2017 has seen me take a twist in my career path. Moving from 11 years working within Technical Infrastructure Architecture and Operations, to Information Security.
The inspiration for this career change came from a few serendipitous sources.
When I joined Moonpig.com in 2014 (having had a fantastic 8 years building my career at Sony Playstation as SysAdmin and Operations Manager) I was tasked with setting up a new in-house Technical Operations function that would help to see Moonpig attain PCI-DSS compliance (as a level 1 merchant with full SAQ-D) as well as further improve their TechOps practices.
Whilst building the new team and dealing with PCI I was fortunate to have the opportunity to work with the talented Luke Potter at Surecloud - who had been engaged as Moonpig's preferred ASV. Spending time with Luke and his team during the course of that year (and years to date in my subsequent roles within the Photobox Group) inspired both the technologist in me as well as the lateral thinker: the vulnerabilities they were seeking, impressive exploits they were able to PoC and deep technical knowledge through which they were able to do this essential work was truly something to behold. It was at this time that I got my first taste of true AppSec and InfoSec workings, and I sensed that I'd hit upon something that would re-stoke the technologist in me in a way that pure technology management was unable to.
As Moonpig achieved its PCI certification, the brand, and in fact whole Photobox Group soon underwent a rapid program of security uplift and investment later in 2015. I was fortunate to now be leading the Group's Technical Operations capability across the UK and mainland Europe, and working alongside the Group Risk team was able to plan and deliver a wide-spectrum series of projects aimed at adding to, and improving the Group's Security working practices, processes and supporting technologies.
As a diverse team we tackled so much in so little time - DoS protection, WAF capabilities, SIEM adoption, DarkTrace, end-point security enhancements, GRC reviews, SOC support built via 3rd parties - and had ethical hacking submissions thrown into the mix as well as a few interesting discoveries by our own Engineers to deal with.
During the final stages of delivery of the program I was fortunate enough, in 2016, to enjoy a two month sabbatical from work with my young family.
We travelled across France, and whilst covering the miles between our stop-overs I began to reflect as to what my next career challenge needed to look like. It was especially important for me to maintain the promise I'd made myself upon leaving Uni that I will always 'get out of bed and go to work for something I care and believe in.' This became especially focused for me when I realised the simple pleasures of having time with my wife and children, and the sabbatical reinforced the fact that I needed a good reason to leave them back home each day if work was to be that draw.
Upon my return to Photobox everything was still ticking along nicely thanks to my Deputy and team keeping on top of things - Operations were operating - and so I offered my resignation as a means of giving myself the kick I needed to find that 'next challenge' and to ensure I was still useful to the business. Dominic Cameron - my truly brilliant and gifted boss and Group CTO at the time - smiled and reminded me there was still much to do, and later shared that the Group intended to further invest in Security through the hire of a new CISO.
I threw my hat into the ring instantly (over a HipChat conversation with Dominic from Valencia if I recall) and what followed was a somewhat bumpy journey for me. Long story short, I didn't become the CISO. However, I did get offered the chance to become the Group's first Senior Director of Information Security, and deputy to the new-hire CISO.
The CISO they chose was Dinis Cruz, and when we first met we simply hit it off. He's a hardcore AppSec specialist, with razor-sharp engineering chops and an energy and work ethic that complements our Group perfectly. He's also an enthusiastic mentor, and I felt assured that staying at Photobox to support the Security initiative under his guidance would be a great next career move.
Dinis and I soon realised we could start to build a function for the Group that saw him focusing on being CISO and the 'AppSec' areas of what we aimed to create. I would focus more on the InfoSec/SecOps side of things - bringing my experiences from TechOps, PCI-DSS and more to the party.
And so here I am. 'Day 1' you could call it (I know those Amazonians out there might...). A new career path, brilliant support from the Group and learning opportunities I could only dream of.
This personal blog has come about through my wish to share my learnings, no-doubt naive discoveries, thoughts, proposals, achievements and reactions as I find my way along this new path.
Forgive the blunders, but better my views, comment on my thoughts and help me to open source my career as it steadily begins to unfold in front of me.
Even in the year since my decision to pursue this path, and the two months I've now officially held my new position I've met some amazing new contacts - ethical hackers, black hats, hostage negotiators, CISOs from many walks of life and industries, social engineers, legendary founders and secret service operatives.
Without name dropping - they know who they are - I want to thank them all for encouraging me to take this step, and I hope to be able to repay the favour by contributing to the increasing pool of knowledge, debate and progress we all aim to make in this field.
Great post! It's really brave to share your views like this :)
I'm looking forward to reading the next 50 posts :)