2009 sees me focusing on BCP planning, creating actionable security analysis tools and putting some real awareness in place of our present security posture. It’s great to say you have a security team in 2008; in 2009 the plan is to turn this into a business unit that contributes to the bottom line instead of consuming it, if only through preservation of revenue and avoiding risk.
Lastly, I plan to further develop my own brand and do what I can to contribute to the security community at large. I may be new to a formal security role but I’m not new to security, nor am I new to common sense. I’ve been doing network and system administration for over ten years and security is an informal part of those jobs every day. To this day still, the individuals who do this work are where the rubber meets the road for security. Audits and policies are necessary, but the everyday decisions which impact your security posture are made by the technical guys who are not on the security team. I am focusing on the technical aspects of security, understanding better the tools and techniques used to audit and attack systems and networks, and understanding better how to educate those individuals who work in these areas every day. I’m looking for opportunities to volunteer with local chapters of security organizations like ISACA and ISSA and I’m continuing to develop content for this blog, which I intend to make more and more valuable.
To those of you out there who may read this, I challenge you to do the same. Make 2009 a year of growth and investment in others. These economic times make this all the more important and fully justify investing in yourself but may not make it clear why you should invest in others. We don’t get anywhere alone; just think about that for a minute and you’ll agree. Invest in others; it will pay off.
Happy 2009 to everyone out there.