Sunday, March 31, 2019

A 12 Year Quest -- My Story

On a quest, through the desert.

(credit: Assassin's Creed – Origins;
Thick Skin Side Quest –
Crocodile, Hyena, Vulture Locations)
Last week I started a new job as Principal Modeler for Cyber Risk at Risk Management Solutions (RMS).  This is HUGE, coming after a 12 year quest that was far from easy or certain.

I don't normally post personal stories on this blog (or elsewhere) but today feels like the right time for this particular personal story.  I'm writing this as a way of connecting to my community, many of whom have shared the ups and downs of this journey.  I don't have any big lessons or advice. Even so, some readers may find this story instructive or inspirational, even indirectly.  I hope so.

Caveats: In this post, I don't individually acknowledge and thank all the people who have helped me along the way.  There are so many, so I will do that separately, both in one-on-one communications and later blog posts.  I'm also going to discipline myself not to write about all the details, all the events, all the feelings along the way.  That would be too long.  I aim is to have a post that is readable and still specific enough to be meaningful.

Even so, it's a long blog post. If this suits you, the story continues below.

Prelude: A Holding Pattern

Prior to mid-2006, I was working as a solo consultant ("Meritology"), focusing on economic analysis of IT investments, but also jack-of-all-trades on what ever project came to me.  I had left KMPG Consulting (later BearingPoint) in 2004, after 10 years.  Even though I was a Senior Manager and doing well, I left for three reasons: 1) my young son (Being a good father to him was a top priority and I needed to avoid travel to make my schedule work for shared custody); 2) Big 6 consulting was sucking my soul and not getting me closer to fulfilling my personal mission; and 3) BearingPoint was a sinking ship and I didn't want to be the last rat off before it sank.  (Sure enough, BearingPoint collapsed after going public in Dot.Com boom, via Sarbanes-Oxley violations, mass firing of executives. Finally it was sold off in pieces.)

Really, I was in a holding pattern, waiting and hoping for a new career direction to unfold.  While it appeared in the post-bubble world that there would be a high demand for solid economic models of IT investments, that did not materialize.  But the truth was that my heart and soul weren't really moved by that type of work, therefore I didn't push very hard for it.

What was I looking for?  Some class of important business/social problem that centered on "qualitative complexity" -- i.e. complexity in the dynamic structure of the system, including emergent structure.  I wanted to find a business/social problem that defeated conventional methods and therefore required breakthrough models and methods.   If the problem was hard enough and compelling enough, then it would be the motive force to drive fundamental innovation along the lines of my mission.

Earlier in my career, I worked computer-aided engineering, computer-aided education, and computer-aided sales/marketing (a.k.a. Customer Relationship Management -- CRM) as candidate domains, but none of these worked out as a "motive force" for fundamental innovation.

Quest status: Not yet started.

Birth of a Calling

In mid-2006, a good friend from my social network asked what I did for work, and then said, "I do a lot of consulting for information security firms.  They are desperate for ROI models.  I can introduce you!"  My first reaction: this should be easy compared to what I have been working on (e.g. knowledge management, full of intangibles, etc.).  How wrong I was.  Instead of "easy" I found a tangled nest of unsolved problems, even unsolved in theory.  Some people even said, "Anyone who can solve this problem deserves a Nobel Prize".  There were several 'blue ribbon' commissions and reports during 2001-2006 that framed the problems, pointed in the direction of solutions, and called for making R&D in this area a national priority (US).

A nearly-impossible socio-technical problem that is a national priority?  SIGN ME UP! (see mission statement)

I then set on the task of gathering all the information I could find -- academic, industry, and government.  When I had a critical mass, I printed it all out (~50 pages, reduced, double sided), made copies, and then tried to make connections with potential collaborators and sponsors. 

Quest status: We are ON OUR WAY! But to where, exactly?

A Rough Start

How do you think I was received by the first people I talked to? Not very well.  One of my first pitches was to CommerceNet in Palo Alto.  They presented themselves as a sponsor/ incubator/ investor in breakthrough ideas. They were pioneers in e-commerce.  They had just invested in 23-and-Me (personal DNA evaluation).  They had expressed interest in security and  privacy as a major theme.  Good fit, I thought.  

