From IT Support to Senior InfoSec Engineer: My 15+ Year Journey
The winding path from fixing printers to securing federal systems – lessons learned, mistakes made, and advice for aspiring security professionals
Reading time: 10 minutes
The Beginning: When "Have You Tried Turning It Off and On Again?" Was My Mantra
Twenty years ago, I was that IT guy. You know, the one who showed up when the printer jammed, when email stopped working, or when someone's computer made "that weird noise." I started as an independent IT consultant in 2005, which is a fancy way of saying I fixed computers for local businesses and anyone who would pay me.
My toolkit? A USB drive full of antivirus tools, a patient smile, and an endless supply of "let me Google that for you" searches. But here's the thing – I loved it. Every problem was a puzzle, every fixed computer was a small victory, and every grateful client taught me something new about technology and people.
The Accidental Security Engineer
Security wasn't part of the plan. It found me.
During my consulting years, I noticed patterns. The same clients kept getting infected with malware. Small businesses were losing data to ransomware before ransomware was cool (spoiler: it's never cool). I started implementing basic security measures – centralized antivirus, backup strategies, user training.
One client said something that changed my trajectory: "You're not just fixing our computers; you're protecting our business."
That's when it clicked. Security wasn't just about technology – it was about enabling people to work safely and confidently. It was about protection, not restriction.
The Enterprise Leap: From Small Business to Big Systems
In 2014, I joined e-End, handling IT asset management with a security focus. Suddenly, I wasn't just dealing with a few computers – I was processing hundreds of devices weekly, ensuring NIST-compliant data destruction. The scale was overwhelming at first.
Key lesson: Enterprise IT is a different beast. It's not about knowing everything; it's about:
- Understanding processes and compliance
- Building repeatable solutions
- Documenting everything (seriously, everything)
- Learning to work within frameworks, not against them
The NIH Years: Where Security Became Serious
My time at NIH (2016-2023) transformed me from an IT generalist into a security specialist. Starting as a Lead Service Desk Engineer, I was suddenly responsible for:
- 350+ endpoints in a federal medical research environment
- Implementing security controls that could impact life-saving research
- Leading teams through security incidents
- Translating between researchers who needed flexibility and auditors who needed compliance
The progression was intense:
- Service Desk Lead → Learning that security at scale requires automation
- Security Engineer → Understanding frameworks like NIST SP 800-53
- Lead Security Engineer & ISSO → Realizing leadership is about enabling others
- Vulnerability Management Lead → Securing 100k+ systems and learning that metrics matter
Biggest revelation: Security isn't about saying "no" – it's about finding secure ways to say "yes."
The Plot Twist: HPC and Molecular Dynamics
In 2023, I took a detour into High-Performance Computing at NIH's LoBoS cluster. Suddenly, I was securing GPU clusters running molecular dynamics simulations. Talk about imposter syndrome!
But here's what I learned: Security principles are universal. Whether you're protecting a small business network or a supercomputer running cancer research, the fundamentals remain:
- Understand what you're protecting and why
- Know your threat landscape
- Build defense in depth
- Monitor, respond, iterate
The Present: Securing the Cloud (The Government One)
Today, I'm at Technology Transformation Services, working on cloud.gov. It's the culmination of everything I've learned:
- The troubleshooting skills from IT support days
- The process knowledge from enterprise IT
- The security frameworks from federal work
- The scale challenges from vulnerability management
- The performance considerations from HPC
But most importantly, I still approach every day with that same curiosity from my consulting days.
Mistakes I Made (So You Don't Have To)
1. Thinking Certifications Were Everything
I collected certifications like Pokémon cards. While CompTIA A+, Network+, and Security+ were valuable, the real learning happened when applying that knowledge. Certifications open doors; experience gets you through them.
2. Avoiding What I Didn't Know
Early on, I'd dodge tasks involving unfamiliar technologies. Bad move. The biggest growth came from jumping into the deep end – like when I had to learn SLURM for HPC management or eBPF for kernel-level monitoring.
