This week I’ve been being serious and doing some reflective work on where I want to take my career, as well as asking for help. Asking for help is difficult, but rewarding. If you’re struggling with something, this is your sign to ask for help.

Matching software

I have two matching projects on the go at the moment. I don’t mean they make a good pair, though in some ways they do, but more that they’re both about assignments. In one, I’m working with Infrastructure-as-Code (IaC), and in the other, I’m doing business change and project management. In short, I am getting the full experience of building a product and the service around it.

I don’t love all of it. But I’m happy to be knocking the rust off.

IaC is a really interesting concept. With the following lines, I can spin up a load of resources on a cloud platform. This is literally all it takes – assuming I have the right permissions set up – to create a web server running a container and a load balancer. It’s the closest I’ve ever got to magic.

class MentorMatchStack(cdk.Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        ecsp.ApplicationLoadBalancedFargateService(
            self,
            "MentorMatchWeb",
            task_image_options=ecsp.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_registry(
                    "ghcr.io/mentor-matching-online/mentor-match/web"
                )
            ),
            public_load_balancer=True,
        )

Because it’s still code, it comes with all of the usual problems of code. How do we divide things? Are things chunked up logically, as collections of stuff, or along service lines, as horizontal slices of capability? I don’t have an answer. I don’t think there is an answer. You just have to pick one and then defend it stubbornly until you die.

At the other end, the Fast Stream code is approaching version 1.0.0. This means I’m now switching gears and starting to work internally on managing the change: making sure that people are consulted and that their concerns are heard and understood. We’re going to run it alongside the existing process, but that in itself is such a massive step that I almost don’t believe it’s happening.

End of year

I had my end of year review. I really like these – I know some people don’t – because my organisation is pretty good at encouraging folks to set aside time and actually do the work.

I also remember watching this scene back when I was in university from the television series Scrubs, and one particular line hitting really hard:

You don’t have to answer to me. You don’t have to answer to [the Chief of Medicine]. You don’t even have to answer to your patients, for God’s sake. You only have to answer to one guy, and that’s you.

Now. I was studying existentialism at the time, and I still consider myself in that school, and this fits very neatly. At the end of the day, the only person who can decide if I’m doing my best is me. And so having a chance to sit down and really reflect on what I was hoping to achieve, and whether I’ve done as much as I can (bearing in mind my Stoic approach, that 50% of all work is down entirely to outside influences that are beyond my control) to achieve those, is a really precious thing.

I’m pretty happy with where I am, by the way. I need to keep an eye on the work I do outside of my core duties. They’re exciting and genuinely make me better at my core job, but I need to keep reminding myself that they’re not actually my core job.

MSc

Two exams are upcoming, on the 28th and 30th. The university gives us 24 hours to complete them and they’re open book, and there’s a really interesting spread across the cohort in terms of how long people actually spent on it. The recommendation from staff was about 4 hours – but from a quick poll, the highest scorers were the people who spent closer to 8.

I feel a distinct sense of déjà vu: this is exactly the same argument I’ve had previously with colleagues about how we evaluate developers. A take-home exam privileges those who can afford to spend 8 hours, rather than 4, on an exercise. On the other hand, a four-hour, doors-locked, sit-down-and-do-it privileges people who can regurgitate information rather than read up and think critically. On balance, I think as security professionals the former is closer to what real life is like. As long as we’re not being graded on a curve, and folks can pass the course with 4 hours of work, I think the unfairness of some folks spending longer than others on the paper is the least-worst option.

I don’t like having to find a least-worst option. But then I suspect that’s going to feature more and more in my life going forward…