Skip to main content

The Beginning

Twenty years ago, I was that IT guy. Printer jammed, email stopped working, computer made "that weird noise"—I showed up. I started as an independent IT consultant in 2005, fixing computers for local businesses.

My toolkit: USB drive full of antivirus tools, patient smile, endless "let me Google that for you" searches. I loved it. Every problem was a puzzle, every fixed computer a small victory, every grateful client taught me something new about technology and people.

How It Works

⚠️ Warning: This diagram illustrates cybersecurity threat landscape for educational purposes. Security professionals should follow ethical guidelines and proper authorization in all activities.

flowchart TB
    subgraph threatactors["Threat Actors"]
        TA1[External Attackers]
        TA2[Insider Threats]
        TA3[Supply Chain]
    end
    subgraph attackvectors["Attack Vectors"]
        AV1[Network]
        AV2[Application]
        AV3[Physical]
    end
    subgraph defenses["Defenses"]
        D1[Prevention]
        D2[Detection]
        D3[Response]
    end

    TA1 & TA2 & TA3 --> AV1 & AV2 & AV3
    AV1 & AV2 & AV3 --> D1
    D1 -->|Bypass| D2
    D2 --> D3

    classDef preventionStyle fill:#4caf50
    classDef detectionStyle fill:#ff9800
    classDef responseStyle fill:#f44336
    class D1 preventionStyle
    class D2 detectionStyle
    class D3 responseStyle

The Accidental Security Engineer

Security wasn't part of the plan. It found me.

During consulting years (2005-2010), I noticed patterns. Same 3-4 clients kept getting infected with malware every 2-3 months. Small businesses were losing data to ransomware before ransomware was cool. I started implementing basic security measures on around 50 endpoints across 12 clients: centralized antivirus, backup strategies, user training.

One client said something that changed my trajectory: "You're not just fixing our computers, you're protecting our business."

That clicked. Security wasn't about technology. It was about enabling people to work safely and confidently. Protection, not restriction.

The Enterprise Leap: From Small Business to Big Systems

In 2014, I transitioned to enterprise IT, handling asset management with a security focus. Suddenly, I wasn't just dealing with a few computers. I was working with 800+ devices across 4 locations, ensuring NIST-compliant processes. The scale was overwhelming at first.

Key lesson: Enterprise IT is a different beast. It's not about knowing everything. It's about:

  • Understanding processes and compliance
  • Building repeatable solutions
  • Documenting everything (seriously, everything)
  • Learning to work within frameworks, not against them

The Federal Years

Years ago, I transitioned into federal cybersecurity work. IT generalist became security specialist. Starting as Service Desk Lead, I gradually took on broader security responsibilities:

  • Managing endpoints in regulated environments
  • Implementing security controls for sensitive operations
  • Leading teams through security incidents
  • Translating between technical staff and compliance auditors

The progression was intense:

Service Desk Lead: Security at scale requires automation.

Security Engineer: Understanding frameworks like NIST SP 800-53.

Lead Security Engineer: Leadership is about enabling others.

Vulnerability Management: Large-scale systems taught me metrics matter.

Biggest revelation: Security isn't about saying "no." It's about finding secure ways to say "yes."

The Plot Twist: HPC and Research Computing

In recent years, I worked with High-Performance Computing environments. Suddenly, I was securing GPU clusters with 100+ NVIDIA A100/H100 GPUs running complex computational workloads. Talk about imposter syndrome!

But here's what I learned: Security principles are universal. Whether you're protecting a small business network or a supercomputer running research calculations, the fundamentals remain:

  • Understand what you're protecting and why
  • Know your threat landscape
  • Build defense in depth
  • Monitor, respond, iterate

Practical Impact Example: When we implemented proper SLURM accounting and GPU isolation, we caught a researcher accidentally consuming $50K/month in compute resources that would have gone unnoticed. Security controls saved both money and prevented potential abuse. My experience with GPU power monitoring in homelab ML environments taught me how easily computational costs can spiral out of control, while demystifying cryptography provided the foundational knowledge needed to implement proper data protection across HPC systems. Learning continuous cybersecurity education strategies helped me keep pace with rapidly evolving threats in these complex environments.

The Present: Cloud Security and Beyond

Today, I work in cloud security, which represents the culmination of everything I've learned:

  • The troubleshooting skills from IT support days
  • The process knowledge from enterprise IT
  • The security frameworks from federal work
  • The scale challenges from vulnerability management
  • The performance considerations from HPC

But most importantly, I still approach every day with that same curiosity from my consulting days.

