07 Computer Security career path

This might get long and rambling, so the first paragraph is the bare
minimum, and if you want more details, continue reading :)

The short story:

Started with my first computer at 3, went to a high school with no
computers, went to college, got a job as a sys admin while in school.
Went to grad school, worked as a sys admin part-time there. Got hired on
by Foundstone, learned lots of stuff, took another job with a small
consulting company.

The longer version:

My dad worked in accounting, they like crunching numbers fast, so he
always had access to computers, and once I showed an interest in them,
he bought me one. From then on I always had a computer, technically it
was the family's computer, except I was the only one who used it. We
moved to a small town in south Texas, and the school had no money, so we
had no computers. We still had typewriters for our typing classes (this
was 1992-1996, so not that long ago). Friends and I used computers
outside of school though, and I was introduced to BBSs (until my parents
discovered that the closest BBS was a long distance phone call).

I got lucky living close to a university, they offered something called
TexPREP - Pre-Freshman Engineering Program
(http://w3.panam.edu/~texprep/). I spent 3 summers in high school being
introduced to various types of math, engineering and computer science.
This is where I learned that I could "do computers" for a living.

I went on to graduate from high school, and started at Texas A&M
majoring in Computer Engineering. I later changed to majoring in
Computer Science and minoring in Electrical Engineering, mostly because
I could take the chip design classes that I wanted to, without having to
also take Statics and Thermodynamics :) Against the wishes of my dad, I
found a job as a lab assistant helping answer questions about FORTRAN.
I also had my first introduction to UNIX, and I was hooked. A guy I
dated introduced me to Slackware, and I've been a unix convert ever since.

That first summer, I worked as a "temporary employee" on the graveyard
shift babysitting two AS/400 minicomputers. They were OK, I wasn't
terribly impressed, but it was work, it paid, and I could study while I
was at work - and be wide awake for the 7:30am class I had signed up for :)

In the summer of '98 I accepted an internship with INRI - now part of
Northrop Grumman. I did some software development on Windows NT,
porting their existing software from HP-UX to NT. I was doing mostly
GUI work, and while I was OK with the job, I wasn't happy for multiple
reasons: 1) I was working with Windows, 2) I discovered I have no
concept of design, so my GUIs never looked "right", and 3) I discovered
that while I like coding, it's not something I wanted to do every day
for an extended period of time.

At the end of the summer, a friend recommended me for a "programming
assistant" position with the math department at A&M, and I started
working with them. I was basically a jr sysadmin with some programming
thrown in. I learned a lot about Solaris and Red Hat, and basic
adminning skills. I loved it! Through this position and the remaining
classes I had, I developed an interest in security. Primarily host and
network security, and I took every opportunity to practice my skills.

I also signed up for a graduate level crypto class, which was
interesting, but a struggle for me since my math background wasn't the
strongest. Luckily, I knew exactly where the professor's office was,
and he was willing to answer a lot of questions - working in the math
dept had its advantages. At this time, I also started taking some of
the more theoretical computer science classes, and discovering that I
really didn't like them, kinda steering me away from "traditional"
computer science.

My dad was big on education, and once I finished undergraduate, I had
already been accepted into graduate school at Carnegie Mellon in their
Information Networking Institute (INI). The degree of Master of
Information Networking consisted of Computer Science, Electrical
Engineering, Business (ick) and Public Policy classes. I figured, well,
I like most of it, there's only two classes required in the "business"
part, I think I can handle this...

I handled most of it. I went through your stereotypical hell first
semester. It was both fun and exhausting at the same time. I was
"working" this semester as an admin. I say "working" because it was
only 10 hours a week of required work, and usually, we only ended up
working about 3-4 as was needed (I ran the Linux systems, it was a lot
less work for me :) )

In the following spring, summer and fall, I worked on my thesis and TAed
for several classes: two Open Source (Linux and Apache) graduate level
classes, and two undergraduate classes: Java and C. I got lucky with
the C class. I had worked for the professor for a while with his Java
classes, and he trusted me, and he also ended up having surgery and was
out for 4 weeks, and I "took over" the class for those 4 weeks. I
discovered how much I really enjoy teaching that semester.

