It has been almost three weeks since my last post and because my goal is to provide one or two posts a week, that is simply too long.
My silence can partially be explained by simple mundane things like a high workload and the desire to spend time with my family when I am at home, but there has been a secondary cause also.
I believe that it is important to reflect about who I am professionally and how I want to portray myself. After having collected a bunch of security certifications (in chronological order: CISSP, GCIH, CISM, OSCP, CISA), I think I'm done with that for a while. All certifications have contributed to my understanding of the field, and they reconfirmed that I am exactly where I want to be.
While up to recently, I advertised myself as a information security generalist, I believe that I am currently in the process of shifting focus towards becoming an information security strategist.
My day to day work, and my general thinking, has been impacted by the fact that I have few operational responsibilities. For one, it means that the only 'real' reasons that I am touching security technology are out of curiosity, to prove a point, or to evaluate a product's potential. Actual implementation and operation is not something that I have done in quite a while.
Likewise, while I am fairly proficient with vulnerability scanning and penetration testing techniques, I have not done full tests recently. It doesn't mean that I don't like to tinker around in my own lab to try out new tools, or that I don't assess new vulnerabilities and exploits, but the pressing need to be current to the minute is something that it slowly fading.
I feel a little sad about this realization. Being on the bleeding edge of technology, developing and performing assessments, and being in the loop on what's going now on is incredibly rewarding. But, setting strategy, determining direction and ensuring that an organization moves forward in its level of professionalism and its quality of service is something that also has its rewards.
At the very least, not being on call 24/7 for operational emergencies has its benefits.