Calm and Steady - The Joy and Overload of Starting Something New

I've been postponing this blog post for a while. Once again, I'm finding myself in the situation that I literally have to push myself to sit down and start writing with the intent to publish something in the end. To show up and let whatever comes out of it be good enough.

Interestingly, as I've picked up journaling for this year's personal challenge of #CalmAndSteady, there's nothing holding me back from taking note of what's going on in my head day by day. Yet blogging... is a bigger step after all that takes a lot more time. Even though I'm doing this for myself and my own learning in the first place. Well, I've just learned again the last month that my ramblings, musings and public reflections seem to have helped someone in my circle. I'm always super glad to hear this, it's the best bonus I could imagine! My posts definitely aren't for everyone, yet if they help anyone move a step forward on their own journey, what more could I want? 

Alright, let's get to it and look at my last month. So many things happened! It's been really good, and really overwhelming at the same time. While rationally knowing there's only so much I can do given the time and energy left to me, I still had a hard time giving myself grace. I'm still learning to keep my calm, and that steady can also mean a tiny fraction of a small step a day as long as there's movement.

 

New Job, New Role

First the obvious: I've started out at a new company, as a security engineer on their cloud security team, focusing mainly on product security. So many uncertainties and at the same time opportunities come with this! I'm super glad I took this leap, it's already been very rewarding. My new team is awesome: folks are lovely, really knowledgeable, and actively helping each other grow. The domain and product are very interesting and challenging, offering an intriguing mix of valuable legacy and modern innovation. There's plenty of opportunity to have positive impact and really grow there as well. I even have the pleasure (and pain) to dive into yet again a partially new tech stack! Granted, I really do enjoy figuring things out and comparing mental models with what I've worked with before, so that can be counted as a plus.

A new job comes with different constraints and freedoms to adapt to. Based on that, I had to shift my daily rhythm once again, which always takes time adjusting to. Also, adapting to being on-site at the office at times, which comes with all downsides and also benefits. I really forgot how much time is lost just crossing distances, though! Plus dealing with noises, too low room temperature, and so on. And yet it's lovely to see my teammates and other colleagues in person and enjoying lunch together, I really missed that. I'm glad I have a basic grasp of this company's and team's rhythm by now so I can also organize my community endeavors around it without too much of a hassle.

Learning something new can really have a toll on you. I've totally underestimated how much it would on me, it didn't feel like it while going through it. The onboarding was and still is great, the pace feels very sustainable, I enjoy learning lots of things and exploring more every day. And yet. It seems time is just running away from me. I lack energy. Especially in addition with a changed daily rhythm, changed nutrition, changed physical routine, changed room temperature, and so on - rationally, I know it's a lot of change to digest. And yet what I achieve every day next to work feels so little. Guess what, here's the giving myself grace part once more.

Best things: I was neither doubted nor frowned upon by any colleague of any role so far, not even once. Never had that before when joining a new company and team, let alone when taking on a new role! It's just beautiful to see how it can be. On top of that, I was appreciated for speaking at conferences, people highlighted it as a good thing and actively made it possible, just as agreed when taking up the offer. What a relief! And finally, I managed to already contribute hands-on - which I love, as I'm learning so much more when getting my hands on something. This also allows me to figure more things out and ask further questions I wouldn't have known to ask otherwise. The first feedback I've received based on my contributions was very promising and validating, what a relief for my anxious mind! So, after only one month, I'm rather confident already that I really do have a place in this company, team and role, that I can actually grow with them and I will have the space to do so. The last time I had this feeling so quickly was when I started out at Flixbus, where I also took quite a leap and it paid off big time.

By the way, just being on this new role, I already gained new ideas for blog posts and talks. Nothing I've followed up on yet, but more opportunities to spend time sharing more than my personal reflections will come again.

 

Everything, All at Once

Let me repeat: the last month had been quite overwhelming, and also rewarding. All at the same time. In hindsight, there seems to have been a number of coincidences all happening in the same month - February might not have been the smartest month to start my new job just because of everything else happening at this time. It's also been the month when people who made up their resolutions in January started reaching out to collaborate on new endeavors. It's been a month where folks in my circles were looking for a new job and asked for support. I've given my first mock interview this way and it seemed to have helped prepare the other person for their real interview! Definitely a big win. It's been a month when several conferences, podcasts and other events invited speakers or ran calls for papers, which kept me busy. It's also been the month when we fully picked up organizing our own conference again, the Open Security Conference, onboarding lots of new folks to the team (yay!). It's been a month when several private appointments with family and friends took place. It's still been volleyball season with games to be played. And of course, thanks to my changed situation, folks reached out to inquire about my new job, to pick up usual catch-up calls, and also continue shared endeavors.

Well, all this happened within just a few weeks while I was trying to settle at my new company, figure out whether my vacation plans would still work out and if conferences I planned to submit to would be feasible at all, how my new schedule and rhythm is like so I can plan other endeavors around it. 

Oh, and do I have to mention the state of the world? Global and local just as well. Considering there was a very important election going on in my country and the outcome was exactly what I feared it to be - it's been indeed everything all at once in February. Well, after the election is before the election, and every day counts towards working toward a better future, and there are manifold ways to contribute to it.

Looking back, it's no wonder I felt slightly (haha) overwhelmed and lacking energy. The month of March will stay quite busy as well, yet better as a few things could have been clarified already. Afterwards, I plan to keep space for myself to just enjoy the ride and not add much of anything else to my list this year. Instead, I hope to rather reduce things where I can and introduce more slack in my private time. Let's see how long I can keep this up.

 

Calm and steady enough? 

Depending on how you look at it, my personal challenge for the year is either going super slowly and by far not as steady as I wished for; or alternatively, it's going super well as I've been continuously tested to stay calm and confident throughout the month while not feeling at my best capacity or basically having time for anything. Rationally, I realize I did spend lots of time on lots of things, just different ones than I set out to do.

This month, I didn't pick up any new topics. Despite not having much time, I did make some progress on the following ones.

• Continue reading "Threats: What Every Engineer Should Learn From Star Wars" by Adam Shostack. I'm really slow in reading. And yet this book is still worth it, showcasing different ways how threats can manifest.
• Adding to my flashcards here and there as I came across concepts to take note of. Didn't practice on them, yet extended them as I go and that was good enough for me this month.
• Finally founded a small CTF team! It's actually happening, we just had our kickoff call and our first CTF participation is already scheduled. Literally can't wait for learning together on this.
• A bit of Hack the Box challenges for myself. Not much, and yet I'm always learning so much when working on them. Even when having to look up things in walkthroughs, the eureka moments are strong here.
• A few C# exercises on Exercism. As I started at my new company and am learning a lot about C# and .NET framework there, I decided not to pursue these exercises further in my free time as of now. Coding exercises are sometimes nice to have, you can limit your thinking to a certain space and can just do a small thing. That being said, I tend to learn more on something that contributes value to a higher goal besides merely finishing an exercise. (I do notice I don't apply the same logic to the Hack the Box challenges, curiously.)
• I completed the other Semgrep Academy courses I wanted to do. So that one's now ticked off my list! Feels good to finish something.

I've experimented with a few approaches to my challenge, mainly how much energy and time to invest in what, and in what order to prioritize things during my day. Sometimes it worked, sometimes it didn't. In the end, only the current day and moment can tell me where my energies are flowing and what I'm currently able to invest. Sometimes I have to build up energy by doing seemingly unrelated, or even potentially wasteful things before I'm up for the actual thing. And that's okay as well. It's about giving myself grace and stay calm. (Yeah, I have to repeat this over and over for myself.)

That applies to my joy topics as well. Turns out, I fail investing in them daily. Not that there's no joy at all, I've integrated enjoyable stuff into my days quite well already (like sipping on luxurious tea, or listening to audiobooks). Yet additional pure joy topics (like playing computer games) need more time, headspace, and energy for me. I've done a lot better investing in these things during the weekend. Weekly "pure joy for myself" topics seem to work for me, while my learning topics can indeed be tiny daily steps to make progress.

My needs had been covered quite well-ish during this month. A bit more sleep, a bit more exercise, a bit more warmth would have been good. The next months to come can offer more of that. Journaling still works out super well for me, I'm gaining lots of benefit without it costing me much time.

I've came across thought-provoking inspiration from community folks this month that felt so relevant to my endeavor that I want to leave these peices here for my future self.

