This week I read an article, The Cult of Passion, from Chris Sanders. I didn’t like it much at all at first. But then I liked it, and now I really kinda don’t like it again. I think it’s just the tone of the piece; it’s very Tumblr-esque. It’s very “use the term properly, damnit!” even though we all do (mostly) end up using it in the same way, though definitely blurring denotation and connotation together. Do we really have to convince everyone that the phrase, “I have a passion for security,” is unhealthy, or do we all really know what we mean?

(I originally wrote more about what I disliked, but I wanted to cut that down and yet still keep my points. Basically, I don’t like the assertion that passion can’t be measured so we can’t evaluate it. I think, between the lines, Chris is trying to say that the person who does “infosec” 20 hours a day is not necessarily better than the person with a better work-life balance, or something like that. I just don’t like the way he frames it. I also didn’t like the miss that we are actually paying to do infosec all day, in terms of hours of our life and time. Now, granted, we are paid money in return, but make no mistake we are still paying to some degree. I also don’t like the blind assertion that other professions clock out after 8-10 hours. Anyway, moving to the positive…)

Regardless the tone and whether I like the full article or not, there are some absolutely excellent points, all centered around what we love doing. It’s a good idea to say, “If you didn’t get paid, would you still come in to work?” “If you had to pay to do infosec, would you?” Personally, I like to ask, “If I was income neutral, what would I enjoy doing as a job?” And this also goes into deciding what passions I might have outside of work, for instance, “What do I do when not at work to be happy? What hobbies do I spend the money I made on?” (Note: I emphasize the one question in this paragraph, as it’s a key question I ponder through my life, and one that could be it’s own chapter in a book. I look at my resultant answers, and balance that against whether those other ideas are just post-lottery-winning ideas or things I can actually make a living doing.)

The above faults aside, the other questions are excellent. Infosec is often a resultant pursuit due to passions in more fundamental things. And if nothing else, this article has allowed me to get a little bit beyond, “Well, I have a passion for infosec,” and actually look into why that is. Infosec is a result of other, more fundamental passions.

PASSIONS
I love solving problems, puzzles, riddles, and mysteries (thanks Encyclopedia Brown and childhood puzzle books!).

I love organizing things, lists, planning, and seeing a well-oiled machine work, both today and more long-term. (thanks science background/interest!).

I love creating solutions to problems. This includes using creativity and imagination (thanks gaming and reading as an only-child!).

And (probably the most common one we collectively get correct) I love learning new things (curiosity and the information gap) and creative (and objective!) ways to use technology and do all of the above (thanks brain!).

For me, I have fairly equal parts objective knowledge application/observation as well as subjective creativity and imagination. I do require these both to be addressed month-to-month. This means I can’t just create new things or harbor ephemeral ideas all month, but I also can’t just read balance sheet numbers for a month. (Interesting to note that coding is a strange middle ground in today’s IT environment) I need a bit of both, and honestly, most of IT supplies that in spades as long as my role isn’t in such a large company that I am only nose-deep in one thing week after week. For many people, it might be that they require doing different things here and there lest they become bored; but for me, there’s reason behind the desire for a little variety.

I probably have a little bit of a love for catching bad guys doing bad things; even if that means catching innocent people making mostly innocent mistakes that fall outside the lines (is it schadenfreude [BOFH!] or hall monitor syndrome?). I want to make sure things are still operating as they need to be operating. (I like to look at it like I’m teaching how to properly do something.)

I honestly also feel like I have a passion for teaching and sharing knowledge with others in a way that doesn’t come across as egotistical. I can also communicate well enough to tailor my delivery to the technical levels of my audience, and I take some pride in that. I’ve worked with non-technical clients, non-to-mostly-technical coworkers, and technical colleagues.

Pulling from my hobbies, I love a little bit of friendly competition (multiplayer gaming). I love using my imagination (reading, even solo gaming), I love creating something (I don’t stoke this enough, but maybe cosplay soon), I love possessing comfort items but I also love keeping things simple. I love using my senses (food, music, movies, clouds, wind, weather, candles, a bit of drink, exercise). And I love more learning and engagement with friends over all of the above or some new experiences.

