I am moving roles, again

A personal note. After two and a half years at the online-gaming operator, I am moving on. The new role is a security consulting engagement at the Royal Botanic Garden Edinburgh — substantively different from gaming infrastructure, with its own interesting constraints.

This is going to be a longer-than-usual personal post. The career transitions I write about are infrequent enough that they deserve careful treatment, and the lessons from the past few years are worth recording explicitly.

What I take from the gaming-operator role

The online-gaming environment is operationally demanding in ways general infrastructure is not. Three specific dimensions:

Availability requirements are severe. Downtime is direct revenue loss, with consequences that compound — a customer who experiences poor availability today is less likely to play tomorrow. The pressure on uptime is constant; the engineering tolerance for any kind of outage is low.

Transaction volumes are large and time-sensitive. Real-money gambling and gaming requires that financial transactions complete reliably and quickly. The infrastructure must handle peak loads without degradation; the security controls must operate without introducing perceptible latency.

The regulatory environment is non-trivial. Multiple jurisdictions, different requirements per market, ongoing audit and reporting obligations. The compliance overhead is substantial; the security and compliance functions are tightly coupled.

The combination has been instructive. The role gave me my first sustained experience of running production security at the level where it cannot be allowed to fail.

What the gaming-operator role taught me

Four specific lessons that I will carry forward.

Operational rigour matters more than technical sophistication. Most of the security improvements I deployed were not technically novel — patches, segmentation, monitoring, incident response. The technical content was familiar from years of writing about it. The operational discipline of consistently applying these practices, at scale, day after day, was what produced the security outcomes. The discipline is hard; the technology is easy.

Internal politics matter for security outcomes. The security function exists alongside other functions — engineering, operations, product, compliance. The relative priority of security against other concerns is determined by relationships, by communication, by the demonstrated value of the security function over time. Security teams that cannot navigate the internal politics produce worse outcomes than security teams with less technical capability but better relationships.

The 24/7 operational rhythm has a personal cost. Running production infrastructure where availability is critical means being on-call. Being on-call sustainably means having robust on-call rotations, clear escalation procedures, and the discipline to disconnect when off-duty. I learned a lot about how to do this; I also learned that the cost is real, even when the discipline is good.

Mentoring matters more than I had appreciated. I worked alongside several less-experienced colleagues who learned the craft over the period. Watching their development, contributing to it, seeing them eventually become independent — this turned out to be one of the most rewarding aspects of the role. I had not previously thought of myself as someone who taught; the gaming role made me realise that I had been teaching the whole time, often without recognising it.

What is next

The new engagement is structurally different from the gaming role.

Defined consulting period rather than open-ended employment. The Royal Botanic Garden engagement has a specific scope and duration — initial penetration testing, identification of issues with the network's security posture, assessment of the existing intrusion-detection and prevention systems, then a refresh of the supporting security architecture. The work is bounded; the deliverables are specific.

Different operational context. A botanical research institution has different priorities, different risk profiles, and different operational constraints than a commercial gaming operator. The defensive disciplines are similar but the implementation context is different.

Different working pattern. Consulting engagements involve travel, focused intensity during the engagement, and clear hand-off at the end. The pattern is different from sustained employment; the rhythm is different; the satisfaction is different.

I am looking forward to it. The change of pace will be welcome; the new context will be educational.

What this means for the notebook

The weekly cadence continues unchanged. The technical focus may shift slightly — consulting engagements expose me to a wider variety of operational situations than sustained employment in a single environment. The notebook may reflect that variety.

The specific writing about the new engagement will be limited. Consulting work involves client confidentiality; specific incidents and configurations cannot be written about directly. The general patterns can be discussed; the particular client cannot.

For my own writing discipline: the consulting period will be a useful test of whether the notebook can sustain its quality across different work contexts. The pattern of writing weekly through the gaming role has been stable for two and a half years; the pattern through consulting will be a different test.

A reflection on career shape

The broader pattern of my career through the past nine years has been: long-term technical employment (DEC government contract for seven years), shorter-term role with combined responsibilities (gaming operator for two and a half years), now consulting. Each transition has expanded the operational variety I have encountered.

The pattern is not what I had planned. When I started at DEC, I expected a long career at one employer, similar to the engineers around me. The actual trajectory has been more varied. The variety has been valuable; the cumulative experience is broader than a single-employer career would have produced.