• Alan Page shared a very resonating piece in one of his recent newsletters: “So, I’m reminding myself of something as I sit in my favorite local coffee shop: It’s okay to write even when it feels hard. It’s ok to write, even if the subject isn’t riveting or compelling. It’s okay to create, even when it comes in fits and starts. It’s okay to show up imperfectly, with half-formed thoughts, as long as we keep showing up.” This really reminded me of working on showing up. Even if I don’t feel like it on that day. When I did show up on bad days it worked super well for me in the past, I know it can work. Yet it's the same thing what’s been holding me back, or rather how I’ve been holding myself back many times, on so many things I set out to do: not showing up for myself. What a profound reminder.
• I came across a post on Mastodon that included this quote: "Anything worth doing is worth doing badly." Of course, context is crucial for such statements. It does present a perfect reminder to myself for my challenge though: Anything done is better than nothing done. Poorly done is better than nothing done.
• Mark Techson shared this piece of gold: “Need to figure out what I have to let go of to make room for what I want 🤝🏾” So much this... I'm not there yet. Yet.
• On a related note, Amy Edmondson asked this amazing reflection question: “How can I let go of the things that are keeping me stuck?” Phew, hitting the nail on the head. 
• Just a few days ago I told someone else to give themselves grace, that time and energy comes in waves, and tides will rise again. Yeah. The actual target audience was me, myself and I.
  

I did gain confidence through working hands-on on actual tasks, and getting feedback through both the personal realization that I've figured things out as well as external validation from other folks appreciating my work. In addition, I did gain confidence and showed up stronger in other areas of life (like volleyball) as well which is such a nice payoff for my personal challenge.

So overall, steady-ish and calm-ish it was the last weeks. And that's okay for some time as well. I've still did some things, some theory and some practice, some solo and some social stuff. I've done plenty of learning at work, naturally. Doesn't count towards my challenge, and still. I've realized a bunch of times that I've actually gained confidence, and that definitely counts for something. The best: my inner critic had been pleasantly calm this whole month, and rightfully so. That's a huge win, considering all the things that happened. And in hindsight I did better at giving myself grace even though it didn't feel like it.

Yes, there's more that I could do for things I want to do. Yes, there's less I could do for things that don't help me forward. Yes, I could say yes less often to make space for myself and better opportunities to come. It's a learning journey after all. And yes, I'm still excited about this specific personal journey in 2025.

Calm and Steady - Off to a Good Start

The blog post to make a new personal challenge public is usually the most exciting to write. The first post afterwards to share progress is usually the most difficult. Once that initial one is out of the way, I often have a better hunch on what I want to share in what way, whether I use a template for structure or not, how refined the post should be, and so on.

That's exactly why I literally just sat down to type whatever comes into my head at that moment in time. And I intended to share it, as rough and raw as I could allow it to be. I did go over it once more, yet kept in mind that there's more value in sharing early than in over-polishing.

The first month of my new "Calm and Steady" personal challenge is coming to an end. Here's what I've done so far, what worked and what didn't, and the insights I gained.

 

Journaling Using a Template for the Win

I knew I would need some way to track what I'm doing so I can look back and decide on potential course corrections. Additionally, I am well aware that I think in writing - so I like to write to think. Putting words down in writing often help me realize things better than any other way. That's why I set out to start journaling not only for work, but also for personal endeavors like this. 

I've made a conscious choice not to get lost in tooling paralysis but pick the first tool that could possibly work. I needed something that allowed me to get started quickly without hassle yet won't block future migrations. For this case, I tried Notion. It never really matched my needs before, yet using it for a month now I can say it was totally worth making this call. Fast, easy, synced, editable everywhere, not too constrained, and I can just export my notes in markdown and move somewhere else whenever I want to.

Next, I created a template for my daily journal page. I've iterated over this a few times now and just adapted it to what I needed. Having a few sections available meant I could focus my time on the actual content and still check boxes I wanted to evaluate later on. I also made a deliberate choice to have only few free text sections and the rest quickly interactive checkboxes and buttons to save time and lower the burden to do this daily. Here are my current template sections:

• Thoughts: anything noteworthy I want to record or reflect on.
  
• Practice or Theory: what small step I took today to make steady progress.
  
• Joy just for the Sake of Joy: whatever I did just for myself, where joy was the self-purpose.
• Needs Covered: which of my daily or less regular needs I've satisfied today.
  
• Voice of My Inner Critic: how calm or loud my inner critic got and why.
  
• Mood of the Day: how I've perceived the day overall.
  
• Sunday Joy Check: whether what I'm doing still brings me joy or I should change anything.
  

Turns out, this worked surprisingly well for me! It's been giving my thoughts both structure and freedom. I have a daily reminder to fill it, and I actually did so every day. Nice.

 

Enough Options, not too Many

Based on initial ideation, I chose to start the following topics which provide a mix of theory and practice, solo and social time.

• Read "Threats: What Every Engineer Should Learn From Star Wars" by Adam Shostack. I have a pile of potentially awesome books on my reading list, and I know it takes me long time to go through any of them. This is the book on the top of my pile, so I finally started it. Didn't make much progress yet, but it's been insightful already.
  
• Write my own flashcards with concepts I come across. Doing so, I followed my original idea to cater to my brain's needs. I started an Anki deck to which I added any terms and concepts I encountered during my daily work on topics. It still grows organically. I wondered when to start learning using these cards in a regular manner to memorize the concepts. I tried the mechanism once as a proof of concept which was already helpful. I think I'll continue building the deck a bit further before I introduce a regular routine.
  
• Explore the Exercism C# track. I like the platform's way of introducing language concepts and allowing you to practice in steps, as well as see other folks' solutions and improve yours iteratively. My upcoming role has a focus on the .NET platform with which I haven't had many touch points yet, and I'm curious about concepts and conventions in C#. 
  
• Solve Hack the Box labs. I just love these security puzzles to practice. I'm still a newbie and there's much to learn, so this involves going through frustration until you either have the eureka moment or the humbleness to look things up and learn by following walkthroughs. Yet any little step equips you better for the next, and it's just fun. Also, it's a great one to do socially together and I'm glad I had great company during this month.
  
• Found a CTF team. It's been on my list for 1.5 years, and guess what? It's now happening indeed! I have a small group of folks who are still interested to join me in this experiment. Once I have a hunch on my work schedule rhythm, I'll organize first informal practice sessions and we'll see where it leads us.
  
• Do Semgrep Academy courses. Back when Tanya Janca offered her We Hack Purple courses, I've already enjoyed the AppSec Level Foundation 1 course. Now it was time to complete level 2 and 3 as well. They were validating of what I already know, filling gaps of what I didn't know yet, and they equipped me with tangible advice for real work situations. Hence, I decided to continue with the other free courses offered, like on secure coding.
  

Turns out, the variety of topics helps me go with my energies each day. At the same time, I've also realized I've reached the limit of topics in focus at the same time. I hope to finish some the next month to maintain flexibility to change my way based on new learnings. 

Same applies to my "joy for the sake of joy" bucket. I draw from a good variety of things I love doing as I go, depending on whatever I'm up to at any given day.

Spotting Behavioral Patterns

In the beginning, I've been quite diligent with keeping my joy topics going every day. I did notice how much I limited time for these things, though, or that I usually put them at the end of the day after everything else was done (business before pleasure and such). In the last weeks, I've once again started to neglect them completely, prioritizing everything else. The things I do for this challenge still bring me joy, yet that's a known pattern that I need to be very cautious about and take deliberate action against.

On a positive note, I've been way better in keeping my needs satisfied. Not super great, but way better than last year. Having my needs as part of my journaling template really helps me not to lose sight of them.

I've identified a detractor I didn't expect: social media. It probably sounds like an obvious one to many, yet I've been rather constrained about it most of the times. That being said, the last months my social media time got really out of hand. I'm spread across too many platforms and formats these days, I didn't filter content enough, and I didn't prioritize my time for the most valuable places. I've started experimenting with a few course corrections in order to get back to a sustainable pace and still get the value out of social media without getting drawn in. Healthy boundaries and such.

Once more, I've realized that I need to tackle smaller tasks and quick wins first to free up headspace and gain momentum to manage bigger ones. Not to feel paralyzing overwhelm and staying in a state of anxiousness, but instead taking action to re-gain a state of calmness.

Going Steady, but Keeping Calm?

Looking back, my inner critic was doing quite a great job this month. The inner voices mostly kept calm and rightfully so. Only rarely they flagged something, mostly valid concerns. It's been a good, restful and rather calm month in general, which made it easier. Yet practicing while being in good shape can help prepare a lot for wilder times. 

I've also learned a few things based on the concerns my inner critic alerted me on.

An alert might feel overwhelming at first, loud and noisy. It might seem unhelpful in the moment. I might only learn if it was valid or not in hindsight. And still there might be something important going on, something to learn from. This happened to me during a volleyball game I had this month (yes, the inner critic also applies to other areas in life). I made the decision to take myself out of the game, hoping to give us a winning chance - my critic was loud in that moment in all possible ways. A week later my coach gave me invaluable feedback that my decision had indeed been a good one for the team and how it showed maturity. In hindsight, my critic was letting me do the right thing yet I wouldn't have needed to doubt my decision.