Through a connection, I was able to get invited to present at one of their regular weekly seminars. It was attended by four CommerceNet people, including a couple Principals, a couple of technical people affiliated with CommerceNet, and a couple of my friends.

I was only presenting an R&D opportunity, and suggesting an approach to research.  I had no answers or solutions.  Even so, nearly all of the questions were:  "How are going to do this?  What is your solution to that?  How much have you prototyped?"  There was zero excitement after the meeting. 

I suspect that one reason for the lack of excitement or interest is that I lacked any credentials in their eyes.  I wasn't a PhD.  I wasn't a software guru. I wasn't a veteran of any hot startups.  I did have a well-regarded person recommend me, but that only got me the seminar presentation. 

I persisted, to no avail.  I invited myself to a few CommerceNet social events, including the Christmas party, hoping to convince one of the Principals to champion this cause, or at least hold some kind of workshop with other local experts.  Fail.  I followed up with emails and then phone calls.  Eventually, it was clear that they were shutting me out.  Like in Hollywood when they say, "The producers decided to go another direction...".

Clearly, it wasn't going to be enough for me to simply frame the problem and invite other people to work on it and sponsor the research.   

Quest status: Bleak. No clear goals. Plenty of people said it was impossible in principle ("anti-quants") or impractical in practice ("how are you going to solve that?).  Zero prospect for me to earn money via any specific job title.  No prospects for consulting either, given that I didn't yet have viable solution.

Starting as a "Nobody", Becoming a "Somebody"

Moving into 2007, I decided to attend several conferences and workshops on my own dollar, hoping to learn as much as possible about information security and the current state of research on risk and economics of security.  I was a Nobody.  The people I talked to were polite, but mostly they weren't sure why they should talk to me.  Only a few kind people entertained long conversations where I could ask my newbie questions.  I wasn't always sure who I should talk to because almost nobody was presenting on the topics that would interest me most.

One conference was in Paris, for Risk Managers in Financial Services.  There wasn't any mention of information security risk ("cyber" wasn't yet a thing) in any of the keynotes or session presentations.  I had assumed that someone in Financial Services would be quantifying risk of information security, given their quant risk capabilities and regulatory imperatives.  But not so.  I grew exasperated.  At a reception, I managed to button-hole the Head of Operational Risk at Citicorp and asked him -- point blank -- "Do you have a working relationship with the Citicorp Chief Information Security Officer (CISO)?  Do you exchange data and models that allow you to quantify risk associated with information security?"  Long answers made short: No and no.  "We should, but we don't."

Out of these conferences and workshops, I made a few contacts that blossomed into collaborative relationships.  That led to my first real work product.

Quest status: On a trail, of sorts. Not alone anymore.  Still zero career options, let alone opportunities.

First Real Product

In fall of 2007, I thought I had learned enough to formulate a specific, actionable research agenda, in contrast to my earlier "framing" and unspecific plea.  That lead to the white paper: "Incentive-based Cyber Trust: A Call To Action".  I posted on the Web a few places and also circulated it by email.  I would have liked to publish it some place official but I didn't have academic credentials, plus I didn't know who might publish it.  (It was too long and detailed to be published in any industry journal.)

What was the initial response to this "call to action"?  Silence.  Nothing. Not even criticism.  I seriously doubt if many people even read it.  (For what its worth, I think its a good read even today.)

But, I made some progress connecting to community and finding collaborators.  I found and joined the email list. Then in February 2008, I presented at their mid-year conference, Metricon 1.5 in San Francisco.  And for the first time, I received significant positive feedback on my ideas, including an early version of the Total Cost of Risk approach.  Very enthusiastic response from a couple of security experts, a CISO, and a fellow who worked for the US government (FDIC).

Quest status: A stake in the ground.  No longer a "Nobody".  A community member, with some good encouragement. Still zero career options or opportunities.

Attempting to Make Something Happen

In 2008, US Department of Homeland Security (DHS) put out its first R&D solicitation for research on information security metrics and risk.  It was open to both industry and academics (unlike National Science Foundation (NSF)).  GREAT!   I cooked up a grand plan: orchestrate a multi-organization, multi-sector research team.  Attended my second Workshop on the Economics of Information Security (WEIS), again on my own dollar, and recruited a couple of key people I met the previous year.

