So I am looking for new things to do. This is a post that provides some background to that.
I joined Virus Bulletin in January 2007. I was hired to do maintain its website and make sure it didn’t fall over when the BBC and Slashdot linked to it, which I did, but then there were more things at the company that needed doing and I realised I kind of liked security so I stayed on. I built a test for email security products (we called them spam filters back then) which is still running. I started doing other things too, such as write blog posts, give conference talks, and build a web security test framework. I also became heavily involved in our conference. Then, in 2014, I became Editor, which in VB’s funny set-up means I kind of run the company and I am pretty involved in just about everything the company does, from making budgets to writing test reports, and from doing pre-sales talks to putting together the conference programme.
But the time has come for me to move on. In part because I think I have done at VB what I can do. In part to close a chapter in my life. And in part ─ and this is actually the most important part ─ because there are so many other exciting and important things to do.
My main requirement for future work is that what I do is meaningful and makes an actual difference. I have a strong interest in work related to civil society, but I know a big difference can be made elsewhere too. I would like my dozen years of working in security, and thus getting a pretty good grasp of how security works beyond the sales pitches and scary headlines, to be turned into something really good.
I am looking for a full-time, or mostly full-time position, at a new location, but I would be happy to work on short term and possibly part-time projects for a while. I do like working towards a clear, tangible goal, so that could actually be exciting.
I think my understanding of security and my experience in it is rather broad, which is one way of saying I am not necessarily good at one particular thing. I can do a lot of things reasonably well and I think I would be most useful in a broad, varied role.
I can do research. Though never a core part of my job, I have analysed spam campaigns and, based on C&C traffic, malware families. I have done many smaller, ad hoc research projects. I have a background as an academic researcher in pure mathematics, which gives me a pretty good understanding on topics such as machine learning and cryptography. I have given a number of technical talks on the latter subject. I am familiar with a wide range of research tools and can program and design technical systems.
I can write. I have written a great many blog posts for Virus Bulletin, as well as guest articles for various sites such as Forbes and Ars Technica. I write a weekly newsletter on threat intelligence. I have written technical reports and edited a many often technical papers written by others. In the past, I have written articles on music, history and mathematics.
In can speak. I have spoken at more than a dozen industry conferences around the world including RSA, Nullcon, AfricaHackon, NorthSec and TROOPERS. I have given talks at private industry events. I have given both technical and non-technical talks, depending on the subject and the audience. I have helped others prepare for talks and sometimes speak to the media.
I can plan. I have been the main organiser for the Virus Bulletin conference since 2014 and have been a member of various industry committees. I currently serve on the board of AMTSO. I was chairman of the students’ association for maths students and a student member of the faculty council at my university. At VB, I have worked in implementing various regulations and managed a remote team.
I also know a lot of people in infosec. This can come useful in future jobs, especially when it comes to using their help in achieving a goal.
I have over the course of my career in infosec come to learn that the challenges we face are far less of a technical nature than we are led to believe. I would like future jobs to be technically inspired rather than purely technical, but I do enjoy the occasional deep technical challenge. Working with an inspiring team is even more important to me though.
Two final things. First, I am a white man working in an industry with an abundance of white men. If you find yourself discussing possible work with me, which undoubtedly will involve me trying to convince you I can do that work, please try and be critical and consider whether it makes a difference to you that I confirm to the stereotype of an infosec professional.
Secondly, it is important for me to work in a diverse and inclusive work environment. Not only do I believe that as individuals we have more to learn from people that aren’t like us, but a big part of information security is about trying to understand other people’s threat models, thus making working with those other people, in an environment that suits them as much as it does me, of vital importance.