I won't mention my thesis other than the experience was miserable, and
I'm not sure I would ever do it again, primarily due to my advisor.

I finished all my classwork, but not my thesis, so I took a programming
job at CMU, and I hated it. I just didn't fit in very well with the
personalities of the group, and it was extremely nerve wracking. I did
get a lot of experience working with network routing protocols, and
TCP/IP though. I had continued work on a friend's thesis which allows
you to take an active TCP connection, "pause" it, and restart it with
one of the hosts being changed.
(http://www-2.cs.cmu.edu/~softagents/migsock.html)
I wanted out of this environment more than I could imagine. I was even
considering working jobs I knew I wouldn't like, but could do, just to
be out of there. Luckily, an opportunity came up.

Other students in our program had finished their thesis a semester
before we did, and one of them was working for Foundstone. He referred
me, and they made me an offer to work in DC. I did penetration testing,
teaching other people how to crack into machines (the Hacking Exposed
classes), host configuration reviews, and some source code reviews.

I really enjoyed working for Foundstone. I liked the work, I liked the
people, but I really hated the travel. I was a consultant, and we'd be
travelling about 2 weeks per month, sometimes more, sometimes less. I
did it for almost a year, but it took its toll on me. I wanted to be
home to play with my boyfriend and my cats. I started sort of looking
for a new position, I wasn't in a hurry though, and I figured I'd wait
until I found that "perfect" job. My boyfriend was also looking for a
job at the time, and I'd scan the Washington Post for positions that he
might be interested in, and I found one titled "Computer Hacker wanted".

I was extremely intrigued, and I applied. The President of the company
sent me an e-mail about two days later wanting to set up an interview.
The company was Gemini Security Solutions, a small consulting company
outside the city. They specialize in PKI, but do software development,
documentation development, security audits, and pretty much anything
that has to do with computer security. I was up front at the interview,
that I was mostly happy with Foundstone, and I was putting feelers out
to see if I could find the "perfect" job. I was also upfront about why
I was thinking about leaving Foundstone. I don't mind *some*
travelling, but the 1-2 wks/month was a bit much.

He told me a lot about the company, what he wanted to do with it, where
he wanted it to go, how he wanted to get there. I thought that was
extremely important because when I interviewed with him, there were 3
employees including himself :)

I thought about it long and hard. I was leaving a stable company with
good benefits, good pay, good people, and going to an unknown smaller
company, not so great benefits, and unknown stability. I decided to
take the chance, and I'm so glad I did.

I've been here for almost a year and a half, things are going well, I
still like my job, I love the people I work with - kind of important in
a small group, and I couldn't imagine working anywhere else now. Some
of the highlights of the environment: very casual - shorts, jeans,
t-shirts - unless we're at a client site or clients come visiting, then
it's usually business casual. Relaxed work hours. As long as I work at
least 40 hrs/wk and get my work done, I can pretty much come and go as I
please.

The only bad thing about the job is it's in Virginia, I live in Maryland
- it's a 35mi drive one way, with public transportation not an option -
it just doesn't come out this far. Moving to VA might be in the future,
but I tend against it because of politics and a nesting complex :)

Someday, I'd love to try teaching at the university level again, but I'm
in no rush. I'm currently in the part-time faculty pool at the local
community college, so I may get to teach one or two classes at some point.

I had also flirted with going to law school at one point, enough that I
had taken the LSAT to get in. My scores are good for another 3 years,
so it may still be possible...


Lessons learned:
1) Who you know is more important than how you answer job ads. All but
one of my positions was obtained via people I knew. Network, Network,
Network!
2) Sometimes you gotta get out of a position no matter what it takes.
3) Smaller companies have more leeway in the environment than in pay and
benefits
4) There are some things you may be good at, but you don't particularly
enjoy.



Elwing