Whenever I just rush do things quickly and get them out of the way, I fall back to automated thinking and approaches I’ve used most times before. Yet those don't work well when I'm confronted with a new domain or challenge I don't solve every day. Which means, rushing when trying to navigate less experienced terrain makes my critic go loud. To find good solutions (that don’t need to take long either), I need to take some time and calm space, really look at the problem at hand, and think about how to approach it. That’s the frame in which I can make use of other knowledge and pieces of the puzzle I already have that aren't automated yet. Therefore, a reminder to myself: use system 2 to think slowly about problems and you have all your tools available to solve them.

Picking up puzzle pieces as I go sometimes feels really slow (hello, critic!). And yet it proved to be an invaluable approach for me during my whole career. This month, I've learned once again that gathering pieces together with others can turn out to become really valuable for them as well. It's worth it and we all get better as we go. I need to stay patient.

In conclusion, all this helps me see my inner critic in another light. I already knew I could learn from it rationally, and now I have further evidence including the emotional experience. That insight alone was already worth starting this whole challenge. I hope to turn it into further calmness. Also, I'm curious how things will play out the next month when I'm starting at a new company, in a new role. Stay tuned!

Calm and Steady as She Goes

Personal challenges serve me well as my themes to focus on in a year and grow with them. It's that time of the year again to reveal what I'm setting out to do in 2025!

As it turned out in the past years, my brain already starts thinking about the next year's big challenging scary endeavor before finishing up the current one. To enable myself to keep going and completing that first, I'm taking notes for next year whenever any thought pops up. And as usual, I share these raw notes for my future self, mostly unedited. Here are those I took during 2024.

Consider security certificate as next year challenge (as I want to start speaking at security conferences, and grow into security related jobs, or just be taken seriously, or just prove it to myself)

Just reading books - catching up on all

Start a capture the flag (CTF) team, finally

Maybe just continue new contributions anyway - at least 3 of them will continue overlapping into 2025

Definitely include fun activities and self-care, like games, books, volleyball and fitness, just rest, and more - was way too few this year

Focus on the fun in learning (while continuing ongoing 2024 endeavors)

• fun: gamify things (participate in 1 CTF)
• frequent: deliberate regular practice as a habit (including CTF teams, solo puzzles, programming exercises, etc.)
• foundations: learn theory for conceptual foundations, e.g. using flashcards, for “prove and show yourself” situations, potential interviews, and certifications (do 1 security related certificate to validate yourself and increase your market value)

Theory and practice: a flag a week, a cert a year - security first, development second

Journal

Fun, practice, theory - integrated in everyday, leaving space, in this priority

Focus on new job

Practice and theory, emphasis on fun. Security and development. Only constraint: 15min on anything every day, computer games every week.

Have two buckets, do one of each every day - depending on energy that day:

• security or development, play or theory (CTF, book, flashcards, kata, build, ...), alone or with others
• joy for self-purpose and care: play (not casual), draw / paint, read fiction

Make use of what works even on bad days: habits and streaks

Be mindful of other tasks and commitments: conference speaking, work, open security conference (osco), leadership workshops, card deck game, accountability partnership

Build in system so I can't automatically fall back on the exact same easiest thing every day

Blog every week what I learned, allow myself to post in bullet points only to still learn in public and share insights, also for my future self

Idea from Tobias Geyer for keeping myself accountable regarding self-care: accountability buddy :)

You'll notice duplicates and different formulations of roughly similar ideas. I usually just add notes as I go on purpose so I see how my thinking evolved over time. Also, some ideas I've listed in 2024 had been overhauled and outdated by reality in the meantime. For example, I don't need to prepare for my entry in a security role and related interviews any longer, I already had to do them without said prep - and I made it! I'm still so grateful. Certificates would still be useful of course for market value and some seem to be actually useful regarding their content. Maybe something to head for the year after.

That aside, looking at my notes, can you see the red thread showing up for 2025 already? The things that repeated in my head over and over? I see it and yet I need to write it down and formulate it out. Why? It helps me get down to the core challenge, forces me to structure those thoughts into a clear hypothesis and allows me to check in with myself from time to time to see how I'm doing and hence keeping myself accountable. This way I can also make it public, which again holds me accountable in a different way. And another one is to have a learning partner to check in with from time to time (thanks for being there, Toyer Mamoojee!). Or maybe multiple, e.g. one per topic or realm, and why not? Whatever works. I'll figure out what will work for me this year.

 

The Challenge

What is the actual challenge for me this year? Well, this one needs some background and explanation.

I got challenged throughout my career, even life, regarding what I'm doing, what I'm not doing, or not doing enough of it, or not be enough, or be too much, and whatever. Be it the evergreen "you're not technical (enough)" while certain people will keep moving the respective goalpost just for the sake of gatekeeping and keeping me busy and preoccupied with trying to reach an unreachable goal, no matter how often I've proven I am indeed technical. And where I'm not yet, I'm capable of becoming more technical. It doesn't stop with this classic, though. I've also heard "you're not your job" a lot of times. While in general I agree, this one stings just as well, given how much I enjoy tech and work on a variety of tech-related things in my non-work time. My identity is manifold and at the same time parts of it are indeed deeply rooted in my job. I'm fine with it. I'm super privileged to love what I do for a living and gain a lot from it for the other parts of my life. 

There are more challenges like these two examples. I've actively invested in unlearning my people pleasing tendencies for some time now. It's hard. On bad days, I fall back to old behavior patterns. On some days, I get past them without feeling overly selfish. And yet they come back to me time and time again. My inner critic is very trained on getting loud whenever I might disappoint people and their expectations to me. No matter how conflicting they might be (hence setting me up for failure), or whether I concur at all in the first place. I don't want this inner fight anymore that costs so much energy and focus when it's not needed (there are valid topics where the inner critic is a very useful mechanism, it doesn't exist without a purpose).

I want to set out to calm these inner voices that are especially strong in moments when I feel dumb, that I'm not knowing my own craft well enough, or that I'm not being allowed to enjoy my craft no matter my current abilities. I've once again had quite a few of these moments in 2024, like during a code retreat at a conference, in a work situation with a former teammate, and more. They sting, they hurt more than they should, and I take them to heart way more than is helpful. They linger in my head and take up way more space than they deserve instead of me just acknowledging that this happened and moving on. Instead of just building on the countless positive indicators that I am going my way the way I do and it's fine like it is.

One particular case when my inner critic gets too loud is the following. Whenever other people use specific terminology related to what they're doing, e.g. techniques, patterns, strategies, you name it - my brain struggles to remember what it was about. That doesn't happen for things I've been most used to as I've had plenty of opportunity to practice over the years, let's say "exploratory testing". But if someone says "dependency injection" I'm beating myself up for not instantly being able to provide its exact definition even though I've also had plenty of touch points and made use of this concept over and over myself. And that's what's nagging me: my inner critic shouting "I'm blanking out, but I should know, I should be able to explain!" and certain outer critics pointing out "see, I told you you're not technical". While at the same time knowing that first, there are lots of folks who don't judge me for it. Second, I've just not had the same opportunity to learn and practice certain concepts compared to others who focused on it. And third, my brain and body need a lot of repetition to memorize anything, I've learned that already in my childhood. So now I could do lots of different things; I could keep whining about it, I could stop bothering, or I could give myself more opportunities based on my specific needs and calm those voices. For 2025, I'm choosing the latter.

A dear community friend told me that haters gonna hate - whoever wants to put me in any corner will do so. No matter what I do. I can only control what's in my realm, which is my own inner critic demanding to prove myself to myself and others. Therefore, I need to focus on myself.

That is exactly what makes this challenge scary for me. It's about facing my inner demons and taking action instead of just letting them roam around. It's about focusing on me and not on what the rest of the world tells me or I assume they would tell me. It's working on myself. My last challenge of 2024 was very outward facing, contributing to community. This one is contributing to myself.

One more thought. Going back to my previous challenges, a whole lot of them are about gaining confidence. To speak on stages. To go deeper into coding. I also have a whole talk on gaining technical confidence. See a pattern? Even after 15 years in tech I'm still seeking for that inner and outer peace of a calm mind. This year it's on. On my own terms, in my own ways, I'll find a way to become calm enough. Never jump to perfection, right? Just continuously do steps to become better. And calmer.

My Needs

This year, I took additional time to reflect on my new challenge, goal setting, and especially my own needs. Here are a few things that really helped me gain further clarity.