We put together a really good "white paper" (a.k.a. short preliminary proposal) for the first stage of evaluation, and I was lead author.

Quest status: On the YELLOW BRICK ROAD! (or so it seemed).  If we make it past the first round AND second round, I could finally get paid for some research work, starting a year or more from then.

But then... 

For Want of a Click

Things turned really bad in the Fall of 2008.  Financial crisis. No consulting projects (not even getting my calls returned).  Job interviews canceled.  Bigger than all of this was a huge family crisis.

But in some ways the worst thing was when I forgot to visit a DHS web page before the deadline and click "Yes" next to the question: "Will you be submitting a full proposal?".  I missed it by two days.  I contacted DHS immediately and appealed for an exception, and they said, "No".  Was there any other options?  "No."  Can I talk to anyone else?  "No."

It was my own dumb mistake.  Sure, having such a requirement with a deadline is dumb, but it was right there, in writing, and I didn't pay attention to it.  

Heartbreaking, for both me and my collaborators.  I hate disappointing people and, boy, did I let them down.

With both personal and economic crises to deal with, it was time to hunker down.

Quest status: In a dark, cold place.  No clear path forward. No career prospects.

Survival Mode, Then a New Path Appears

In 2009, it was all about surviving, financially and emotionally.  Often, it was all I could do to get through a the day. Wasn't thinking or planning ahead. Going into Fall 2009, at least I had a couple of job interviews -- nothing related to information security metrics or risk.  

"Why don't you go to grad school and get a PhD?  That's what you really want to do, isn't it?"  A good friend asked me these provocative questions while we were hanging out a picnic one weekend. (She had some magical intuition about this, even though her work and mine are miles apart and we only know each other socially.)  

I had been considering PhD programs about every 5 years ever since I graduated college.  It just wasn't right.  Only after Complexity Science appeared in the late 80s did it seem like the academic world was aligning to my interests and intuition.  Finally, in the early 2000s the field of Computational Social Science became a reality, and that seemed like a great fit for me.

I thought, "Why not apply, at least as a backup plan?  I can wait to make the final decision after I get accepted to at least one school." So I did.  I applied to Stanford, UC Berkeley,  Carnegie Mellon University, and George Mason University.  The latter was the only one with a Computational Social Science department, and also the only one without a direct connection to information security/risk.

I only got accepted at George Mason.  I was one of two finalists at Stanford, but didn't get it.  (There's a great story there, which I might tell later.)  By this time -- Spring 2010 -- I still didn't have any job offers or solid opportunities lined up.  So I accepted the offer from George Mason and I became a 52-year old grad student.  Off to Fairfax, Virginia!

Quest status: Discovered a new path.  To follow it, I had to drop nearly everything I was carrying and start over.  I had some minimal income, and wouldn't be earning anything more for several years. But at least there was a path.  Feeling more optimistic.

A 52-Year Old Grad Student

I'm going to skip over a lot here.  Grad school courses and exam went really well, overall.  It was complicated, though.  I was seeing my son much less. I had also started a relationship before I left California, so for 2 years it was long distance.  In principle, she was supportive of me being on this path in grad school, though in practice there was a lot of difficulty.

The best thing about it was that I felt like I was on the right path -- finally! -- after many years of wandering.  I still couldn't see exactly where I was going after grad school (PhD) but I thought there would be more options than before.  Plus information security metrics + quant risk was still growing in importance.  

In 2011, the Society of Information Risk Analysts was formed by some colleagues from the security metrics community.  I was an early member.  Finally, there was a dedicated community (email list, and eventually conferences) of people focused on the challenges of quantifying probabilistic risk models for cyber security.

In summer of 2012 I moved back to California, continuing as full-time grad student and research assistant, working remotely. By 2013 my assistantship had run out, so I got a full-time job as Data Scientist at Zions Bancorp. That put the PhD program into part-time, but I "only" had to finish my dissertation.

Quest status: Slowly crawling up a long steep hill.

The "Black Dog"

I am skipping many details and events, but I will share something important.  I started experiencing serious episodes of depression.  

Burning the candle at both ends.  Chronic sleep deprivation. Feeling like I was constantly disappointing people around me. And a bit too much alcohol.  It started out feeling like just a funk, but eventually matured into the "Black Dog", in the words of Winston Churchill.

