Tuesday, August 19, 2025

The Calmness Tide - It Comes and Goes in Waves

Remember I'm doing a personal challenge this year? It's all around my inner critic and finding calmness again while being content with steady progress, even tiny steps. To be frank, the first half of the year was rather packed and exciting. Not the easiest moment to find calm in everything, so what better time to do this challenge than this year?

 

What happened? 

Career-wise, I started a new job and also switched roles by doing so. As a security engineer, I'm now fully focusing on product security and all that comes with it. You could say I'm still a specialized generalist also in this field, yet that's food for thought for a dedicated post. 

Starting out at my current company was challenging in different ways than I expected. Over six months in, I can now share I definitely made the right choice when picking this role, company and team. I really enjoy my time there and the impact we can have together. At this place, I can go at a sustainable pace (and am even encouraged to do so). I can contribute using the knowledge, skills, and network I've built over many years. At the same time, I can learn so much more in an area that intrigues me every day. 

I love my new position as a security engineer. I found that it's both very similar to my past roles (e.g. with regards to building value in from the start, affecting change, fostering a collaborative learning culture, the holistic technical system knowledge, a whole variety of things to learn and do) - and it's also very different (now I'm focusing on security as one main quality aspect, and I'm in a central enabler team which brings different opportunities and challenges to face).

My team is just awesome. In the past, I've never joined a team where I encountered such maturity, accountability, and reliability in my team mates right from the start. We've grown into a real team in no time, and continue to find better ways to work together with each other and the engineering teams we support. Things like prioritization of the highest value initiatives, balancing reactive and proactive work, increasing resilience through sharing work, providing sounding boards and pairing. We even had first ensemble sessions. The usual, and yet from a different perspective. 

The company keeps surprising me in very positive ways, especially when it comes to upper leadership and acknowledging both achievements and shortcomings, plus their own accountability in this. Taking concrete actions to find better ways. Mind you, this is not taken for granted at all. Also, I do appreciate the culture that's currently in place and keeps evolving. Yes, there's room for improvement (wouldn't it be boring if not?), and yet: when it comes to working with the other engineering teams I've encountered folks being genuinely open to exchange insights and learn from each other. This makes it so much easier for everyone to make informed decisions together on what is feasible and worth doing to increase our product's security posture.

Personally, I love that I worked on a variety of topics already. They went from improving the ease of vulnerability scanning, to security reviews and threat models, to assessing third party tools to integrate into our product. From investigating infrastructure alerts, to alerting teams ourselves of new vulnerabilities discovered, to joining incident investigations. Discussing risk, thinking ahead on scaling and enabling teams. And many more. Well, there are lots of topics worth sharing and I'm going to see what I'll mold into future content.

 

That wasn't it, though.

Not by far. There are also the community things I'm pursuing next to work. Here's what I focused on during the first half of the year.

  • I'm co-organizing the Open Security Conference for the second year in a row. We've had to find ourselves in our new organizer team, and had quite some prep work to do. We're currently in the hot phase - registration is open, and the last operational bits need to get done to set things up for success. It's looking good though, and I'm really getting excited! By the way, we're looking for further sponsors to get the price down for everyone. In case you're interested or know companies who would, please reach out. We'd be truly grateful for your support!
  • The leadership workshop series that I co-facilitated with Shiva Krishnan for a first community cohort is now finally finished. Phew, that was some kind of a ride! It took us over a year, yet it's done and we've learned a ton. We were glad to hear from our cohort that this series was really valuable for them. It'll need further reflection how to move on in the future. For the current cohort format, we had heavily underestimated the difference between doing such things with colleagues at work or with community folks next to work, where personal schedules play an even bigger role. But we made it! At least for this year, this topic is actually concluded.
  • As a leisure side project, I'm still working on the security card game with my fellow co-conspirators. Slowly but steadily for real. The last SoCraTes really encouraged us to keep going. Good thing here is, while it still needs time investment, it's constrained and highly flexible, without imposed pressure. 
  • I've started my first capture the flag (CTF) team for real. We participated in our first CTF this year and it was a blast. We keep meeting regularly for practice, and looking out for further intriguing CTFs we can tackle together. I've learned a lot already through this fun deliberate practice setup, including that I still have a long way to go. These challenges can be super frustrating. "Easy" labels got a whole new meaning here - it really depends on what you're already familiar with and what not, and how much is in your "go to" list of things to try based on experience. And yet, they're so worth it. I love that this team is very collaborative, really tackling challenges together which makes it special to me.
  • That not being enough, I've joined my second CTF group after SoCraTes. It's not really a team to take on CTFs together, yet people are regularly coming together online to try their hands on practice machines and help each other as they go. This is another interesting opportunity for me. I've already seen it help me hold myself more accountable to practice during the agreed time even if no one else is online.
  • Of course there's not only the "calm" part of my personal challenge this year, there's also the "steady" part. Meaning, I'm working actively on learning topics. I've started with a variety of things and realized that while variety is nice when you just want to follow your energy, I need more focus to perceive progress as it's very small each day. Right now, I've reduced my options to mostly the CTF hands-on practice opportunities I described above and reading books. I'm moving very slowly yet steadily, while trying to keep my inner critic at bay. No matter how fast others consume such books (like, over a weekend, while it takes me months). On some days that's easier than on others! 
  • As I've done over many years, I'm still having both regular and on demand calls with community folks to exchange knowledge, ideas, and inspiration. Granted, they do cost time and yet they are a valuable investment into fostering my network and learning through serendipity. The good thing, more often than not, I'm regaining energy from such check-ins. They make me realize time and time again why I'm doing what I'm doing.
  • Conference season is starting in fall this year for me. I've paused things for the first half due to changing jobs. Every time I do so, I first have to figure out what's okay when it comes to speaking engagements and the off time that comes with it. I'm ever so grateful for my truly supportive and encouraging manager here! Again, not taken for granted. It makes it so much easier, though. So yeah, conference season starts in fall which also means preparation takes place before. Even though I'm giving sessions that I already gave last year, I still need to invest effort to arrange things. I have four conference speaking engagements lined up for the rest of the year (plus my own conference of course). At Agile Testing Days, I'm also co-chairing the brand-new security testing deep dive track. Enough to keep me busy for the rest of the year! 
  • Last, definitely not least: Physical health is keeping me pretty busy as well next to my mental challenge. Fortunately, nothing too bad so far, yet stuff that has built up over many years is now cashing in. It's more than enough that I needed to prioritize this and deliberately work on a few areas in a more focused way. The bad news is that this is also consuming lots of time and energy, while at the same time I clearly need more rest and sleep. The good news is that this effort is perceivably paying off (slowly, very slowly - I'm needing lots of patience).

 

The Challenge of No, Not Now, Not Anymore, Just No 

I realized a few things that would help me on my journey of struggling less. And most of these came rather quick and easy, like "I'm okay with only making little progress with my challenge topics". I was surprised how easy. Or being okay with balancing out my working hours every week. Others were fine too, like documenting influences on my health and indicators of calm. I was okay to document all the activities I'm doing, how much time I spend on them, and what I want to do differently in the future. I even managed to actually make some of these changes (at least temporarily). Yet then I struggled massively. I knew I couldn't go on doing everything, I had to cut things. Yet which? I had already cut them to only things I really want to do.

That made me realize, even though I'm saying "no" to lots of things already, I've accumulated way too many things that I've said "yes" to in the past and then just never let go. And I still say "yes" to new things as well. That simply doesn't add up, given I still have the same amount of hours every day that I can use to a highly variable degree that's different every day. So I tried coming up with a rather short list of things that are truly important to me as of now, and focus on those. Worked for a short while. This way, I even came up with yet a shorter list of things I claimed to be the main recipe to joy and calmness while learning! And then a very stressful period of six weeks followed, and I threw everything overboard. Maybe it truly is the recipe for me - and still I might not listen to it. So I created yet another new list of the things I'd like to transition my focus to. Plus a new version of my recipe, as you do.

And yet, nearly every week feels like a puzzle to solve, another round of Tetris (for the record, I hate Tetris), a house of cards that might collapse any moment an interruption occurs. It doesn't feel sustainable. At least not yet. Too often, it feels more like pressing on to make everything happen without stopping to think. Which also means, it's harder to celebrate achievements and enjoy the little moments for longer. It's harder to keep up my energy - even though I know I can do a lot if I have the energy.