For my own writing about career: more posts on the operational dimensions of different roles, the lessons from each, the patterns that recur across diverse contexts. The notebook readers who are themselves at career junctions may find this useful.

What I will be paying attention to during the consulting engagement

Three specific things.

The botanical institution's specific risk profile. Research institutions have different risks than commercial operations — research data is the primary asset; financial transactions are secondary; the threat actors include different categories than commercial operations face.

The transition from broad operational responsibility to specific assessment work. I have been a hands-on operator for years; the consulting role is more of an assessor. The skill differences are real; the transition will require attention.

My own learning during the engagement. Each new context teaches things; the consulting engagement will teach a different set of things than the previous roles taught.

What I want to take from the consulting engagement

Broader perspective on UK organisational security. Consulting exposes me to multiple organisations' contexts in ways sustained employment does not. The cumulative pattern across organisations should inform my own thinking about defensive disciplines.

Skills in formal assessment and reporting. The consulting role requires specific deliverables — assessment reports, recommendations, structured findings. The discipline of producing these to professional standards is different from the discipline of writing a notebook post.

Possible additional consulting work afterward. If the initial engagement goes well, there may be follow-on opportunities or referrals. The career shape is becoming, on the available trajectory, more consulting-oriented.

A small thank-you to the gaming operator

The organisation I am leaving has been a good place to work. The colleagues are competent; the leadership is reasonable; the operational discipline is stronger than at most organisations I have observed. The two and a half years have been productive, educational, and on balance rewarding.

For anyone considering working in the online-gaming sector: the operational demands are real but the work is interesting, the pay is competitive, and the learning is substantial. The constraints (availability, transaction volume, regulatory complexity) are demanding but produce engineers who can handle pressure that other sectors do not provide.

I may write more about the gaming sector specifically over the next year, with appropriate confidentiality. The lessons are general enough that they should generalise.

What is next-next

Beyond the immediate consulting engagement, I have been thinking about the longer trajectory. Possibilities include:

  • Continuing in consulting, building up a portfolio of engagements across different sectors.
  • Returning to a sustained employment role, perhaps at a security-focused organisation rather than at a sector-specific one.
  • Founding something — the structural defensive work I have been writing about for years could be the basis of an offering, if I had the appetite for that kind of work.
  • Some combination of the above.

I do not have a definitive plan. The next several months of consulting will inform the direction. The notebook will, presumably, document the choices as they are made.

For anyone reading this who is themselves at a similar career juncture: the writing exercise of articulating one's options publicly is itself useful. I have been doing it for years; the discipline produces better thinking than internal deliberation alone.

A closing reflection

Nine years into a career that started at DEC, seven years into the notebook, two transitions in the past three years. The trajectory has been more varied than I had planned and, on balance, more rewarding.

The field continues to develop in ways that produce work for thoughtful practitioners. The operational disciplines I have been writing about are increasingly mainstream; the ones that are not yet mainstream are increasingly visible as gaps. The work continues to matter.

For my own work going forward: continued writing, continued reading, continued operational involvement. The specific configuration may change; the underlying discipline does not.

More as the consulting engagement begins.

A longer reflection on consulting and the career trajectory

Let me extend the role-transition post with deeper reflection on what the consulting engagement may produce and on the broader career trajectory it represents.

What I expect to learn from consulting

Consulting work produces different kinds of learning than sustained employment. Specific things I expect from the period:

Breadth across organisations. Each engagement is a different operational context. Patterns visible across multiple engagements are more generalisable than patterns visible within a single organisation.

The discipline of formal deliverables. Consulting outputs are typically formal — written reports, presented findings, structured recommendations. The discipline of producing these to professional standards is different from internal operational work.

Client-relationship skills. Sustained employment involves internal politics; consulting involves client politics. The dynamics are different; both require navigation.

Negotiation and scoping. Consulting engagements have negotiated scope. The discipline of scoping work, communicating constraints, and managing expectations is more central to consulting than to employment.

What I am unsure about

Three things I am genuinely uncertain about as I begin the consulting work:

Whether I will enjoy it. Consulting has a different cadence than employment — bursts of intensity during engagements, lulls between. Some practitioners thrive on this; some find it draining. I do not know yet which I will be.

Whether my temperament suits client-relationship work. I have been writing publicly for seven years and am comfortable with technical communication. Client-relationship communication is different — more diplomatic, more aware of organisational politics, more focused on outcomes the client values.

