From Self-Taught Programmer to Lead Security Architect

Richard Dubniczky is a Lead Security Architect at Zeiss, a PhD student, and a self-taught programmer. I had the pleasure of interviewing him to discuss his journey and hobbies.

What first drew you to the field of computer security, and how did that early interest evolve into your current focus on cybersecurity architecture?

To be honest, I was quite unsure what to do when I was in high school. I tried out a few things, including finance, photography, and tinkering with computers, amongst other things. Eventually computers won the race, so to speak, and my journey into the depths of Computer Science began. I started off like many other students, learning basic languages such as C, C#, and Python and immersing myself in the details of each, alongside a particular interest in web applications and servers.

As I started understanding how servers work, I also started seeing the mistakes I’d made and how they could have a serious impact if someone found them. Quite quickly I figured out I wasn’t alone in making mistakes, and I started playing around with other people’s “broken” services. I hacked into random websites on the internet, gained admin privileges on school computers, and I started amassing an arsenal of tools I could use. I still have the git repository of over 500 tools that I collected, wrote, or modified to my liking (this one is private, sorry). My biggest catch so far has been a critical vulnerability in Coinbase’s authentication flow.

At this point I had some experience with both blue and red team activities, which helped me secure a security engineering role at Prezi. I learned a lot there about massive-scale AWS systems, completed certifications, and took on more and more responsibility for owning services. Eventually I became Technical Lead of Security Engineering. As a technical lead, my job was not too dissimilar from an Architect’s, and I enjoyed the work that came with it. I’m definitely a more extroverted personality than most developers I know, so I didn’t mind the organizational duties alongside the technical ones that come with a leadership role. Eventually I joined Zeiss as their Lead Security Architect for everything to do with customer interactions.

This has been my journey over the last 10 years, so it definitely didn’t come quick or easy. I view the Security Architect role as a career that you prepare for, rather than “just a job” that you take up after leaving school.

What key advice would you offer to aspiring security professionals, particularly those interested in specializing in cryptography or architecture?

I believe my main superpower is curiosity. I’m deeply interested in everything to do with programming, services, technologies, exploits and tinkering. These are, however, not enough to be a good architect in my view. You also need the people skills and the drive for leadership.

I spent countless hours deep diving into technical topics, but I also spent a lot of time working on social skills, understanding business needs, and how management and business-oriented people think about issues.

Being an architect is just as much about selling your vision to people both above and below you as it is about executing on it.

So my advice to You is diversification. You should be good at the technical, as well as the personal and organizational, aspects of business. Security is never “just a priority”, you have to make it the priority! If you have the drive to do this, then you’ll be a successful architect!

As a security architect, what are some of the most complex challenges you've faced in designing secure systems?

Nobody wants to write insecure software. This has been a general trend I’ve noticed over the years and whenever a gaping hole was pointed out to one of my colleagues, they often rushed to correct it as soon as possible. What’s the issue then?

People also always prioritize features over bugs. There is much more recognition for being the one who completes the shiny new features management asked for on time, rather than for fixing five security bugs, “many of them would never have been exploited anyway…”

The abundant use of external packages also makes this worse. Developers are usually more easily persuaded to fix their own mistakes than to spend hours trying to migrate to a newer version of an obscure package that “we are barely using anyway.”

If pushing security into the spotlight is a constant fight, then the architect role also feels like a constant fight. My tactic was to get buy-in from as many of the developers as possible. Write our own shared security guidelines in which everyone participates, so they feel like these rules are their own! We are securing software according to our shared principles, so people are not forced into a system they feel does not take their perspectives into account enough.

There are plenty of challenges from a technical point of view as well, though I feel like they are much easier to manage. You are most likely pivoting to Security Architect from a Security Engineering role, so you’ve likely spent years tackling them before. I’ve been thinking much more about the “why” of things, though, rather than the “how”. It’s a difficult balance to be viewed as the person to turn to when in doubt rather than the one who always halts progress.

Congratulations on starting your PhD in Cybersecurity and Cryptography! How has the experience been balancing your research with your work as a security architect? Have there been any unexpected challenges or insights so far?

I’m still relatively close to the beginning of this journey, so my answer will definitely evolve in the upcoming years. I always enjoyed sharing my work in as much detail as possible (mostly through my GitHub repositories), so writing about it in an academic manner seems like a logical next step. It will get my ideas challenged and brought in front of the security community much more!

Doing a full-time job and a Ph.D. at the same time is not something for people who enjoy work-life balance. It comes with a lot of sacrifices that I had to clearly discuss with my family beforehand. One thing that helped me a lot in managing my time has been reading the books of brilliant thinkers and scientists of our time. Some of the ones that had the most impact on me are:

  • The 7 Habits of Highly Effective People, by Stephen R. Covey
  • Deep Work, by Cal Newport
  • Never Split the Difference, by Chris Voss
  • Why We Sleep, by Matthew Walker

One unexpected result of starting my Ph.D. has been the tremendous amount of support I received, both from family and friends, but also from my colleagues, many of whom expressed interest in joining in and helping with some papers, as well as the opportunity to publish some of my work. Working on papers at the cutting edge of technology is a cooperative venture, and one that yields many unexpected connections to great people!

It might come as a surprise to You, but despite spending most of my time working or sleeping, I do have quite a few hobbies I enjoy doing with friends and family:

  • Scuba diving & water sports: I always enjoyed being on the sea. Above it, on it, in it, or just around it are all great ways for me to switch off in the summer. Diving, swimming, surfing, and water skiing are my favorite outdoor activities of the year. In fact, I’m no more than 50m away from the sea as I’m writing this in August.
  • Escape rooms: Going to neatly crafted escape rooms and eventually escaping as the timer slowly runs out is one of the most fun activities I’ve participated in with friends or family. I already have 30+ under my belt easily.
  • Photography: I demoted photography from a career aspiration to a hobby, and it made it all the better! I travel a lot, and taking a couple of great pictures I will remember is super fun and makes me pay attention to the beauty of my environment a lot more.

Aside from the occasional “holy sh*t something’s on fire” from my colleagues? My main sources of news are The Hacker News, IT Brew, as well as some blogs, YouTube channels, and private forums I frequent.

I wouldn’t necessarily give anyone a list of these, as they should evolve over time depending on your interests and specialization. Staying up to speed is as crucial as ever, on the regulatory as well as the technical side of security.

I’m not very active on social media, so I apologize if you don’t receive an answer.