Becoming an Ethical Hacker
eBook - ePub

  1. 192 pages
  2. English

About This Book

An acclaimed investigative journalist explores ethical hacking and presents a reader-friendly, informative guide to everything there is to know about entering the field of cybersecurity. It's impossible to ignore the critical role cybersecurity plays within our society, politics, and the global order. In Becoming an Ethical Hacker, investigative reporter Gary Rivlin offers an easy-to-digest primer on what white hat hacking is, how it began, and where it's going, while providing vivid case studies illustrating how to become one of these "white hats" who specializes in ensuring the security of an organization's information systems. He shows how companies pay these specialists to break into their protected systems and networks to test and assess their security. Readers will learn how these white hats use their skills to improve security by exposing vulnerabilities before malicious hackers can detect and exploit them. Weaving practical how-to advice with inspiring case studies, Rivlin provides concrete, practical steps anyone can take to pursue a career in the growing field of cybersecurity.

Yes, you can access Becoming an Ethical Hacker by Gary Rivlin in PDF and/or ePUB format, as well as other popular books in Personal Growth & Careers. We have over one million books available in our catalogue for you to explore.

Information

Year: 2019
ISBN: 9781501167928

1


FIREFIGHTERS

Some are born geeks. The only question is whether they’ll end up in cybersecurity or doing some other aspect of computer work. Craig Williams, for instance, was in kindergarten and playing on an old Apple computer when he discovered that by clicking on the control panel icon, he could change the display colors on a screen, thereby messing with teachers who had no clue what had happened. “I’ve known exactly what I wanted to do pretty much for my entire life,” said Williams. Today, Williams is thirty-eight years old and handsomely paid as a manager for an elite security team inside Cisco. By comparison, Allison Wong was a late bloomer: not until she was around eight did she first touch one of the machines that would change her life.
Angela Gunn, by contrast, didn’t discover info-sec as a career until she was on the wrong side of forty. Gunn, who had grown up in a small town in Nebraska, had studied philosophy at Occidental College, a small liberal arts college in Los Angeles. She thought she might want to write about architecture until learning, she said, “there’s very little money in that.” She figured she had scored big when she secured an interview with a new literary magazine called Wigwag that had been started by a group of exiles from The New Yorker, “but it closed before I even got to New York.” She would become a de facto tech journalist, not from any deep affinity for computers but “because that’s where the jobs were in the early 1990s.” She took a job at PC Magazine, where she quickly moved up the ladder from researcher to reporter to editor. That was in 1995, at the dawn of the internet and a perfect moment to be working as a tech journalist. She was just twenty-six when she was hired as the editor in chief of a new publication called WebWeek. Five months later, she let herself be wooed away by another startup magazine called Yahoo! Internet Life. Over the next few years, Gunn wrote for a number of well-regarded trade publications—columns for IEEE Internet Computing and Computer Shopper, product reviews for PC Magazine—before moving to Seattle, in 1999, for a job as tech editor at the city’s big alternative weekly, the Seattle Weekly. That was at the peak of Microsoft’s industry might and a couple of years after a relatively modest-sized online books-and-CD retailer named Amazon had gone public. At the Weekly, Gunn wrote a column she called Kiss My ASCII (ASCII—pronounced “ass-C” or “ass-key,” depending on whom you ask—is a computer standard for text dating back to the 1960s) and also contributed to its film and music sections.
Gunn never seemed to stay in one place long. Two years after moving to Seattle she was back in New York to rejoin the staff of Yahoo! Internet Life, which went out of business a year later. There was a brief stint as tech editor of TimeOut New York before Gunn moved to the Washington, D.C. area to take over as tech editor of USA Today, a national newspaper with a circulation in the millions. That proved a great job but also a burnout position and one that allowed her little time for her own writing. She stepped down as tech editor but continued writing for the paper and its website. She also moved back to Seattle, where she cohosted a short-lived revival of PC World’s Digital Duo, a PBS tech show focused on new products. At its peak, it ran on 184 public television stations around the country. “There’s always part of me that craves the new thing,” Gunn said.
Digital Duo was canceled at the end of 2005. Gunn thought about moving back to New York but she landed a gig with Computerworld, which wanted her to stay on the West Coast. Her interests were growing geekier, as were the outlets interested in publishing her work. Her change in focus meant a return to the more esoteric publications where she launched her journalism career. “As a journalist, I was looking into privacy,” Gunn said. “That led to security issues, and I was off to the races.”
