From Retargeting to RCE: My journey from advertising to cybersecurity

Kevin Huang
Jul 28, 2020 · 12 min read
Mackenzie Davis as Cameron Howe in “Halt and Catch Fire”. I aspire to be as 1337 as her.

My decision to attend a bootcamp for cybersecurity was a surprise for many around me.

My parents didn’t get why I’d give up on a steady high-paying job, especially with the quarantine recession looming around the corner.

My boss and the head of people were caught off-guard as I seemed to be hitting my stride in maturing my side of the business.

My peers were surprised that I’d choose cybersecurity rather than software engineering or data science, which were much more popular routes.

It’s a bit of a long story, but I hope my meandering 20s can be of some help to other folks trying to find their way.

For those who don’t know me well, I had attended a specialized arts program in high school with the intent to become a designer later on. I liked the idea of doing something creative as a profession, as opposed to becoming a doctor or lawyer like my parents wanted.

Concerned about my future, a family friend who had gotten his MFA later in life recommended that I get a general education first so my options wouldn’t be limited. There were, after all, plenty of washed-up creatives that didn’t have backup career paths. After a long wrestle with self-doubt, I gave up a spot at RISD (Rhode Island School of Design) to “sell out” and go to business school at NYU, trading charcoal smudges and ink fumes for PowerPoints and starched collars.

Although economics and theoretical finance did rekindle an appreciation for quantitative work, I honestly couldn’t see myself being either an investment banker or management consultant. I chose instead to major in marketing as it seemed like a nice link to my creative past, and eventually landed my first gig at a well-known advertising agency.

Anyone who has worked in advertising can confirm that it’s easy to get caught up in the rhythm of agency life. You start out getting paid shit, so you pick up extra work to impress your boss and get promoted faster. There’s a certain camaraderie among your class of plebs (interns and assistants) due to the shared suffering, and it’s fun to commiserate together over free booze sponsored by a vendor (you’re too poor to buy your own).

As you climb the ladder, you sometimes get praised by the client or management (hopefully getting a promotion or better assignment). This addictive dopamine kick helps you forget the fact that you now make less than your assistant now that you don’t qualify for overtime. You and your peers begin to see that there’s less space at the top of the food chain, and start to become more competitive about who has the better clients, who’s busier, etc.

During a particularly dark and slightly alcoholic period of my advertising career, I stumbled across a memoir that art director Linds Redding wrote while struggling with cancer. It cut deep because I realized that the old creative side of me also yearned for some kind of purpose and legacy, and that I wasn’t sure why I was running this particular rat race.

This was the con. Convincing myself that there was nowhere I’d rather be was just a coping mechanism. I can see that now. It wasn’t really important. Or of any consequence at all, really. How could it be? We were just shifting product. Our product, and the clients’. Just meeting the quota. “Feeding the beast” as I called it on my more cynical days.

So was it worth it?

Well, of course not. It turns out it was just advertising. There was no higher calling. No ultimate prize. Just a lot of faded, yellowing newsprint, and old video cassettes in an obsolete format I can’t play anymore, even if I was interested. Oh yes, and a lot of framed certificates and little gold statuettes. A shit-load of empty Prozac boxes, wine bottles, a lot of grey hair and a tumour of indeterminate dimensions.

It sounds like I’m feeling sorry for myself again. I’m not. It was fun for quite a lot of the time. I was pretty good at it. I met a lot of funny, talented and clever people, got to become an overnight expert in everything from shower-heads to sheep-dip, got to scratch my creative itch on a daily basis, and earned enough money to raise the family that I love, and even see them occasionally.

But what I didn’t do, with the benefit of perspective, is anything of any lasting importance. At least creatively speaking. Economically I probably helped shift some merchandise. Enhanced a few companies’ bottom lines. Helped make one or two wealthy men a bit wealthier than they already were.

As a life, it all seemed like such a good idea at the time.

It dawned on me that although I was good at my job, improving the return on ad spend for advertisers was not really the mark I* wanted to make upon the world. From then on, I shifted gears towards finding out “what I wanted to be when I grew up”, and away from blindly climbing a ladder I wasn’t sure I wanted to reach the top of.

*I have many comrades who are still passionate about advertising/marketing, and don’t mean to disparage that in any way. It just wasn’t my cup of tea.