Other people in the InfoSec community have written in some detail about their experience with depression.  Later I might write about mine.  For now, I just want to say that it doesn't resemble ordinary sadness or "the blues".  My mother died recently, and the sadness I felt during and after has no resemblance to full-blown depression. Best way I can describe it is "sinking into a whirlpool", except the whirlpool is a black hole.  It distorts everything, even the acts of kindness of loved ones who want to help.  Ordinary logic and reasoning doesn't work.  Crazy stuff (like suicide) seem inevitable, the same way that some young people believe it is inevitable that they will marry and have kids some day.

Of course, depression just made everything worse, so it was self-reinforcing.

Lucky for me, I didn't need medication.  It was enough to get good sleep, exercise, fresh air and sunshine, and time spent on diverting activities that had immediate satisfaction/reward, like organizing books or fixing things.

Sadly, my relationship ended, too, when we finally agreed we were not aligned in life goals and priorities.

Quest status: Keeping my head above water, but just barely.

Will I Ever Get Back on the Quest?

After so many years of surviving on on a grad student salary and savings, I couldn't continue.  It would have been ideal to finish by PhD by then, but that didn't happen.

Just in time, I found a job at Zions Bancorp through connections I had made years earlier in the and SIRA communities.  This came after a few job opportunities fell through at major forward-thinking Bay Area companies -- where I thought I was well-qualified or even over-qualified.

Zions was good for me in that they were accommodating regarding my request for work arrangement that would also support me taking time to do academic work.  Even so, progress on my dissertation had slowed to a crawl and I had no good answer to: "When will you finish?"

By Summer of 2018 I was looking for new work, with the hope that I might find something that would be in alignment with my Mission and Quest.  Alas, while I found tons of job openings for Data Scientists, even at information security companies, it seemed like they were only looking specialist Data Scientists -- statistics, machine learning, R + Python, big data, etc.  I didn't see any job openings that required the sort of breadth and depth that I could offer.  Furthermore, I didn't see strong evidence that any companies were committed to advancing the state of the art in "quant risk".

Quest status: So close, yet so far away.

Finally: The Promised Land

In early January 2019, I received an email from the hiring manger at Risk Management Solutions (RMS).  I had previously applied for a Data Scientist job at RMS, based in London, but didn't hear anything after the initial phone screen with HR.

I had been following RMS since 2007, as they appeared to be one of the few companies with core competencies and market position to be a leader in "quant risk" for cyber security.  But until ~4 years ago, they didn't have any resources or activity devoted to cyber risk.  (It turns out that their insurance firm customers had not requested any cyber risk models until recently.)

Hallelujah! A new job position had been created that was much better suited to me. The hiring manager had already read my blog posts, followed me on Twitter, and seen a few presentation videos.  (Why is this rare?  Why don't hiring managers do on-line research on all their job candidates?)

It's still very early, but for now I'll just say that the company, the team, and the mission is very exciting and very aligned with my Quest.

Quest status:  I'm so very thankful to have reached this place.  It is a fulfillment of everything that has come before, including the original intuitions and inspiration.  It is also a platform for new things, including things I haven't yet imagined.

Thanks to you, dear reader, for reading this long story

Postscript: Who Do I think I am?

Some might read this post as evidence that I have a "Messiah complex" or otherwise that I think I am special or entitled because I feel a "calling", etc.   Or maybe that I am just arrogant.  Anyone who takes on near-impossible goals, especially as a personal mission, is subject to such criticisms, which boil down to: Who do you think you are?  Special? A genius?

Judge for yourself.  I won't argue.  I will say that for a few decades, I have studied the lives of people who were later called "great" or "genius", so I know about the complex psychology of committing your life to a "grand challenge" missions.  I've studied the down sides, including ruined lives and mental disorders like obsessive attachment to delusions (a.k.a. "going crazy").   No doubt, there is something intrinsically "crazy", "arrogant", and unreasonable to think to yourself: "Yes, I think I can help solve this massive, unsolved problem that looks impossible and has defeated many other people."  Reasonable, sensible people avoid such problems.
"The reasonable people adapt themselves to the world: the unreasonable person persists in trying to adapt the world to themselves. Therefore all [major] progress depends on the unreasonable person." - George Bernard Shaw (adapted)

No comments:

Post a Comment