The job at Microsoft was a happy accident. “I wasn’t looking for them and they weren’t looking for me specifically, either,” she said. A friend—someone who had written for her at Computerworld—had met with someone at Microsoft to talk about a new position working with some of its security people. The friend said he didn’t think he was right for the job but recommended Gunn. “Microsoft reached out to me to gauge my interest and I figured what the hell.” She knew Microsoft well from two decades of reporting and they knew her work. “They told me they felt I’d been pretty evenhanded in my coverage over the years,” she said, but they also couldn’t refrain from quoting a couple of sharp things she had written. In 2010, twenty years after she had taken her first job in journalism, Gunn showed up on Microsoft’s campus to work as a senior response communications manager within the company’s Trustworthy Computing program, which Bill Gates himself had announced, in the early 2000s, once the company belatedly decided to get serious about security. Gunn was now working incident response for the world’s largest software maker, a very fat target for people with bad intentions.
• • •
“We’re somewhere between a firefighter and dental hygienist,” Gunn said of those who work incident response. The firefighter part of the job means rushing in when clients fear the worst about their computer systems—a member of the “cyber special forces,” as Gunn’s latest company, the London-based BAE Systems, describes the four thousand people working for them across the globe to “defend against cyber-attacks, fraud, and financial crime.” It’s that part of the job that prompts Gunn and others to make comparisons to paramedics, ER doctors, and other first responders. The dental hygienist part of the job is the preventative work Gunn does. She’s responsible for a small constellation of clients. Are they making security a priority and investing the resources and time needed to reinforce and test their defenses (and thereby reduce the likelihood that she’ll need to play heroine because their defenses have been compromised)? “It’s a strange balance,” she notes. “The IR [incident response] work is pure firefighting. But the ‘readiness’ part of the job”—how incident response people spend much of their time—“is really about the importance of flossing and periodic checkup appointments,” she said. This time between incidents is a time for healing. “We call that polish-the-firetruck time,” Gunn said.
Most people spend only a few years, if that, in incident response. Just as emergency rooms are common entry points for recent medical school grads doing the internship or residency they must endure to become a doctor, so is incident response a standard route for people getting into info-sec. “When people ask me, ‘How do I get into this field?’ I tell them, ‘Go get an on-call gig,’ ” said Cisco’s Craig Williams. “Not at a help desk but something where you’re working on these breaking security issues.” For people at Cisco or Microsoft or Google, that means responding to news of a vulnerability in one of their products. A software team will work on a fix but meanwhile a quick patch must be applied, a makeshift intrusion prevention system deployed, and an autopsy performed to figure out what happened. At a firm like Gunn’s, it’s her and her team responding to an “incident,” which is what people in the industry tend to call it when a client phones to report a problem. The hours can be brutal but the pay excellent, even for those with little or no experience in info-sec. The average pay for an entry-level “incident analyst/responder” in 2018, according to CyberSeek’s Cybersecurity Career Pathway, was $99,000 a year, and yet there are thousands of openings in the field. Entry-level forensic work—what the survey describes as a “cybercrime analyst/investigator”—was paying $85,000 a year. Salaries are bound to be inflated for those fortunate enough, financially at least, to work in a big city for a huge corporation or a big international consulting firm.
“Frankly, it’s a job a lot of people burn out on,” said Cisco’s Williams. “But it’s one of those positions where you learn a ton. If you’re just getting into the field, it’s a great way to get up to speed.” Williams knew it wasn’t the right life for him early in his career at Cisco, when he and his wife were relatively new to Austin and out at a place called Trudy’s, known for selling margaritas so oversized that they cut you off at two. “I make it my personal challenge to finish two every time,” Williams told me. He had already polished off his second margarita when his cell phone went off. It was his boss. “He’s like, ‘There’s a worm in Thailand; we need you to come in and write an update,’ ” Williams said. He explained that he was in no condition to drive, let alone write a patch, but his boss wasn’t accepting his no. “So my wife drives me to the office and I write the update as she sits there looking at me like, ‘You have the weirdest job.’ ” Williams is still with Cisco as a company “director,” where he plays more of an ambassador role and not what anyone would describe as an on-call job. “That was my life when I first joined the company,” he said. “But as you can imagine, that’s not a super-sustainable model.”
