Things have been fortuitously random in my life. My first love was music, and I would like to have made it my career. But, my body needs a lot of health care, and music is no way to make money. When it came time for college, I was firmly dissuaded from majoring in music. (I would probably have made a better composer than performer, but now we’ll never know...)
So I turned to my second love, language. In high school I took AP French and did a lot of German, and had started to read books on linguistics. So I ended up double-majoring in linguistics and in French language and literature, and almost completed a minor in Latin (I got burned out). Clearly, these were not much better options for career maximization. My mom thought I could be a translator. (I did profoundly love the 2 courses on translation and stylistics, and the excellent professor who taught them. I loved them all.)
However, I did take 2 quarters of computational linguistics classes, and I fell in love with the homework assignments which consisted of writing simple Lisp programs to parse, generate, and manipulate corpora in tiny toy grammars. Of huge importance was the mentorship of two friends who had spent their childhoods learning to program while I had been practicing guitar and learning music theory. After classes on Wednesday nights we drank a lot of pizza and ate a lot of beer, and I soaked up as much as I could about Unix, discrete math, Perl, and C. I probably missed a lot.
I had also taken a job in the foreign-language building’s computer lab doing help desk and webmastering. I thereby discovered the Constructed Languages mailing list, and found myself trying to understand the Perl script someone posted to generate made-up words, and then Word Net too. I didn’t yet know what to do with it, but I knew it was going to be cool.
Then I moved to the multi-media computer lab and forced myself to use Linux as my daily computer. (A Pentium 75 running Red Hat 4.2! It might have had as many as 32 MiB of RAM...) I got addicted to its quirks, and started trying to understand C code and shell scripts. Then I bought a used and already-obsolete NeXT Color Turbo for home — the first computer of my very own, and I loved it as much as I loved my first decent guitar (a Washburn D-10 that I sold a few years back to a 14-year-old girl (same age I was when I got it) whose mom was as anxious as mine was about this kid who was about to waste their life on rock and roll). On that NeXT I learned Perl, I attempted to learn C, and I stayed up until 4 AM reading the manual pages.
And when I finally graduated from college, I was just barely employable as a web developer.
A paranoid web developer. I almost wonder if my near-total ignorance of programming contributed to my interest in security engineering. I had learned enough in college to come to believe that the difference between a global library of unrestrained, free reading and conversation, and a globally-connected Panopticon, was cryptography (not that I understood anything about it). That piqued some cranky interest. And then I joined the BUGTRAQ mailing list (the Full Disclosure of its day) and realized just how many awful security vulnerabilities I had authored just that month. Then I was really hooked.
When I finally moved out to San Francisco — in the depths of the dot-com crash, May 2001 — I got another web app development job and started focusing in earnest on learning more programming languages (Python and Java!) and on security in general and OpenBSD in particular. When the long-moribund dot-com stopped paying us on time, I got lucky and took a chance to work for much less money (but consistent money!) at the Electronic Frontier Foundation as the systems administrator. I managed to parlay that into a position as Staff Technologist, and then as Technology Manager; and by that point I had learned enough about security to move to a job as a security engineering consultant at iSEC Partners.
iSEC opened my eyes to a lot of insanity and hilarity. It was at iSEC that I got my real security engineering education. By a few years in I had developed a pretty serious eye-twitch, and a nervous tic: I couldn’t leave the house without checking, like 5 times, that the doors were locked. Sometimes I would circle the block, come back, check again. This, even though I knew that standard home door locks are trivially bump-keyed.
It was a completely irrational response to the (now rather banal) knowledge that our entire economy and society could collapse at any moment. It was all good, though; about this time I built a guitar from parts and gigged regularly with 2 bands.
Through iSEC I had been doing a lot of work at Google, mostly on the new Android operating system, and I had come to love the Google and Android engineers. Eventually, a good friend press-ganged me into coming to work at Google on Android, and my new boss was the rightfully legendary Dianne Hackborn. Even more education was had, by me, at that time.
Then I went back to the EFF, this time as Technology Director. It was a good opportunity to lead some technology projects there and assist on some of the litigation they do. In that role I learned that although I am a cat, I am not a cat herder. Perhaps that is obvious, but it wasn’t yet obvious to me. Soon I was enticed back to Google, this time with the Chrome Security team.
Best job ever.
The most important thing, what enabled me to grow and learn as quickly as I could, was community — teachers, mentors, learning-friends. Just by luck and random encounters I’ve had several truly excellent music teachers, great French and Latin teachers at all levels, linguistics friends who were also Unix wizards, great managers, great team-mates, great engineering role models. My worst times were times when I was disconnected and had no community — I moved much more slowly than I could have when I first moved to SF, and things picked up for me as I found my peeps. Peeps make it happen.