Reflecting on 2024

A reflection of how 2024 has been for me

Introduction

2024 has been a year of rapid growth and change for me. I have had the opportunity to learn new skills and work on exciting projects that combine multiple topics in cybersecurity. This year was primarily my internship year, and although I am not new to the industry, having worked full-time before and part-time during my studies (some of my work was detailed here), this was still the first time I primarily took on a security focus rather than an IT focus.

What I Learned

While I was initially hired to perform more Governance, Risk, and Compliance (GRC) tasks, I quickly found myself wanting to exercise more technical skills, both to strengthen my (university) capstone project as well as to explore topics like software development, infrastructure as code, and automation. I was fortunate to get the buy-in and support I needed from my team to pursue these interests and use the skills I had learned to improve my work. I like to believe that I have made a positive impact on the team and the projects I have worked on.

An Engineering Approach to GRC

The core of my personal approach to work has always been to find ways to reduce manual effort and repetitive tasks because I am lazy. Laziness isn’t necessarily a bad thing, and in fact, I would even suggest that those who aren’t lazy aren’t reaching their full potential. As Bill Gates once said: “I choose a lazy person to do a hard job because a lazy person will find an easy way to do it.”

I am not the first to suggest this: take a DevOps approach to GRC.

That means taking a more engineering-minded approach to GRC: automate as much as possible, and treat policies and procedures as code. Policies kept as code can be version controlled, with every change tracked and reviewed, which in turn opens the door to automating how those policies are monitored and enforced.

This is a topic I have been exploring in my capstone project, and I hope to share more about it in the future.
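To make the policy-as-code idea concrete, here is an added illustration (not code from this post or its capstone project) of the smallest useful shape it takes: the policy is a JSON document that can live in git and be diffed and reviewed, and enforcement is a check that runs that document against a configuration snapshot. The control IDs, setting paths and both snapshots are invented for the example.

```python
"""Policy-as-code sketch: the policy lives in a versioned data file and
enforcement is an automated check run against a configuration snapshot.

Added illustration, not code from the post. Control IDs, setting paths and
both configuration snapshots are invented for the example.
"""
import json
import operator

# The policy document. Kept as data (JSON here) so that it can live in git:
# every change to a control gets an author, a reviewer and a diff.
POLICY_JSON = """
[
  {"id": "AC-1", "path": "iam.password_policy.min_length", "op": ">=", "expected": 14,
   "rationale": "Passwords must be at least 14 characters"},
  {"id": "AC-2", "path": "iam.mfa.required", "op": "==", "expected": true,
   "rationale": "MFA must be enforced for all human accounts"},
  {"id": "AC-3", "path": "iam.session.max_idle_minutes", "op": "<=", "expected": 15,
   "rationale": "Idle sessions must time out within 15 minutes"},
  {"id": "LG-1", "path": "logging.retention_days", "op": ">=", "expected": 365,
   "rationale": "Security logs must be retained for at least one year"}
]
"""

# Constructed configuration snapshots, shaped like an export from a cloud or
# identity provider API. The second one has drifted from the policy.
CONFIG_COMPLIANT = {
    "iam": {"password_policy": {"min_length": 16},
            "mfa": {"required": True},
            "session": {"max_idle_minutes": 10}},
    "logging": {"retention_days": 400},
}
CONFIG_DRIFTED = {
    "iam": {"password_policy": {"min_length": 8},
            "mfa": {"required": True},
            "session": {}},                      # timeout was never configured
    "logging": {"retention_days": "90"},         # exported as a string, not an int
}

OPERATORS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def load_policy(text):
    """Parse the policy document; a syntax error here should fail the pipeline loudly."""
    return json.loads(text)


def lookup(config, dotted_path):
    """Walk a dotted path into a nested dict; None means the setting is absent."""
    node = config
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(config, policy):
    """Return one finding per rule.

    A missing setting and a type mismatch each get their own status instead of
    being folded into "pass": absence of evidence is a finding, not compliance,
    and a crash on one bad value must not abort the rest of the scan.
    """
    findings = []
    for rule in policy:
        actual = lookup(config, rule["path"])
        if actual is None:
            status = "missing"
        else:
            try:
                status = "pass" if OPERATORS[rule["op"]](actual, rule["expected"]) else "fail"
            except TypeError:
                status = "error"          # e.g. comparing the string "90" with 365
        findings.append({"id": rule["id"], "path": rule["path"], "status": status,
                         "expected": rule["expected"], "actual": actual,
                         "rationale": rule["rationale"]})
    return findings


def failing_controls(findings):
    """Control IDs that would block a deployment or open a ticket."""
    return sorted(f["id"] for f in findings if f["status"] != "pass")


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for name, config in (("compliant", CONFIG_COMPLIANT), ("drifted", CONFIG_DRIFTED)):
        findings = evaluate(config, policy)
        print(f"{name}: {len(failing_controls(findings))} non-passing control(s)")
        for f in findings:
            if f["status"] != "pass":
                print(f"  {f['id']} [{f['status']}] {f['path']} = {f['actual']!r} ({f['rationale']})")
```

Run in CI against a nightly export, the drifted snapshot produces one fail, one missing and one error finding, and the non-pass statuses are kept distinct on purpose: an absent setting and an unparseable value are both evidence gaps that a reviewer needs to see, not passes by default.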

What About Risk?

What I said above covers the Governance and Compliance parts of GRC, but what about Risk? My belief is that risk is a business problem first and foremost, and talk about technical controls should wait until after financial analysis has been done and presented. Sure, you could say that an engineering approach to GRC is managing risk, but how do you actually convince the decision makers of its success and value without showing them the numbers?

I will be honest and say that I think qualitative risk assessments are just checking the box for the sake of compliance. I believe an effective and persuasive risk assessment should be quantitative, and the use of statistics and data science will be helpful in this regard. I have been exploring this topic as well in my capstone project, partly because I believe that talking about mathematics and statistics is a common enough academic topic, and partly because I haven’t seen it applied in practice, and I want to see how it can help me build a better story for stakeholders and decision makers.
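As an added illustration of what "showing them the numbers" can look like (this is not the post's own model, and the capstone work is not described in enough detail here to reproduce it), the following Monte Carlo simulation models annual loss as loss-event frequency times loss magnitude, runs many simulated years, and reports the annualized loss expectancy, the tail percentiles, and the net benefit of a control against its running cost. The frequency, magnitude and control-cost figures are invented; in practice they come from incident history and calibrated expert estimates.

```python
"""Quantitative risk as a Monte Carlo simulation: loss-event frequency times
loss magnitude, simulated over many years, reported as numbers a decision
maker can compare with the cost of a control.

Added illustration, not the post's own model. The frequency and magnitude
figures below are invented; in practice they come from incident history and
calibrated estimates.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float        # mean loss-event frequency (Poisson rate)
    loss_median: float            # median single-event loss, in currency units
    loss_sigma: float             # log-normal dispersion of the loss magnitude
    annual_control_cost: float = 0.0


# Invented scenario: a data-loss event, with and without a control that cuts
# how often it happens but costs 40,000 a year to run.
BASELINE = Scenario("no control", events_per_year=0.5, loss_median=200_000, loss_sigma=1.0)
WITH_CONTROL = Scenario("with control", events_per_year=0.2, loss_median=200_000,
                        loss_sigma=1.0, annual_control_cost=40_000)


def poisson(rng, rate):
    """Knuth's algorithm for a Poisson-distributed count; avoids a numpy dependency."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, trials=50_000, seed=2024):
    """One simulated year per trial: draw how many events occur, then the size of each."""
    rng = random.Random(seed)                 # fixed seed so runs are reproducible
    mu = math.log(scenario.loss_median)       # log-normal with the given median
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, scenario.loss_sigma) for _ in range(events)))
    return losses


def percentile(sorted_values, q):
    """Empirical quantile of an already-sorted list."""
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def summarize(scenario, trials=50_000, seed=2024):
    """Annualized loss expectancy plus the tail figures a mean alone hides."""
    losses = sorted(simulate_annual_losses(scenario, trials, seed))
    ale = sum(losses) / len(losses)
    return {
        "name": scenario.name,
        "ale": ale,
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
        "expected_total_cost": ale + scenario.annual_control_cost,
    }


def compare(baseline, candidate, trials=50_000, seed=2024):
    """Net benefit of the control: expected loss avoided minus what the control costs to run."""
    a, b = summarize(baseline, trials, seed), summarize(candidate, trials, seed)
    return {
        "ale_reduction": a["ale"] - b["ale"],
        "net_benefit": a["expected_total_cost"] - b["expected_total_cost"],
        "p99_reduction": a["p99"] - b["p99"],
    }


if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        r = summarize(s)
        print(f"{r['name']:<13} ALE {r['ale']:>10,.0f}  p90 {r['p90']:>10,.0f}  "
              f"p99 {r['p99']:>10,.0f}  P(loss) {r['prob_any_loss']:.2f}")
    d = compare(BASELINE, WITH_CONTROL)
    print(f"control avoids {d['ale_reduction']:,.0f}/yr in expected loss; "
          f"net benefit {d['net_benefit']:,.0f}/yr")
```

The point for a stakeholder conversation is the shape of the output rather than any one figure: with these inputs most simulated years have no loss at all (the median is zero), so the mean alone would undersell the tail, and the 90th and 99th percentiles are what a budget holder needs to see alongside the net benefit of the control. The same seed is used for both scenarios so that the comparison is not muddied by sampling noise.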

Soft Skills

I have alluded to this in my previous post about a book I picked up. I started this blog this year as a way to improve my writing skills, and presenting my thoughts and ideas to a wider audience has given me more confidence in my ability to communicate effectively. My manager said that “creating a good story is key”, and this is something that I recognized and want to improve.

I have always been a private person, and deciding what to share with the public has been a challenge for me. I like to believe that I have struck a good balance between sharing information about myself and my work, while managing to draw good lessons and parallels with topics that don’t necessarily relate to cybersecurity.

Having the Balls to Speak Up

Despite metaphorically not having functional balls, I find that I have been speaking up often about security matters over the course of my work, even when I may not be directly involved. I think it is understandable that cybersecurity professionals are expected to have opinions on security matters, and bring them up when they see opportunities for improvement, and even more importantly, when they see things are done correctly.

Part of the value I bring to the team is my depth of experience in IT operations and my application of security principles to these areas. Being effective at GRC means being able to convince the IT team to have the right controls in place, and this is where I feel my background has really helped me. I feel heartened that my team has been receptive to my feedback and suggestions, and I hope to continue to provide value in this area.

Interesting Stats

As made clear in my About page, I do track visitor statistics across this blog using Goatcounter, provided you aren’t using an adblocker. I am pleasantly surprised to see more traffic than I expected, and I am grateful for both the explicit and silent support I have received. I hope to continue to provide content that is interesting and valuable to readers and supporters.

What I find interesting is that my most popular post is not about cybersecurity, but about my vasectomy. I like to believe I have made quite an impact with that post, talking about something that people often don’t talk about, and I hope that my ability to connect my life choices with my approach to cybersecurity has been interesting and valuable to my readers.

Conclusion

This year has been a year of growth and change for me, where I have picked up new skills and worked on exciting projects. I have shared my belief in taking an engineering approach to GRC, how I think risk should be presented, and how I am developing my soft skills through this blog. I have also shared my thoughts on speaking up and the interesting statistics I have observed on this blog.


This post is licensed under CC BY 4.0 by the author.