• Cosima Laube shared a great technique, the "W.I.N. manual" (W.I.N. = What I Need). She asks to note down our answers to a few questions. The core one is "What do I need to do well, enabling me to be the best version of myself?" Daily, weekly, monthly, a few times a year? And lastly, what are things that are not helpful at all, that drain my energy? This exercise doesn't take long, doesn't have to be overly comprehensive, and yet reveals a lot of insights. For me my needs are focused around taking care of my body and brain, managing my cognitive load, giving myself calm space and time where I can think, taking continuous tiny steps. Allowing the pieces of the puzzle that I pick up as I go form a picture over time. Giving myself joyful and playful moments. My energy drainers and detractors revolve around pressure: due dates, social expectations (or my interpretation of them), allowing myself to be pulled in other directions, my ambition setting myself up for failure and getting angry at myself for it, my brain trying to puzzle out incompatible input and getting stuck, my body alerting me on neglected needs or even forcing me to stop.
• This reflection made me remember an exercise I had done already in 2023, thanks to a dear former teammate who worked on making our company's work environment more accessible. She introduced the idea of creating an "inclusivity passport" to gain clarity on our own needs and offer a way to communicate those of them that we want to share with our colleagues. It asked us to think through our needs when it comes to touch, vision, hearing, speech, cognition, and anything else. It was immensely helpful for me and I gained further insights about myself. For example, I found myself listing most of my own needs in the cognition category. Here are some excerpts, that are especially relevant for my personal challenge: "I need time to think without too tight constraints. I can only focus on one thing at a time. If my cognitive load gets too high, I literally won't be able to think at all anymore, everything slows down to a halt. I can get very anxious, hence I'm trying to keep myself in a calm place as much as possible - that's where I do my best work and in general am the best human I can be. Hands-on repetition helps me learn new things."
• I have a magnet board at home. Over the years, I just added to it, leaving whatever was there before. A few days ago, I decided to redo it, and look what I came across as reminders from my past self: "Calm is a choice". "Sometimes we need to stop to be able to think". "Energy is limited". Yep, so very fitting. 
• Last week, I happened to listen to a podcast with Brook Schoenfield where he dropped a few gems which resonated heavily with me. Let me incompletely paraphrase some core points here: "Keep listening. Just because you don't know what's going on doesn't mean your brain won't get enough of the background over time to begin to reveal the form. Don't be in a rush, let it happen, it takes a while (unless you're naturally predisposed). For us mere mortals we gotta wait and do the time, eventually it takes form."
• Mark Techson posted a video on how to nail the goals you set yourself. He asked three questions. First, what was holding you back in the past from getting this done? Well, for me it was often no action just talking, plus investing time in other things that drained my energy and capacity - basically not keeping space for this and especially my own needs. Second, what do I stand to gain if I actually hit this goal? What's in it for me? My response was peace of mind, calmness, the "I got this" feeling, confidence. But also less worry, less anxiety etc. over things that are not worth it. Gaining back control over my own mind and the things I have in my own hands. Finally, what do I stand to lose? Phew. My self-belief, confidence and trust in myself. Hence, all the things I could do and have impact on where I need exactly that. Control over my life as I allow other people to dictate it.
  

Listing all these needs and thoughts and seeing them right in front of me, I realized that these are all things that I have in my own hand. Phew... I can literally gain back control and choose to be calm and slow and steady. Or whatever else is helpful in the moment.

Last year's challenge was very fruitful and yet turned out to be very stressful as well. This year, knowing there will also be a lot going on in life in general, I want to take it slower. Because that's what my brain and body really need. As ambitious as I am, I want to start taking things in ways I can take them best. Slowly, steadily it is.

The Hypothesis

I believe that learning in ways that fit my own personal needs, every day for just a bit, combining theory and practice, will soothe my inner critic, and allow myself to focus on the joy of (re)discovering knowledge and skills while holding space for whatever else I want to use my time for during the year. 

I've proven the hypothesis when my inner critic focuses on their original task again to alert me on actual concerns, and I've had a good time with what I learned and worked on.

The Experiment

I like to keep my hypotheses on a higher level, rather overarching and generic while crisp enough, yet I also yearn for concrete details that will guide me on my first steps and also help with evaluating the hypothesis in the end to prove or disprove it. Here's the tangible experiment I have in mind to test the above hypothesis.

• The learning topics pay into application or cloud security in some way. Narrowing things down a bit should provide focus while still being broad enough to provide plenty of flexibility to see where my energy is going.
• It's completely up to me whether I go for theory or practice on any day, as long as both parts are represented every week.
• For theory, I'm going for systems that helped my brain learn back in formal education - like using flashcards to memorize terms and definitions. I acknowledge that I need repetition first before I grow understanding.
• For practice, there are lots of options to choose from, like capture the flag challenges, developing a practice project, contributing to open source, building tools for myself, and so on. These can be very temporary throw-away projects or things that have long-term value. Anything counts as long as I apply my knowledge and practice deliberately.
• To support my brain, I build a habit of doing something every day. Can be as tiny as a 1-minute effort or as big as spending hours. Just something to do and focus on. It doesn't have to bring me further and I don't have to make any perceivable progress of sorts.
• Every week, I check in with myself if what I'm doing brings me joy. As simple as that. If yes, great keep going, if not, I change one thing and then see the following week whether this improved the situation or I keep experimenting.
• I take note of moments when my inner critic gets loud again on things where there's no need. I just take note, there's no need for further reflection (it'll happen anyways without myself forcing it in). I just acknowledge this happened.

To capture the last two, and maybe also my basic needs, I'll probably start journaling again. I might or might not blog about what I learn as well. I think in writing, so stuff like that really helps me. I'll figure out what works, I can make up my mind any time during the year.

The Timeline

I'm officially starting my challenge right after publishing this post. I keep it running for at least 4 weeks. I'm stopping latest at the end of October 2025. This time it's a hard stop wherever I will be at that moment in time, there's no prolongation. I might stop any time beforehand whenever I see it's not helpful, or causing me a miserable time.

This year, I've tried a few things out already before posting this. See what might work, set up a basic structure to start with. Weighing a few things in my mind, see how it feels. Not overdoing anything, as whatever I come up with should also fit in a very busy day. Experimenting a bit upfront just helped me formulate this challenge.

 

The Hashtag

Why is a hashtag or tag line important to me? This is how I refer to my challenge in my own mind. It's also how I describe it to others, so it helps to make it descriptive, crisp, and concise. It took me a while to figure out a good one for this challenge yet it was crucial to gain further clarity of its core. Sometimes it's about trusting the process and believing I'll get there. 

After trying out lots of different variations, I settled on #CalmAndSteady. That's the phrase my mind kept coming back to. It already sticks. I can just as well let it stick. Yes, I'll be learning stuff as I go. Yet the core is all about me and how I approach things and how I respond to things. It's about which system and space I create for myself, catering to my own needs and caring for myself. Calm is about grounding myself, finding that inner peace and quiet, freeing myself from anger and anxiety where possible. Calm my inner worries and give me back the time and energy to focus on what's important to me. Calm that critic. Steady is about keep on keeping on, taking tiny step by step. Not overdoing, not jumping to perfection, just consistently keeping at it. Progress and growth will follow.

I wanted to formulate things positively, so "calm and steady" works. It also works for other parts in life. For example, I really want to get healthier again while my body reminds me of my age every day. I need to take it a lot slower than many years back, and not rush at all; otherwise, I'll have to pay a price and be even more patient with myself again. So yes, this year is a "work on myself" year. Calm and steady includes that patience that I'll need with myself to wait until pieces come together and fall into their places. It also includes that peaceful inner state of mind that keeps me enabled to act, no matter what else might come on the outside. I'd very much like that. Especially given the state of the world.

Anything else?

Oh, there will be plenty of "elses" throughout the year! Lots of things will happen. Life itself, a new job, a new role, conference speaking, sports, games, books, travel, friends, family, the world, whatnot. 

This challenge is intended to fit neatly into life and still be helpful. Let's see how it goes. Off I go!

2024 - What a Wild Ride

At the end of each year, I sit down to look back and take account of the past year in writing. I've made it my own tradition to help myself acknowledge all the things that happened during the year, especially any achievements of sorts.

I started the year with lots of hope of great things to happen (they did), lots of challenges to tackle (that sentiment nailed it), lots of joy on the way (not as much as hoped for), and lots of energy replenished (phew... nope). The year was an unexpectedly wild ride and it really drained my energy reserves. The good news is that I'm ending the year on a very positive note with a lot of hope for the future. The struggles paid off and I'm grateful for my past self that I've pulled through.

Dear future self, here are my accomplishments of 2024.

• My sixth personal challenge of courageous new community contributions really took off, took quite a toll, and was still so much worth it. I've helped bring lots of things to life: a whole new conference, a practice app, a card deck game, a leadership workshop series - and I've given conference sessions on security for the first time. It's been massive and I've dedicated a whole separate post on closing the challenge, so I won't repeat most things in detail here.
  
