More to come, but this via one Michael Howard pointing to an article by the “other” Mike Howard on campus, who are strangely both work in security.  A little different, but an interesting article and we use the same language and similar approaches.

http://www.securityinfowatch.com/Cover+Focus/no-size-fits-all

Met some of the people I would be working with on Tuesday, but as I have no direct reports (as of yet – I’m an IC, Individual Contributior, initially but that may change), my manager introduced me to a bunch of people while walking offices, corridors and being placed in various meetings.  I was pleased that the very first one I was placed in I had quite a lot to contribute so off to a good start I hope.  The number one item for me is to figure out where I need to be plugged in as it’s really apparent that I could easily spend too much time on “interesting stuff” but which would really be using me most effectively.

I think I’ve done all the mundane, but necessary, Start@Microsoft things like elect benefits, HR forms, Legal, order laptop, etc.  I have a nice desktop already, and it’s very different going into an office every day than working from my home office.  Not sure I totally like having to get up earlier and the 20min commute rather than the 20ft I had previously (and being able to work in my undies if I want to – I don’t think my new colleagues would like that!), but there’s no question that I’m getting exposed to more learning and involvement/leadership opportunities already.

Starting to understand the main architecture of Bing and I really get now why they are calling it a “decision engine” rather than a search engine.  I’ve liked the general results I’ve got from using it since launch, but there’s so much more than just indexing pages – things like “answer pages” to give you back the info you need when there is a definitive answer out there the system knows about.  I think that people are very much stuck with how search has always been (throw keywords in and return matching results), that a new approach might be a little “jarring” to some.  In many ways I kept thinking about a graph (and thesis) I had when doing my PhD.

There’s certainly some way to go (perhaps I’m joining at the equivalent of “windows 3.1 for workgroups” for Bing with “Win7” somewhere on the horizon) and lots of interesting things I’ve seen even in my first week.  It’s a real hive of work there with no-one treating this as a “solved” problem and one person or company has it “right”.  I certainly see where I can contribute and drive security (already have some responsibilities and “commits” set – my manager doesn’t hang around )

All-in-all, a really good first week and settling in nicely.  Thanks to all the people that commented/blogged/twittered offering congrats and best wishes when I announced the move – means a lot to me

Since about January, I’ve been transitioning out of the Foundstone Professional Services team and into one of the McAfee product teams (as I hinted some time ago).  This was a good move for me, as although I absolutely love the guys I work with in FSPS, and the work certainly was interesting (getting to see how a lot of companies and their security, or lack-thereof in some cases, and helping them get better), I longed to “get in deep” with a problem which, due to the very nature of the kind of consulting I was performing, seldom happens – usually it’s work with a client to do some testing/auditing/evaluation of where they are currently, find what things they are missing, report on the impact/issues/reasons of the delta, recommend how to move forward, and then be on your merry way.  Normally one doesn’t hear anything until the next engagement other than maybe some quick email exchanges or conference calls for clarification or review as the client is bringing you in for a specific purpose; once that is done, remediation and on-going work is done by their internal staff because paying continued consulting rates would, in many cases, be cost-prohibitive (and thankfully there’s lots of work out there still, so there’s always that next client to start the cycle again with).

In transitioning to a McAfee product team meant that I could really get my teeth into a problem, look at the requirements, devise an architecture to move forward, and slowly develop and overcome issues with implementing the final delivery of the product (I’m sorry I can’t be any more specific at the moment, but when it’s released I’ll post again about the project and sing the praises of the people I worked with).  It was pretty clear that this is what I really missed doing – researching a problem and devising solution(s) – and what was only going to be a sabbatical to the product team for a specific technology/release was panning out to be a full time position.  I was welcomed onto the team with arms wider than I could have possibly hoped for, and was settling into working with some great people and a roadmap that could have kept me interested for years.

But then I got an email and went out for a coffee with an old friend from the STAR conference circuit. He was back working for Microsoft in a cool group and was looking for people – there was a need for a “security guy” and I came with good recommendations.

I guess I’ll have to say at this point, to be fair, that I had begged off from ever going to Microsoft.  I had interviewed there a few times in the past and my experiences were “mixed” at best.  I had seriously doubted myself after a few of the loops, and had just about had enough – it was clear that for whatever reason I wasn’t a “fit” so had crossed it off the places where one day I might have seen myself.

Anyway, I talked to some of the people there, met the director for the group, and after what I thought were just informal “get to know you / what we do” kind of meetings (although there were some obligatory “whiteboard” questions), it was clear that they wanted to hire me.  Sort of sunk in when on the way out, Mr Director (I’m not going to mention any names as-of-yet because I don’t know how happy they are about having their names out there, and as a security/privacy guy, I’m very much for “opt-in” ) said “I’m going to ask HR to extend you an offer”!!!

