13 Security Pros Share Their Most Valuable Experiences
From serving as an artillery Marine to working a help desk, a baker's dozen of security pros share experiences that had the greatest influence on their careers.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltfbe2d3842b9e2a59/64f0d395923ffe1bce5775e8/ExperienceIntro.jpg?width=700&auto=webp&quality=80&disable=upscale)
There is no one-size-fits-all approach to building a security career, as evidenced by the diverse range of educational, professional, and personal experiences that its many practitioners have.
It's also impossible to predict which projects will teach you lessons you'll use in a future security role. You could learn to better communicate with clients while working a help desk, or maybe you could gain the confidence to present your first security talk from a mentor at one of your first jobs.
When asked about his most valuable experience, Yair Silbermintz, lead backend developer at Aon, pointed to the time he implemented a new OAuth provider from scratch in an earlier role. He had implemented authentication before in a couple of systems, he says, but typically that involved wiring premade components or tweaking a small part of the authentication scheme.
"There were definitely roadblocks and also just a huge amount of small features I never really thought of the importance before," Silbermintz says. "Things like a nonce, which was just noise to me before, suddenly played a key role in keeping it secure." There were several items, he says, that he had "glazed over" as a developer but that each covered a pitfall in the auth process. He walked away from the experience knowing he could no longer ignore small features.
"If someone asked me for something small, even just a random string added to the end of a payload, I needed to fully understand why," he continues. "That extra level of understanding that I go for when working has really shaped my career."
We asked the cybersecurity community which experiences have been the most valuable in teaching them lessons they carried throughout their careers and what those lessons were. Here, 12 more infosec practitioners share their responses.
What was your most educational experience? Feel free to share your thoughts in the Comments section, below.
(Image: Kasto - stock.adobe.com)
Mark Orlando, CTO of Raytheon Cyber Protection Services, points to his time as an artillery Marine: "[You] never [have] enough time or resources, you won't always like the outcome or agree with the larger strategy, but you have [to] be a master of your domain and do your part no matter what," he says.
The experience taught him to be both flexible and humble, "as there is always someone better/smarter/stronger than you." Serving as a Marine "has saved me a lot of frustration in cybersecurity," Orlando says.
Early in his career, Brian Vecci (photo, left), field CTO at Varonis, spent two years working on a help desk. He calls it his most valuable experience, "bar none." Being tasked with building and configuring equipment, troubleshooting hardware and software, and working to provide a strong end user experience taught him to know how things fit together and where potential security gaps exist.
"I believe everyone should work on a help desk at some point in their career," Vecci says. "It helps you understand technology, business, and the unceasing ability for end users to break the unbreakable, which is exactly what attackers will do."
Allan Liska (photo, right), threat intel analyst at Recorded Future, also cites the help desk as a valuable training ground. "It helped me learn to listen to the problems that employees were experiencing, how they tried to work around those problems, and how to work with them and other departments to help solve those problems."
(Images: Varonis, Allan Liska)
Before she became corporate vice president for Microsoft's cybersecurity solutions group, and before she entered the security space, Ann Johnson was a healthcare specialist at Data General. There she learned to understand network architecture and storage architecture, building skills she later applied to her security career. The division where she worked configured the storage and network its healthcare system ran on.
"Understanding how the fundamental architecture worked helped me understand how to secure the architecture," she explains.
Later on, when she was hired as a PKI specialist at RSA Security, she took architecture principles from storage and networking and applied them to how PKI was architected. The same lessons helped her when she went on to lead RSA's global online banking and credit card fraud business. While she didn't touch on network security, knowing the building blocks of architecture helped her understand the nuts and bolts of how risk engines work.
"It's all about the architecture," Johnson says.
Jeremiah Dewey, senior director, managed services, at Rapid7, learned the delicate balance between technical expertise and communications skills during shifts contracting for the military in a security operations center.
"Sure, we saw some intense attacker campaigns and all the trappings that go with them, but what was most valuable to me was seeing the vast network of people and processes needed to keep large networks safe," he explains. "It is an intricate framework that is not simple at all to navigate, and no one job is truly more important than another."
It's an environment where each incident can -- and often does -- become a crisis, Dewey says, and managing that crisis through process and clear communications "is just as important as having the right hands on the keyboard." The balance between technical acumen and communications becomes more important the higher up the chain you go, he adds.
A humbling experience early on is valuable regardless of your field, Dewey points out. "Pulling a 3:00 a.m. shift definitely keeps you grounded," he says.
Early in her career, Limor Kessem (photo, left), executive security adviser at IBM Security, was learning the intricacies of financial cybercrime when a high-ranking officer with the same employer instructed her to go replace him at a conference where he was scheduled to speak.
"I was shocked, scared, and did not believe I was up to the task," she says. He wrote her a bio, which she says she "would have been way too modest to ever write, but which was definitely true by then," told her he trusted her, and sent her on her way.