• One thing I will indeed repeat, as it was a true #AchievementUnlocked moment for me: I've spoken at my first security conference this year, BSides Munich! Super grateful for this opportunity, and it came at a perfect time right when I kicked off my job search, for which this specific speaking engagement paid off even more. One interviewer shared they watched the recording and liked it (phew, yay!). My future manager was sitting in the talk (I can't make this up)! When it comes to the community, this talk helped me make further connections. For example, I had a call with a new acquaintance to exchange inspiration and ideas to evolve a security champion program further. I got invited to participate in university research around DevSecOps. And you can imagine my surprise when I've discovered my very own talk been referenced in Katilyst's security champion newsletter that I had subscribed to earlier this year! Mind-blowing. By the way, in case you'd like to hear about how my work as security champion evolved over the last years, check out the recording.
• I've had 12 speaking engagements this year, which makes it overall 103 since I've started out in 2017. Crossing the threshold of over 100 gigs is definitely something to celebrate! Looking at conference sessions alone, I've given 8 sessions at 6 conferences in 3 countries this year. In all time, that makes it 48 sessions at 27 conferences in 12 countries. I really have to count and see these numbers for myself, I'm still in awe that I really did all this. My past self wouldn't have believed me one bit.
  
• Including this one, I've written 10 blog posts this year. This number still surprises me as I remember that next to everything else going on this year, there was little to no time left at all for writing. A pity, as I do think in writing, and I do write this blog for myself in the first place, for sharing in the second. Maybe there's more space for it in 2025, I'll see it when I'll do that year's review.
  
• My main social media platforms this year had turned out to be still Mastodon on first place, followed by Bluesky (especially after the recent wave of folks joining). Instagram surprisingly landed on third place (being a lot better than I ever expected it to be). My LinkedIn presence grew as well. It's by far not my favorite platform to consume content, yet it has its very own purpose for career networking endeavors. Overall, I'm grateful for everyone out there posting meaningful content over the course of the year that made me think, made me read, made me listen, made me learn. I'll continue curating my own feeds hoping to pay it forward.
  
• I've invested in a few other community endeavors over the year as well. Like continuing my accountability and learning partnership with Toyer Mamoojee, security pair testing sessions with Peter Kofler, joining a few code reading club sessions (unfortunately a lot less than I had hoped for). I've also had several calls and even on-site meetings with other dear community friends over the year, with us sharing on various topics ranging from learning cybersecurity, to startup ideas, to community dynamics, to anything and everything that moves us.
  
• At work, this year was a wild ride as well. My team and I had a tough time deciding on all the incoming requests and their actual priorities, and catered as best we could to those with highest importance given the circumstances. Compliance of all kinds was a big topic, too. We had several incidents which allowed us to learn how our system could fail in new and surprising ways and implement respective mitigations. Lots of tricky data migrations to get right. Quite some team fluctuation as well, people leaving and coming. In the end we were a smaller core team still doing our best to keep up with occurring demands from all sides, and getting our valued legacy product back in shape. Given the circumstances, we've mostly smashed it. Well, until things changed completely.
  
• Me, my team and lots of other colleagues had been laid off due to the company's business pivoting. I'm very proud of my team, on the sound culture we've built and fostered for us, how we showed up for each other over time, and how we even in the moment when everything came to an end celebrated what we had and gave each other feedback along on our ways. Kudos to everyone! We really had a good ride together. It's never nice to go through layoffs, and yet it's actually been surprisingly good to get laid off as a whole team, just having it end together at this moment in time. It's been like a band-aid being ripped off. Based on our talks, we all preferred this option over a slower and potentially more painful end, like getting chipped away at and dissolved over time.
  
• My amazing network really stepped up in words and action, spreading the news of my unexpected job search, sharing opportunities, making connections. This kind of invaluable sponsorship, plus me putting a lot of effort into a high intensity search, plus my personal challenge endeavors (again building on my network) this year, allowed me to find a new job within 6 weeks, contract signed within 8 weeks. I have to write these numbers down for my future self, and even for my present self as I still can't believe this happened so fast, especially given the current market. Closing everything just before the end of the year. And not just finding just any job but one that I really, really want. And on top of that, a role change that I hoped for in the next years to come. Now it's already here, and I'm so ready for it. I've witnessed the magic of "one door closes and many other doors open" before, yet this year this phrase became a whole new meaning for me.
• This year's personal challenge was all about new community contributions. Here's a new work-related contribution that I didn't foresee beginning of the year. From next year onward, I'll continue my path as a security engineer. When looking back at the kinds of contributions I've done this year and how many had security at their center, it does make a lot of sense, though. I just thought it wouldn't come to it that fast. There will be many more new challenges awaiting me on this next part of my journey, and I bet a few well-known ones as well. I honestly can't wait.
• It feels like a milestone in my career to get this new role and hence opportunity to explore next year. A dear community friend helped me put up a mirror for myself: she said all this is not coming suddenly for me. I've been building this up over many, many years, the knowledge, the network, the path for myself. Lots of little building blocks all over the place providing the foundation for this next step that now has a big meaning. It's been about persistence, continuously moving forward, little by little. About pushing myself also in times I didn't feel like it, like just right after the layoffs that came at a time when I just wanted to breathe and rest. She heard me saying how tired I was all over the year. She's been celebrating this huge step for me, it's all coming together. I'm very grateful for having such dear friends offering reflections in times I really need to see them. And she's been right: the compounding effect of all the little things I've done in my career is indeed real, and very impactful now for me. I'm grateful for my past self pushing through.
  

Here I am. It's the end of the year again. It's been once again helpful for me to look back and see all of the above. Now I'm already super curious what my review for 2025 will look like!

Contributing in New Ways - Finding Closure among New Opportunities

Finally, there's time and space to close my personal challenge of 2024 by looking back at what happened and what I learned from it. Setting out beginning of the year, I had the following hypothesis.

I believe that contributing to communities in new, courageous ways will add value to the communities I'm part of and grow my own knowledge and skills. I've proven the hypothesis when...

• I have contributed in three new ways,
• other people engaged with these contributions, and
• I have learned three new things from each.

Little did I know just how much this turned out to be true! Here are the new kinds of courageous community contributions I've done during the year and what I learned from them.

 

Open Security Conference (osco)

What was it about? Launch an open space security conference together with Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus. We set out to create a people-centered international gathering for everyone interested in cybersecurity, aiming to remove gatekeeping and barriers where we can to make security more accessible. The idea of the Open Security Conference (#osco) was born.

How did it go? There are so many things going into organizing a conference, let alone launching a whole new one. We had to make a few hard decisions what to do for this first instance already, and what to park only for later editions if that first one proved our concept. The biggest trouble we had, though, was a topic we didn't have on our radar at first that we completely underestimated. For a few months, the whole conference was on the edge as we had to solve the problem of handling money without having any organization (yet). This took us nearly to a halt; until we figured out a way together with our amazing venue to have all money-related topics, including sponsoring, go through them. Having made it over that big hump, we actually made the whole thing happen: the first ever Open Security Conference (#osco) took place on October 4-6 in Rückersbach, near Frankfurt/Main in Germany! We had two amazing keynotes to kick it off the event, followed by the open space as main part of the conference. We worried if things would work out with a small first group and were very relieved that people really enjoyed it. Read for yourself how the first osco went! People raised a lot of interest in an #osco25, so we can already confirm that we will have a second edition in 2025. We even found five more organizers to grow it further, we're very grateful for their trust and support. Currently, the whole organizing team is on a break to recharge energy, so our website is still on the state of 2024. Yet if you're interested, you can already save the date of 2025, October 2-5 for our second edition! Follow us on social media, Mastodon and LinkedIn, to get all latest updates once we're regrouping next year.

Which three things did I learn for myself?

1. Investing in creating an inclusive space from the start pays off. More often than not, this vision needed us to go the extra way. While we're keenly aware of what we're still lacking (plus the things we're not aware yet), we received really good feedback that the effort and positive impact was noticed and appreciated - it was so much worth it. 
   
2. It is invaluable to have a mid-sized and diverse enough group to get a big endeavor off the ground. While it wasn't always straightforward what the most effective solution to a problem right now was, we managed to play to the strengths of our different personalities and experiences in the end.
3. Having regular and frequent opportunities to reflect on how we're doing and trying out different approaches is crucial. This applies to any group you're working with. We postponed our retrospective to after the conference, while it would have really been worth doing them a lot earlier and regularly throughout the year.

 

Security Card Game

What was it about? Create a security card game together with Martin Schmidt and Philipp Zug. This idea has its origins at SoCraTes 2023 where I brought the topic of security to the conference and loved seeing lots of folks engage, like Martin and Philipp who invited me to their idea to create a game for fun and practice. 

How did it go? We have the main concept, a constantly evolving set of rules and deck of cards. Thanks to Martin, we also have a way to play the game remotely; who knows if we'll also turn it into a physical card deck at some point (it would be great, wouldn't it?). In any case, we hope to bring it to open space conferences and the world. Check out our Security Card Game Github org in case you want to follow along, and make sure to read Martin's SecCardGame post to get a first impression of the game. Having played it a few times, we were keen to present it to others at SoCraTes 2024. To be frank, we were positively overwhelmed by all the folks coming to our session, showing lots of interest, and providing concrete feedback for us. We also found a new contributor as well to evolve the game further with!

Which three things did I learn for myself?