Yet there are also people like Gunn, for whom incident response, if not the perfect job, seems as good as it gets in a world where you have to devote fifty or sixty or more hours every week to pay the bills and keep the lights on. “It’s a work style that feels comfortable to me,” Gunn said, adding, “I’d rather be summoned on a call at four in the morning a few times a year than sit there in a nine-to-five job being bored.” She had worked as a deadline journalist and agreed with me when I offered that her job now seems not unlike all those years she was working for websites in the business of breaking news. When I asked her if she’s happy doing what she’s doing, she laughed. “Have you ever known a truly happy journalist, ER worker, or first responder?” she countered. I conceded the point but then Gunn gave a direct answer to my question: “It’s a lot of crazy hours. Sometimes I’m surviving on caffeine. But I do like it. I’m enjoying it.”
Gunn had always been a talented journalist. So it was no surprise that she had the right instincts about security back when she was still writing about tech: she was writing increasingly about security in the second half of the 2000s, just as the computing world was moving in that direction. Security—along with privacy issues—was becoming more central to computing and becoming a greater priority inside the industry. News outlets started employing reporters who focused exclusively on security. Venture capitalists funded more security startups while more traditional corporate security companies that had always focused on physical security beefed up their cyber practice. So, too, did big-name accountant firms and other consultancies. And Microsoft was hardly alone. Every big name in computing, from Apple to Google to Facebook, has suffered embarrassing data breaches.
Microsoft was eight years into its transformation from security laggard to industry leader when Gunn joined the company. Gates had implemented Microsoft’s Trustworthy Computing program in 2002, and twelve months later, the “Slammer” worm hit one of Microsoft’s core products, SQL Server, the database software that helps run business around the world—“the storage backend,” as a former Microsoft engineer described it for me. Slammer infected roughly seventy-five thousand servers in ten minutes and caused problems across the globe, including flight delays and clogged ATM networks. “That caused Bill G [Bill Gates] to declare a major reset,” the engineer said. “The whole company stopped working on features, at least for a bit, and focused on security.” The job Gunn had been recruited to fill was created both to improve communications about security issues with the company’s developer community and also those who were using Microsoft products.
Gunn was on the job six weeks when the world learned about Stuxnet, one of the more insidious worms to ever infect computers connected to the internet. Inspectors for the International Atomic Energy Agency found that centrifuges at an Iranian uranium enrichment plant were failing at alarming rates yet couldn’t figure out why. Several months later, computers around the world were spontaneously crashing and rebooting. That was Stuxnet, which took advantage of multiple security holes in Windows and other software. The brilliance of Stuxnet was twofold. First, it covered its tracks. It hid the malicious files it added to a computer and took extra steps to cloak any processes it was initiating. Second, Stuxnet weaponized a computer: it didn’t steal information or wipe out a hard drive but instead hid out and did physical destruction to the Iranian nuclear facility—the world’s first digital weapon, reportedly created by Israel and the United States to disrupt Iran’s nuclear efforts.
“Stuxnet was my first big case,” Gunn said. “That was brutal.” The fact that she was so new to the field only added to the “weirdness,” she said. “My poor boss. We weren’t close but he says to me, ‘You do this, you’re not going to be a journalist anymore.’ This is a month or two into Stuxnet. He asks me, ‘You sure you want to do this? Because if you want to go back, we can pretend this never happened.’ Basically, he was asking me, ‘Are you in or are you out?’ ”
Gunn wasn’t going anywhere. There was something intoxicating about being on the inside after all those years as a journalist on the outside. She had found out about Stuxnet before most of the rest of the world when she was summoned to what she called the “ssirp room.” (A shortened version of what at Microsoft they call the Software Security Incident Response Process, or SSIRP.) Weeks passed before they pieced together what had happened. “We’re talking meetings that lasted for hours with people you’re scared to make eye contact with because they’re screaming,” she said. “But you start to figure out what’s going. What’s on fire and needs immediate attention and what can wait until tomorrow.” There were showers downstairs for those days when there was no time to make it home. “All of us had a locker for a change of clothes. There were nap rooms. A towel service. Food. It wasn’t uncommon to spend three days on-site.”
