Finally, there's time and space to close my personal challenge of 2024 by looking back at what happened and what I learned from it. Setting out beginning of the year, I had the following hypothesis.
I believe that contributing to communities in new, courageous ways will add value to the communities I'm part of and grow my own knowledge and skills. I've proven the hypothesis when...
- I have contributed in three new ways,
- other people engaged with these contributions, and
- I have learned three new things from each.
Little did I know just how much this turned out to be true! Here are the new kinds of courageous community contributions I've done during the year and what I learned from them.
Open Security Conference (osco)
What was it about? Launch an open space security conference together with Claudius Link, Dave van Stein, Janina Nemec, and Ulrich Viefhaus. We set out to create a people-centered international gathering for everyone
interested in cybersecurity, aiming to remove gatekeeping and barriers
where we can to make security more accessible. The idea of the Open Security Conference (#osco) was born.
How did it go? There are so many things going into organizing a conference, let alone launching a whole new one. We had to make a few hard decisions what to do for this first instance already, and what to park only for later editions if that first one proved our concept. The biggest trouble we had, though, was a topic we didn't have on our radar at first that we completely underestimated. For a few months, the whole conference was on the edge as we had to solve the problem of handling money without having any organization (yet). This took us nearly to a halt; until we figured out a way together with our amazing venue to have all money-related topics, including sponsoring, go through them. Having made it over that big hump, we actually made the whole thing happen: the first ever Open Security Conference (#osco) took place on October 4-6 in Rückersbach, near Frankfurt/Main in Germany! We had two amazing keynotes to kick it off the event, followed by the open space as main part of the conference. We worried if things would work out with a small first group and were very relieved that people really enjoyed it. Read for yourself how the first osco went! People raised a lot of interest in an #osco25, so we can already confirm that we will have a second edition in 2025. We even found five more organizers to grow it further, we're very grateful for their trust and support. Currently, the whole organizing team is on a break to recharge energy, so our website is still on the state of 2024. Yet if you're interested, you can already save the date of 2025, October 2-5 for our second edition! Follow us on social media, Mastodon and LinkedIn, to get all latest updates once we're regrouping next year.
Which three things did I learn for myself?
- Investing in creating an inclusive space from the start pays off. More often than not, this vision needed us to go the extra way. While we're keenly
aware of what we're still lacking (plus the things we're not aware yet),
we received really good feedback that the effort and positive impact was noticed and appreciated -
it was so much worth it.
- It is invaluable to have a mid-sized and diverse enough group to get a big endeavor off the ground. While it wasn't always straightforward what the most effective solution to a problem right now was, we managed to play to the strengths of our different personalities and experiences in the end.
- Having regular and frequent opportunities to reflect on how we're doing and trying out different approaches is crucial. This applies to any group you're working with. We postponed our retrospective to after the conference, while it would have really been worth doing them a lot earlier and regularly throughout the year.
Security Card Game
What was it about? Create a security card game together with Martin Schmidt and Philipp Zug. This idea has its origins at SoCraTes 2023 where I brought the topic of security to the conference and loved seeing lots of folks engage, like Martin and Philipp who invited me to their idea to create a game for fun and practice.
How did it go? We have the main concept, a constantly evolving set of rules and deck of cards. Thanks to Martin, we also have a way to play the game remotely; who knows if we'll also turn it into a physical card deck at some point (it would be great, wouldn't it?). In any case, we hope to bring it to open space conferences and the world. Check out our Security Card Game Github org in case you want to follow along, and make sure to read Martin's SecCardGame post to get a first impression of the game. Having played it a few times, we were keen to present it to others at SoCraTes 2024. To be frank, we were positively overwhelmed by all the folks coming to our session, showing lots of interest, and providing concrete feedback for us. We also found a new contributor as well to evolve the game further with!
Which three things did I learn for myself?
- Early and fast feedback is invaluable. Not a new learning in itself, and yet it turned out to be just as true in this space as well. We made it a point to try out the gameplay and different rules early on and continuously, without investing development time when it wasn't needed. This really paid off! Same as showing our rough and raw game already to the public without polishing it.
- Sometimes it's just fine to contribute in one way only. For example, for this card game I've mostly focused on the content of the cards, instead of the actual implementation. It was something I could do in between everything else, and it still helped as asynchronous contribution until we met again - when we could think of all kinds of things and ideas while being together.
- A little, relaxed, non-stressing, fun side-thing is a really nice side-thing. This initiative was the least stressful of all the things I've worked on throughout the year. We had set ourselves up for a great pace, continuous yet not overbearing, things moved further, not much investment was required in between, I really looked forward to our little sessions. It's nice to have things like this on the creative, energy-providing, playful side.
Project Snack Shop
What was it about? Build a full-stack open-source practice platform as an ensemble with Ben Dowen and Vernon Richards. We were taking the roles of the employees of the fictive company "Make-Believe Labs", taking on "Project Snack Shop" for a customer who wants to digitalize their well-running snack shop business by offering an online shop. This was intended as an as realistic as possible practice platform for all kinds of development activities. From our own vision, to the actual project offer and context, to the first proof of concepts, to team agreements, to design documents, to architectural decision records, exploring walking skeleton options with code, and more.