Whether the consulting income is reliable. Sustained employment provides predictable income; consulting income depends on engagement pipeline. The transition involves some financial uncertainty.

I will know more in six months.

The Royal Botanic Garden specifics

The specific engagement is operationally interesting. A botanical research institution has different security concerns than commercial operations:

Research data is the primary asset. Centuries of botanical research, current research projects, breeding records, conservation data. This is the institutional value; protecting it is the security priority.

The user population includes many academic researchers. Academic research culture values openness, collaboration, and information sharing. The security disciplines must accommodate this without compromising the data.

The threat actors include different categories than commercial operations face. Industrial espionage in research areas, activist groups concerned with conservation issues, opportunistic attackers — the threat profile is different.

The regulatory environment is different. UK research institutions have specific data-protection obligations, FOI obligations, and academic-integrity obligations. The compliance picture is non-trivial but different from that of commercial operations.

The combination produces a security challenge that is interesting in ways my previous roles have not been.

What this might mean for the longer trajectory

Three possible directions for the next 5-10 years:

Continued consulting. If the engagement goes well and produces follow-on opportunities, the consulting trajectory could become my dominant work pattern. The cumulative experience would be substantial; the financial sustainability would depend on engagement pipeline.

Founding something. The structural defensive disciplines I have been writing about for years could be the basis of a service offering. Founding a security consultancy is a substantial undertaking; whether I have the appetite is unclear.

Returning to sustained employment. A larger, security-focused organisation could provide both the operational depth I value and the structural stability that consulting may not. Specific opportunities that might fit are infrequent but exist.

I do not have a definitive plan. The next several months of consulting will inform the direction.

What I want to maintain regardless of trajectory

Three things I will not give up:

The notebook. Eight years of weekly writing; the discipline is firmly established; the value compounds. The notebook will continue regardless of how the work-life evolves.

The community connections. The relationships from years of conferences and correspondence are valuable independently of any specific employer. These continue.

The reading discipline. Phrack, Bugtraq, source code, the ongoing learning. The reading is what makes the writing possible; both continue.

The calibration discipline. Predictions with explicit probabilities, honest scoring. The cumulative practice produces better thinking.

The core practices continue. The work-life context evolves around them.

A small thank-you

The gaming-operator role I am leaving has been a good place to work. Three specific colleagues there have been particularly supportive; each will receive a personal thank-you note this week.

For anyone reading this who has worked with me at the gaming operator: thank you for the years. The work was demanding; the company was good; the cumulative experience is valuable.

More as the consulting engagement begins.

A small note on the work going forward

Let me close with brief practical notes about the next several months.

The consulting engagement at the Royal Botanic Garden is, on present plans, four months of focused work. The deliverables are specific; the scope is bounded; the timeline is defined.

During the engagement, the notebook continues at standard cadence. Specific writing about the engagement itself will be limited by client confidentiality; general patterns and lessons will be shareable.

After the engagement: I do not have a definitive plan. Possible directions include further consulting, return to sustained employment, or some founding activity. The choice will be informed by how the consulting period goes.

For anyone who has been corresponding with me regularly: the pattern continues. The transition does not change my availability for technical correspondence; it does change the topics I can write about specifically.

For anyone who has not corresponded: this is a reasonable moment to start. The career transition is interesting; the technical work continues; the community remains valuable.

More as the consulting engagement begins.

A note on the writing during the engagement

Let me close with practical notes about the notebook's content during the consulting period.

The specific things I will be writing about during the engagement:

General operational patterns. The patterns visible in the work, framed generally enough to be useful without disclosing specifics about the client.

Reflections on consulting practice. The discipline of consulting work, the rhythm, the constraints, the lessons.

Continued tracking of the broader field. Worms, advisories, structural shifts — the same coverage as in previous years.

Reading and thinking. Phrack, Bugtraq, source code, the ongoing reading discipline.

Predictions and calibration. The annual rhythm continues regardless of work configuration.

The specific things I will not be writing about:

Client-specific incidents. Confidentiality limits direct discussion of specific events at the client.

Specific technical findings at the client. Findings inform my general writing without being directly attributable.

Specific organisational politics at the client. Internal dynamics are not appropriate for public writing.

The constraint is bounded; the writing continues.

More as the engagement begins.