One thing that did help me so far was pressing the pause button on blogging. It truly hurt and at the same time was a relief. Something simply had to go. Even though I wanted to take time to reflect on things publicly, I reduced it to my private space only. I still kept journaling throughout the year, and it paid off heavily so far. Not only to get some thoughts out of my head and documented for my future self, but also to see in hindsight how things actually progressed. All that, while only spending a few minutes per day on it, which is a huge difference compared to doing this more publicly on a blog or just social media, even when keeping things informal. What helped with this temporary decision was that I noticed I had stopped one thing for a whole while now, mostly related to my former work situation: posting public notes on social media on what happened day by day, what I learned, the experiments tried and insights gained. I simply didn't have the capacity and energy for it. My conscious decision to pause blogging for now was indeed a good one for the last months. Only these days are now starting to be way less hectic with more time to sit down and write about what's moving me. Let's see what happens.

There's more to cut, and cut for real. Probably a lot. Ruthlessly. To regain focus, headspace, and slack. Very tricky challenge for me. So this is by far not solved. Instead, I only became even more acutely aware of the issue. I do indeed spread myself too thin. I rush from one thing to the other, one due date to the next. It's a hamster wheel that keeps me from thinking. Yet calm thoughtful focus is what would help me most. Let alone that I also want to start (or re-start) other endeavors which do need time investment. More to think about.

So, probably the hardest thing that I'm still working on is shifting my priorities in how I (want to) spend my time. Haven't figured that one out yet. And as of today, that's strangely okay and not okay at the same time, and I still don't know what to do with it. 

 

The Importance of Being Joyful 

Speaking of slack. I really want to cut myself more slack. And I really keep struggling doing so. Slack for pure joy topics, like playing computer games. It's one of these things I truly do just for myself, no one else. In the last half year, whenever I had lots of tasks to do in front of me (like, every day), and yet I said "I don't care, I'll play a game first", that day was a good day. Preponing play before work seemed to somehow really wake me up, calibrate my brain and enable me to think. Any work I've done afterwards was way more effective than on other days. And these days felt good. I've found myself a new mantra this way: "Play first, work later". On bad days, it's still hard to unlearn the former "business before pleasure" indoctrination I grew up with. It just meant for me that play never comes as work never ends. I'm still optimistic that finally I can rewire my brain and replace this with the new narrative that works a lot better for me at this moment in time.

Another realization I've had was that I reserved "joy" for only those "pure personal joy without any other purpose" things. Like playing computer games as mentioned. Or... well, what else? Lots of other things also bring me joy, yet "they don't count" for my brain. Like enjoying a really nice cup of tea. Several times a day! So many different flavors! I could go on endlessly on how much joy this brings me as I absolutely adore tea, and it's my perfect example of finding lots of joy in the little things. Or how about reading fiction when already in bed? Yes, brings joy, yet nah doesn't count, that's just a normal thing I'm doing anyways. Nothing special. But that applies to lots of examples. Like watching an episode of a TV show during dinner. Or just taking a few conscious breaths of outside air. Or loving the rewarding payout of exercise (heck, even the time while I'm exercising). Or meeting friends I truly enjoy spending time with. Or when I realize I learned something new, that moment it clicked when another piece of the puzzle found its place. Why do I never count any of these as joy while they clearly are very joyful?

 

Paying Off Plenty 

Overall, the last months were a lot. Surprisingly or not, my calm and steady journey pays off. Not because I was always as calm as I wanted to be, or as content with very small progress as I'd love to be. But because I listened a lot closer to my own needs, to my own wishes, to my brain and my body. I keep observing more what's going on with me in each moment and what makes me respond in which way. I become aware of further things that impact me in certain ways. Through journaling, I realized that my inner critic got rarely loud and noisy this year which is great news, as this would render it useless. Only sometimes it did alert me to something that was actually a valid concern. Like at times when I realized I indeed don't know enough on a certain subject, or when I haven't invested enough time into honing a skill while others clearly had. The rest of the time, my inner critic was actually quite calm. It's almost as if trusting my inner critic to have something valuable to say, actually calmed it down.

Calmness comes, calmness goes, and then it comes again. I can trust that the phases when I'm not calm (like, literally last week when my mind once again ran wild fearing nothing's going to work out) are indeed just that, phases. Usually, it's because I lack clarity or structure, or feel overwhelmed when too many things need my attention at once. When that happens, my ability to think degrades and I spend more and more time on just managing that. Once I get through this period, e.g. by getting all my thoughts written down before me where I can see them clearly, then bringing structure to them so I can tackle one by one and hence get things done (even if slowly) - then I'm riding the calmness wave again. And things feel good. What helps here immensely, is that my work environment really calmed down thanks to having switched jobs. Now for the rest, it's mostly my own brain and body. I can work with that.

My plans for the rest of the year? Continue this challenge. Create content. And contribute to conferences. Lots of C's, as it happens. But not without the main ingredient for everything: calm.

Sunday, August 3, 2025

SoCraTes 2025 - Coming Home

For the fourth time I've come home to SoCraTes, the International Conference for Software Craft and Testing. It already felt like coming home last year and I knew I wouldn't miss this edition. And it even felt more like home this year. I love this colorful crowd who are so eager to learn with and from each other. It's been a wonderful place for me to test out security-focused sessions that I could bring to conferences and find like-minded folks for lots of community initiatives I'm contributing to. Here's my report for 2025, to help my future me remember and maybe inspire more folks to give this awesome conference a try.

 

Arrival on the Day Before

I've had the pleasure to share my train ride with Martin Schmidt, a dear friend I met a few years back at SoCraTes, and hence slowly getting into the vibe of exchanging knowledge and experiences that would await us at the conference. Not only on all things tech and software, yet anything that moved us at that moment, ranging from personal lives, career situations, societal and socio-technical systems we're part of, hobbies, passionate projects, health, personal realizations, and more. Literally anything, as full humans. Which is what I love about this conference. We can't fully separate our work selves anyways - here we really don't have to.

SoCraTes cares for people. This shows from the start when we still tested ourselves for Covid before mingling with others - which was a great catch, unfortunately there were cases who then couldn't enjoy the conference. This evening, I've seen the first folks again I've already met the last years as well as new acquaintances. Like meeting Ruth Malan for the first time in person, after following her for a while on socials! Dinner time is perfect for this, checking in with each other, exchanging hopes for the next days. This is also why I love to come early when not as many people are there yet, it really eases me into the conferencing joy awaiting me without the mass of people instantly overwhelming me. 

 

Training Day

This year, I did not give an official training myself, so I was completely free for a change which was also really nice. The training sessions I've joined were the following.

  • "Know your tools: git" by Martin Schmidt. Yes, I do know git and used it for a long time. And at the same time, I'm well aware of all the things git also offers that I don't know about. Lastly, I usually always learn something new when joining trainings by other folks as they will structure content differently, explain things in different ways, and so on. Hence, I was curious about what I'll learn from Martin! I really appreciated that he had various modules prepared so the audience could choose what they were most interested in learning about. Same applied to exercises versus theory, kudos to him for listening to people's needs here! Martin had prepared a whole website for the git training with instructions and all kinds of useful commands - such a good resource to take with us. Conclusion: I indeed knew quite a bit about git before and yet I learned about features new to me that come in handy.
  • "Digital Dominoes: Understanding Modern Security - From Supply Chain Attacks to the life cycle of a vulnerability" by Avraham Poupko. Avraham reminded us that while most of software security is a discussion that assumes malice, that there's an evil person on the other side who wants to take away what we consider to be ours, that there's also the side where it's about negligence, like losing stuff. He walked us through the lifecycle of a vulnerability and emphasized that confidence in a company can be really shattered through CVEs - no matter if they are fixed or not. Avraham elaborated on supply chain attacks and what common attack patterns are, how trusted and yet verified sources are crucial. He left us with a few practical action items: security by design, not by accident; patch fast, patch smart; and monitor everything, question anomalies.
  • "The Evolution of Team Co-intelligence: from Knowledge Work to Learning Work" by Diana Larsen. I've been following Diana for a long time on social media. This was my first opportunity to meet her in person and join one of her workshops! It was such a great session. We both learned theory and could instantly apply it in the group exercises, observing the group evolve and grow together. Diana provided lots of tangible advice, and language to talk about and take action on observations we make at our work places. For example, she shared how teams need purpose, autonomy and also co-intelligence to be effective motivated teams. She defined co-intelligence as collective intelligence + collaborative intelligence + trust + learning-centered - sharing ten qualities. We walked through all the steps we have to achieve to really reach high performing, or even resilient learning teams - and as with so many things, it has to start with building trust. Diana made us think of what we bring to our teams, what we can do to build co-intelligence, and what makes learning leaders. All of this has resonated a lot with me and my experience within teams so far.