1. Early and fast feedback is invaluable. Not a new learning in itself, and yet it turned out to be just as true in this space as well. We made it a point to try out the gameplay and different rules early on and continuously, without investing development time when it wasn't needed. This really paid off! Same as showing our rough and raw game already to the public without polishing it.
   
2. Sometimes it's just fine to contribute in one way only. For example, for this card game I've mostly focused on the content of the cards, instead of the actual implementation. It was something I could do in between everything else, and it still helped as asynchronous contribution until we met again - when we could think of all kinds of things and ideas while being together.
   
3. A little, relaxed, non-stressing, fun side-thing is a really nice side-thing. This initiative was the least stressful of all the things I've worked on throughout the year. We had set ourselves up for a great pace, continuous yet not overbearing, things moved further, not much investment was required in between, I really looked forward to our little sessions. It's nice to have things like this on the creative, energy-providing, playful side.
   

 

Project Snack Shop

What was it about? Build a full-stack open-source practice platform as an ensemble with Ben Dowen and Vernon Richards. We were taking the roles of the employees of the fictive company "Make-Believe Labs", taking on "Project Snack Shop" for a customer who wants to digitalize their well-running snack shop business by offering an online shop. This was intended as an as realistic as possible practice platform for all kinds of development activities. From our own vision, to the actual project offer and context, to the first proof of concepts, to team agreements, to design documents, to architectural decision records, exploring walking skeleton options with code, and more. 

How did it go? This had been a fascinating endeavor I really wouldn't miss. It's been both fun and challenging to mimic the described scenario and act accordingly. Sometimes taking on certain roles we knew we wanted to play on, like team dynamics and patterns we've observed. Wait, did I just commit a change without telling anyone (he-he-he)? Was that commit message omitting quite a big relevant change? And more! Not everything is publicly shared, but you can follow our main Snack Shop repository to see the latest state. I really appreciate having a project from the scratch where we can try things out, do some things properly, do some things in quick and dirty ways, leave some problems in the system intentionally while discovering others as we evolved it. We also had planned to bring this more to the public in the sense of webinars or streams, getting ourselves even more out of the comfort zone. Ben managed to get us a webinar where we could use our little project to work on specific challenges that are likely to get asked in an interview situation. This was a big driver for us to evolve it just to that stage where we could do the session. Afterwards, we all lacked the time to drive our snack shop much further, yet it'll always be there to work on as a nice practice playground which is closer to a real work situation already by its setup.

Which three things did I learn for myself?

1. Building things allows me to use skills I have, yet rarely have opportunity to hone. At the same time, doing so really boosted my confidence that I indeed can figure things out. 
2. Sometimes you have to build it yourself. There are so many practice apps out there for all kinds of purposes, it's wonderful. What we were aiming for, though, was rather unique, and I'm still not aware of any similar project. Especially doing it as an ensemble taking on different fictive roles and leaving trails and artifacts as it could be! 
3. Constraints can be really helpful to evolve a thing further. The webinar due date helped us massively to invest time for real, make tough calls on what to leave out, and have the thing shippable. While it's nice we don't have any pressure on the project anymore, now it's lying dormant. Constraints can really be liberating.
   

 

Leadership Workshops

What was it about? Offer Shiva Krishnan's and my leadership workshop series to the community. This program proved to be valuable to lots of people in the past, and it definitely helped both us grow immensely. Finally, the time had come to spread the word further and transform our workshops to an open community offer. This year we wanted to try it out with a small cohort. 

How did it go? For this first community proof of concept, we decided not to have public registrations, yet to build on our networks. We thought if this goes well, we can plan for more afterwards. We tried to think of lots of things needed to bring these existing (and continuously evolving) workshops to the broader audience, like tools, communication channels, and more. We found lots of interested people. We hosted Q&A sessions to answer most frequently asked questions right away so everyone knew what to expect and what they would sign up for, especially given that this is a series of six workshops with quite some time investment required from participants. What we didn't expect was that all of the above was quite fine for folks, yet the real struggle was hidden in our vastly incompatible schedules! It took us a very long time, staying patient and trying lots of different approaches, to figure out the slots for the first two workshops. Especially as we had to split these workshops up into smaller parts, given that it wasn't happening during working time, but in addition to work for everyone. We're really happy that we found a small cohort of four people who stayed enthusiastic and dared taking this journey with us. The first two workshops are completed, four further ones will take place next year. While we originally aimed to complete all six this year, we're glad we can still do this and learn from fresh community feedback to evolve them further and hopefully bring more value to community.

Which three things did I learn for myself?

1. It's hard to live up to your own values and leadership beliefs yet the impact of doing so matters. Especially when you give workshops on exactly this topic. Leading by example most often means not taking the easy route and finding ways that work for people while staying true to what you preach. It's been worth it big time, and I'm glad people now have a space that fits and continues to adapt to all of our needs.
2. Community editions can be different to work sessions in unexpected ways. This turned out to be very true when having people co-create the space instead of just proclaiming a date and leaving it up to people whether they can join or not. Scheduling is a hot topic also in work contexts, especially across different roles and departments at the same company. The fact that we're working for very different companies in different modes, with very different private lives and personal needs as well, made our schedules even more diverse.
3. Make the decision, especially when it's difficult. Originally, we wanted to start with a cohort of six people. Small and doable, while still viable. We had to make the tough decision to reduce the group to four folks to make it work at all, and communicate it accordingly. This was no easy decision at all, and at the same time the outcome shows us that it seems to have been the right decision in the end. We have a great group of engaged folks where the whole concept really works for everyone.
   

 

Conference Sessions on Security

What was it about? Give conference sessions on security. Ever since I've had my first pair testing sessions on security in 2018 I've been diving deeper into the area each year. I've given several sessions in company settings and at open spaces. This year it was time to extend my conference speaking to security topics and hence contribute in new ways in that space as well. 

How did it go? At the beginning of the year, I felt I could at least try to submit security-related proposals to some conferences. It would already be worth daring the mere submission and learning from it. And then it was actually working out, way more than expected! The Software Teaming Online Conference gave me rather free rein, so I made use of it and hosted an ensemble session to Capture the Flag Together: Security for Everyone, co-facilitated by Lisa Crispin. This idea was based on sessions I've given many times at various open space conferences and at work as well, so I was on familiar ground to start with. Then Agile Testing Days accepted both of the new security sessions I've dared to submit! Hence, two brand-new sessions, the workshop First Steps in Mobile Security Testing and the talk A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day had to take place. And then SoCraTes also came and asked me to give a training again this year - maybe I could do something about security? I was so happy when I read their message, it seems all the security related sessions I gave at last year's SoCraTes had really caught their interest. So I decided to create yet another new workshop that would fit well as a foundational training: Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day. Overall, these four different security-focused sessions had been accepted by conferences, and I was very excited about these opportunities. Yet another highlight was to come. Encouraged by all this, I dared to submit my brand-new talk to my first security conference ever, BSides Munich - and it got accepted for their main stage! Speaking there was definitely one of my biggest achievements unlocked for this year. There's a recording of this inaugural talk which makes me even happier. And as it goes with speaking at a conference, it also helped me massively to get further connections in the security space.

Which three things did I learn for myself?

1. It's worth daring to share what you've already learned on your journey. A lesson I've re-learned for myself. You never know who's going to be in the committee or audience, it might just be a great fit. And you don't have to wait to be in an exact role, position, time at life, or whatnot to start sharing. It will help you gain confidence and a clearer understanding of the topic as you need to convey it in approachable and digestible means.
   
2. Sometimes, the answers are already within you. I've learned this the hard way: just because you've seen a workshop setup play out nicely, doesn't mean you can replicate it that easily. My mobile security workshop haunted me for months, not because of the content, yet due to the complex setup that I needed to break it down and make it as accessible to beginners as possible. I've asked lots of people at the conferences I've been to how they would tackle it and gained lots of good hints and tips. And yet, in the end, none of these really solved my problems. Instead, the answers were already within me, I just needed to build up the confidence to remember all the pieces of the puzzle that I've already worked with throughout my years in tech, and bring them together in a way that it solved this one. And indeed, once I had gathered further confidence, I managed to figure everything out. Even during the workshop when I still needed to debug a few things live. It worked, and I can use this to ground myself in what I actually know and trust myself more.
   
3. Putting yourself out there on stage creates so many new connections and hence opportunities. Again, not a new learning, yet a re-validated one. Especially my new talk helped a lot with this, initiating lots of interesting conversations already at the conferences and also afterwards on social media. It also led me to having a dedicated call to talk about security champion programs and how to overcome struggles with someone I unfortunately missed at the conference, yet was lovely to meet online! Connections with like-minded folks are just invaluable. This talk even helped my job search - that I wasn't even aware was needed when daring to submit the session in the first place. Lots of good came out for me so far from giving back to community.
   

