Yesterday we had someone at our home to look at replacing the front and back doors. The rep for the company was exceptionally personable and we probably spent more time with him than the simple transaction of selecting and ordering new doors for our home warranted, but my wife and I are "people" people so we enjoyed the conversation and engaged with this young man. He told us about his life, how he came to Canada by way of Israel and originally from Russia. How his first main job here was actually working in immigration to make it easier for people to come to Canada than it was for him (a bit of a shocker in how long it took and how much it cost, to be honest) and how he rather randomly ended up as a rep for a door and window installer. It was rather fascinating to learn more about how he got here, how he viewed Canada coming from both Israel and Russia, and how he feels his life is improved living here (another reminder of why I'm a grateful Canadian!).

What was interesting though was last night, after my daughter's new super-energized kitten (Herbert) went to bed and I could enjoy a glass of wine in peace without our new feline Edward Scissorhands taking to my legs, I began to think about my own career journey and what got me here and, as I'm sure many folks randomly do every once in a while, I stalked myself online to get a sense of history that under normal circumstances I wouldn't think about or remember without prompting. Apparently I am so full of "today" stuff that I forgot about the "what got me here" stuff.

It started with a search for my name and Annvix on Wikipedia. Not a lot there, but it did remind me that I had devoted 5 years of my life to a security-focused Linux distribution based on Mandriva, the last version of which was released over 12 years ago. I actually had no idea that it had been reviewed on probably a few months after the last stable release and a few months before I decided to call it quits with my last commit on April 10 2008 to 3.1-CURRENT (the last stable release was 3.0-RELEASE on Feb 3 2008), so it was interesting to find a review of it over a decade later.

(I think one of the Sun Fire X4100 machines in my rack still has Annvix installed on it and I bet if I fired it up it would boot... with no idea of what the passwords might be!)

Some of the other references on Wikipedia were to articles I had written for TechRepublic. When I looked, there were 28 pages consisting of 286 results, with articles from Feb 2000 to June 2011, mostly Linux-related, but the last few years had a bunch of Mac-related articles as well. Looking through the list of things I wrote about was a definite trip down memory lane, as I used my writing for TechRepublic as an excuse to learn about new software so that I could write about it. Anything that looked interesting merited a review or how-to.

Coinciding with that, I also stumbled across a joint Debian, Mandrakesoft, Red Hat, and SUSE response to a Forrester Research report that claimed Microsoft Windows was more secure than Linux, which was also noted in a ComputerWorld article, back in 2004. Sadly, despite looking, I couldn't find the original report, just a number of articles discussing it. The Forrester Research site only appears to retain reports back to 2006, otherwise I would link to the original report.

Never would have guessed in 2004, when I co-wrote that statement with Mark Cox at Red Hat, that he would end up being my boss 5 years later when I left Mandriva for Red Hat in 2009.

In fact, when I started writing for TechRepublic, I was a volunteer packager for Linux-Mandrake (at the time) -- akin to a Fedora contributor today. I quit my job (in bill collections) and started my own consulting company, predominantly writing for TechRepublic and a few other sites, and it was that period of volunteering and writing that got me the gig at Mandrakesoft, as a documentation writer and packager (by invitation, I never applied for a job). It wasn't until about a year later that I started doing the security work at Mandrakesoft, preparing updates for users of Linux-Mandrake to correct the (then-rare) security vulnerabilities in our products. At this point in time I had pretty much zero security skills and, as security in software slowly came to the fore, emerging as something we really needed to pay attention to, I did all of my learning on the job.

It's worth pointing out that, at Mandrakesoft, I was the sole member of our security team for most of that time. We didn't have an incident response process or tools to handle security updates. Much of what we did was modelled after what Red Hat was doing (we started using CVE names shortly after Red Hat did, our errata (MDKSA) was similar to Red Hat's RHSA, etc.). I built the program and everything around it. Unlike Red Hat, where we have Engineering write patches and build software, Release Engineering release the software to customers, and QE quality test, the entire process was handled and driven by one person --- I found out about the issues, backported the patches, tested the packages, and used my own self-written toolchain to publish the advisories.

Fast forward seven years of running and managing the small security team (PSIRT, but we didn't call it such back then) at Mandriva (formerly Mandrakesoft), and I made the leap to join Red Hat in February 2009 as a Senior Software Engineer as part of the Security Response Team (now known as Product Security).

At Red Hat, for the first 5 years I spent my time doing vulnerability analysis before becoming a manager in late 2014, where I remained as a manager (of a few different functions in Product Security) until late 2017 when I assumed the leadership of our entire Product Security team.

It was in 1998 when I was first introduced to and started to use Linux, 22 years ago. Half of my life has been spent working on open source and being part of the open source ecosystem. I've ended up in a position that I didn't even dream was possible 22 years ago and, if I'm honest, wasn't anything I ever aspired to. This wasn't even a proverbial twinkle in my eye.

So why write a blog post about this? Well, like my new friend who will be installing doors in my home in a few months, I've had a very interesting and rather unorthodox career journey. Grit, hard work, getting involved and putting in the extra mile (or ten) got me to where I am today. Yes, unorthodox. Yes, unbelievable.

In today's world where we have a huge cybersecurity skills shortage, I don't think my story is unique. At least, I hope it isn't. And, if it is, it needs to not be unique. There are a number of people who found their way into security by means of "accident", "happenstance", or "divine intervention" (I attribute it to the latter). I get frustrated when I see people on Twitter who are smart and begging for a chance to get into the security field be sidelined by lack of certifications or training. If I could hire you all I would! I believe security is something you can train and teach, if you have sufficient technical proficiency and, most importantly, an insatiable curiosity to understand and break things, or what I call "the spark". I learned security on the job. When I started at Mandrakesoft, it wasn't with security certifications and experience. I learned on the job because someone suckered me into the "one to two updates a month" job of taking on security updates. If I had a team to support me and teach me, maybe things would have moved faster. Who knows? The point is that we, as security practitioners who are looking for people to hire, have to accept the fact that there is more work than there are "qualified" people. And that's ok! Because there are a lot of curious and smart people out there without degrees and CISSPs and other certifications that we can teach and grow into amazing security people.

And if their career journey is unexpected because someone took a chance on them, I say good for the company willing to take that chance. After all, my career journey was entirely unexpected and turned out better than I could have expected. I suspect the same will be said of many in the next 22 years.

(As a side note, in high school, my plan was to become a fantasy author. Then my dad introduced me to the BBS scene and I discovered a new world where I found what I would ultimately devote my life to fighting against -- interestingly, the sole reason I looked at Linux in the first place was to actually run my BBS!)