After training day, the main conference started with the official opening and the world café. This is a great opportunity to get to know more people early on. This year, we had a different question per room to think about as a group, and these questions went rather deep. Like "If you could send one piece of advice back to yourself from 10+ years ago, what would it be?", "What's a skill you wish you'd developed earlier in your career, but you're glad you're learning now?" and "What's the most valuable mistake you've made in the last year, and what did it teach you about your craft?". Pretty daunting to break the ice and get to know each other! Yet it was great to see people share and open up, trusting this process and the space. I admit, these questions made me realize a few things about myself as well.

 

Open Space Day 1

The main conference consists of two open space days. With this conference, this is truly special, as for an open space I've never seen a bigger crowd so far. At SoCraTes Germany, it's usually around 200 people, all co-creating the program of each day in the morning. You never know what exactly will happen, and yet there will be so many amazing sessions to choose from that fear of missing out is high. I learned over the years to just let it happen, go with the flow, and also listen better to my needs to take breaks or tackle a different task that's on my mind. And yet, of course, I also had to propose sessions myself. An open space is just too good an opportunity not to! Especially as this is a chance to test-drive talks and workshops, to pull information from all those knowledgeable participants, to try something out together, to discuss societal topics, and so much more. Here's how my first open space day went.

  • Hallway track: I remember I was tired that morning and I couldn't decide which session I wanted to go to, there were many interesting ones. As it happens, I didn't have to in the end - as I met awesome folks in the hallway and just went with having a nice conversation there. Both insightful and helping my brain relax and ease into the day.
  • "Building Secure Enough Products" by me. I was really curious about what people experienced to be bumps when trying to build secure software, and what they perceived as boosters. Now that I'm in the position of security engineer, this was even more interesting to me to see what we can do at my company to foster a culture where security measures help people accelerate delivery of sound software and prevent the things that get in their way. Loved the engaged conversation and collection of topics! 
  • "Sticky-Business" by Corstian Boerman. Corstian shared a fascinating story with me last year which led to many and more conversations. Because one day, he had found an envelope with a USB stick in his mailbox. This year, I nudged him to host a session to share this story of reverse engineering a USB thumb drive and what he learned from it with more people and was hyped that he agreed to do so! Make sure to check out his slides.
  • "Capture the Flag Together (For Beginners)" by me. I admit, SoCraTes was THE conference where I started these sessions and learned to love them. Like, for real. I've started them as very collaborative, whole group ensemble sessions to find the secret flags and solve these security puzzles together, using Hack the Box labs as our safe practice space. We've already found quite a lot of flags in the last years, and this year I decided to host a beginner session first before continuing the fun discoveries during the evening times. Seems it was a popular idea! Lots of people joined and we enjoyed cracking a few of the starting boxes together in just an hour. Some of these folks then also joined the evening sessions; it seems they got hooked just as I did back in the days! I just love seeing folks having fun learning more about security and ways to get into a system - it teaches us a lot about what we need to do (or should not do) to prevent this and defend the system.
  • "What does non-patriarchal, anti-capitalist* software delivery look like?" by Andrew Harmel-Law (* Intersectional (anti-colonial, anti-racist, anti-classist, anti-sexist, anti-ableist, etc.) & inclusive. We don't just build and run software; we live in our codebases.) What a very interesting conversation on all kinds of company systems and choices to deliver software. Lots of people engaged and shared their experiences and open questions, the challenges and opportunities they see. Quite a heavy topic at this point in the day, and still such a very much needed space to have these kinds of conversations. We will need to continue them and run experiments to find out what we can do to do better.

Dinner time! Lovely conversations. And it wouldn't be an open space and definitely not SoCraTes, if there weren't evening sessions suggested as well. Well, I was eager to host "Capture the Flag Together (For Adventurers)" sessions, of course! This evening, we spent four hours trying to solve a seasonal machine. We had found the user flag, yet the root flag still eluded us. Getting really tired, we concluded the session by midnight and called it a day, with the intention of trying it again the next night.

Oh, and it wouldn't be SoCraTes if we wouldn't play games either! Like the already traditional rounds of SET together with my dear friend Janina Nemec and anyone else who wanted to join.

Yeah, late nights and lack of sleep also come along with SoCraTes for me. Yes, it would be a lot wiser to join those who go to sleep early. No, I still cannot do this. Yes, I'm still (sort of) regretting this every single day after. And yet. It's just so good and such a unique chance during the year.

 

Open Space Day 2

In the beginning, it always feels like we're going to have so many days together, so much time to check in with everyone and learn and enjoy ourselves practicing whatever we're up for. And then the second open space day usually comes a lot sooner than expected! Well, here it was, with further sessions.

  • Hallway track: Yep, yet again I started the day opting out from a formal session and instead having a great conversation in the hallway. Maybe I should make this a habit, it really helped get my slow morning brain going. This time, we talked about our varied experiences with AI tools. We also wondered about the utter lack of beginner positions these days. I mean, where should all those senior folks that companies are looking for come from in the end?
  • "Navigating Spaces". What a beautiful session, thanks so much to the host for creating the space for it. Lots of people opened up and shared parts of their identity and their struggles to navigate the spaces we're finding ourselves in, even within very open ones. We shared what helped us so far, what tips we tried and more. These ranged from embracing discomfort, doing things anyways, that companionship helps just as well as avoiding assumptions. Looking for the little indicators and signs of shared connection. Really thought-provoking and just wholesome.
  • "Hack the Parrot - Prompt Injection" by Jan Gregor Emge-Triebel. I had it on my list for a long time to practice prompt injection using Gandalf. Finally, this was my chance to do it for real! Loved that Jan hosted this session. We all learned a lot trying to trick an ever-evolving Gandalf into revealing the secret password to us. Such good fun and oh so relevant in our daily lives, as it's getting harder and harder by the day to get around LLMs and other AI tooling.
  • "Micro-retros, macro-retros, ad-hoc retros, continuous improvement" by Diana Larsen. Diana introduced us to lots of advice and tips on how to really achieve continuous improvement. Instead of waiting two weeks, we can include very brief retros in our everyday work. Sometimes, we need more folks to come together and reflect, not just our teams. Sometimes, we need additional retros on demand. Yet what matters is that we really activate our own learning by finding the right cadence, learning at the right scale, learning as frequently as possible, and continually improving.
  • "Getting into Security - Career Options" by me. I didn't plan to give this session, yet I was kindly asked to do so by another participant. How could I say no? I wondered if it would be interesting for more people, and then quickly realized - yes indeed, it was! Didn't expect so many folks to join and listen to me sharing my own journey into cybersecurity. For me it was also great practice in impromptu improvised storytelling - such a good skill to hone. It was great to realize that there's real interest, I might end up making a full session out of it. People appreciated me sharing my non-traditional way into tech and security, daring more as I went. They asked lots of questions, like what my everyday job looks like, about penetration testing, about certificates, and much more. And I was totally blown away when one person shared that I'm THE security person for them, given my history of bringing security sessions to SoCraTes. Just wow! That's also the beauty of an open space: be prepared to be surprised.

As the main part of the conference ended, dates for the upcoming sibling SoCraTes conferences were shared. The organizers were so kind to allow Janina Nemec and me to also plug our own open space conference, the Open Security Conference - which originated at SoCraTes 2023 thanks to Claudius Link. In case you're curious, registration is still open - maybe see you in October!

After a lovely dinner with my dear friend Thierry de Pauw and their daughter, it was time for evening sessions again. And, how else could it be, a bunch of courageous adventurers dared to look for the secret root flag in another round of "Capture the Flag Together (For Adventurers)"! We can proudly report, we did get it together within around 90min. And then we talked for another 90min. And then we got curious about further Hack the Box challenges, like for mobile. As the first one was really straightforward, we dared more. And ended up sitting long past midnight to de-obfuscate a piece of decompiled software to finally also get that flag! Many, many thanks to every single one for joining me on these fantastic journeys. I really cherish going on them together with you all.

 

Workshop Day

The final day of SoCraTes is dedicated to workshops everyone can propose and host. I've often joined the code retreat this day, yet this year, Martin Schmidt, Philipp Zug and I wanted to host a session on our own security card game, one of those other endeavors originating at SoCraTes. Last year, we hosted a session to introduce the game to people and received lots of great input. This year, we wanted to show our progress and test out the new additions like reputation and game scenarios we've added. We had a small but lovely group who were super hyped about this game as it initiated such good conversations on all things security, and stories to share. Two of our participants even shared that the current state would already be good enough to use in workshops! Such lovely and really encouraging feedback. Once again, more ideas were gathered, and we'll continue working on this leisure-time, low pressure and fun side project.

In the afternoon, I had planned to join another workshop, yet things turned out differently. You know, as they tend to do at SoCraTes! Instead of another workshop, I had wonderful conversations with various folks keeping me company. Talks about organizing conferences, company cultures, career choices, computer games, creating IDEs, and so much more.

