I recently spoke with a close friend who’s been in the security industry for over a decade. We discovered an interesting issue we both had, but never discussed.
Both of us had become pessimistic.
It’s not terminal pessimism. It’s not like there’s no point in living, doing anything, or initiatives. But it is subtle and strong enough to hinder growth.
Let me tell you how I got here.
After college, I got my first job as a Product Security Engineer. If you don’t know this role, it’s a fancy way to say that you will secure every technology that’s needed for the product to work - web apps, mobile apps, infra, networks, more. Over a year, I developed a mental model for finding security issues: Start with basic threat modeling questions and dig deeper.
Here are Adam Shostack’s minimal questions for threat modeling:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
Then I got promoted. More tasks, more teams, more interactions, more security reviews. Adam Shostack’s question “What can go wrong? What are we going to do about it?” had become my second self, especially the “What can go wrong?” part. It was auto-suggested by my brain. I found security blind spots and architectural issues in feature design review meetings faster than before.
I had (and still have) a relatively successful career because of this mental model.
But this came at a cost. This question seeped into all my thinking - even outside work.
Me: Should I invest? My brain: What can go wrong?
Me: Should I move to a better place to live my fullest? My brain: What can go wrong?
Me: Should I <add something important>? My brain: What can go wrong?
These seemingly simple questions have many variables that can go wrong. A major chunk of these variables are outside our control. You can’t defend yourself against most of the potential issues.
This auto-suggested question made me focus on obstacles and how to tackle them, rather than the goal and the reason I’m pursuing it.
This auto-suggested question hindered my personal growth and led to another side effect - stress. As Naval puts it, uncertainty is the root of stress.
The vicious cycle:

That’s how a question that contributed to my success in my security career hindered my growth.
What to do about it? 😜
I’m still in the security industry, specifically the cloud security domain. I love solving security issues. Whenever my brain auto-suggests this question outside work, I take a deep breath and consciously think about the goal and why I’m pursuing it. It requires some effort when getting started.
Also, looking back, I find most potential issues were just in my imagination. Reality turned out far better most times. I use this as proof to convince myself not to think too much about all the things that can go wrong.
Rancho in “3 Idiots” told the solution long ago. I didn’t understand it then.
👋