 

Running out of Capacity

Obviously, there were more ideas for even further new contributions to community this year. Creating an own capture the flag (CTF) team, contributing to an existing open-source project, maybe even really start writing a book. I'm glad I held back with these. First, there are further years to come. Second, well... taking on this challenge to contribute in manifold new ways was already filling my schedule to the rim.

So, what did I learn overall? That this year was wild. It was a constant hamster wheel. Having work being very stressful as well did not help at all. Private life was okay, though not that easy to navigate either. Overall, it was wildly too much and I really need a break now. I could have chosen a break in between at any time, yet it would have meant letting a lot of people down, including myself - so there's little to no surprise that I didn't take any break. Yet looking back at a year when I neglected most of my pure self-care activities like playing computer games (only picked it up again this month), reading fiction books (lay dormant for months as well), drawing (I remember I did it once during this year for a gift and that was about it). All of these bring me a lot of joy, and that source of energy became non-existent. At least I still invested a bit in exercising, yet as I'm doing team sports it would have also meant letting others down so of course I didn't cut short in this area. Well, it really helps my own health, so I'm still happy I didn't. But the big personal lesson for me here is that for a year that I intentionally set out with "energy & joy" as my motto but that was exactly what I lacked most - is that I must not repeat this. Whatever I do next, for any challenge, I need to build in self-care once more deliberately. Otherwise, I'll trick myself, just as I did this year. 

The second big lesson? Each of these new contributions could have been a personal challenge of the year. Cramming them together in the same year meant I had less focus on each of them, and over-committed myself, hence putting artificial self-made stress on myself when life was already stressing me out enough without me adding to it on top.

One more final lesson: anything you say yes to means you have to say no to something else. I'll have to see what other endeavors that I used to do are those I have to say no to next year, as many of the above community contributions are to be continued in 2025 - they don't just simply stop now. At the same time, I need the capacity and freedom to also go new ways and have actual slack time.

 

In Conclusion

My 2024 personal challenge is hereby officially closed. Looking at all the things I've worked on this year as part of it, I can definitely confirm that I have contributed in more than three new ways this year, that other people engaged with each of these contributions, and that I have learned at least three things from each.

I'm very grateful for all my co-conspirators in all of the endeavors described above. Without you all, my pieces alone would not have completed the puzzles we were working on together. Many, many thanks to everyone! 

This year's personal challenge to contribute in new ways had been quite a heavy one for me, and yet it helped me set myself up for good things to happen in 2025 - and I'm here for it!

Agile Testing Days 2024 - Reunion for Quality

I started this post right after returning from the Agile Testing Days, yet I've only come around to finish it now. It's been yet again such a great conference with amazing folks, and it just deserves a proper blog post to share and remind my future self what it was like this year.

 

Monday - Arrival Day

This year, the conference started only on Tuesday of the week. Traveling on Monday, I could already build up the usual excitement before this conference that back in 2015 was my very first conference ever which laid so many foundations for my career. With its content, yet even more with its amazing folks and the space it created every year since. A space to bring your whole self, to explore what could be, to truly connect with people, and to grow beyond what I thought was imaginable.

Arriving at the hotel, I was greeted with a huge banner that welcomed me home. And as a returning alumna, this indeed hit home and resonated more with me than I already knew it would. It's one of my homes indeed and I'm grateful I discovered it so many years ago for myself.

Thank you ❤️💕 #agileTD

[image or embed]

— Alex Schladebeck (@alexschl.bsky.social) November 21, 2024 at 4:13 PM

Arriving day also means that meeting the first folks - including those I've met many years ago the first time and we've built strong connections ever since. Folks like João Proença, Elizabeth Zagroba, Thierry de Pauw, Anne Colder, Vincent Wijnen, Michael Kutz, Dragan Spiridonov, and so many more. Also meeting people I haven't had the chance yet to fully connect with, so we made up for it this year! Like with Filip Hric, whom I had the pleasure to have dinner with on this first evening, and going full circle having dinner on the last evening as well. It's been lovely to see first-timers as well and have them slowly introduce to the wider community. Agile Testing Days can feel wildly overwhelming with everything going on, so having a chance to make things smoother for those who experience it for the first time is just great.

This evening was full of wonderful conversations over dinner, ending up in the bar, and then going to bed with a renewed sense of this community where I so much belong even though (or actually because?) I never fitted in completely. Which is perfectly fine.

Tuesday - Tutorial Day

Whenever I have the opportunity to do so, I opt for taking a full-day tutorial. This year, the tutorial I chose was "Empowering Inclusive Testing: A Guide to Accessibility" by Laveena Ramchandani. I really enjoyed this training on all things accessibility. It provided foundations as well as where and how to go deeper. Laveena explained regulations, tools, and set the space for us to practice preparing for difficult conversations advocating for making our products more accessible and hence more usable for everyone. She did a great job structuring and facilitating the tutorial, equipping us with concrete actions to take back to work. Obviously, we can't solve or know everything just after a one-day training, and yet there's a lot we can take with us and start doing right away to make things better.

After the tutorial, the conference unofficially opened with the first keynote "To Heck With Your Automation Principles" by Vincent Wijnen and Paul Holland. What an entertaining start into the conference! Well presented, getting the audience to think, engage, and see how context needs to influence which heuristics to try.

Finally, time for dinner. I love that dinner groups are getting organized for everyone, not just the speakers. In my case, I did join the speakers dinner, which was lovely as always. I really enjoyed the insightful table conversations on lots of deep topics with Ash Coleman Hynie and Vernon Richards (both of whom were such a pleasant surprise to see at this conference!), Dr. Rochelle Carr, João Proença and Sérgio Freire.

#AgileTD speakers dinner. Always special!

[image or embed]

— João Proença (@jrosaproenca.bsky.social) November 19, 2024 at 8:03 PM

 

Wednesday - Conference Day 1

The first full conference day was there, and with it came the full frenzy of Agile Testing Days! And also re-meeting so many awesome folks. Like Toyer Mamoojee and his whole family, who's been my learning partner since 2016 (can you imagine?). Like Janina Nemec, my co-conspirator for the Open Security Conference and long-time SET playing buddy. Like Gitte Klitgaard, whose wisdom, courage, and kindness had a huge impact on me ever since I've met her first here at Agile Testing Days. Here are the sessions I've joined on this day.

• Lean Coffee by Ashley Hunsberger and Lisa Crispin. Ever since the first Agile Testing Days I've made it a tradition to join the very first day's lean coffee session. It's quite hard for me to get up that early yet I know it's always worth it - and I still have most energy on the first day. Once again, I had a really nice group of folks we discussed interesting topics with. If you have a chance to catch a lean coffee session anywhere, bring your topics and let it surprise you. This time I've asked what are other ways to spread information and connect people beyond communities of practice that people experienced working. The gathered insights: spread information to read where people are like Google's "Testing on the toilet" initiative (that now became "Tech on the toilet"), go on mystery lunches, offer shadowing so folks can see the actual work, publish newspapers instead of only newsletters, have a marketplace with a booth to present yourself, and use the coffee kitchen (or remote analog) which is just never getting old.
  
• Keynote "Playful Leadership" by Portia Tung. Great opening keynote that people could relate with, setting the scene for the conference to play, dare something, grow with others around you, and listen to your physical responses. Very confident, authentic, and playful stage presence, love how Portia was leading by example.
  
• "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. Just one week ago I've given the inaugural instance of this brand-new talk at BSides Munich. This second time I've had a very different kind of audience in front of me - yet was it really that different? The talk worked just as well, and I loved all the kinds of insightful conversations and new connections that evolved based on it during the next days. For anybody who missed the chance, the BSides edition's recording had been published already.
  

  Make things a bit more secure than yesterday every day! That would help us all! „A Security Champion‘s Journey“ - a great talk by @lisihocke.bsky.social at #AgileTD ! Thank you!
  
  [image or embed]

  — Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 11:26 AM

• Keynote "Breaking Accessibility Barriers" by Laveena Ramchandani. I really liked that Laveena used the stage to raise awareness on critical issues we encounter every day, with many sites and products not being accessible for way more people than you might think - including yourself! The best part was when she let the audience feel the frustration and emotional roller-coaster of something not behaving as expected. A crucial topic very well presented!
  
• Workshop "Collect your explorer badge" by Udita Sharma and me. We were honored to get asked to repeat this workshop this year after we've given it last year at Agile Testing Days for the first time. Once again, we had an engaged group to explore this different approach to come up with exploratory testing ideas which are easy to grasp and quick to convey to anyone else. I've made great experiences with this approach also with my own team this year, having people come up with great ideas to learn more about our product, new features or anything else we needed more information on to make better decisions. Many thanks to Udita for coming up with the original idea to this workshop and doing it together with me this year!
  
• Keynote "The Obvious, the Obscured, and the Illusion: Navigating the Noise of GenAI in Testing" by Rahul Verma. I liked the call for action to get to know tools for what they are and how you can combine them to solve actual problems that they are fit to solve. This is too often forgotten over the hype that new technology can bring with.
  

