Looking back and forward on a twenty-five-year career in cyber security

I got into security almost by accident. After graduating from university, my wife and I moved to Northern Virginia in 1997. There, I attended a job fair at a hotel. Standing in line to meet with a large government contractor, I investigated a room to my left, off the hallway. I saw a guy sitting, typing on a laptop, and talking to nobody. I thought, “Huh, this line will be here when I get back; let me see what this guy is up to.” I walked up to him and struck up a conversation. And just like that, I met Mike Weidner.

During the conversation, Mike explained how they were looking for a system administrator, and I began the interview process then and there. After some follow-on interviews at their offices at Boone Blvd in Tysons Corner, Virginia, I was offered the job. Keep in mind that I had no idea what a “security” company did, but there I was.

The next few years were incredible, as I was transformed from a system administrator into a security engineer. I stood on the shoulders of giants in the industry, learning from Marv Schaefer, Gary Grossman, Chuck Pfleeger, Victoria Thompson, Stan Wisseman, Bill Wilson, and many others. They taught me the true meaning of threats and how threats manifest in different pieces of a system. I worked alongside people who have grown into giants in the industry— Doug Landoll, Diann Carpenter, Jeff Williams, and Klayton Monroe. They pushed me to keep up and learn everything thrown my way.

My first big takeaway from my Arca experience is the importance of pouring into the next generation. I look for opportunities to mentor newer security folks every chance I get. I’ve made this a priority since my days at Arca. It’s not like I came up with this on my own — I’ve reflected on what I was taught by all the Arca industry giants — pour into others, as the return is great.

As the Internet bubble was in full swing, Arca was acquired not once but twice. The first acquisition didn’t stick, as the acquiring company had some issues, and we landed as the new security consulting arm of Exodus Communications. Exodus was the company that everyone used, but most had no idea. Exodus, at its peak, had 44 data centers worldwide, and three out of every four clicks on the Internet went through our data centers.

I started as a Senior Security Consultant and migrated into Incident Response. Exodus brought together a group of ex-FBI agents and people like me that had been using computers for decades. We investigated many major breaches and worked on industry-wide security events under the guise of the Cyber Attack Tiger Team or CATT. When the Internet bubble burst, so did Exodus, and I was back on the move.

I had a few jobs between Arca and Exodus, all without leaving. My takeaway from this time was to reinvent yourself often. I went from consulting to Incident Response and learned a whole new discipline. I leaned into all the Exodus CATT team members could teach me — learning from trained investigators from the FBI and other Intelligence agencies. Reinvent and never stop learning. Our field is so large we must all continue to learn new things.

After Exodus, I had a brief and uneventful stint at a Government Contractor. From there, I landed at Cisco and worked on Common Criteria and FIPS 140 certifications for five years. After leaving certifications and joining an inward-facing product security team, I was challenged to bring threat modeling to the whole engineering organization. I dove deep into threat modeling, grasping how to perform it. I was the Chief Security Advocate at Cisco for five years, and one of the things I did there was work with Erick Lee to define requirements for Cisco’s threat modeling tool (which Erick did all the coding for). Afterward, I worked toward distributing the tool to engineers across the company. We saw success in our efforts as threat modeling became a prominent piece of Cisco’s Secure Development Lifecycle (CSDL).

After a few years, I left Cisco to start Security Journey. First, I built a product that teaches developers and product-adjacent people the foundational, intermediate, and advanced facets of application security. Then, I led Security Journey to an exit in 2022. (If you are wondering, in my next chapter as CEO of Kerr Ventures, I’ll split my time between startup investing/advising, consulting, and incubating my next idea(s).) I’ve written all my learnings from Security Journey in a series of yearly posts that you’ll find on the Kerr Secure Blog.

When I ponder all the different job functions and opportunities that I had, I realize that while the technical side of security is important, it’s the easier part of what I’ve accomplished. The soft skills of leadership are things that I developed by watching excellent leaders lead. From my managers at Arca to Tom Sweeney at Cisco, I learned how to lead by watching others lead well. I’ll never forget my favorite Tom Sweeney quote — “Judge yourself not by the number of people you manage, but by how many managers you create.” This embodied Tom’s philosophy — pour into people.

Back on the security side, as I think about everything I’ve seen on my personal security journey, it feels like we’ve come so far, yet we have so much further. In my time, we’ve gone from a client-server desktop-focused world to fully networked, containerized, and cloud-native delivery. The technology we rely upon has revolutionized how we deliver IT and applications, yet we still have threats. The threat landscape has changed over time as new attackers enter the scene, new attack scenarios are dreamed up and implemented, and the number of interconnected devices has exponentially grown. At the end of the day, it still comes back to threats. The threats are consistent across the decades, and the need to understand them and mitigate them continues to be a priority.

In my career around application security, I’ve watched the industry go from waterfall to Agile to DevOps. When I ponder the application security impacts, we are doing the same activities with DevOps that we did with waterfall at a more increased pace. Threat modeling is important in all methodologies, just like SAST, DAST, SCA, CVA, and RASP should be incorporated into every application security program today. While some things change, some things stay the same.

I often wondered in the early days of my career if we would run out of threats and put ourselves out of jobs by solving all the security challenges. I thought there was a chance in those early days, but as the years went by, I understood that I’d retire from this industry someday, and the threats would still exist. They would look different than when I started, but there will be plenty of room for engineers to continue to tackle the newest threats that impact the human beings of the Internet.

We still need more people in our industry. We can argue about how many people we need, but we can all agree that we need more people. I don’t see myself moving away from the world of security. I dream of being like my friend Brook Schoenfield when I grow up, continuing to share my knowledge and experience across our industry. Brook calls himself the “Elder Statesman of AppSec.” Someday, I hope to be invited to that group. I feel like I still have much more to learn.