2024-07-26 10:27:00
This morning on my way to work I listened to the latest episode of the Open Source Security podcast. Their topic was very relevant to a past intern Jana's master's research and to my current intern Cynthia's software project.
Specifically, episode 438: "CISA's bad OSS advice, vs the White House's good advice".
They made some very good points speaking against our team's ideas of doing risk analysis on open source dependencies. I really like it when smart people provide counterpoints to my own thoughts.
My teams and interns followed a classical approach, where we discern a number of key factors and metrics to determine whether a software dependency is "trustworthy".
I still like that we did these projects, because they can provide insight into our risk exposure. But I agree with the podcast's presenters that such a tool doesn't provide a solution to the problem.
They pointed to CISA's recent document about this very same problem, which they dubbed unhelpful. And they referred to Mitre's Hipcheck, which is another software solution for risk assessment on open source dependencies.
It all sounds like great material to read into! It might even make for some interesting conclusions and counterpoints for our current intern's final report.
kilala.nl tags: work
2024-07-22 11:15:00
Here's a bigger version of the mindmap shown above.
After last week's introspection about my career, I've been doing a lot more thinking. I've put a lot of thought into which technical and non-technical skills I need to develop, to stay current in today's market. I'll talk about that another day.
I also realized that I left out one important thing in my mindmap: my personal pitfalls.
- I've mentioned that I feel I have way too little time to do everything I want. Well, one big time sink is Discord. I do a lot of mentoring on the Discord servers of Certification Station, /r/comptia, Prof. Messer, APISecU and others.
If I'm very honest about it, yes, this is somewhat to the benefit of others, but even without me they would still find mentoring from others. More importantly, it's great for my ego (dozens or hundreds of people uttering gratitude to me) which means, as my dear friend Menno puts it, "it's like crack cocaine to me".
I rely on Discord for the WICCA Summer School and for WICCON communications. But aside from that I really need to find a way to keep myself off there. It takes hours every week, which I can spend elsewhere.
- Imposter syndrome is a paralyzing thing I deal with, which stems from the clash between me wanting to know a lot about all the work I do and me realizing every single time that I really know very little. The more you know about something, the more you know how little you know. ;)
It's not a bad thing to know my limitations. But it is a bad thing if I let that realization get me so down that I get blocked mentally (sometimes even depressed). I need to find a healthier way of dealing with imposter syndrome.
- Last week I'd already concluded that I shouldn't hire any junior employees into Unixerius any time soon. The fun thing is that in talks with Marli, my colleagues and my mother-in-law (who's a job coach) I've learned that I was actually doing things the Right Way (tm) after all! I was not dealing with my juniors badly, I was letting them make their own mistakes. So... I can feel less bad about that. :)
2024-07-18 21:52:00
The past few days I’ve felt a bit stuck in my work, feeling the need for some change although I’m not quite sure what yet. My weekly routine has been quite that: routine.
Every week, I spend four days with my primary consulting customer and the fifth day I teach classes at ITVitae. For over a year I’ve been thinking how I could change that up, especially now that I’m self-employed and “a businessperson”. I don’t just get to run my own career, I have to!
I’ve been juggling all kinds of options.
- Can I maybe split my four days among more than one customer?
- Could I maybe split weeks between teaching for another company and doing smaller contracting gigs?
- Could I do three days of contracting, having one day for “management” work? Does that mean I could try and get an employee?
- Am I really happy with the direction my consulting gigs have had, these past years?
After a rather big family event (one of our two cats passed away) I turned all the more sour and introspective. I think I want something to change, but I'm not sure what.
So, I got to mind mapping and brainstorming. Thinking about things that give me energy and things that really eat energy from me. I put those into clouds of “things I like which help others”, “things I like which feed my ego”, “things I enjoy”, “things I dislike” and “things I’m not good at”.