WEAKNESSES
So, I love lots of things that show my passion. Do I have gaps or weaknesses that are borne out of personality or shaped by my experiences in life over the past decades? Yes. Chris mentions that imposter syndrome, and I know I do suffer from that; I have this inherent dislike/distrust of other people, but I also seem to have this inherent unfounded respect of other people I don’t know, or rather I attribute competence to other people without any proof (we can talk about philosophy and metaphysics another time over whisky). That usually only lasts until I find my voice amongst new people or roles. How do I fix this? Just keep myself surrounded by other infosec people so I realize that I’m at least as good as most everyone else. By forcing myself to speak up. By also forcing myself to fail and be better for it!

I’m terrible meeting new people. I’m a typical introvert where I am terrible about initial small talk. It’s not an inherent thing to be interested in other people who aren’t already close friends. I make friends slowly, and often find myself assuming someone would rather not talk than shoot the shit for a bit (since, usually, I feel that way!). I’m super easy to get along with, I don’t actually have terrible social anxiety, but I tend to be the quiet one in the corner. And while I always come out of that shell, it just often seems to take some time and effort to do that. How do I fix this? Just smile and try to ask questions I actually want answered by a stranger. Actually try to be interested in others in general; they all know something I don’t!

I’ve worked in IT for the past 15 years, and for all of those years, training and organized learning on the job (outside of troubleshooting something and learning from it) were luxuries that I never had time or backing to pursue. That was all own time pursuits and things that were outside the budget. As a result, I feel like I need to have my working days filled with actual work. I’m not sure this is a me thing or rather shaped by my managers of the past 10 years that required such time-spend reports every week.

Due to some of my managers and company cultures and combined with the occasional imposter syndrome issue, this does end up causing me to be a little risk averse, more so when my manager is hyper risk averse. This means failure is a bad thing, which can mean I end up not trying something and coming out neutral rather than trying and failing. Now, keep in mind most of my background is in Sysadmin/Ops; I feel security itself is far more forgiving of trying new things, as long as they don’t land the company on the news headlines due to a breach. But my science and tech background means lots of fails are useful data and contribute to learning! So I love failing, but it does strike a strange situation where my environment screams Don’t Fail and yet I sort of want to do something and try it out with X% risk of failing. It’s something I have to deal with consciously with both me, but also probably more so my environment. We’re humans in a human world; it’s ok. And as long as people aren’t dying, life will go on. I’ve worked in a company that said, “Innovate and try new things!” while at the very same time whispering, “Failure is not acceptable.” It’s a cultural red flag that I keep in mind during job searches.

DIRECTION
All of this leads me to another related topic: what do I want to do? I’ve looked at framing this quest(ion) not long ago in a post from last winter: security job areas.

So, what do I want to do all day that I’ll love doing, and just happen to get paid to do? (Yes, there’s tons of other things to think about, such as the team, manager, company, and other things that influence happiness, but let’s assume the best here.) What sucks is I find myself just listing all the infosec roles (except maybe management and SOC analyst)! But I’ll try to rank things a little bit here.

red teaming – sounds so fun and varied, plus gives good, actionable value in return to clients
pen testing – solving problems and analyzing an environment are fun.
vulnerability assessment/management – much the same as above, just a little more structured and formulaic
security advising, consulting – quite varied, from high level concepts to low level step by step advice.
risk, compliance reviews, auditor, policies to find gaps and advise on proper steps/evidence
incident response/malware analysis
web application pen testing and reviews

Does this mean I’d hate doing the other things? Absolutely not. Honestly, other than being a third shift SOC analyst in a large company or just a initial provisioning tech in an MSSP, I’d likely be happy with most any infosec role.

RESULTS
So, this turned out to be a lotta introspection, and I even hesitated to even post it. But what does this mean for me tomorrow, next month, this year, and in 5 years? It gives me a way to evaluate what I want to do, for work, in each of those time periods. It also gives me an idea of an end goal (let’s just say a blend of red team/pen testing/vuln assessments/audits/consulting) which in turn gives me a chance to look at my gaps in getting there. Do I lack some certifications or training on the CV? Do I lack certain knowledge and skill I can pick up on my own time? What tasks do I want to grab at work tomorrow? And what opportunities should I keep my eye open for and jump at the moment they appear? It’s good stuff, and I think I maybe already knew some of this, particularly with my OSCP learning earlier this year, and continued CTF/Hack lab efforts.