After a successful talk, Kessem continued to speak at security events. "From that day on, I would pick up the conferences that mentor could not get to," she says. "I gained a lot of experience, and I never stopped since. If it wasn't for him, I doubt I would have ever dared do this in this lifetime."
Similarly, Annabel Jamieson Edwards (photo, right), manager at Accenture Security, gained confidence from Accenture mentors ahead of presenting her research on ransomware business operations at the Executive Women's Forum national conference in 2017. With their help, she says, she was able to successfully deliver her first-ever conference presentation to 500 of the industry's leaders and practitioners.
"Coming from a non-STEM background, it was probably the first time that I truly realized the importance of my skill set among my highly technical peers in the cybersecurity industry," Edwards says. From there, she was driven to become more involved in the threat intelligence community and, within the next year, traveled to present at Code Blue, Asia's largest hacking conference, and the European Space Agency.
(Images: Limor Kessem, Accenture Security)
After he studied psychology at a university, Marc Rogers, vice president of security strategy at Okta, went on to become a bouncer in Manchester, England, in the 1990s. The job, combined with his course knowledge, taught him a lot about human behavior, and he says many lessons from the experience remain relevant today.
"Not only did it teach me a lot about physical security and understanding real versus hypothetical risk, it also taught me a huge amount about human-centric attacks, such as social engineering," says Rogers, noting his experiences have been "instrumental" in understanding human behavior during incidents.
Building a team is "the most exhausting, most frustrating, and, ultimately, most rewarding process," says Emily Wilson, vice president, research, at Terbium Labs. As new brains join the team and ask questions that have never been asked, you're forced to see every crack in the process and every gap in your own knowledge, she explains. It forces you to slow down and evaluate, then re-evaluate, your strategies for information sharing, building on different concepts, and communicating with the team.
"It forces you to stop and ask yourself what's really important, what matters, and what success looks like -- and then asks you to articulate that, clearly, repeatedly, and patiently," she says. "It requires you to problem-solve constantly and work the puzzle of another person's skills and experiences."
And just when you think you have it figured out, you hire someone else and the process starts again with new questions, mistakes, and challenges. "It shakes things up; it keeps you on your toes," Wilson says. But, she notes, it's worth it when you see someone you've been working with finally succeed and come into their own abilities.
Building new skills is useful to security pros, but so is sharing them, says Brian Warehime, principal threat researcher at ZeroFox.
"The most valuable experience for me over the years has been building projects that benefit the open source community and fill some need or expand on something that's already been done," he explains. When learning a new skill -- for example, Python -- he incorporated real-world projects into his training and built things to reinforce the skill and give back to the community.
In cyberthreat intelligence, for example, he aimed to build tools people can use and share. "Releasing these tools and seeing people actually use them was awesome and incredibly rewarding to me personally, but having people use these I would hope benefited them too," Warehime says.
A valuable experience in the security career of PAS Global founder and CEO Eddie Habibi came during his first gig as an independent OT consultant. He was in the control room of a refinery on the Houston Ship Channel, working on the design, configuration, and commissioning of a Honeywell TDC3000 control system at a Fluid Catalytic Cracking (FCC) unit. The unit had a capacity of some 100,000 barrels per day, or more than 130,000 gallons of oil moving through a large pipe every hour.
One day, a "reversal at the fluid unit" prompted a near disaster at the control room, Habibi says. While the operators brought it back to a safe state, an incident investigation showed a simple typo had been the cause. An operator had entered 97% instead of 9.7%, causing the slide valve to move far more than intended.
"It was clear this was an unintentional and plausible human error, the kind of error that can happen to anyone, even when performing critical tasks," he says. "But the potential impact of it was not lost on me." The incident reinforced his enthusiasm for operational safety, and Habibi has since focused his career on the operator's role in hazardous processes.
"The ultimate goal of an OT cyberattacker on a processing plant is to move molecules to places they are not designed to go, furthermore causing accidents that destroy assets, create unsafe conditions, and harm the environment," Habibi says.
Shuman Ghosemajumder, CTO at Shape Security, helped develop the Google AdSense network, which grew to become a multibillion-dollar pay-per-click advertising business over a few years. Along the way, his team learned firsthand how quickly criminal groups could adapt to new technologies.
"Helping build the AdSense network at Google in the early 2000s taught us a lot about the ingenuity and speed with which cybercriminals could evolve," he says, explaining how the team saw sophisticated click-fraud attempts, both automated and manual, from all over the world.
"We had to proactively and creatively invest in new approaches and technology, including very large-scale machine learning systems a decade before the current industry fascination with AI [artificial intelligence] and ML," Ghosemajumder says. The lessons learned helped inform future strategies for protecting against fraud and abuse.