So, here I am with a bit of a conundrum.  I’m currently working with a great team at McAfee, in a product that I believe in and can make and impact, and a roadmap of things that I could work on (and most importantly be super interested in) for years.  On the other hand I’m being offered a role to help set the direction for all of security testing at Microsoft’s Bing.com platform as a senior SDET/security test architect.

I’ll let that sit for a while.  I had to as it was a difficult decision, so take a breather

I really wasn’t looking to leave McAfee/Foundstone – the company has treated me very well, I have great colleagues there that are just plain *friends* now and hopefully will always be, and I feel the company is heading in the right direction with some fantastic management that I’ve had from the top to bottom.  However, on the other hand, what a great opportunity to work on such a big, strategic site such as Bing, and to have that on my resume.  Microsoft were great in that they didn’t pressure at all and gave me a few weeks to think about it, including setting me up to have some time for very open talks with various people to know what life on the team looks like and how my role would pan out (which, if I can, I’d like to write more about as I get further into the job).  It was night-and-day different from my other experiences with Microsoft.

So, positives…

• Having the opportunity to work on something at this scale, in my field, and with such a spotlight is rare (clearly, only one other place) and (as long as Bing doesn’t get hacked up and it’s my fault!) as a colleague said “this would not be a career-limiting move”.
• Despite the haters out there, Microsoft clearly “gets” security now, and has attracted some top talent in that field. Getting the chance to work with some of these people would be fantastic.
• Even inside Bing practically every big computer science problem is touched upon somehow, and if for whatever reason I don’t want to work in that field/team any more, inside Microsoft you could do everything from designing mice, through to games, and obviously so many different types of software technologies/platforms – there’s plenty of growth opportunities there.

semi positives…

• Microsoft are just outside of Seattle, which is where I’m based now and have wanted to live in this area for a long time.  Being able to go into an office and interact with people I think gets much more done than via email/phone.  Now, in consulting where you are doesn’t matter much – the internet and an an airport close by works well as you are onsite with clients lots.  The McAfee product group were flying me in every month and a half or so for a week of really productive meetings and stuff, and I’m quite happy working remotely (and I’m actually very productive in my home office), but you do in some way get “isolated” and not involved in conversations/meetings as much as I’d like to be.
• I won’t have to travel nearly as much – both for professional services (every few weeks) or in the product group (every few months).  I don’t mind travel (in fact I quite enjoy it), but it’s hard leaving family at home and sometimes trying to schedule even little things like meeting up with friends or going to a concert can have unexpected changes (although to be fair, Foundstone was always really good with me sorting anything like this out, but I just hate having to bring it up as it feels like “shirking” work if I need to turn any travel down).

negatives…

• In taking the job with Microsoft, I don’t get to “see out” the product I started building.  It would be hubris to say that I’m needed on that team to complete it or for it to be a success – the guys clearly can do a great job – but I like to finish what I start, feel I have plenty more to add, and if nothing else would be a benefit to the team as another resource to get things done and meet deadlines.  There’s never a “good” time, but I guess this is “non-optimal”.
• I’ve built up some level of “goodwill” at McAfee and know many people there.  There’s no question that at Foundstone/McAfee I’m treated very well and have a great working relationship with people there.  I’ll have to start that again at Microsoft and be somewhat a “small fish in a very big pond” again.  Not so much of a negative as I like building relationships, but certainly having to start again, and I’m really going to miss the guys I’ve worked with.
• Simply the “new”.  Each company works differently, and I’ve never worked for such a big enterprise before.  I’m sure I’m going to have to learn a lot, and quickly, in what it takes to really thrive in such an organization.

In taking everything into consideration, I think this is a fantastic opportunity and something I’d be stupid to turn down.  It’s really going to up my game, give me new learning experiences, and allow me to work on something at a scale that I’ve never been able to before.  In many ways it’s both exciting and daunting at the same time!

So, today is my last day at McAfee/Foundstone.  As of Monday I’m a Microsoft employee and the joys of NEO – New Employee Orientation (or where you get your chip implanted and force-fed the corporate kool-aid ).  I’m certainly going to continue posting about general security trends and news I find interesting, but hopefully can add a slant on what it’s like working in Microsoft and on a property such as Bing.  All that after  I know how the land lies – I don’t after all want to get fired soon after I get there!  So, don’t expect very much in the short term as a) I’m going to be really busy getting up-to-speed on the platform and technology, and b) get to know what is on and off-topic.

Well, stay tuned, and hopefully I’ll have some interesting things to write about.