My Journey to “Small e” Systems Security Engineering

“Small e” Systems Security Engineering (SSE) you ask? We’ll get to that; it’s a part of the journey.

Like many, I didn’t grow up with a lot. Long, sad, traumatic childhood that caused me to do poorly in school in my formative years. When I finished High School, I say finished because I did not graduate. Failed Trig and you had to pass both maths to graduate. Took it in summer school and ended up with the same grade. That was that for me. I spent that summer of 1980 reading primarily. Sure, I looked for work as well, but at that time in my hometown adults were bagging groceries in supermarkets, so not much opportunity unless you knew someone.


That fall the bulk of my friends, most of whom were excellent students, began University. Many of them were studying Civil Engineering and I’d often hang with them at the student club, or party on the weekends when funds allowed. I was wandering downtown one afternoon with my then best friend, who is now a Director General with a Federal Government Department, and we walked by the Canadian Armed Forces recruiting centre. We were bound for his house, so I said “I’ll see you back at your place later. I have a stop to make.” In I went.


I was literally able to test then and there, chose what was then called the Communicator Research “trade”, because it was in comms and seemed secretive. Yes, Signals Intelligence (SIGINT) certainly is secretive. After I was done, I went to my friend’s house, stayed for dinner (as they were like a second family to me) and then I went home and told my family the news. Ecstatic does not describe the response well enough. I had chosen a path, on my own without any intervention. They were proud.


Boot camp and six months of SIGINT training behind me in 1981, I was sent back to my home province for my first posting at one of Canada’s SIGINT units. Between 1981 and the time I had retired in 2001, I had served on all three of Canada’s coasts, the nation's capital, a couple of ships, NSA, CSE, Italy and Bosnia, with a myriad of other career courses and duties sprinkled in. This included 5 tours of Canada’s arctic station, CFS Alert, in Nunavut, Canada. In 1996, while I was on leave before my last tour of CFS Alert, I took the exams for a GED without any preparation whatsoever over the 5 days I was on leave and received my High School diploma.


It wasn’t until 1998, when the culmination of some hard work by some very talented folks saw the recruiting from our military trade to form DND’s first Information Operations capability. We had to submit resumes, be interviewed, and wait for a selection process to unfold. I was a Senior NCM, a Sergeant at the time, but in the spring of 1999 was chosen to lead the creation and development of Canada's first Computer Incident Response Team (DND CIRT). It was complemented by a sister team called the National Vulnerability Assessment Team (NVAT). Together we were the Information Protection Centre (IPC), now called the Canadian Forces Network Operation Centre (CFNOC), as over time all network services were combined.


Those two years were a flurry of basic computer and network courses, from operating systems to SANS Incident Analysis. We staffed, trained and built the teams, wrote doctrine, processes, deployed Intrusion Detection across the Country, additional antivirus applications, monitored, reported, participated in International forums, and gave briefings to just about every visiting country and Canadian government department that had heard of us. But at the day’s end I still retired in 2001 after a failed attempt at offering me a commission from the ranks in order to maintain the continuity of the unfolding program. I had a wonderful retirement function, attended by over 120 great folks for whom I regaled the fond memories of my career and offered the following advice: you are the product of your environment; choose wisely. I did.


My first job, as a Manager of Security Operations for a small start-up in 2001 was uneventful. I was repeating the military exercise of creating a Security Operations Centre (SOC) for them as they wanted to get into the Managed Security Services (MSS) world. Things were going fine until I got wind of bankruptcy risks and I jumped ship 6 months later. That is when I landed at CGI, Canada’s largest consulting and Business Process Outsourcing company at the time. The Director who hired me started me down the path of learning Risk Management, but also tasked me with the creation of a Business Case to get funding for an MSS, as I had convinced him that was the path to righteousness during the interview. I’d never heard or seen of a business case before, let alone ever written one at that time, but on I went. A couple of months later, we had secured two series of internal funding to create two SOCs, one for Federal Government clients (they wanted separation at the time) and one for the private sector.


While we had some great technical folks building out the SOCs, I led the creation, staffing, training of the team. Additionally, I did Channel Management, Marketing, was spokesperson, wrote the proposals and all the Business Development by myself. I burned out fast, no promotions, etc. so I moved on. In the first 3 years of operation, we took a small security risk management practice with revenue of about $5 million a year, to $22 million. I had succeeded. They had succeeded.


