Community

The security community is home for me. I attended my first DEF CON in 1999 and was hooked - first on mailing lists and local events, eventually national and global conferences as a volunteer, organizer and occasional presenter. Commercially, I've worked as a practitioner, vendor, implementer, advisor and investor.

I love that this industry is cooperative: for most of us, the rest of the security community isn't our competition - the adversaries and threat actors are. So there's a tradition of community-run, nonprofit events and groups who get together regularly to share knowledge and ideas more or less openly. And - while we still have a ways to go - the community has gotten more welcoming over time, with subcommunities for different types of practitioners and backgrounds.

Conferences

While the giant conferences - RSA and Black Hat - have their place, I've increasingly found that I learn the most at smaller community conferences. My sweet spot is 300-500 people: enough to have conversations and not have to travel as far between conversations; but large enough to represent different perspectives.

So these days I'm most likely to be at community events:

  • fwd:cloudsec, focused on independent cloud security practitioners; I helped build this conference back in 2019 and continue to participate on the board and organizing committee.
  • BSides Las Vegas, a generalist, community-run, in-the-weeds event more likely to contain practical talks on life as a defender, with real lessons about what does and doesn't work. I used to enjoy the new vulnerability drops at Black Hat and DEF CON - but while they're fun, in practice I can't use them in my day-to-day.
  • Shmoocon, which ended in 2025, was *the* conference for the DC area, with tracks on "build it" (new tools), "belay it" (defensive techniques - originally "break it" in early years until the founders wanted to change focus), and "bring it on" (community, policy and nontechnical practices - befitting the DC environment).
  • Summercon, one of the original hacker conferences. I'll be honest - this one is mostly a hangout; the talks are researchy and esoteric and not practical. But it's in Brooklyn and a lot of folks who've been in the community for a long time attend.

Startups

I got involved in a few early-stage Internet companies in high school - Orlando's biggest dialup internet company, and a DC-based network provider that had aspirations of being a major backbone player on the East Coast. When I left my first post-college gig, I joined up with some friends, bought a patent back from our prior employer, and made a go of turning it into a product. While I left after a few years in a company pivot, I've loved the startup ecosystem ever since.

Still, it can be hard to innovate in those corporate roles, and so some of the most exciting ideas - the ones that push the industry forward - come out of startups. I've been lucky enough to advise and invest in several, and while I keep a strict wall between the companies I'm involved in personally and my day job, it's still worth doing because it keeps me close to people who are trying new technical approaches - and because, after all this time, moving the community forward is as important to me as any other professional responsibility. I specifically focus on companies that are developer-forward, who believe that the future of security is embedded in other parts of the business, driven by automation and integration with less-technical users and workflows.

For disclosure, here are the companies I'm working with:

  • outtake.ai, using new AI techniques to combat impersonation on the Internet. I'm excited about them because their founders - as Palantir alumni - impressed me with their ability to solve practical problems that require sifting through vast amounts of data. Security folks have been talking about anomaly detection and ML for years, but their take was fresh and novel - and they proved it works.
  • Socket, automating analysis of dependencies. Software composition analysis is not new, but many tools drown you in false-positives; Socket has automated a much more comprehensive analysis that gives you a clearer sense of whether a dependency is truly vulnerable or - worse - malicious, using your organization's risk tolerance. And more importantly, it meets developers where they are.
  • North Pole Security, bringing delegated security decisions to teams. There's an inherent tradeoff in security between locking things down (but preventing legitimate work) and being open (but accepting the risk of malware). North Pole recognizes that the people best suited to make these tradeoffs are within the team - not an ivory tower security organization. Based on the open-source Santa product, they have systems that help defenders work together to make smarter decisions about what should run on endpoints.
  • Work-Bench, a NYC-based seed fund, focused on early-stage founders in infrastructure, data, security and the future of work. I really like their approach - taking people with technical and business depth and teaching them go-to-market skills in enterprise products through the power of local community. The overall security vendor ecosystem can feel like a "market for lemons," in that it's hard to tell what works, and companies over-sell their impact often because they (including me during my early startup days) lack experience as a corporate defender. Work-Bench helps to bridge this gap, whether it's in product-led growth or more traditional sales - important because even a perfect product needs distribution to succeed.

People all the way down

Most of the code I've written has been thrown away. While you can certainly infer things about my skill as a developer (I'm not bad, but at this point more of a prototyper than professional), it's part and parcel of working at startups - especially now that my career has taken me to more people and technical leadership roles.

Mostly, it's the tech work that is "real" - the products people buy and use, encoding the concepts that actually solve security problems. But that's not my specialty, so if I have any impact, it's because I help others find ways to make the best use of their technical skills. I collected some of my favorite aphorisms and principles from places I've worked, and a few I wrote myself, into the collection on this website. Because any change you want to make, culture you admire, art that inspires you, technology that amazes you or infrastructure that serves you - it's all the work of a person or people who made it happen. Even in the most technical role, there's no path to not working well with people. It's "people all the way down."

Learn more...

I reserve a few hours a week to meet with folks from the community to talk about these and other topics. Find me and let's chat.