One of many things I appreciate about my media buying background is that it fostered a natural appreciation for math that I’d forgotten. At its heart, advertising is similar to managing an investment portfolio — as media buyers, we’d try to allocate our clients’ budget in a way that would maximize the return (spend money to make more money). By performing controlled testing, we could figure out whether the “information gain” from purchasing consumer data exceeded the costs, which then enabled us to make recommendations based on cold hard math rather than sales hype.

After moving “in-house” at several brands to work as a pure data analyst, I was also given the opportunity to see how theoretical concepts from my undergrad education played out in the real world. For example, promotion pricing tests at a DTC (direct to consumer) subscription brand were vivid displays of price elasticity in action. We ended the tests not simply knowing which option was better, but also gaining an understanding on how consumers respond to certain variables in a nonlinear fashion.

We weren’t performing rocket science, but I began to see that math was not merely useful for bean-counting. Just as literature models the human condition, math allows us to ponder and understand how the world behaves. As we see the world more accurately, we can identify value and opportunities that others can’t.

For example, one of my research projects showed that “retargeting” (sending you ads after you leave a site), the bread and butter of most display advertising, isn’t very effective at causing people to buy stuff — it’s just good at claiming attribution credit for people who would have bought it later anyway. We were able to convince the client to shift their dollars towards broad reach targeting instead, focusing on bringing in new potential customers.

“Sabermetrics” as dramatized by “Moneyball”

My work in analytics also led me to study Python programming, where I became enthralled by our ability to use basic building blocks like lists and loops to solve increasingly more difficult problems. It was really exciting for me when I was able to make my own duct-tape solutions work in lieu of formal data engineering resources. Programming is intellectually stimulating in its own philosophical way — I fondly remember a night where the engineering director gave me a heated lesson on what “truthy” and “falsey” meant in Python, a challenging concept to digest given the amount of bourbon we’d just consumed.

Through all this, I began to see technical work as an alluring stage to discover where I wanted to be.

At this point you’re probably wondering why I didn’t choose to specialize in either data science or software engineering.

Data science is indeed super cool, and I am very grateful for the exposure I had to it while working as an in-house analyst. There were, however, a good handful of reasons why I decided not to go down that path:

  • Depending on where you go, data science can be pretty elitist; there are a lot of hiring managers who might not look at you if you don’t have a PhD.
  • On the flip side, the democratization of data science education has produced a glut of entry level data scientists, making it much harder to compete for that entry level role. The advanced practitioners have had to rebrand themselves as machine-learning engineers.
  • Much of the time spent as an analyst or data scientist is in cleaning up messy data and in producing reporting (not necessarily analysis!). Many companies say they want data science when what they really want is business intelligence.

I had considered software engineering bootcamps after seeing several friends pivot from non-tech backgrounds, and happened to stumble across Fullstack Academy’s Hacking 101 intro workshop while researching options. It was really eye-opening to see what was happening outside of election interference — a few years ago, hackers managed to take down parts of the Ukrainian power grid (and there’s evidence that some US systems may also be compromised as sleeper cells).

Cyber attacks invoke the image of a hidden specter, but these stories of damage occurring in the physical world made the threat much more real. Modern wars will be fought primarily with keyboards, not guns.

This is what really piqued my interest in cybersecurity over engineering; although building cool things does sound fun, the prospect of there being a “just war” to be fought appealed to my desire for purpose. I’m the furthest thing from a jarhead, but being able to protect people while also learning a ton about computers sounded like an awesome gig.

In retrospect, the seeds of cybersecurity had already been sown at the beginning of my career. My first job was extremely pivotal because it had exposed me to “surveillance capitalism” — our team specialized in campaigns utilizing user data peddled on the open market (yes, I was to blame for some of those creepy ads). It was easy to take for granted where that data actually came from, because we were dealing with cookie counts in the millions. Things like GDPR (General Data Protection Regulation) only came years after I started working, and as advertisers we merely griped about how it made our jobs harder.

I realized the weight of advertiser responsibility towards consumer privacy later on, when I was tasked with encrypting user data prior to sharing it with vendors. If you’ve ever received mail ads after submitting your email in a web form, it’s very likely that the advertising brand shared your data with an intermediary vendor that has compiled your data for physical targeting. What is merely one lead out of many for an advertiser is also a risk of life-changing identity theft for an innocent civilian if handled improperly.