The day flew by, and more and more people left the event, going back home. As usual, I chose to leave the next day only, as this way I could ease out of this awesome conference space and still enjoy the company of the last people standing. The last years, we've found various fun activities to end this last day. This year, things happened differently. After having dinner, my table round got small, down to two people. And then it grew again organically with more and more folks joining in over the course of many hours. We had a wonderful round of around eleven people, mainly having a group conversation about anything. People showed their pieces of art and craft. People shared fun stories. We talked about the past and the future. Or sat silently with each other at times, just enjoying our company and being there together. And as the night grew longer, the group grew smaller again, until we finally also went to bed.

A very wholesome ending to a wholesome conference.

 

All in All 

My huge thanks go out to so many people I've met again this year, and many people I met for the first time. You all know who you are. You are all awesome at co-creating this place together. My special observation this year was that this time, I didn't have to spend energy on calling out unfortunate behavior, calming down dominant voices taking up all space, and instead holding space for everyone to share. Or non-inclusive language and the like. This year, folks were really considerate, at least in the bubbles I've been part of. It just felt good and allowed us to spend our energy on things we wanted to spend it on. This was a real glimpse of how it could be.

Did I mention this conference offers and encourages physical kudos cards? Years back, I was hesitant about this. Nowadays, I absolutely love them. It's such a fascinating thing to give someone a kudos card, thanking them for what they did or who they are, and seeing their eyes light up. It's incredibly touching to receive those cards as well. I hold mine dear over years to come.

Another thing I've noticed is that more and more folks seem to bring security-related sessions, and I love seeing it. We have even created a new channel for us security enthusiasts on the SoCraTes Discord, and sharing doesn't stop just because the conference ended for this year. I think we have something going on here. This crowd really likes to learn more and do better. And as always, they continue realizing they do know a lot that helps on this journey. Personally, the collaborative capture the flag sessions are really the banger. They bring all kinds of people together, create a great atmosphere, and facilitate us learning so much from each other. Going through frustrations together and also celebrating our wins. Just awesome and wholesome. 

I'm still processing all the insights and inspiration and energy I once again gained from SoCraTes. This conference has a fixed slot in my calendar also for next year. Therefore, my final shout-out goes to the organizers: Huge thanks for creating this wonderful space for all of us every year again and again! It's been awesome and getting better every year.

Monday, March 10, 2025

Calm and Steady - The Joy and Overload of Starting Something New

I've been postponing this blog post for a while. Once again, I'm finding myself in the situation that I literally have to push myself to sit down and start writing with the intent to publish something in the end. To show up and let whatever comes out of it be good enough.

Interestingly, as I've picked up journaling for this year's personal challenge of #CalmAndSteady, there's nothing holding me back from taking note of what's going on in my head day by day. Yet blogging... is a bigger step after all that takes a lot more time. Even though I'm doing this for myself and my own learning in the first place. Well, I've just learned again the last month that my ramblings, musings and public reflections seem to have helped someone in my circle. I'm always super glad to hear this, it's the best bonus I could imagine! My posts definitely aren't for everyone, yet if they help anyone move a step forward on their own journey, what more could I want? 

Alright, let's get to it and look at my last month. So many things happened! It's been really good, and really overwhelming at the same time. While rationally knowing there's only so much I can do given the time and energy left to me, I still had a hard time giving myself grace. I'm still learning to keep my calm, and that steady can also mean a tiny fraction of a small step a day as long as there's movement.

 

New Job, New Role

First the obvious: I've started out at a new company, as a security engineer on their cloud security team, focusing mainly on product security. So many uncertainties and at the same time opportunities come with this! I'm super glad I took this leap, it's already been very rewarding. My new team is awesome: folks are lovely, really knowledgeable, and actively helping each other grow. The domain and product are very interesting and challenging, offering an intriguing mix of valuable legacy and modern innovation. There's plenty of opportunity to have positive impact and really grow there as well. I even have the pleasure (and pain) to dive into yet again a partially new tech stack! Granted, I really do enjoy figuring things out and comparing mental models with what I've worked with before, so that can be counted as a plus.

A new job comes with different constraints and freedoms to adapt to. Based on that, I had to shift my daily rhythm once again, which always takes time adjusting to. Also, adapting to being on-site at the office at times, which comes with all downsides and also benefits. I really forgot how much time is lost just crossing distances, though! Plus dealing with noises, too low room temperature, and so on. And yet it's lovely to see my teammates and other colleagues in person and enjoying lunch together, I really missed that. I'm glad I have a basic grasp of this company's and team's rhythm by now so I can also organize my community endeavors around it without too much of a hassle.

Learning something new can really take a toll on you. I've totally underestimated how much it would on me, it didn't feel like it while going through it. The onboarding was and still is great, the pace feels very sustainable, I enjoy learning lots of things and exploring more every day. And yet. It seems time is just running away from me. I lack energy. Especially in addition with a changed daily rhythm, changed nutrition, changed physical routine, changed room temperature, and so on - rationally, I know it's a lot of change to digest. And yet what I achieve every day next to work feels so little. Guess what, here's the giving myself grace part once more.

Best things: I was neither doubted nor frowned upon by any colleague of any role so far, not even once. Never had that before when joining a new company and team, let alone when taking on a new role! It's just beautiful to see how it can be. On top of that, I was appreciated for speaking at conferences, people highlighted it as a good thing and actively made it possible, just as agreed when taking up the offer. What a relief! And finally, I managed to already contribute hands-on - which I love, as I'm learning so much more when getting my hands on something. This also allows me to figure more things out and ask further questions I wouldn't have known to ask otherwise. The first feedback I've received based on my contributions was very promising and validating, what a relief for my anxious mind! So, after only one month, I'm rather confident already that I really do have a place in this company, team and role, that I can actually grow with them and I will have the space to do so. The last time I had this feeling so quickly was when I started out at Flixbus, where I also took quite a leap and it paid off big time.

By the way, just being on this new role, I already gained new ideas for blog posts and talks. Nothing I've followed up on yet, but more opportunities to spend time sharing more than my personal reflections will come again.

 

Everything, All at Once

Let me repeat: the last month had been quite overwhelming, and also rewarding. All at the same time. In hindsight, there seems to have been a number of coincidences all happening in the same month - February might not have been the smartest month to start my new job just because of everything else happening at this time. It's also been the month when people who made up their resolutions in January started reaching out to collaborate on new endeavors. It's been a month where folks in my circles were looking for a new job and asked for support. I've given my first mock interview this way and it seemed to have helped prepare the other person for their real interview! Definitely a big win. It's been a month when several conferences, podcasts and other events invited speakers or ran calls for papers, which kept me busy. It's also been the month when we fully picked up organizing our own conference again, the Open Security Conference, onboarding lots of new folks to the team (yay!). It's been a month when several private appointments with family and friends took place. It's still been volleyball season with games to be played. And of course, thanks to my changed situation, folks reached out to inquire about my new job, to pick up usual catch-up calls, and also continue shared endeavors.

Well, all this happened within just a few weeks while I was trying to settle at my new company, figure out whether my vacation plans would still work out and if conferences I planned to submit to would be feasible at all, what my new schedule and rhythm are like so I can plan other endeavors around it.

Oh, and do I have to mention the state of the world? Global and local just as well. Considering there was a very important election going on in my country and the outcome was exactly what I feared it to be - it's been indeed everything all at once in February. Well, after the election is before the election, and every day counts towards working toward a better future, and there are manifold ways to contribute to it.

Looking back, it's no wonder I felt slightly (haha) overwhelmed and lacking energy. The month of March will stay quite busy as well, yet better as a few things could have been clarified already. Afterwards, I plan to keep space for myself to just enjoy the ride and not add much of anything else to my list this year. Instead, I hope to rather reduce things where I can and introduce more slack in my private time. Let's see how long I can keep this up.

 

Calm and steady enough? 

Depending on how you look at it, my personal challenge for the year is either going super slowly and by far not as steady as I wished for; or alternatively, it's going super well as I've been continuously tested to stay calm and confident throughout the month while not feeling at my best capacity or basically having time for anything. Rationally, I realize I did spend lots of time on lots of things, just different ones than I set out to do.

This month, I didn't pick up any new topics. Despite not having much time, I did make some progress on the following ones.

