There comes a time when you need to look at yourself in the mirror and think to yourself “Am I giving my best? Could I be doing more?”. As I approach 40 I’ve been doing this more and more over the months gone by and all the time, the answer or conclusion has been “No, not even close”. I think once you’re honest with yourself and admit that you’ve a “problem” you can do something about it. My “problem” is that I’ve been missing energy, enthusiasm, direction and motivation to the high standards I set myself as a result of many internal and external factors over the years.
It’s easy to blame others, employers, managers, industry, the weather or any other bullshit excuses that typically get used, but at the end of the day, it IS my fault for allowing this to happen. It is my responsibility now to change things and one of those is to have a good look at what I’m doing, where I see myself going and giving myself a bollocking for getting complacent as it’s not the man I was or want to be.
As such, I’ve decided to take some advice on board as well as identify areas that actually interest me and motivate me. I’ve always excelled in things I like doing so why not aim to do things I like more but as a professional. Thankfully I’ve seen the light in time to do something about it!
Unfortunately this does mean that there are to be some sacrifices. As you’ll already have gathered, my VCDX journey is one of them. I don’t feel as though I even truly gave my full attention to this in reality. Of course I will still continue to support those going through higher level VMware accreditation and do VCDX mock panels but my questions will always be more aimed at the justification for the business requirements and drivers rather than technical. My commitment to the VMware vExpert program will not stop however as it is my first love and I’ll continue to support the community for as long as I’m relevant. To be clear VCDX is still a worthwhile journey so if you’re on this path then do not be dissuaded by my change of direction.
To be blunt, the “tech” used to get my juices going in the past, but I left that behind me a long time ago when I took on the role as a Solutions Architect. It doesn’t mean I will forget all the technical lessons I’ve learned or how or why all the parts of the jigsaw come together. What it does mean is I don’t need to go to the “N-th degree” now as that’s what Subject Matter Experts (SMEs) are for as they are all current with their chosen field of expertise.
It is an almost impossible task to keep up to date with all the latest emerging technology and practices to deep levels. If I need to know something like that now I simply Google the crap out of it or jump on to YouTube and get a crash course or better still, ask others if I need to. The reality now is that time is precious and I don’t have much of it especially as a father to a little boy with limitless energy. What I am interested in now in regards to vendor technology is boiled down to but not limited to:
- What is it?
- What business problem will it accomplish?
- What does it impact on?
- How is it licensed or re-sold?
- What support options are there?
- How much does it cost?
- What others do the same job and what makes it different?
The proverbial “fork in the road” is one that I’ve reached well before Christmas last year when I realised that I wanted to do more in business security, governance and compliance strategies and take my focus away from technology specific accreditation and recognition. So one fork in the road leads to VCDX and other high end technical skill sets and the other to universal business accreditation in security, enterprise frameworks and business level studies. I am taking the latter.
So why security? Much like Business Continuity and Disaster Recovery, businesses are starting to wake up to the fact that actually there are now going to be some explicit laws and governance requiring businesses to protect themselves. GDPR anyone? In the past, it was always a secondary activity or done on a needs must requirement but generally ignored unless they got burned or had a few “boo boos” and learnt the hard way. Now there are going to be real financial consequences to the business if they do not comply.
I think we will all agree that as more and more interaction with the internet goes on with business and personal systems, the threats that exist there and the damage they can cause will only magnify and expose weaknesses. The number of security experts and resources in existence is already falling behind the demand and playing catch up.
My experience within Solutions Architecture and pre-sales work is that I’ve often been fascinated by the lack of security postures and strategies implemented by companies I’ve worked with. I’ve equally been impressed by others that have implemented matured policies and strategies and found much of what they’ve done fascinating. Combine this with the real need to plug this skills gap and start helping business stakeholders start their security journey, then it’s an obvious road for me to take not least because it’s a job role that will be around for many, many years to come of course!
What bit of security will I be focusing on? Well simply put, I don’t want to get my hands on firewalls, penetration testing or code hacking. Nope, I can safely say that is a skill that I will leave to the die-hard DevOps and network specialists.
So I’ll be concentrating my efforts on governance, compliance, strategy and policies based on known and matured enterprise and security frameworks and methodologies. The translation of business and assessment of risks, threats and vulnerabilities of a company will be where I hope to spend most of my time and the appropriate policies and strategies to apply.
In terms of qualifications I’m looking at CISSP from ISC2 to begin with. I’ve read through the exam guide by Shon Harris and Fernando Maymi and think it is an excellent resource to start with. I’ll be taking the exam in June as I think I’ll be ready by then as I’ve been taking on board information since before Christmas and feel this should give me the time to be ready.
Much of what I’ve read so far I already knew from my experience in different roles. Most of it is what I would term common sense but there are some real eye openers in technicalities and structure which will prove very useful indeed. Simple things like trying to understand what information you have is most precious and its classification would be ranging from “I don’t care” to “If we lose it, we might as well close the business” kind of level. It’s very similar to putting in a robust Disaster Recovery plan and Business Continuity plan in certain areas. In fact, this would form part of the availability and integrity sides of the “fundamental Principles of Security triad” and confidentiality would be the remaining side to consider.
In real world terms, you could argue if it’s important enough to back up and/or keep highly available, it’s important enough to secure!
In terms of my day job there won’t be too much change other than that security will be well and truly bolted on in my life and with any luck, advance any existing security teams internal and pre-sales/SMEs by joining them on a full time basis assuming this is accepted. My long-term goals will be to consult specifically within the high level security space with the intention to become a Chief Information Security Officer (CISO) for a large organisation.
My blog will also change too as you can expect, however the articles that are being used by VMware as reference material will remain until such time as they are no longer required as I’ve been given great feedback from you out there as it has been helpful. When it comes to my fellow bloggers at vMusketeers.com I’ll still be one of the gang and input my security thoughts on many topics as well as provide editorial advice back-end to their blog articles which you won’t see unless I comment on it! If you’ve not looked at vMusketeers.com then please do so, the guys on there are very knowledgeable in virtualisation and you’ll find them very useful!
So that’s it. The path is clear to me now and I’ve now set my sights on achieving something that means a lot to me so I now have the motivation to get it done. CISSP here we come. To those that have supported me in my VCDX journey, I thank and salute you and hope you can support me in this new direction too but I doubt very much you’ve seen the last of me!
If you’re reading this and are already established in the security industry then please by all means lend me your advice or help me along my new road.
Regards and well wishes to all.