Mistakes I Made (So You Don't Have To)

1. Thinking Certifications Were Everything

I collected certifications like Pokémon cards. Over 5 years: CompTIA A+ (2006), Network+ (2007), Security+ (2008), Linux+ (2009). Valuable, but real learning happened when applying knowledge. Certifications open doors, experience gets you through them.

2. Avoiding What I Didn't Know

Early on, I'd dodge unfamiliar technologies. Bad move. Biggest growth came from jumping into the deep end: SLURM for HPC management, eBPF for kernel-level monitoring.

3. Forgetting the Human Element

I once implemented a "perfect" security solution requiring 3 authentication steps for file access. Within 2 weeks, 80% of the 200-person team had written credentials on Post-it notes. Security people won't use isn't security. It's theater.

4. Not Building a Network

For years, I thought networking was just TCP/IP (dad joke intended). Building relationships with other professionals has been invaluable for learning, opportunities, sanity checks.

Lessons That Shaped My Career

Start Where You Are

You don't need to know everything about security to start. My IT support background gave me:

  • Troubleshooting skills that translate directly to incident response
  • Customer service experience crucial for stakeholder management
  • Broad technical knowledge for understanding attack surfaces

Embrace the Imposter Syndrome

That feeling of "I don't belong here"? Your brain recognizing you're growing. I felt it moving from:

  • Small business to enterprise
  • IT support to security
  • Private sector to federal
  • Traditional IT to cloud and HPC

Each time, it meant I was learning.

Find Your Why

For me, it's protection and enablement. Whether protecting a small business from ransomware or securing research that might cure diseases, knowing your "why" sustains you through challenging times.

Never Stop Learning

Technology evolves faster than any of us can keep up. Not a bug—it's a feature. My current learning list:

  • AI/ML security (LLMs aren't going away)
  • Quantum-resistant cryptography (the future is coming)
  • Privacy-preserving technologies (security without privacy is incomplete)

Advice for Aspiring Security Professionals

1. Start Building Now

  • Set up a homelab (it doesn't need to be fancy)
  • Contribute to open-source security projects
  • Write about what you learn (blogging clarifies thinking)
  • Break things responsibly (emphasis on responsibly)

2. Develop Soft Skills

Technical skills get you hired, but soft skills get you promoted:

  • Communication: Can you explain security to non-technical stakeholders?
  • Empathy: Can you understand why users do insecure things?
  • Leadership: Can you influence without authority?
  • Patience: Can you handle the 500th "I got a suspicious email" ticket?

3. Choose Your Path (But Stay Flexible)

Security is vast. You might gravitate toward:

I thought I'd be in offensive security but found my passion in security engineering and architecture. Stay open to where your interests lead. Building a secure homelab gave me a safe environment to explore different specializations before committing to a career path, while vulnerability prioritization with EPSS and KEV taught me systematic risk assessment that applies across all security domains.

4. Remember It's a Marathon

Burnout is real in security. We deal with:

  • Constant threats and alerts
  • High-stakes decisions
  • Rapid technology changes
  • Often being seen as the "Department of No"

Build sustainable practices:

  • Have hobbies unrelated to tech
  • Set boundaries (the incidents will still be there tomorrow)
  • Celebrate wins, even small ones
  • Remember why you started

The Journey Continues

Fifteen years in, I still feel like I'm just getting started. The kid excited about fixing computers is now excited about Zero-Trust architectures and AI security. The tools changed, scale changed, but the core remains: solving problems, protecting people, enabling progress.

To those starting their journey: the path isn't straight, the learning never stops, and yes, you belong here. Whether you're in help desk, development, networking, or any other IT role, security needs your perspective.

Every expert was once a beginner who refused to give up.

One Final Thought

Last week, my son asked me what I do at work. I told him, "I help keep the internet safe for people like you." He said, "That sounds boring."

Then I showed him my homelab, explained how I catch bad guys trying to break into computers, and let him help me write a Python script to monitor our network.

His response? "Okay, that's actually pretty cool. Can you teach me more?"

That's the real measure of success – inspiring the next generation to take up the shield.

What's your security journey been like? I'd love to hear your story – the wins, the failures, and the lessons learned along the way.

Related Posts