Two years ago, I set out to get into cybersecurity. I had no idea where this journey would take me, and I had no aspirations at the time of turning this into a career. I’ve found that very rarely do people who have been doing something as long as me decide to completely change their profession and eschew the comforts of years of experience. Fortis Fortuna Adiuvat! I knew last year that security was where I wanted to be, and I was coming to the realization that I may need to leave Microsoft in order to do it. It wasn’t a decision that I would take lightly having been with the company for 8 years. Then I got a surprise.
The Power of Networks
I wrote previously about the importance of building relationships. It’s pretty well-established that having a great network of people is one of the best ways of finding new opportunities. I can’t stress enough how having someone advocate for you is a sure-fire way of at least getting a foot in the door and setting yourself apart in a sea of applicants and resumes. One of the things I did early on was to try identifying security teams, leaders and opportunities within Microsoft, so I could best know how to position myself to help. Microsoft is an enormous company with lots of security teams that span everything from red teaming and threat analysis to malware detection and incident response. To this day I don’t know the full breadth of everything security-related at the company. But if it’s security-related, I’m positive Microsoft touches it.
Being so active on social media, I tend to run into new people constantly through the “six degrees of separation” effect that social networks like Twitter present. Following and being followed by many Microsoft employees has the net effect of bubbling up new people to connect with. One of those people is Ann Johnson, CVP of Microsoft’s Cybersecurity Solutions Group. It’s very rare to see a senior leader so engaged on Twitter, let alone be as approachable as Ann is, so I took the shot of connecting with her, and it was one of the best decisions I could’ve made. She’s an industry veteran who has the key skill of adapting to the constantly and rapidly evolving security landscape while maintaining genuineness and approachability across the whole org chart. I decided I needed to meet with her and share my vision for security advocacy.
One Does Not Simply Meet with CVPs
One thing I’ve learned over the years is that it’s very hard to get facetime with most people in the senior ranks at big companies. They’re super busy individuals whose calendars resemble a game of Tetris gone horribly wrong. If you’re able to get 15 minutes on a calendar, consider yourself lucky. As luck would have it, I managed to wrangle not 15 but 30 minutes of Ann’s time on a quarterly visit to HQ, and I made sure to be prepared for our discussions. I felt I only had one shot at presenting my thoughts and didn’t want to waste it.
Being an advocate for communities has always come very naturally to me. From the first user group I attended to leading developer relations for the Edge browser, being directly engaged with technical communities has been a core part of my day-to-day, learning and teaching while helping to be a voice where I can. While some people like to go to conferences and sit behind a booth waiting to hand out t-shirts in exchange for a badge scan, I’m more of a “boots on the ground” type of guy seeking out those unique opportunities to have real face-to-face conversations with people and fully understand what they’re interested in. I’m a bit old school and feel that you can’t truly understand the context of a conversation unless you’re able to hear the tone of a voice, see the expressions on a face and experience the body language of a person you’re engaged with. I feel I’m very good at this type of engagement, and it’s also helped me build some really strong relationships with top developers and now security practitioners.
This was something that I wanted to bring to Microsoft in the form of security advocacy. I saw an opportunity to engage with security practitioners, researchers and bug hunters to ensure they had someone to be their advocate within Microsoft. In addition, I wanted to help build new lines of communications with this community that would allow us to better understand the tools, methodologies, resources and issues it faced, so we can contribute back in a way that was impactful and genuine. I wanted to help give this community another voice into Microsoft and complement amazing teams like MSRC who have their hands full.
This is exactly what I talked to Ann about, and she totally grokked it.
I felt strongly that I had a unique opportunity in front of me. To quote Eminem’s “Lose Yourself”:
If you had
Or one opportunity
To seize everything you ever wanted
In one moment
Would you capture it
Or just let it slip?
So many let opportunities like these slip for many reasons including fear, lack of desire to sacrifice, or a lack of long-term vision. Being new to the industry, I knew that what I had to offer was hamstrung by my lack of security experience. I offered Ann 20% of my time plus after hours work to begin to build a program that would help us better communicate with the security community. To Ann’s credit, she must’ve seen something in my plan, because she agreed to help me ramp up in security. This included helping me attend several marquee events including DEF CON, BSidesLV, Thotcon, and DerbyCon. I made sure to remember the hand that fed me by volunteering to work in the Microsoft booth at Blackhat two years straight as a podium greeter, so I could “pay my way” to these other community events. That Hacker House training course I mentioned in my first article? That was thanks to Ann as well. She gave me a shot, and I ran with it. I demonstrated results as I went along and was respectful of the opportunity she gave me.