3. Forgetting the Human Element
I once implemented a "perfect" security solution that users bypassed because it was too cumbersome. Security that people won't use isn't security – it's theater.
4. Not Building a Network
For years, I thought networking was just TCP/IP (dad joke intended). Building relationships with other professionals has been invaluable for learning, opportunities, and sanity checks.
Lessons That Shaped My Career
Start Where You Are
You don't need to know everything about security to start in security. My IT support background gave me:
- Troubleshooting skills that translate directly to incident response
- Customer service experience crucial for stakeholder management
- Broad technical knowledge that helps in understanding attack surfaces
Embrace the Imposter Syndrome
That feeling of "I don't belong here"? It's your brain recognizing you're growing. I felt it moving from:
- Small business to enterprise
- IT support to security
- Private sector to federal
- Traditional IT to cloud and HPC
Each time, it meant I was learning.
Find Your Why
For me, it's about protection and enablement. Whether protecting a small business from ransomware or securing research that might cure diseases, knowing your "why" sustains you through the challenging times.
Never Stop Learning
Technology evolves faster than any of us can keep up. That's not a bug; it's a feature. My current learning list includes:
- AI/ML security (because LLMs aren't going away)
- Quantum-resistant cryptography (because the future is coming)
- Privacy-preserving technologies (because security without privacy is incomplete)
Advice for Aspiring Security Professionals
1. Start Building Now
- Set up a homelab (it doesn't need to be fancy)
- Contribute to open-source security projects
- Write about what you learn (blogging clarifies thinking)
- Break things responsibly (emphasis on responsibly)
2. Develop Soft Skills
Technical skills get you hired; soft skills get you promoted:
- Communication: Can you explain security to non-technical stakeholders?
- Empathy: Can you understand why users do insecure things?
- Leadership: Can you influence without authority?
- Patience: Can you handle the 500th "I got a suspicious email" ticket?
3. Choose Your Path (But Stay Flexible)
Security is vast. You might gravitate toward:
- Offensive security (pentesting, red teaming)
- Defensive security (SOC, incident response)
- Governance and compliance (frameworks, auditing)
- Security engineering (building secure systems)
- Security research (finding new vulnerabilities)
I thought I'd be in offensive security but found my passion in security engineering and architecture. Stay open to where your interests lead.
4. Remember It's a Marathon
Burnout is real in security. We deal with:
- Constant threats and alerts
- High-stakes decisions
- Rapid technology changes
- Often being seen as the "Department of No"
Build sustainable practices:
- Have hobbies unrelated to tech
- Set boundaries (the incidents will still be there tomorrow)
- Celebrate wins, even small ones
- Remember why you started
The Journey Continues
Fifteen years in, and I still feel like I'm just getting started. The kid who was excited about fixing computers is now excited about Zero-Trust architectures and AI security. The tools changed, the scale changed, but the core remains the same: solving problems, protecting people, and enabling progress.
To those starting their journey: the path isn't straight, the learning never stops, and yes, you belong here. Whether you're in help desk, development, networking, or any other IT role, security needs your perspective.
And remember – every expert was once a beginner who refused to give up.
One Final Thought
Last week, my son asked me what I do at work. I told him, "I help keep the internet safe for people like you." She said, "That sounds boring."
Then I showed her my homelab, explained how I catch bad guys trying to break into computers, and let her help me write a Python script to monitor our network.
His response? "Okay, that's actually pretty cool. Can you teach me more?"
That's the real measure of success – inspiring the next generation to take up the shield.
What's your security journey been like? I'd love to hear your story – the wins, the failures, and the lessons learned along the way.
Related Posts
Building IR Playbooks with Ansible
Transform incident response from chaos to choreography using Ansible. Learn to build automated playb...
Vulnerability Management at Scale with Open Source Tools
Build an enterprise-grade vulnerability management program using only open source tools. From scanni...
Implementing DNS-over-HTTPS (DoH) for Home Networks
Complete guide to deploying DNS-over-HTTPS on your home network for enhanced privacy and security, w...