Startup hype a la WeWork has glorified growth and valuations above all, but in truth, a fast car needs good brakes. Cybersecurity fills a critical gap in development and operations where prioritization of speed over security can really leave a door open to disaster.

I ended up taking the leap to attend Fullstack Academy because I knew how long it would take me to learn all that material while frequently working overtime. Reflecting on the sheer volume of learning that happened, I’m glad I made that choice despite the financial consequences.

My friends who were bootcamp alums warned me that I’d have pretty much no life outside of school, and they were pretty much right. I almost didn’t mind the quarantine situation because I was studying and practicing cyber from the time I woke up to the time I went to sleep. The need to be dedicated to putting in the work cannot be overemphasized, because there’s so much to learn and absorb. I’ve earned a few industry-standard certifications (OSCP and CySA+), and still often feel like I don’t know enough to do the job.

I didn’t mind the grind, however, because I had such a great time doing it! I honestly think learning about cybersecurity can be a cool hobby even if you don’t intend to practice it professionally.

A few things I’d like to share for those considering a career in cybersecurity and/or a training program like Fullstack Academy:

Be comfortable with uncertainty.

The teachers and fellows are certainly available and helpful, but will intentionally avoid spoon-feeding you the answers to teach you problem-solving skills for the future. Don’t know how to do something? Try Googling it (first, at least).

If you are someone who needs a lot of structure, I would advise that you think carefully about quitting your day job because you will need to spend a lot of time on self-study. The cyber community is quite generous with its time, but this is a trade that also requires self-reliance.

Get ready to read and write…a lot.

Cybersecurity training has become a lot more accessible with video and podcast tutorials, etc. However, there are also many resources that are reading-only; depending on the Python module you’re using, the source documentation may be the only reference available.

Although videos and podcasts are more accessible and “fun”, the written word is extremely valuable in transmitting complex logic. This applies also to future deliverables as a cybersecurity professional — the client may forget the details of your presentation, but they’ll at least have your write-up to fall back on.

It’s ok to suck at first.

I went to high school with George Hotz, who was credited as the first person to unlock the iPhone. There are people like him who just have a natural talent for hacking, and I’ve become ok with not being one of them.

What I’ve learned through earning the OSCP certification is that a lot of this comes down to grit. You can learn to do many things in cybersecurity, given enough time and effort (“Try Harder”, per Offensive Security). Give yourself some slack and patience and have faith in the process.

It reminds me of when I was working as a cook at a Japanese restaurant; my head chef didn’t mind that I had zero professional experience. What he demanded instead was that I maintain the kaizen attitude of improving myself at least a little bit each day, learning from my mistakes and purposefully training my skills.

Towards the end of my program, one of my bootcamp fellows (https://github.com/binexisHATT) reminded us: “This is not the beginning of the end; it’s the end of the beginning.”

That could not be any truer. At this moment, I am funemployed and still don’t know what my dream job or the next 5 years looks like. The one thing that I know for sure is that I want to keep exploring this field for it in itself, not simply for the sake of making a lot of money. As someone whose first experience with cybersecurity was a formal training program, I’ve been having a lot of fun catching up on industry history and community lore — the L0pht crew sounded like a dope place to be, and I look forward to finding a tribe of my own.

Perhaps by following my interests and enjoying each step of the way, I’ll have found my calling at the end of the road. After all, it seems like I’ve arrived at this point not by careful planning, but via culmination of all the detours and scenic routes life has taken me on.

“You look at where you’re going and where you are and it never makes much sense, but then you look back at where you’ve been and a pattern seems to emerge. And if you project forward from that pattern, then sometimes you can come up with something.

Mountains should be climbed with as little effort as possible and without desire. The reality of your own nature should determine the speed. If you become restless, speed up. If you become winded, slow down. You climb the mountain in an equilibrium between restlessness and exhaustion. Then, when you’re no longer thinking ahead, each footstep isn’t just a means to an end but a unique event in itself. This leaf has jagged edges. This rock looks loose. From this place the snow is less visible, even though closer. These are things you should notice anyway. To live only for some future goal is shallow. It’s the sides of the mountain which sustain life, not the top. Here’s where things grow.

But of course, without the top you can’t have any sides. It’s the top that defines the sides. So on we go — we have a long way — no hurry — just one step after the next — with a little Chautauqua for entertainment.”
― Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance: An Inquiry Into Values

Atelier de Sécurité

Thought pieces & guides for aspiring cybersecurity practitioners.
