Let me share a personal story, about how my formal career in security started.
“You’ve done security before, right?” I was sitting in my quite typical Silicon Valley office. An actual office, mind you—while open-space was becoming all the rage, it still had not infected every company to the degree that it has today, and line management types like me tended to have an enclosed space to call home. Mine was an 8 by 12 room that somehow managed to fit three desks for the three managers who shared it. There was the network architect/manager, the systems architect/manager, and me, the network operations manager, the one who was responsible for making sure that the other guys’ stuff was actually doing what it was supposed to do, day in and day out. Later on I managed to score my own office, nicknamed “the closet” because it was a tiny room, and we could not resist the temptation to name it after its original purpose which was, indeed, to serve as a janitorial closet. When I first floated the idea, I simply asked if I could move into the “hallway closet.” The nickname, if you want to call it that, stuck. But it was just big enough to fit a working environment into, and had one big advantage in not being shared. Naive as I was at the time, I actually thought that information security called for some privacy, and I thought it passionately enough that I managed to convince the CIO of it as well. It was Friday evening and I was wrapping up a couple of emails before heading home. The office was mostly empty. The network operations center team were, of course, in their “pit,” which was another shared office, but other than that, there were maybe one or two others in the building. One of them turned out to be the CIO, and she was the one standing at my door, asking me if I knew something about security. “Well, yeah… you know that,” I answered. “ Not formally, of course, but… “I need your help,” she cut me off, rather abruptly. She generally had an abrupt manner, but I immediately sensed that this was different. What I didn’t know at that moment was that, in handling the breach that brought down almost half of the company’s online services platform that weekend, I would effectively be relaunching my career. Like many old-timer security folks, my technical background was in coding and networking—an exploding growth discipline in the late 80s and throughout the 90s, and one that was a natural extension of my youth spent tinkering with technology in unintended ways. I grew up when “hacker” was considered mostly as an alternate term for “nerd who understands computers and command lines,” and when being one was considered cool and popularized by movies like War Games (still one of my all-time favorites). I programmed (in machine language, no less) and war-dialed, sure, but a good friend and I had also rigged together a dual expansion card for the Apple II platform that allowed us to tap into and parse communications from early information networks that connected major banks and other institutions, just to see what was going on. Those were the days when “hackers”—using the word in its very naive mid-80s sense—like me actually added our real home phone number to the little “cracked by” screen that we would add to a computer game we made available for copying, just so other folks like us could call and introduce themselves. My “cracker handle” was a literal translation in Hebrew of the phrase “pain in the ass.” There were no laws against doing that at the time, and curiosity did not kill the proverbial kitties. If anything, it just made us more curious. When the Internet took center stage, I was more than ready. It was no shock that I ended up working for an ISP straight out of university in late 1994, although it was entirely by mistake. I arrived for an interview at a company that was building computer parts, and simply entered the wrong door.The person I ran into, who later became my boss and first important career mentor, asked me if I knew anything about networking. My answer had him sit me down in a room for a 2-hour interview, which resulted in a job offer on the spot. Amusingly enough, I never even realized it was the wrong company until after the interview was over! That was the start of my formal networking career We managed to resolve the incident that weekend. The security officer—the fact that the company actually had one was a testament to advanced thinking—could not be reached at all, but we put together a team, ran the forensic analysis, cleaned everything up, and recovered The platform by the wee hours of Monday morning, with no interruption to customers. I finally went home around 4 a.m. that day. By the following Friday, I was promoted to run Information Security, a new department that I was supposed to build from scratch.By the following Friday, I was promoted to run Information Security, a new department that I was supposed to build from scratch.