Gunn coordinated communication for the company’s incident response group. Much of the job boiled down to managing how Microsoft spoke to the wider world about Stuxnet or some other piece of malware introduced through a security flaw in a company product. Often that plan centered on a speech delivered in a large ballroom at one of the big industry conferences: Black Hat, Hack in the Box, RSA. Gunn fielded press calls on security-related topics, and handled communications from contractors, consultants, third-party software makers, and others outside the company. She provided answers when she could and, when she couldn’t, routed the query to the right person. Gunn delivered regular security bulletins—one or two in a quiet month, a dozen or more in a busier one, and, when necessary, published a special advisory. She blogged about security issues on the Microsoft website and served as a writing coach and editor for members of her group who wanted to write about whatever small disaster hit Windows or another Microsoft product.
Yet the part of the job Gunn loved—the part she spoke of with passion years later—were the hours spent in the ssirp room after they had learned of a new security breach. “There’s this excitement,” she said. “You’re constantly on the phone, figuring out what’s happening, getting your guys together, getting control of this thing.” She was fascinated by the glimpses it gave into the people she worked with: those who rose to the occasion and those who couldn’t handle the pressure. “A lot of incident response training comes from watching people who are really good at it do it,” she said. A small incident might mean only a few days in the room but the drama stretched out for weeks when it was a massive problem like Stuxnet. “You worked on an issue you were assigned to until it was time to stand down,” Gunn said. Some chafed at that kind of pressure but Gunn seemed to thrive on it. “When I shifted to another position inside Microsoft, I missed it,” she said. Sitting across from me at Bedlam Coffee, she mimed out the feeling she had once she had shifted to that new job at Microsoft. She stared longingly at a make-believe door now off-limits and then said in falsetto, as if a child, “You mean I can’t go into the ssirp room anymore?”
Gunn’s first job in info-sec ended when, a little over two and a half years after she had started at Microsoft, in the fall of 2012 she received a promotion from senior response communications manager to senior security strategist. Her job now was to help Microsoft figure out how it should talk to the larger world about vulnerabilities in its software. She represented the company at conferences, promoted interesting research being conducted at Microsoft, and helped introduce “bug bounty” programs to college campuses. This last initiative proved a radical shift for any software maker. Rather than fight the impulse of hackers to find holes in a product, Microsoft would pay a reward to any who reported a vulnerability in its software.
Yet the commute from her home in Seattle across Lake Washington to Redmond, where Microsoft is headquartered, was taking a toll, as was workplace drama inside the company’s security unit. Fifteen months after her promotion, Gunn left Microsoft for Hewlett-Packard, where her friend Dave Weinstein, whom she had met while both were working security at Microsoft, had landed a year earlier. HP had taken custody of the Zero Day Initiative, an effort by white-hat hackers to create a kind of clearinghouse of software flaws that lead to cyberattacks and security breaches. There, Weinstein was among those analyzing the bugs that researchers sent to Zero Day in the hopes of being paid a bounty for finding a security flaw. “We told you how much we were willing to pay for the bug and the researcher said yes or no,” Weinstein said. “If they said yes, that meant they sold us the intellectual property in the bug, and then we would study it and use it” to better combat malware. The attraction for Gunn was a chance to work “threat intelligence” and, not incidentally, take a break from the intensity of IR work inside a place like Microsoft. She didn’t go to HP thinking she was done with IR but she was happy for the time away. “People cycle in and out all the time,” Gunn said. Once again, she was working as a writer and editor. She oversaw the white papers, blog posts, public speeches, and tweets produced by Zero Day engineers while also publishing her own original research.
Gunn enjoyed working at HP. The hours were good, her colleagues congenial, the work interesting. There were also holidays with family. “Most people in IR can’t remember a December holiday that went without a hitch,” she said. “There are always calls on Christmas and Thanksgiving, even when I was covering this stuff as a journalist.” Yet she also missed being in the room and the camaraderie that came with doing battle against a formidable new bug. There were also the good feelings that came with a job that let Gunn compare herself to the gunslinger in an old-time western who saves the town from t...

Table of contents

  1. Cover
  2. Dedication
  3. Prologue
  4. 1. Firefighters
  5. 2. The Sniffer
  6. 3. The Security Princess
  7. 4. Department of Defense
  8. 5. Bug Hunters
  9. 6. Prodigy
  10. 7. What It Takes
  11. Appendix
  12. Acknowledgments
  13. About the Author
  14. Copyright