The path I took to security was a combination of planning and dumb luck.   I spent years in an operational infrastructure role.   Many hats worn, many nights lost supporting operating systems, messaging systems, voice systems and networks.   In each role I had operational security responsibility but managed to avoid policy, procedure and the traditional information security responsibility.   The world changed during a disaster event at my company, the entire department was reorganized and traditional security was moved under operational security.    Now the journey really begins…