  • Continue reading "Threats: What Every Engineer Should Learn From Star Wars" by Adam Shostack. I'm really slow in reading. And yet this book is still worth it, showcasing different ways how threats can manifest.
  • Adding to my flashcards here and there as I came across concepts to take note of. Didn't practice on them, yet extended them as I go and that was good enough for me this month.
  • Finally founded a small CTF team! It's actually happening, we just had our kickoff call and our first CTF participation is already scheduled. Literally can't wait for learning together on this.
  • A bit of Hack the Box challenges for myself. Not much, and yet I'm always learning so much when working on them. Even when having to look up things in walkthroughs, the eureka moments are strong here.
  • A few C# exercises on Exercism. As I started at my new company and am learning a lot about C# and .NET framework there, I decided not to pursue these exercises further in my free time as of now. Coding exercises are sometimes nice to have, you can limit your thinking to a certain space and can just do a small thing. That being said, I tend to learn more on something that contributes value to a higher goal besides merely finishing an exercise. (I do notice I don't apply the same logic to the Hack the Box challenges, curiously.)
  • I completed the other Semgrep Academy courses I wanted to do. So that one's now ticked off my list! Feels good to finish something.

    I've experimented with a few approaches to my challenge, mainly how much energy and time to invest in what, and in what order to prioritize things during my day. Sometimes it worked, sometimes it didn't. In the end, only the current day and moment can tell me where my energies are flowing and what I'm currently able to invest. Sometimes I have to build up energy by doing seemingly unrelated, or even potentially wasteful things before I'm up for the actual thing. And that's okay as well. It's about giving myself grace and staying calm. (Yeah, I have to repeat this over and over for myself.)

    That applies to my joy topics as well. Turns out, I fail investing in them daily. Not that there's no joy at all, I've integrated enjoyable stuff into my days quite well already (like sipping on luxurious tea, or listening to audiobooks). Yet additional pure joy topics (like playing computer games) need more time, headspace, and energy for me. I've done a lot better investing in these things during the weekend. Weekly "pure joy for myself" topics seem to work for me, while my learning topics can indeed be tiny daily steps to make progress.

    My needs had been covered quite well-ish during this month. A bit more sleep, a bit more exercise, a bit more warmth would have been good. The next months to come can offer more of that. Journaling still works out super well for me, I'm gaining lots of benefit without it costing me much time.

    I've come across thought-provoking inspiration from community folks this month that felt so relevant to my endeavor that I want to leave these pieces here for my future self.

    • Alan Page shared a very resonating piece in one of his recent newsletters: “So, I’m reminding myself of something as I sit in my favorite local coffee shop: It’s okay to write even when it feels hard. It’s ok to write, even if the subject isn’t riveting or compelling. It’s okay to create, even when it comes in fits and starts. It’s okay to show up imperfectly, with half-formed thoughts, as long as we keep showing up.” This really reminded me of working on showing up. Even if I don’t feel like it on that day. When I did show up on bad days it worked super well for me in the past, I know it can work. Yet it's the same thing that’s been holding me back, or rather how I’ve been holding myself back many times, on so many things I set out to do: not showing up for myself. What a profound reminder.
    • I came across a post on Mastodon that included this quote: "Anything worth doing is worth doing badly." Of course, context is crucial for such statements. It does present a perfect reminder to myself for my challenge though: Anything done is better than nothing done. Poorly done is better than nothing done.
    • Mark Techson shared this piece of gold: “Need to figure out what I have to let go of to make room for what I want 🤝🏾” So much this... I'm not there yet. Yet.
    • On a related note, Amy Edmondson asked this amazing reflection question: “How can I let go of the things that are keeping me stuck?” Phew, hitting the nail on the head. 
    • Just a few days ago I told someone else to give themselves grace, that time and energy comes in waves, and tides will rise again. Yeah. The actual target audience was me, myself and I.

    I did gain confidence through working hands-on on actual tasks, and getting feedback through both the personal realization that I've figured things out as well as external validation from other folks appreciating my work. In addition, I did gain confidence and showed up stronger in other areas of life (like volleyball) as well which is such a nice payoff for my personal challenge.

    So overall, steady-ish and calm-ish it was the last weeks. And that's okay for some time as well. I still did some things, some theory and some practice, some solo and some social stuff. I've done plenty of learning at work, naturally. Doesn't count towards my challenge, and still. I've realized a bunch of times that I've actually gained confidence, and that definitely counts for something. The best: my inner critic had been pleasantly calm this whole month, and rightfully so. That's a huge win, considering all the things that happened. And in hindsight I did better at giving myself grace even though it didn't feel like it.

    Yes, there's more that I could do for things I want to do. Yes, there's less I could do for things that don't help me forward. Yes, I could say yes less often to make space for myself and better opportunities to come. It's a learning journey after all. And yes, I'm still excited about this specific personal journey in 2025.

    Friday, January 31, 2025

    Calm and Steady - Off to a Good Start

    The blog post to make a new personal challenge public is usually the most exciting to write. The first post afterwards to share progress is usually the most difficult. Once that initial one is out of the way, I often have a better hunch on what I want to share in what way, whether I use a template for structure or not, how refined the post should be, and so on.

    That's exactly why I literally just sat down to type whatever comes into my head at that moment in time. And I intended to share it, as rough and raw as I could allow it to be. I did go over it once more, yet kept in mind that there's more value in sharing early than in over-polishing.

    The first month of my new "Calm and Steady" personal challenge is coming to an end. Here's what I've done so far, what worked and what didn't, and the insights I gained.

     

    Journaling Using a Template for the Win

    I knew I would need some way to track what I'm doing so I can look back and decide on potential course corrections. Additionally, I am well aware that I think in writing - so I like to write to think. Putting words down in writing often helps me realize things better than any other way. That's why I set out to start journaling not only for work, but also for personal endeavors like this.

    I've made a conscious choice not to get lost in tooling paralysis but pick the first tool that could possibly work. I needed something that allowed me to get started quickly without hassle yet won't block future migrations. For this case, I tried Notion. It never really matched my needs before, yet using it for a month now I can say it was totally worth making this call. Fast, easy, synced, editable everywhere, not too constrained, and I can just export my notes in markdown and move somewhere else whenever I want to.

    Next, I created a template for my daily journal page. I've iterated over this a few times now and just adapted it to what I needed. Having a few sections available meant I could focus my time on the actual content and still check boxes I wanted to evaluate later on. I also made a deliberate choice to have only few free text sections and the rest quickly interactive checkboxes and buttons to save time and lower the burden to do this daily. Here are my current template sections:

    • Thoughts: anything noteworthy I want to record or reflect on.
    • Practice or Theory: what small step I took today to make steady progress.
    • Joy just for the Sake of Joy: whatever I did just for myself, where joy was the self-purpose.
    • Needs Covered: which of my daily or less regular needs I've satisfied today.
    • Voice of My Inner Critic: how calm or loud my inner critic got and why.
    • Mood of the Day: how I've perceived the day overall.
    • Sunday Joy Check: whether what I'm doing still brings me joy or I should change anything.

    Turns out, this worked surprisingly well for me! It's been giving my thoughts both structure and freedom. I have a daily reminder to fill it, and I actually did so every day. Nice.

     

    Enough Options, not too Many

    Based on initial ideation, I chose to start the following topics which provide a mix of theory and practice, solo and social time.

    • Read "Threats: What Every Engineer Should Learn From Star Wars" by Adam Shostack. I have a pile of potentially awesome books on my reading list, and I know it takes me a long time to go through any of them. This is the book on the top of my pile, so I finally started it. Didn't make much progress yet, but it's been insightful already.
    • Write my own flashcards with concepts I come across. Doing so, I followed my original idea to cater to my brain's needs. I started an Anki deck to which I added any terms and concepts I encountered during my daily work on topics. It still grows organically. I wondered when to start learning using these cards in a regular manner to memorize the concepts. I tried the mechanism once as a proof of concept which was already helpful. I think I'll continue building the deck a bit further before I introduce a regular routine.
    • Explore the Exercism C# track. I like the platform's way of introducing language concepts and allowing you to practice in steps, as well as see other folks' solutions and improve yours iteratively. My upcoming role has a focus on the .NET platform with which I haven't had many touch points yet, and I'm curious about concepts and conventions in C#. 
    • Solve Hack the Box labs. I just love these security puzzles to practice. I'm still a newbie and there's much to learn, so this involves going through frustration until you either have the eureka moment or the humbleness to look things up and learn by following walkthroughs. Yet any little step equips you better for the next, and it's just fun. Also, it's a great one to do socially together and I'm glad I had great company during this month.
    • Found a CTF team. It's been on my list for 1.5 years, and guess what? It's now happening indeed! I have a small group of folks who are still interested to join me in this experiment. Once I have a hunch on my work schedule rhythm, I'll organize first informal practice sessions and we'll see where it leads us.
    • Do Semgrep Academy courses. Back when Tanya Janca offered her We Hack Purple courses, I've already enjoyed the AppSec Level Foundation 1 course. Now it was time to complete level 2 and 3 as well. They were validating of what I already know, filling gaps of what I didn't know yet, and they equipped me with tangible advice for real work situations. Hence, I decided to continue with the other free courses offered, like on secure coding.