Building Skills and Relationships
One thing I knew is that if I didn’t develop my skills at a reasonable pace, it wouldn’t matter if I went to 30 events and talked to a thousand people. I had to be able to talk the talk and back it up in some fashion. I also knew that this community doesn’t appreciate n00bs coming in and spouting at the mouth. “Humble” was the operative word to describe how I approached people, always working hard to listen and not feeling embarrassed to ask for help. It’s really cool to see how helpful people can be when you approach them by genuinely saying, “Hi. I’m new to security, and I REALLY want to learn and was hoping you could point me in a good direction.” I’ve yet to meet someone who wasn’t willing to give me at least 5 minutes to answer a question or just point me down a path. And I will say that it’s incredibly liberating to be the new person with carte blanche to ask silly questions.
The training I got at Hacker House was a fantastic foundation for getting me started. I knew I wanted to start off in offensive security. I NEEDED to understand how people hacked things, and going that route was absolutely the right decision for me. The courses from eLearnSecurity helped to take me to the next level and understand a broader set of technologies, techniques, topologies and tools that have dramatically improved my ability to have genuine conversations with security professionals. And participating at these top events has helped me get more comfortable with how to approach security folk in a way that respects their boundaries, privacy and time.
But if I had to point to the biggest benefit I’ve derived from these experiences, it’s the fact that I’ve slowly started building a network of amazing security professionals. I feel good knowing that I’ve developed first name relationships with folks like Dave Kennedy, Rachel Tobac, Georgia Weidman or Don Donzal. We’re not best buds, but they at least know who I am now. And one of the best friendships I’ve developed is with Tony Punturiero who runs the NetSec Focus, one of the largest message servers out there. I met him at DerbyCon last year, and he’s been one of the best mentors for me and of course, now a friend.
Roman Stoic philosopher, Seneca, said, “Luck is what happens when preparation meets opportunity.” Being able to get the skills AND the relationships was important to my success. And Ann took notice. This was just the luck I needed.
I Might Have to Go
It became apparent late in 2018 that I might just have to leave Microsoft in order to shift into a security-specific role. The company has a wealth of opportunities… in Redmond, WA at the company HQ. While Microsoft has become better at embracing remote workers, some parts of the company still prefer having their employees in house. It’s quite possible I could’ve been able to jump onto a security team if I wanted to move from sunny Florida to the frozen Pacific Northwest, but moving wasn’t in the cards. Then in early December, Ann reached out and said she had an opening for a security advocate, and that I should apply. “OMG! OMG! OMG!” Seriously, that was my reaction.
I applied for the role and went through an interview loop. I felt really good about being able to meet the requirements, but can’t say I came out of the interview feeling like I locked it down. My loop had a mixed group of team members with different perspectives on what the role was and how best to approach the security community. It would take almost two weeks to hear back. Those two weeks felt like an eternity, especially since I was heading off for holiday vacation when traditionally everyone is out of the office.
Hello Microsoft Security Advocate
I mentioned earlier that I have always felt comfortable in a community-centric role and being a developer advocate with the ability to directly help developers was one of the most fulfilling times of my life. I appreciated that people could look to me for help and felt confident that I’d be their advocate within Microsoft.
Thankfully, I didn’t need to leave Microsoft to get into security. Just as I had gone on vacation, I got the notice that I got the job as a Microsoft Security Advocate. What a way to kick off my vacation! I had landed a dream role working with some of the most talented security professionals on the planet. Ann hired me to execute on the vision we shared of helping advocate for security practitioners, researchers and bug hunters; the people who roll up their sleeves and implement the things the C-level signs off on. These are the ones that need to have a voice, because they’re neck deep in the trenches installing and managing systems, handling incidents, defending networks and working hard to protect all of us. This is the community that I’ve grown to love so much over the last two years, and now I get to work with them officially.
Fortis Fortuna Adiuvat
The literal translation of Fortis Fortuna Adiuvat is “(the) strong (ones), Fortune helps”. It is probably best known as “Fortune favors the bold (or brave)”. This is one of my favorite quotes, so much so that it is in my Twitter profile. It is first known to come from Phormio, a play by the Roman playwright, Terence. In the play, Antipho is encouraged to stand up to his father’s disapproval of marrying a poor girl by being strong, because fortune favors the strong. Being strong and bold in your convictions has helped me in numerous ways in my life. This was one of those moments.
This journey has been a lot of work and sacrifice. Thankfully, I’ve met so many people that have been cheering me on to succeed, especially my family. Changing careers after 30 years is truly scary, and I can’t say that I didn’t have a couple of “WTF are you doing?” moments. One thing is for certain, I knew that I really wanted to help protect people. That was the impetus for pushing forward. I set out to get involved in cybersecurity and two years later, I’m here.
If you’re interested in making the jump, don’t let anyone tell you that you can’t. Find that one thing that truly interests you and immerse yourself in it. Ask for help. Meet people. Share your thoughts and ask the silly questions. Nobody will judge you. And above all, believe in yourself. You got this. Fortis Fortuna Adiuvat!
Featured Image: Screen shot from John Wick: Chapter 2.
Rey Bango is a developer advocate at Microsoft focused on helping developers build awesome cross-browser experiences. He’s an ardent supporter of standards-based development and open-source development. He’s taken an interest in information security, especially appsec, and wants to help build more secure experiences.