Aug 27 2011
I have had way too much experience changing jobs and adjusting to new workplaces. Over the last decade I’ve worked at six different companies, only one of which have I lasted at for more than two years. In and of itself, this isn’t necessarily a bad thing, since job changes are common in the security arena and every one of these job changes has been a step up or an escape from a situation that was not beneficial to my mental health. My latest change from being a Qualified Security Assessor at Verizon Business to becoming the newest Security Evangelist at Akamai was an escape as well. I wasn’t escaping from Verizon, a company and group of people I can honestly say I enjoyed working with, but rather a (partial) escape from working in a compliance framework I was completely burnt out on. Four years as a QSA is more than anyone should subject themselves to, but that’s a post for some time when I’ve recovered more thoroughly from the experience. And the act of changing jobs frequently isn’t even what this post is about; it’s about one of the bad habits I’ve developed when changing jobs. It’s about going silent on the blog and pulling back into myself while I figure out where I’ve landed.
I have a voice in the community. I’d be guilty of false humility if I didn’t admit it was a fairly big voice. I’ve been doing this for a long time, which in and of itself creates an awareness in the community and frankly, I sometimes have some points worth committing to digital paper. But when I started blogging, no one knew who I was and no one I worked for had any awareness of what a blog was or what sort of impact it could have on a career or on a company that employed a blogger. Quite frankly, eight years ago I was just another faceless guy managing an IDS and web filter. I had some ideas I wanted to throw against the wall in order to see what stuck and to have people pick apart so that I could learn and strengthen my understanding of security. I didn’t realize at the time that blogging would be instrumental in forming my career and putting me in touch with security professionals around the world. I also didn’t realize that employers might read my blog and make decisions on whether or not to hire me based partially on my writing. I also didn’t realize that blogging could affect my employer and get me fired.
I’ve learned a number of lessons about blogging the hard way. I’ve learned that no matter what I think I’m writing, what’s important is how other people are reading it. There have been a number of posts over the years that I thought were just throwaway ideas that somehow struck a chord with a huge number of security professionals. More often, there have been posts that I thought should provoke a major outcry by readers that went out with barely any notice at all. I still don’t completely understand the difference between the two. But in both cases, I’ve realized that people are reading and judging what I write, for good and for ill. And when I write something people read, it can get back to my employer. I know of at least one job I left, at least in part, because of something I wrote on the blog. I also know of at least two roles I’ve been offered directly because of my blogging, podcasting and social media experience and voice, including my current role. Overall, I have enjoyed a huge positive impact on my life due to the blog and I will not give up on it.
But one of the bad habits I’ve picked up because of my negative experiences has been going silent when I start a new position. There are a few reasons for that, and understanding an employer’s tolerance for blogging is only one of them. It’s stressful to start a new job, no matter who you are and how much you love the job you’re moving to. My new role at Akamai is no exception to this rule, in fact it’s one of the more stressful changes I’ve ever had. I love the job, I love my role, but there is SOOOOO much to learn and I’m expected to be an expert NOW, rather than in six months. I can do it, I love the challenge, but cramming so much new information into my tiny little brain leaves very little extra horsepower to synthesize the information into something worth blogging about. And I’m not the sort of person who wants to merely regurgitate information, I want to be able to use what I’ve learned and reframe it into something that’s valuable to the security community as a whole. Which is really hard when you’ve got a fire hose of information aimed at your head and you’re just trying to find the room to breathe.
Another reason it’s hard to blog when starting a new job is just the sheer enormity of change. Finding the time to blog, the time to podcast, the time to exercise and sometimes even finding the time to spend with the family is hard at first. What are my priorities? What tasks have to be done before I can quit work for the day and what tasks can wait until tomorrow or be blown off altogether? When can I fit in an hour or so to collect my thoughts and put them on the screen? 30 minutes? 15? Please, can I just have 5 minutes to post a link or two? The first few weeks or months are incredibly chaotic and somehow blogging is always one of the first things to suffer for it. But better blogging than my family.
I’d be lying to myself if I didn’t say that gauging my employer’s willingness to accept blogging was one of the main roadblocks when I start a new role. I’ve been burnt before and it’s left an impression on my psyche. I’ve learned to be up front about my blogging and podcasting and my resolution to maintain them and my voice, but it’s still been a crap shoot in some cases to find out whether my employer’s tolerance in real life is anything similar to what they said during the interview process. More often than not, my employers have maintained an air of benevolent ignorance towards my blog, but every so often I’ve gotten the “we’ve read your blog and are not happy” conversation. Not often, but it has happened and it’s never a comfortable talk. I’ve actually told at least one manager that my blog and podcast are more important to me than my job. Neither of us really walked away from that conversation happy.
I’m very excited to say my position at Akamai as the newest Security Evangelist is very different. I was explicitly hired, at least in part, to blog, to podcast and to continue being a very vocal part of the security community. Everything I’ve encountered so far tells me this is where I need to be now and hopefully far into the future. Many of my coworkers were friends long before I worked for the company and will be for a long, long time. But, like everyone, I’ve been scarred by some of my previous experiences and it takes a conscious effort to overcome the habit of initial silence. Obviously, this post is part of combating that, but carving out an hour or two a week to post as part of my job rather than despite my job will also be an important part of the effort as well. I’m supposedly a ‘thought leader’ and in order to be that, I have to actually have the time to collect my thoughts in order to put them out there for other people to read and critique.
One last reason I haven’t been writing nearly as much as I used to over the last year is saturation in the PCI field. Not the field itself, it was my mind that had reached the saturation point with no room for new ideas to enter. Over the last few years my arguments with folks like Josh Corman, Mike Dahn and a myriad of other really bright people had reached the point where we weren’t talking about anything new, we were just going over the same old ground from different directions. Or just having the same argument again and again without anyone learning something new. And that’s not what I want for the blog or for my own education. While it’s not the same as not writing because of a new job, it has definitely been related.
So here’s to setting aside some time and energy to blog. I like writing. I like getting feedback. I like putting my ideas out there for others to tear down or build upon. There are a lot of people smarter and/or more experienced than I am and interacting through the blog makes me a better security professional. And if you haven’t figured it out by now, I’m passionate about being a security professional and becoming better at it every day. Blogging has long been one of my best tools for meeting that goal.