How did it go? This had been a fascinating endeavor I really wouldn't miss. It's been both fun and challenging to mimic the described scenario and act accordingly. Sometimes taking on certain roles we knew we wanted to play on, like team dynamics and patterns we've observed. Wait, did I just commit a change without telling anyone (he-he-he)? Was that commit message omitting quite a big relevant change? And more! Not everything is publicly shared, but you can follow our main Snack Shop repository to see the latest state. I really appreciate having a project from the scratch where we can try things out, do some things properly, do some things in quick and dirty ways, leave some problems in the system intentionally while discovering others as we evolved it. We also had planned to bring this more to the public in the sense of webinars or streams, getting ourselves even more out of the comfort zone. Ben managed to get us a webinar where we could use our little project to work on specific challenges that are likely to get asked in an interview situation. This was a big driver for us to evolve it just to that stage where we could do the session. Afterwards, we all lacked the time to drive our snack shop much further, yet it'll always be there to work on as a nice practice playground which is closer to a real work situation already by its setup.
Which three things did I learn for myself?
- Building things allows me to use skills I have, yet rarely have opportunity to hone. At the same time, doing so really boosted my confidence that I indeed can figure things out.
- Sometimes you have to build it yourself. There are so many practice apps out there for all kinds of purposes, it's wonderful. What we were aiming for, though, was rather unique, and I'm still not aware of any similar project. Especially doing it as an ensemble taking on different fictive roles and leaving trails and artifacts as it could be!
- Constraints can be really helpful to evolve a thing further. The webinar due date helped us massively to invest time for real, make tough calls on what to leave out, and have the thing shippable. While it's nice we don't have any pressure on the project anymore, now it's lying dormant. Constraints can really be liberating.
Leadership Workshops
What was it about? Offer Shiva Krishnan's and my leadership workshop series to the community. This program proved to be valuable to lots of people in the past, and it definitely helped both us grow immensely. Finally, the time had come to spread the word further and transform our workshops to an open community offer. This year we wanted to try it out with a small cohort.
How did it go? For this first community proof of concept, we decided not to have public registrations, yet to build on our networks. We thought if this goes well, we can plan for more afterwards. We tried to think of lots of things needed to bring these existing (and continuously evolving) workshops to the broader audience, like tools, communication channels, and more. We found lots of interested people. We hosted Q&A sessions to answer most frequently asked questions right away so everyone knew what to expect and what they would sign up for, especially given that this is a series of six workshops with quite some time investment required from participants. What we didn't expect was that all of the above was quite fine for folks, yet the real struggle was hidden in our vastly incompatible schedules! It took us a very long time, staying patient and trying lots of different approaches, to figure out the slots for the first two workshops. Especially as we had to split these workshops up into smaller parts, given that it wasn't happening during working time, but in addition to work for everyone. We're really happy that we found a small cohort of four people who stayed enthusiastic and dared taking this journey with us. The first two workshops are completed, four further ones will take place next year. While we originally aimed to complete all six this year, we're glad we can still do this and learn from fresh community feedback to evolve them further and hopefully bring more value to community.
Which three things did I learn for myself?
- It's hard to live up to your own values and leadership beliefs yet the impact of doing so matters. Especially when you give workshops on exactly this topic. Leading by example most often means not taking the easy route and finding ways that work for people while staying true to what you preach. It's been worth it big time, and I'm glad people now have a space that fits and continues to adapt to all of our needs.
- Community editions can be different to work sessions in unexpected ways. This turned out to be very true when having people co-create the space instead of just proclaiming a date and leaving it up to people whether they can join or not. Scheduling is a hot topic also in work contexts, especially across different roles and departments at the same company. The fact that we're working for very different companies in different modes, with very different private lives and personal needs as well, made our schedules even more diverse.
- Make the decision, especially when it's difficult. Originally, we wanted to start with a cohort of six people. Small and doable, while still viable. We had to make the tough decision to reduce the group to four folks to make it work at all, and communicate it accordingly. This was no easy decision at all, and at the same time the outcome shows us that it seems to have been the right decision in the end. We have a great group of engaged folks where the whole concept really works for everyone.
Conference Sessions on Security
What was it about? Give conference sessions on security. Ever since I've had my first pair testing sessions on security in 2018 I've been diving deeper into the area each year. I've given several sessions in company settings and at open spaces. This year it was time to extend my conference speaking to security topics and hence contribute in new ways in that space as well.