    Turns out, the variety of topics helps me go with my energies each day. At the same time, I've also realized I've reached the limit of topics in focus at the same time. I hope to finish some the next month to maintain flexibility to change my way based on new learnings. 

    Same applies to my "joy for the sake of joy" bucket. I draw from a good variety of things I love doing as I go, depending on whatever I'm up to at any given day.


    Spotting Behavioral Patterns

    In the beginning, I've been quite diligent with keeping my joy topics going every day. I did notice how much I limited time for these things, though, or that I usually put them at the end of the day after everything else was done (business before pleasure and such). In the last weeks, I've once again started to neglect them completely, prioritizing everything else. The things I do for this challenge still bring me joy, yet that's a known pattern that I need to be very cautious about and take deliberate action against.

    On a positive note, I've been way better in keeping my needs satisfied. Not super great, but way better than last year. Having my needs as part of my journaling template really helps me not to lose sight of them.

    I've identified a detractor I didn't expect: social media. It probably sounds like an obvious one to many, yet I've been rather constrained about it most of the times. That being said, the last months my social media time got really out of hand. I'm spread across too many platforms and formats these days, I didn't filter content enough, and I didn't prioritize my time for the most valuable places. I've started experimenting with a few course corrections in order to get back to a sustainable pace and still get the value out of social media without getting drawn in. Healthy boundaries and such.

    Once more, I've realized that I need to tackle smaller tasks and quick wins first to free up headspace and gain momentum to manage bigger ones. Not to feel paralyzing overwhelm and staying in a state of anxiousness, but instead taking action to re-gain a state of calmness.


    Going Steady, but Keeping Calm?

    Looking back, my inner critic was doing quite a great job this month. The inner voices mostly kept calm and rightfully so. Only rarely they flagged something, mostly valid concerns. It's been a good, restful and rather calm month in general, which made it easier. Yet practicing while being in good shape can help prepare a lot for wilder times. 

    I've also learned a few things based on the concerns my inner critic alerted me on.

    An alert might feel overwhelming at first, loud and noisy. It might seem unhelpful in the moment. I might only learn if it was valid or not in hindsight. And still there might be something important going on, something to learn from. This happened to me during a volleyball game I had this month (yes, the inner critic also applies to other areas in life). I made the decision to take myself out of the game, hoping to give us a winning chance - my critic was loud in that moment in all possible ways. A week later my coach gave me invaluable feedback that my decision had indeed been a good one for the team and how it showed maturity. In hindsight, my critic was letting me do the right thing yet I wouldn't have needed to doubt my decision.

    Whenever I just rush to do things quickly and get them out of the way, I fall back to automated thinking and approaches I’ve used most times before. Yet those don't work well when I'm confronted with a new domain or challenge I don't solve every day. Which means, rushing when trying to navigate less experienced terrain makes my critic go loud. To find good solutions (that don’t need to take long either), I need to take some time and calm space, really look at the problem at hand, and think about how to approach it. That’s the frame in which I can make use of other knowledge and pieces of the puzzle I already have that aren't automated yet. Therefore, a reminder to myself: use system 2 to think slowly about problems and you have all your tools available to solve them.

    Picking up puzzle pieces as I go sometimes feels really slow (hello, critic!). And yet it proved to be an invaluable approach for me during my whole career. This month, I've learned once again that gathering pieces together with others can turn out to become really valuable for them as well. It's worth it and we all get better as we go. I need to stay patient.

    In conclusion, all this helps me see my inner critic in another light. I already knew I could learn from it rationally, and now I have further evidence including the emotional experience. That insight alone was already worth starting this whole challenge. I hope to turn it into further calmness. Also, I'm curious how things will play out the next month when I'm starting at a new company, in a new role. Stay tuned!

    Monday, January 6, 2025

    Calm and Steady as She Goes

    Personal challenges serve me well as my themes to focus on in a year and grow with them. It's that time of the year again to reveal what I'm setting out to do in 2025!

    As it turned out in the past years, my brain already starts thinking about the next year's big challenging scary endeavor before finishing up the current one. To enable myself to keep going and completing that first, I'm taking notes for next year whenever any thought pops up. And as usual, I share these raw notes for my future self, mostly unedited. Here are those I took during 2024.

    Consider security certificate as next year challenge (as I want to start speaking at security conferences, and grow into security related jobs, or just be taken seriously, or just prove it to myself)

    Just reading books - catching up on all

    Start a capture the flag (CTF) team, finally

    Maybe just continue new contributions anyway - at least 3 of them will continue overlapping into 2025

    Definitely include fun activities and self-care, like games, books, volleyball and fitness, just rest, and more - was way too few this year

    Focus on the fun in learning (while continuing ongoing 2024 endeavors)

    • fun: gamify things (participate in 1 CTF)
    • frequent: deliberate regular practice as a habit (including CTF teams, solo puzzles, programming exercises, etc.)
    • foundations: learn theory for conceptual foundations, e.g. using flashcards, for “prove and show yourself” situations, potential interviews, and certifications (do 1 security related certificate to validate yourself and increase your market value)

    Theory and practice: a flag a week, a cert a year - security first, development second

    Journal

    Fun, practice, theory - integrated in everyday, leaving space, in this priority

    Focus on new job

    Practice and theory, emphasis on fun. Security and development. Only constraint: 15min on anything every day, computer games every week.

    Have two buckets, do one of each every day - depending on energy that day:

    • security or development, play or theory (CTF, book, flashcards, kata, build, ...), alone or with others
    • joy for self-purpose and care: play (not casual), draw / paint, read fiction

    Make use of what works even on bad days: habits and streaks

    Be mindful of other tasks and commitments: conference speaking, work, open security conference (osco), leadership workshops, card deck game, accountability partnership

    Build in system so I can't automatically fall back on the exact same easiest thing every day

    Blog every week what I learned, allow myself to post in bullet points only to still learn in public and share insights, also for my future self

    Idea from Tobias Geyer for keeping myself accountable regarding self-care: accountability buddy :)

    You'll notice duplicates and different formulations of roughly similar ideas. I usually just add notes as I go on purpose so I see how my thinking evolved over time. Also, some ideas I've listed in 2024 had been overhauled and outdated by reality in the meantime. For example, I don't need to prepare for my entry in a security role and related interviews any longer, I already had to do them without said prep - and I made it! I'm still so grateful. Certificates would still be useful of course for market value and some seem to be actually useful regarding their content. Maybe something to head for the year after.

    That aside, looking at my notes, can you see the red thread showing up for 2025 already? The things that repeated in my head over and over? I see it and yet I need to write it down and formulate it out. Why? It helps me get down to the core challenge, forces me to structure those thoughts into a clear hypothesis and allows me to check in with myself from time to time to see how I'm doing and hence keeping myself accountable. This way I can also make it public, which again holds me accountable in a different way. And another one is to have a learning partner to check in with from time to time (thanks for being there, Toyer Mamoojee!). Or maybe multiple, e.g. one per topic or realm, and why not? Whatever works. I'll figure out what will work for me this year.

     

    The Challenge

    What is the actual challenge for me this year? Well, this one needs some background and explanation.

    I got challenged throughout my career, even life, regarding what I'm doing, what I'm not doing, or not doing enough of it, or not be enough, or be too much, and whatever. Be it the evergreen "you're not technical (enough)" while certain people will keep moving the respective goalpost just for the sake of gatekeeping and keeping me busy and preoccupied with trying to reach an unreachable goal, no matter how often I've proven I am indeed technical. And where I'm not yet, I'm capable of becoming more technical. It doesn't stop with this classic, though. I've also heard "you're not your job" a lot of times. While in general I agree, this one stings just as well, given how much I enjoy tech and work on a variety of tech-related things in my non-work time. My identity is manifold and at the same time parts of it are indeed deeply rooted in my job. I'm fine with it. I'm super privileged to love what I do for a living and gain a lot from it for the other parts of my life. 

    There are more challenges like these two examples. I've actively invested in unlearning my people-pleasing tendencies for some time now. It's hard. On bad days, I fall back to old behavior patterns. On some days, I get past them without feeling overly selfish. And yet they come back to me time and time again. My inner critic is very trained on getting loud whenever I might disappoint people and their expectations of me. No matter how conflicting they might be (hence setting me up for failure), or whether I concur at all in the first place. I don't want this inner fight anymore that costs so much energy and focus when it's not needed (there are valid topics where the inner critic is a very useful mechanism, it doesn't exist without a purpose).