Since then, I’ve worked for a series of firms in different security management roles, all available to review on my LinkedIn profile. This all culminated with a decision to hang out my own shingle as a consultant in 2014, having been let go by a financial firm I worked for at the time. While this was my first time being fired for anything, and it was difficult, it was a decision I will never regret. Why, it’s a part of my journey to SSE.


In the summer of 2016 I was contacted by someone I know, but not well, asking if I was interested in joining them at the Naval Engineering Test Establishment, which is run by the Royal Canadian Navy through an outsourcing agreement with Weir Canada. That “interview”, over a coffee in the sun, during which we talked about cybersecurity and C4ISR and never was a traditional interview question asked, led to a second discussion with a hiring manager and a decision by me to join as a consultant vs an employee.


I was put on the Canadian Surface Combatant project in the fall of 2016 and have been there since. However, I’ve probably learned more in the past 6 years on this project than any similar length of time anytime in my 42 years of working. I certainly did not have any previous exposure to Major Capital Projects within DND in the past, but have been engaged in the Systems Engineering aspects of this project, from a Cybersecurity perspective, all this time. My colleagues had already developed a Systems Security Engineering-based risk management framework that would work inside the Systems Engineering required of the Directorate. It injects the outcomes of the Cybersecurity Framework and NIST SP 800-160 Vol 1 so that real security Engineering can be managed through the project lifecycle.


Jeebus dude, get to the “small-e” Engineering will ya? My NETE colleagues are very proud Professional and academic engineers. The clients I work with have similar backgrounds. And, while our security industry is rife with roles that are defined as Engineering roles; many of them simply are not. If you’re not an Engineer, you’re not holding an Engineering role; hence “small e” engineering. I wouldn’t disrespect their hard earned education to even go there. However, they only make $5/hr more than I do. <insert smiley emoticon here>


What’s the point man? Well, dear reader, since the mid 1990’s and before, I’ve been mentoring transitioning military members. I never suffered the angst that many of them do today. Many go the path of university and college education, but it wasn’t my path. It’s not always everyone’s cup of tea, or even affordable given other life circumstances. However, over the past few Covid years, never in my 4+ decades of working have I seen an uplift of support to assist folks transitioning into our industry. Mentorship offerings, free courses, free platforms for training, labs, exercises; all within reach. You can literally get all the training you need FOR FREE.


I think I’ve made it clear that it’s not always easy, the work is hard, challenging, constantly changing and clients can be difficult as well, but I have not regretted it one single day. Had some bad days of frustration, anxiety, “I’m done with this”, but no regret.


So, regardless of your current background, if you are looking for a career like this, want to earn a very decent living and be proud of everything you do, you need only to connect with folks in the industry and learn. You can start here if you like: https://start.me/p/b5epnR/free-or-near-cybersecurity-training. If you are an employer, write your job descriptions fairly to the role. Yes, education is important, but the baseline skills that a formal education elicits can be nurtured in many other ways. Make opportunities for folks obviously willing to learn, regardless of the path they are on to do it. Unicorns simply don't exist.


Thanks for bearing with me on this journey. I left lots out, but if this old guy with nothing more than a GED and some tenacity can carve out a life, certainly you can too. Good luck with your journey and feel free to contact me if you need to talk.

#infosec #cybersecurity #careertransition #HR #SystemsSecurityEngineering #SystemsEngineering #CAF #DND

Nick H.

Cyber Security Architect | CDAP Digital Transformation Advisor

2 years

Great article, Pete Hillier, CD, CISSP - thanks for being such a generous person with your time and wisdom. Keep it up!

Henri St. Louis

Cyber Security Instructor at the University of Calgary

2 years

Taking the path less traveled shows strength of character and perseverance. It's your path Pete, thanks for sharing.

Kelly Pierotti

Human Resources Professional and Independent Contractor

2 years

What, unicorns aren't real? I enjoyed your article and your story, thanks for the read.

Well put, Pete. Formal education doesn't suit everyone, and even for those it does, they're ready at different stages of life. And some people, like you, are auto-didactic, and enjoy sinking their teeth into a subject and tearing great chunks off it.