It was time for dinner. I've always had great conversations over food and drinks at conferences, this one wasn't any different. The first conference evening is also reserved for the big costume party (where everyone without costume is just as welcome, which I personally just love). Hence, we could already enjoy the amazing costumes folks came up with on the theme of time traveling. Just loved it. My special kudos go out to Anne Colder and Vincent Wijnen who came up with the brilliant idea to take their amazing costumes from last year, traveling back in time - yet having the device fail in the most curious ways including a body swap! Absolutely hilarious and ingeniously implemented.

Time travelling women! #agiletd

[image or embed]

— Alex Schladebeck (@alexschl.bsky.social) November 20, 2024 at 7:29 PM

Then it was time for the big thing that everyone had been waiting for: "The Owl Problem", the first ever musical that Agile Testing Days (and any other conference?) has ever seen. Fully composed, enacted and brought to life by community folks. What an amazing event, so much effort in there, so much courage! Huge shout-out and kudos to the whole crew, you've moved mountains with your performance. The whole audience was in awe of you all bringing everything you got on the table and make it such a memorable event.

The Owl Problem @ #AgileTD ! 🦄🦄🦄🦄🦄

[image or embed]

— Jens Höft (@jenshoeft.bsky.social) November 20, 2024 at 9:49 PM

 

Thursday - Conference Day 2

Next conference day, and I could already feel the tiredness in my bones. Agile Testing Days can be a lot, and no matter how much I can easily advise others on taking it slow and skip sessions and take the rest you need, I fail badly at the same advice for myself. Every year again. Probably because I don't regret going full in and getting the most out of it, and yet it might still not be the wisest decision I make in a year. This day, I've joined the following sessions.

• Keynote "Technical coaching development teams using the Samman method" by Emily Bache. Loved this keynote by Emily, so many important points delivered in such a concise way. Even though I knew the Samman Method already, I've still taken new insights with me when it comes to skill building which triggered thoughts related to my own situation. Emily delivers her content in such a professional and relatable way, I just love that she took the Agile Testing Days stage and people had the opportunity to learn from her.
  
• "Make a fearless start with security testing" by Sander van Beek. Sander did a great job breaking down important security concepts to provide digestible starting points for beginners to continue their own security journey from. I always enjoy learning from others how they convey such topics, and also taking sketchnotes so this kind of content can be spread further.
  
• Keynote "Testing, Identity, and Symbols" by Jenna Charlton. Jenna really made me think with their keynote about my own identity, or rather identities I gathered so far in my life, and those I'm about to add to all of this. Where I feel I belong already, where not, where not yet. And where others might struggle in different ways than I am.
  
• Workshop "First Steps in Mobile Security Testing" by me. My third and final session to give this year was a brand-new workshop. Probably the most daring one, definitely the most complex one I've ever given. I've had the concept in my mind for quite a long time, yet what made this workshop so difficult to prepare for that it haunted me for many months was the setup. This should be a first steps workshop for everyone who was new to either mobile, or security, or both. With an unknown audience and an unknown range of their existing knowledge and skills. In just two hours of time. Well, I might write a separate blog post just on the setup part to fully grasp the extent of this, and hopefully help others find a suitable solution quicker. All in all, this workshop helped me gain insights on how I can reduce the struggles even further for folks. And despite the struggles we still had, it seems to have helped folks to take their first steps in mobile security testing - and giving them this experience was exactly what I set out to do. Special shout-out to Andrej Thiele who wasn't only so kind to share feedback with me afterwards, yet also took time to listen to me on some personal struggles I've been facing - hugely appreciated!
  
• Keynote "I'm managing just fine!" by Lena Nyström and Heather Reid. Such a great presentation of such fundamental questions and situations I could really relate to. I loved how Heather and Lena weaved their own experiences and stories in and how they delivered them in re-acting parts of their actual conversations and their insights gained. It triggered lots of thoughts on my own situation and decisions, what made me go this way so far and why I opt for what to be my next step.
  

There were lots of great evening activities offered. This year, I chose to prioritize self-care and instead opted for having dinner out in Potsdam together with a bunch of folks. Sometimes, getting out, having a smaller group, having a differently loud environment, just helps. This time it was such a good opportunity to also check in with Ashley Hunsberger and Richard Bradshaw. 

Returning to the conference, we've found the brilliant Sophie Kuester and the outcome of her late night snack exchange. Just loved her idea last year already to ask folks to bring special treats from their regions and have all of us enjoy each other's delicacies! Really brings people together. This year I've missed most of it, and yet still enjoyed so many of these sweet and savory explorations. Many thanks to Sophie for this amazing edition in the purest spirit of Agile Testing Days!

Hey #AgileTD friends (and if you're wondering, yes, you ARE a friend) help yourselves to the greatness that is our collaborative candy bar! #SnacksSnacksSnacks #CrewLove #SnacksAreAwesome #TummyAche #HeartBurn

[image or embed]

— Mlle Sophie Pofie (@mllesophiepofie.bsky.social) November 21, 2024 at 11:00 PM

This was also the night when I finally had the opportunity and pleasure to spend more time with Tobias Geyer and talk a lot about things that are moving us, like what impact we have on other people's lives and the systems we live in, and what else we can do to make the spaces we're in more inclusive, using our privilege. Thanks a lot for sharing these thoughts also beyond the conference boundaries! It's a continuous effort and we all need to continue learning and unlearning.

 

Friday - Conference Day 3

There it was already, the last conference day. Agile Testing Days is a whole week, and at the beginning time seems to extend, we have so much of it in front of us together. And suddenly the last day already arrived and time had just flown by. In addition, the tiredness came to the forefront on this day. This year, Agile Testing Days was hosted as a hybrid event, with the main part on-site as usual, yet all the talks being recorded and streamed, plus online activities happening as well. I didn't have any energy to join online at the same time, yet I knew I could come back to sessions also afterwards. Which allowed me to make a wise decision and skip the first sessions on this day to catch at least some sleep. So here are the sessions I did participate in this day.

• "Mistaken Identities" by Sanne Visser and João Proença. Such a deep and crucial topic, delivered in such an entertaining way. Awesome stage performance of both Sanne and João telling all the stories how their identities got mixed up and what they tried to cope with the situations thrown at them. I loved that they used the opportunity to remind people of how quickly things can go wrong, even without bad intentions, and how tools we have can be used for malicious purposes as well. We need to be mindful and considerate when building these tools.
  
• Keynote "Diamonds in the Rough" by Ashley Hunsberger. This keynote really made me think - what fuels my motivation nowadays? I have crafted my jobs in the past, yet what job would I craft myself right now and here? What potential is still lying dormant that would really relight my fire? So many more questions, based on the research and models presented. I loved that Ashley showed both deep vulnerability and such strength on stage, what a role model for all of us to learn from.
  
• "Love in Bytes: QA Engineering for Work-Life Symphony" by Toyer Mamoojee and Reumaysa Mamoojee. How often do we transfer lessons learned from one area of our lives to another? Well, in this talk I learned we should do it more often! We don't learn strategies, techniques and tools for our work context alone. Toyer and Reumaysa showcased how we can benefit from them in our everyday personal life just as well - and vice versa. The stories made the content very relatable, and the paired presentation worked out really well.
  
• "Test like a developer, develop like a tester" by Filip Hric. We need more people spreading the word! I really appreciate Filip for showcasing how we don't need to have such a divide between roles in the same team when we're working on the same goal together. And how much we can learn from each other as well. Very well presented, too!
  

And there it was. The closing session, the many thanks and appreciations to organizers, volunteers and everyone. Final pictures, of course also with the unicorn we all shared the stage with. It was done. Such a happy sad wonderful feeling, it gets me every time.

Lots of people had left already at this point. Some people were staying around, clinging to this community spirit, not willing to let go just yet. Another amazing dinner group, enjoying awesome food together. My chance to also get to know Elizabeth Simister - loved our conversation!

Enjoying more snacks at the hotel. Having an absolute blast witnessing Elizabeth Zagroba run her by now infamous No Vehicles in the Park game with us. Having the day fade out on such insightful conversations on work places, careers, opportunities and more together with Thierry de Pauw, Toyer Mamoojee, and Janina Nemec. Many thanks to all of you.

 

Saturday - Departure Day

Another Agile Testing Days in the books. One that was brilliant in content. One where I once again still got most out of the hallway track, together with all these amazing folks. One that helped me immensely on my current situation searching for a new job, exploring new possibilities. One where I gave back once again to this community I continue to receive so much from. This conference is a very special reunion for quality in all kinds of aspects. We're truly stronger together.

Me: "I really have a lot of mugs, maybe I should get rid of some..." Looks at mugs and keeps all. Gets mug in speaker gift from #agileTD Me: "ok I need one more mug" :)

[image or embed]

— Gitte Klitgaard (@nativewired.com) November 25, 2024 at 5:31 PM