    I want to set out to calm these inner voices that are especially strong in moments when I feel dumb, that I'm not knowing my own craft well enough, or that I'm not being allowed to enjoy my craft no matter my current abilities. I've once again had quite a few of these moments in 2024, like during a code retreat at a conference, in a work situation with a former teammate, and more. They sting, they hurt more than they should, and I take them to heart way more than is helpful. They linger in my head and take up way more space than they deserve instead of me just acknowledging that this happened and moving on. Instead of just building on the countless positive indicators that I am going my way the way I do and it's fine like it is.

    One particular case when my inner critic gets too loud is the following. Whenever other people use specific terminology related to what they're doing, e.g. techniques, patterns, strategies, you name it - my brain struggles to remember what it was about. That doesn't happen for things I've been most used to as I've had plenty of opportunity to practice over the years, let's say "exploratory testing". But if someone says "dependency injection" I'm beating myself up for not instantly being able to provide its exact definition even though I've also had plenty of touch points and made use of this concept over and over myself. And that's what's nagging me: my inner critic shouting "I'm blanking out, but I should know, I should be able to explain!" and certain outer critics pointing out "see, I told you you're not technical". While at the same time knowing that first, there are lots of folks who don't judge me for it. Second, I've just not had the same opportunity to learn and practice certain concepts compared to others who focused on it. And third, my brain and body need a lot of repetition to memorize anything, I've learned that already in my childhood. So now I could do lots of different things; I could keep whining about it, I could stop bothering, or I could give myself more opportunities based on my specific needs and calm those voices. For 2025, I'm choosing the latter.

    A dear community friend told me that haters gonna hate - whoever wants to put me in any corner will do so. No matter what I do. I can only control what's in my realm, which is my own inner critic demanding to prove myself to myself and others. Therefore, I need to focus on myself.

    That is exactly what makes this challenge scary for me. It's about facing my inner demons and taking action instead of just letting them roam around. It's about focusing on me and not on what the rest of the world tells me or I assume they would tell me. It's working on myself. My last challenge of 2024 was very outward facing, contributing to community. This one is contributing to myself.

    One more thought. Going back to my previous challenges, a whole lot of them are about gaining confidence. To speak on stages. To go deeper into coding. I also have a whole talk on gaining technical confidence. See a pattern? Even after 15 years in tech I'm still seeking that inner and outer peace of a calm mind. This year it's on. On my own terms, in my own ways, I'll find a way to become calm enough. Never jump to perfection, right? Just continuously do steps to become better. And calmer.


    My Needs

    This year, I took additional time to reflect on my new challenge, goal setting, and especially my own needs. Here are a few things that really helped me gain further clarity.

    • Cosima Laube shared a great technique, the "W.I.N. manual" (W.I.N. = What I Need). She asks to note down our answers to a few questions. The core one is "What do I need to do well, enabling me to be the best version of myself?" Daily, weekly, monthly, a few times a year? And lastly, what are things that are not helpful at all, that drain my energy? This exercise doesn't take long, doesn't have to be overly comprehensive, and yet reveals a lot of insights. For me my needs are focused around taking care of my body and brain, managing my cognitive load, giving myself calm space and time where I can think, taking continuous tiny steps. Allowing the pieces of the puzzle that I pick up as I go form a picture over time. Giving myself joyful and playful moments. My energy drainers and detractors revolve around pressure: due dates, social expectations (or my interpretation of them), allowing myself to be pulled in other directions, my ambition setting myself up for failure and getting angry at myself for it, my brain trying to puzzle out incompatible input and getting stuck, my body alerting me on neglected needs or even forcing me to stop.
    • This reflection made me remember an exercise I had done already in 2023, thanks to a dear former teammate who worked on making our company's work environment more accessible. She introduced the idea of creating an "inclusivity passport" to gain clarity on our own needs and offer a way to communicate those of them that we want to share with our colleagues. It asked us to think through our needs when it comes to touch, vision, hearing, speech, cognition, and anything else. It was immensely helpful for me and I gained further insights about myself. For example, I found myself listing most of my own needs in the cognition category. Here are some excerpts, that are especially relevant for my personal challenge: "I need time to think without too tight constraints. I can only focus on one thing at a time. If my cognitive load gets too high, I literally won't be able to think at all anymore, everything slows down to a halt. I can get very anxious, hence I'm trying to keep myself in a calm place as much as possible - that's where I do my best work and in general am the best human I can be. Hands-on repetition helps me learn new things."
    • I have a magnet board at home. Over the years, I just added to it, leaving whatever was there before. A few days ago, I decided to redo it, and look what I came across as reminders from my past self: "Calm is a choice". "Sometimes we need to stop to be able to think". "Energy is limited". Yep, so very fitting. 
    • Last week, I happened to listen to a podcast with Brook Schoenfield where he dropped a few gems which resonated heavily with me. Let me incompletely paraphrase some core points here: "Keep listening. Just because you don't know what's going on doesn't mean your brain won't get enough of the background over time to begin to reveal the form. Don't be in a rush, let it happen, it takes a while (unless you're naturally predisposed). For us mere mortals we gotta wait and do the time, eventually it takes form."
    • Mark Techson posted a video on how to nail the goals you set yourself. He asked three questions. First, what was holding you back in the past from getting this done? Well, for me it was often no action just talking, plus investing time in other things that drained my energy and capacity - basically not keeping space for this and especially my own needs. Second, what do I stand to gain if I actually hit this goal? What's in it for me? My response was peace of mind, calmness, the "I got this" feeling, confidence. But also less worry, less anxiety etc. over things that are not worth it. Gaining back control over my own mind and the things I have in my own hands. Finally, what do I stand to lose? Phew. My self-belief, confidence and trust in myself. Hence, all the things I could do and have impact on where I need exactly that. Control over my life as I allow other people to dictate it.

    Listing all these needs and thoughts and seeing them right in front of me, I realized that these are all things that I have in my own hands. Phew... I can literally gain back control and choose to be calm and slow and steady. Or whatever else is helpful in the moment.

    Last year's challenge was very fruitful and yet turned out to be very stressful as well. This year, knowing there will also be a lot going on in life in general, I want to take it slower. Because that's what my brain and body really need. As ambitious as I am, I want to start taking things in ways I can take them best. Slowly, steadily it is.


    The Hypothesis

    I believe that learning in ways that fit my own personal needs, every day for just a bit, combining theory and practice, will soothe my inner critic, and allow myself to focus on the joy of (re)discovering knowledge and skills while holding space for whatever else I want to use my time for during the year. 

    I've proven the hypothesis when my inner critic focuses on their original task again to alert me on actual concerns, and I've had a good time with what I learned and worked on.


    The Experiment

    I like to keep my hypotheses on a higher level, rather overarching and generic while crisp enough, yet I also yearn for concrete details that will guide me on my first steps and also help with evaluating the hypothesis in the end to prove or disprove it. Here's the tangible experiment I have in mind to test the above hypothesis.

    • The learning topics pay into application or cloud security in some way. Narrowing things down a bit should provide focus while still being broad enough to provide plenty of flexibility to see where my energy is going.
    • It's completely up to me whether I go for theory or practice on any day, as long as both parts are represented every week.
    • For theory, I'm going for systems that helped my brain learn back in formal education - like using flashcards to memorize terms and definitions. I acknowledge that I need repetition first before I grow understanding.
    • For practice, there are lots of options to choose from, like capture the flag challenges, developing a practice project, contributing to open source, building tools for myself, and so on. These can be very temporary throw-away projects or things that have long-term value. Anything counts as long as I apply my knowledge and practice deliberately.
    • To support my brain, I build a habit of doing something every day. Can be as tiny as a 1-minute effort or as big as spending hours. Just something to do and focus on. It doesn't have to bring me further and I don't have to make any perceivable progress of sorts.
    • Every week, I check in with myself if what I'm doing brings me joy. As simple as that. If yes, great, keep going; if not, I change one thing and then see the following week whether this improved the situation or I keep experimenting.
    • I take note of moments when my inner critic gets loud again on things where there's no need. I just take note, there's no need for further reflection (it'll happen anyways without myself forcing it in). I just acknowledge this happened.

    To capture the last two, and maybe also my basic needs, I'll probably start journaling again. I might or might not blog about what I learn as well. I think in writing, so stuff like that really helps me. I'll figure out what works, I can make up my mind any time during the year.


    The Timeline

    I'm officially starting my challenge right after publishing this post. I keep it running for at least 4 weeks. I'm stopping at the latest at the end of October 2025. This time it's a hard stop wherever I will be at that moment in time, there's no prolongation. I might stop any time beforehand whenever I see it's not helpful, or causing me a miserable time.