How did it go? At the beginning of the year, I felt I could at least try to submit security-related proposals to some conferences. It would already be worth daring the mere submission and learning from it. And then it was actually working out, way more than expected! The Software Teaming Online Conference gave me rather free rein, so I made use of it and hosted an ensemble session to Capture the Flag Together: Security for Everyone, co-facilitated by Lisa Crispin. This idea was based on sessions I've given many times at various open space conferences and at work as well, so I was on familiar ground to start with. Then Agile Testing Days accepted both of the new security sessions I've dared to submit! Hence, two brand-new sessions, the workshop First Steps in Mobile Security Testing and the talk A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day had to take place. And then SoCraTes also came and asked me to give a training again this year - maybe I could do something about security? I was so happy when I read their message, it seems all the security related sessions I gave at last year's SoCraTes had really caught their interest. So I decided to create yet another new workshop that would fit well as a foundational training: Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day. Overall, these four different security-focused sessions had been accepted by conferences, and I was very excited about these opportunities. Yet another highlight was to come. Encouraged by all this, I dared to submit my brand-new talk to my first security conference ever, BSides Munich - and it got accepted for their main stage! Speaking there was definitely one of my biggest achievements unlocked for this year. There's a recording of this inaugural talk which makes me even happier. And as it goes with speaking at a conference, it also helped me massively to get further connections in the security space.
Which three things did I learn for myself?
- It's worth daring to share what you've already learned on your journey. A lesson I've re-learned for myself. You never know who's going to be in the committee or audience, it might just be a great fit. And you don't have to wait to be in an exact role, position, time at life, or whatnot to start sharing. It will help you gain confidence and a clearer understanding of the topic as you need to convey it in approachable and digestible means.
- Sometimes, the answers are already within you. I've learned this the hard way: just because you've seen a workshop setup play out nicely, doesn't mean you can replicate it that easily. My mobile security workshop haunted me for months, not because of the content, yet due to the complex setup that I needed to break it down and make it as accessible to beginners as possible. I've asked lots of people at the conferences I've been to how they would tackle it and gained lots of good hints and tips. And yet, in the end, none of these really solved my problems. Instead, the answers were already within me, I just needed to build up the confidence to remember all the pieces of the puzzle that I've already worked with throughout my years in tech, and bring them together in a way that it solved this one. And indeed, once I had gathered further confidence, I managed to figure everything out. Even during the workshop when I still needed to debug a few things live. It worked, and I can use this to ground myself in what I actually know and trust myself more.
- Putting yourself out there on stage creates so many new connections and hence opportunities. Again, not a new learning, yet a re-validated one. Especially my new talk helped a lot with this, initiating lots of interesting conversations already at the conferences and also afterwards on social media. It also led me to having a dedicated call to talk about security champion programs and how to overcome struggles with someone I unfortunately missed at the conference, yet was lovely to meet online! Connections with like-minded folks are just invaluable. This talk even helped my job search - that I wasn't even aware was needed when daring to submit the session in the first place. Lots of good came out for me so far from giving back to community.
Running out of Capacity
Obviously, there were more ideas for even further new contributions to community this year. Creating an own capture the flag (CTF) team, contributing to an existing open-source project, maybe even really start writing a book. I'm glad I held back with these. First, there are further years to come. Second, well... taking on this challenge to contribute in manifold new ways was already filling my schedule to the rim.
So, what did I learn overall? That this year was wild. It was a constant hamster wheel. Having work being very stressful as well did not help at all. Private life was okay, though not that easy to navigate either. Overall, it was wildly too much and I really need a break now. I could have chosen a break in between at any time, yet it would have meant letting a lot of people down, including myself - so there's little to no surprise that I didn't take any break. Yet looking back at a year when I neglected most of my pure self-care activities like playing computer games (only picked it up again this month), reading fiction books (lay dormant for months as well), drawing (I remember I did it once during this year for a gift and that was about it). All of these bring me a lot of joy, and that source of energy became non-existent. At least I still invested a bit in exercising, yet as I'm doing team sports it would have also meant letting others down so of course I didn't cut short in this area. Well, it really helps my own health, so I'm still happy I didn't. But the big personal lesson for me here is that for a year that I intentionally set out with "energy & joy" as my motto but that was exactly what I lacked most - is that I must not repeat this. Whatever I do next, for any challenge, I need to build in self-care once more deliberately. Otherwise, I'll trick myself, just as I did this year.
The second big lesson? Each of these new contributions could have been a personal challenge of the year. Cramming them together in the same year meant I had less focus on each of them, and over-committed myself, hence putting artificial self-made stress on myself when life was already stressing me out enough without me adding to it on top.
One more final lesson: anything you say yes to means you have to say no to something else. I'll have to see what other endeavors that I used to do are those I have to say no to next year, as many of the above community contributions are to be continued in 2025 - they don't just simply stop now. At the same time, I need the capacity and freedom to also go new ways and have actual slack time.
In Conclusion
My 2024 personal challenge is hereby officially closed. Looking at all the things I've worked on this year as part of it, I can definitely confirm that I have contributed in more than three new ways this year, that other people engaged with each of these contributions, and that I have learned at least three things from each.
I'm very grateful for all my co-conspirators in all of the endeavors described above. Without you all, my pieces alone would not have completed the puzzles we were working on together. Many, many thanks to everyone!
This year's personal challenge to contribute in new ways had been quite a heavy one for me, and yet it helped me set myself up for good things to happen in 2025 - and I'm here for it!
No comments:
Post a Comment