Who am I?

This is a question that I’ve struggled with for most of my professional life. I started out like most IT people do: in an IT support position. Then I kind of bounced around a little and wound up in a Tier 1 cyber security position. I did this for a few years and got burnt out (big surprise) and found out coding was fun, so went into programming for a while. Then I got pulled back into cyber security again, willing to give it another go (for the money offered, mostly, if I’m honest). I did that for a few more years and decided to start my own business with a focus in cyber security services. Then I decided I hated cyber security and left the business. Now I’m just doing the same salary security job I was doing before, but considering next steps.

That was really long winded. How about I just answer the question.

After a lot of reflection on what my true aspirations are in life, I decided that I want to be a builder. Naturally this first made me think I should just go back into programming, but lately I’ve been thinking more broadly than that. I want to build things that have huge, positive impacts on people. No, I don’t mean make a business a ton of money. I mean I want to reduce tedium, monotony, inefficiency, and suffering of all degrees. I want to enable somebody to do something they could never do before, or at least make them able to do that thing better. Maybe this means completely overhauling an IT process that requires thousands of hours of tedious, ice-pick-though-the-eye, manual work, and making it a streamlined, automated process. Maybe that could allow those affected to spend time thinking about things that matter, enriching their own work life.

Or maybe they just end up getting canned because leadership doesn’t pay you to think about those other things.

Regardless, I knew I had to leave my cyber security business because the security field is a thankless job. And even that sounds like an insufficient way to describe the despair that comes along with it. Cyber security work requires a enormous amount of input only to result in a negligible impact. That lack of any real, lasting impact wears one down over time and eventually invokes feelings of uselessness.

You see, we security analysts sell insurance. And no insurance salesperson has ever been fulfilled by what they do. It’s why cyber security burnout is rampant and not getting any better year over year. Some think that it’s because it’s impossible to keep up with the tidal wave of new threats that come out monthly, weekly, daily. But really, I think it’s because deep down, cyber security folks know that nobody wants to deal with security unless it’s their last resort - and even then they’ll probably just try to ignore the problem until it goes away (this is called “accepting risk” in corporate newspeak).

Take this common security analyst scenario: imagine spending multiple days or weeks analyzing vulnerability data from recent scans. You research the results of the scanner and first focus on the ones it claims are the most severe, based on an arbitrary score decided on by a guy in a basement somewhere with no knowledge of you or your client’s context. Upon further analysis, you realize this “Critical” vulnerability has no known exploit and is seven years old. Nobody has figured out how to exploit it. This causes you to reassess the severity rating and wring your hands over whether this “Critical” vulnerability is even going to provide value to your client. Then you have to figure out how annoying remediation for it will be. Maybe it’s a framework vulnerability that requires multiple major version jumps to address, which isn’t realistic since your client isn’t going to spend more than five minutes trying to address this edge case, unexploited vulnerability. So you ultimately decide to omit it.

You do this over and over and over for each vulnerability until you finally come up with a list that is curated and triaged and scary enough for the client to maybe care. You pour an inordinate amount of effort into making the report look professional, unique and eye catching enough to make sure that the client won’t go to sleep after scrolling past the overly loud cover page. You resist leaning on ChatGPT to do it for you because you fear that the client will secretly be a security expert and find a hallucinated claim that you missed when you were trying to read the entirely-too-verbose response in a sleep-deprived state.

You do the report readout with the client and explain in plain language why you decided on this list of doomsday vulnerabilities and how they should most definitely be concerned that their digital world could end. This is met with “oh interesting” or “hmm”. Following the readout, you have a post-readout call with your business partner to do the retrospective and try to decipher the monotone expressions emitted from the client. Months later, when it’s time to do the next scan in the quarterly cadence, you find out that the client wants to push it out since they really haven’t had time to deal with the vulnerabilities yet, but they’ll get around to it eventually. See, this report of yours went into a folder somewhere (likely one called Recycle Bin) and was probably never even thought about again after your readout. The reality is that you were hired to check a box; not cause a stir, not cause more work.

That’s what I mean by a “thankless” job.

Anyway, what was the question? Who am I? I’m a builder. And a lifelong learner - I love learning new stuff. I’m a programmer and a security analyst, for better or worse. And lately, I’ve started to develop a fascination with AI, though I’m trying to not drink too much of that Kool-Aid. I care about making things efficient and being productive. Other than that, I like traveling and find the world outside of my bubble to be interesting/inspiring.

What kind of content will be here?

I don’t know. Whatever I want.

But really, most likely the things surrounding the stuff I just mentioned above. Even security because sometimes there are cool things in that.

Why do this blog?

Yeah, it’s a saturated space. It’s hilarious any time somebody still recommends blogging to get exposure in 2025, especially in a time when GPT Blog Master 4000 can just do it for you.

But I think that’s exactly why I want to do this. To not let an AI bot do it for me. To not let my writing ability (or ability to think) atrophy because all I have to do is write a prompt. Then ten paragraphs of the most generic, word-salad-laden prose are instantly generated in a response, which even has a little copy button for your convenience.

Writing is something that has multiple benefits. It allows you to work stuff out, find gaps in your knowledge, and helps you re-encode long term memory to increase your understanding of a subject. On top of that, it allows you to keep a historical record - a snapshot in time - of what you were thinking and doing. It improves your ability to abstract and simplify your thoughts, allowing your to look at things in a new light - a new lens.

Other than the obvious benefits writing, this blog will be another thing that will keep me from my gaming addiction. Gaming is terribly unproductive. I know people find escape in it - I did for decades. But I’ve recently come to grips with the fact that there are just better things to lose yourself in. I don’t think I can come up with a single positive attribute of gaming that can’t be replaced with something else that’s actually productive (and doesn’t even have to be high effort).

So that’s pretty much it. I want to write about the things I care about as a means to think about them in a different way, and maybe help me work through things I’m trying to figure out. I don’t use social media because it’s a race to the bottom. People can’t read more than two sentences there anyway. So this is probably the best way for me to do all that.

And no, I don’t care about exposure. I’m not doing “content creation” or trying to make money on this. I’m not intending to be an “influencer” or whatever they call themselves these days. No, I’m not going to have a comments section. To be honest, I don’t really care about the opinion of anybody that reads this. Unless they have an opportunity for me to make a major positive impact on somebody’s life. Then we can talk.