    This year, I've tried a few things out already before posting this. See what might work, set up a basic structure to start with. Weighing a few things in my mind, see how it feels. Not overdoing anything, as whatever I come up with should also fit in a very busy day. Experimenting a bit upfront just helped me formulate this challenge.

     

    The Hashtag

    Why is a hashtag or tag line important to me? This is how I refer to my challenge in my own mind. It's also how I describe it to others, so it helps to make it descriptive, crisp, and concise. It took me a while to figure out a good one for this challenge yet it was crucial to gain further clarity of its core. Sometimes it's about trusting the process and believing I'll get there. 

    After trying out lots of different variations, I settled on #CalmAndSteady. That's the phrase my mind kept coming back to. It already sticks. I can just as well let it stick. Yes, I'll be learning stuff as I go. Yet the core is all about me and how I approach things and how I respond to things. It's about which system and space I create for myself, catering to my own needs and caring for myself. Calm is about grounding myself, finding that inner peace and quiet, freeing myself from anger and anxiety where possible. Calm my inner worries and give me back the time and energy to focus on what's important to me. Calm that critic. Steady is about keep on keeping on, taking tiny step by step. Not overdoing, not jumping to perfection, just consistently keeping at it. Progress and growth will follow.

    I wanted to formulate things positively, so "calm and steady" works. It also works for other parts in life. For example, I really want to get healthier again while my body reminds me of my age every day. I need to take it a lot slower than many years back, and not rush at all; otherwise, I'll have to pay a price and be even more patient with myself again. So yes, this year is a "work on myself" year. Calm and steady includes that patience that I'll need with myself to wait until pieces come together and fall into their places. It also includes that peaceful inner state of mind that keeps me enabled to act, no matter what else might come on the outside. I'd very much like that. Especially given the state of the world.


    Anything else?

    Oh, there will be plenty of "elses" throughout the year! Lots of things will happen. Life itself, a new job, a new role, conference speaking, sports, games, books, travel, friends, family, the world, whatnot. 

    This challenge is intended to fit neatly into life and still be helpful. Let's see how it goes. Off I go!

    Friday, December 27, 2024

    2024 - What a Wild Ride

    At the end of each year, I sit down to look back and take account of the past year in writing. I've made it my own tradition to help myself acknowledge all the things that happened during the year, especially any achievements of sorts.

    I started the year with lots of hope of great things to happen (they did), lots of challenges to tackle (that sentiment nailed it), lots of joy on the way (not as much as hoped for), and lots of energy replenished (phew... nope). The year was an unexpectedly wild ride and it really drained my energy reserves. The good news is that I'm ending the year on a very positive note with a lot of hope for the future. The struggles paid off and I'm grateful for my past self that I've pulled through.

    Dear future self, here are my accomplishments of 2024.

    • My sixth personal challenge of courageous new community contributions really took off, took quite a toll, and was still so much worth it. I've helped bring lots of things to life: a whole new conference, a practice app, a card deck game, a leadership workshop series - and I've given conference sessions on security for the first time. It's been massive and I've dedicated a whole separate post on closing the challenge, so I won't repeat most things in detail here.
    • One thing I will indeed repeat, as it was a true #AchievementUnlocked moment for me: I've spoken at my first security conference this year, BSides Munich! Super grateful for this opportunity, and it came at a perfect time right when I kicked off my job search, for which this specific speaking engagement paid off even more. One interviewer shared they watched the recording and liked it (phew, yay!). My future manager was sitting in the talk (I can't make this up)! When it comes to the community, this talk helped me make further connections. For example, I had a call with a new acquaintance to exchange inspiration and ideas to evolve a security champion program further. I got invited to participate in university research around DevSecOps. And you can imagine my surprise when I discovered my very own talk being referenced in Katilyst's security champion newsletter that I had subscribed to earlier this year! Mind-blowing. By the way, in case you'd like to hear about how my work as security champion evolved over the last years, check out the recording.
    • I've had 12 speaking engagements this year, which makes it overall 103 since I've started out in 2017. Crossing the threshold of over 100 gigs is definitely something to celebrate! Looking at conference sessions alone, I've given 8 sessions at 6 conferences in 3 countries this year. In all time, that makes it 48 sessions at 27 conferences in 12 countries. I really have to count and see these numbers for myself, I'm still in awe that I really did all this. My past self wouldn't have believed me one bit.
    • Including this one, I've written 10 blog posts this year. This number still surprises me as I remember that next to everything else going on this year, there was little to no time left at all for writing. A pity, as I do think in writing, and I do write this blog for myself in the first place, for sharing in the second. Maybe there's more space for it in 2025, I'll see it when I'll do that year's review.
    • My main social media platforms this year turned out to be still Mastodon in first place, followed by Bluesky (especially after the recent wave of folks joining). Instagram surprisingly landed in third place (being a lot better than I ever expected it to be). My LinkedIn presence grew as well. It's by far not my favorite platform to consume content, yet it has its very own purpose for career networking endeavors. Overall, I'm grateful for everyone out there posting meaningful content over the course of the year that made me think, made me read, made me listen, made me learn. I'll continue curating my own feeds hoping to pay it forward.
    • I've invested in a few other community endeavors over the year as well. Like continuing my accountability and learning partnership with Toyer Mamoojee, security pair testing sessions with Peter Kofler, joining a few code reading club sessions (unfortunately a lot less than I had hoped for). I've also had several calls and even on-site meetings with other dear community friends over the year, with us sharing on various topics ranging from learning cybersecurity, to startup ideas, to community dynamics, to anything and everything that moves us.
    • At work, this year was a wild ride as well. My team and I had a tough time deciding on all the incoming requests and their actual priorities, and catered as best we could to those with highest importance given the circumstances. Compliance of all kinds was a big topic, too. We had several incidents which allowed us to learn how our system could fail in new and surprising ways and implement respective mitigations. Lots of tricky data migrations to get right. Quite some team fluctuation as well, people leaving and coming. In the end we were a smaller core team still doing our best to keep up with occurring demands from all sides, and getting our valued legacy product back in shape. Given the circumstances, we've mostly smashed it. Well, until things changed completely.
    • Me, my team and lots of other colleagues had been laid off due to the company's business pivoting. I'm very proud of my team, of the sound culture we've built and fostered for us, how we showed up for each other over time, and how we, even in the moment when everything came to an end, celebrated what we had and gave each other feedback along our ways. Kudos to everyone! We really had a good ride together. It's never nice to go through layoffs, and yet it's actually been surprisingly good to get laid off as a whole team, just having it end together at this moment in time. It's been like a band-aid being ripped off. Based on our talks, we all preferred this option over a slower and potentially more painful end, like getting chipped away at and dissolved over time.
    • My amazing network really stepped up in words and action, spreading the news of my unexpected job search, sharing opportunities, making connections. This kind of invaluable sponsorship, plus me putting a lot of effort into a high intensity search, plus my personal challenge endeavors (again building on my network) this year, allowed me to find a new job within 6 weeks, contract signed within 8 weeks. I have to write these numbers down for my future self, and even for my present self as I still can't believe this happened so fast, especially given the current market. Closing everything just before the end of the year. And not just finding any job but one that I really, really want. And on top of that, a role change that I hoped for in the next years to come. Now it's already here, and I'm so ready for it. I've witnessed the magic of "one door closes and many other doors open" before, yet this year this phrase took on a whole new meaning for me.
    • This year's personal challenge was all about new community contributions. Here's a new work-related contribution that I didn't foresee at the beginning of the year. From next year onward, I'll continue my path as a security engineer. When looking back at the kinds of contributions I've done this year and how many had security at their center, it does make a lot of sense, though. I just thought it wouldn't come to it that fast. There will be many more new challenges awaiting me on this next part of my journey, and I bet a few well-known ones as well. I honestly can't wait.
    • It feels like a milestone in my career to get this new role and hence opportunity to explore next year. A dear community friend helped me put up a mirror for myself: she said all this is not coming suddenly for me. I've been building this up over many, many years, the knowledge, the network, the path for myself. Lots of little building blocks all over the place providing the foundation for this next step that now has a big meaning. It's been about persistence, continuously moving forward, little by little. About pushing myself also in times I didn't feel like it, like just right after the layoffs that came at a time when I just wanted to breathe and rest. She heard me saying how tired I was all over the year. She's been celebrating this huge step for me, it's all coming together. I'm very grateful for having such dear friends offering reflections in times I really need to see them. And she's been right: the compounding effect of all the little things I've done in my career is indeed real, and very impactful now for me. I'm grateful for my past self pushing through.

    Here I am. It's the end of the year again. It's been once again helpful for me to look back and see all of the above. Now I'm already super curious what my review for 2025 will look like!