Which resulted in the overview you see above (here’s a larger image). EDIT: Just to give more insight into my process, here's what the whiteboarding session ended up looking like.
I then looked at where those things either feed upon another, or where they clash.
For example:
- Ever since I took over as CEO of Unixerius, I’ve been thinking about helping juniors by employing them, getting them into IT. But after guiding five interns across four organizations I have learned two things: I’m not good at “bossing” someone if they underperform and between all my other work I don’t have/make/take enough time to manage them.
So, if I really want to do this, then I really need to drop hands-on work. Which clashes with the fact that I really, really enjoy doing my own hands-on work.
Conclusion: it is not a good idea for me to hire a junior employee of my own. If I can help another senior who is self-reliant like I was when Dick was CEO, I’ll do it! But I can’t in good conscience hire a newcomer.
- Some of the best fun I had while contracting was four customers ago, when I worked for a government subcontractor. At the time I spec'd, designed, built and documented three key infrastructures for a greenfield IT environment. I built an HSM-backed PKI, a Graylog central logging system and a PAM solution as core infra for hundreds of servers.
That was a huge challenge and it let me run three whole projects by myself. I was hands-on with everything, and I loved it!
Yes, I also had to deal with some of the formal architecture stuff which I loathed, but it was worth it. But I do know for a fact that I do not want to make architecture my main activity. Never ever.
Conclusion: I want to do more hands-on work again, building something real instead of telling people how to do it.
- There’s a big clash between my dislike of not understanding something I work with and me wanting to really learn in-depth about the tech I work with. This frequently leads to imposter syndrome because I keep learning how little I really know.
That’s not something easily fixed. That’s not something you take away. It’s something I need to learn how to cope with through introspection, mindfulness, and acceptance.
Conclusion: I should find exercises to accept my limitations, while also investing time and money into learning what I want and need.
- The last three of my assignments were all about DevSecOps. I very much enjoy the tech aspect of it, helping people by building pipelines and tools that make developers’ lives easier. I love teaching people how to improve their work, giving them new skills. And I don’t even mind working with architects to help clarify security and compliance requirements.
But I have a hard time dealing with management BS and politics. And it grates on me when people willingly refuse to learn new things. Fighting against the momentum and drudgery of a slow turning ship wears me down. I really do want to help people, but from time to time I need a change of pace.
Heck, last year my WICCON presentation covered all this stuff!
Conclusion: Next time, maybe less with the AppSec coaching stuff, no?
- I really want to spend MORE time learning, spending time and money on my own education. To be open: I’m afraid of falling behind! I am afraid of losing relevance in the consulting market.
But I don’t have time enough! I already spend many of my evenings on learning, or on preparing classes for my students, so there’s no more room over there.
I could switch back to three days of consulting, one day of teaching and then have one day for learning. I could do that for a few months and then go back to four days consulting. That would work!
Of course, the alternative to staying relevant as consultant would be to hire a few people and manage them while they bring in money. But we already covered that: I don’t know how to pivot into that successfully and I don’t know if I want to.
So… Decisions!
- I have already started pitching lines to new potential consulting customers, so I can do a 2/2 split in my days and work on two different assignments.
- I have informed my current primary customer that I will be decreasing my hours a bit. This will either give me the room I need for that second customer, or it gives me temporary respite for some additional learning!
- I have discussed my desire for more hands-on work with my coworkers at my current consulting customer. I had already set wheels in motion for a project to implement a new infra and app stack, so we decided that I would do the whole shebang.
That means moving part of my DevSecOps coaching and managerial work to the new internal hire, which is a good thing.
- I have become a lot more "selfish" insofar as I'm outright decreasing my availability to my primary customer, to make room for teaching and learning.
I’m teaching my week-long DevSecOps intro class twice this fall and I’m doing SANS Amsterdam this October.
This introspection has been useful!
I’m not done yet though. I need to rethink my planned learning path, to make sure I’m still investing time in the right things.
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.