𝛑
𝛑

My Story

I have spent my whole career in information security, mostly around enterprise security and data security. I have gone from security engineer to security architect, and I would honestly say I love this job, take it seriously, and feel responsible for it. I also know where I fall short. I quietly look up to the veterans standing on the mountaintop; that’s the reminder I use to keep learning. Whenever I hit a wall, I look at what good peers of my generation are shipping and use that to push myself forward.

Today I’m a Senior Information Security Architect at AMEX in China, reporting into the CISO. If you care about the resume-shaped version of my career, my LinkedIn is probably a better read. I’ve been through several 0-to-1 security build-outs, and along the way I’ve slowly traded youthful bravado for something steadier. I got into security through web pentesting — writing crawlers and web shells was my entry ticket. Then I went from BTCC (a Chinese crypto exchange), where the security stack was basically stitched together from open source, to Ele.me / Alibaba, where nearly everything was built in-house at scale, and started leading the architecture and rollout of large security projects. The day after I joined Ele.me, the company officially merged with Koubei to form Alibaba Local Services; the Alibaba playbook forced me to think in systems, and I devoured every internal security doc on ATA that I could find. Then at PayPal I helped stand up a data center from zero and began to see how the platforms hyperscalers build in-house map onto the commercial products the rest of the industry buys. Two full data-center build-outs left me feeling confident and accomplished; the next two taught me to step back and take operations and management seriously — no single person can do all of it. I never miss a chance to learn either, so I made a point of understanding the security designs inside the companies PayPal had acquired. Not long after being promoted at PayPal, I followed the first manager I truly respected — someone who was mentor as much as boss — over to KuCoin. My plan going in was to spend five years there. Reality had other ideas. Even though my manager shielded me from most of the non-technical noise, I still had to look for the next step. “One day in crypto is a year anywhere else” isn’t a joke. The upside is that I got a lot of ideas and designs into production, evolving from single-product security work into full-stack security solutions, and I shipped a few small internal security products of my own. Playing the bad-cop role of tracking the whole team’s delivery also made it painfully clear that resource allocation lives and dies with the CISO’s vision. Good or bad — it’s the foundation everything else rests on. That period was where my technical growth accelerated the fastest.

Then I landed at my current company (AMEX), and got a firsthand view of how far behind card schemes can be, of the bureaucracy inside partnerships with UnionPay (China’s national card scheme), and of just how conservative and legacy-heavy traditional banking still is. Coming from fintech and web3 back into the most old-school corner of payments — the card schemes — the work is no longer 0-to-1. It’s more like -1-to-0. If you skim my posts from this period, most of them are reflections and post-mortems on failed designs. My worldview widened, but my technical growth was close to zero, and I stopped feeling confident. Real learning requires continuous practice. Fortunately, I ran into another manager I could respect — the second in my career. The two of us have spent plenty of time frustrated together over correct designs that just can’t ship, and plenty of time consoling each other with the old line about “not being alone on this road.” Rotting process and arrogant bureaucracy don’t stop you from learning the business, though. If my old temper was version 1.0 — flammable, explosive — the version I run today is 2.0, much better at absorbing friction. What I got out of this stretch was a full-picture understanding of communication, and of how process, management, and operational ledgers hold things up in a heavily regulated environment (in China, MLPS-style dengbao compliance and regulator-driven programs shape almost every control). That has forced a lot of reflection. Back at PayPal I set myself an annual goal — cut down on anger, cut down on impatience, cut down on greed — and for a while I thought I had it under control. Turns out the environment was doing most of the work; once you leave that soil and run into idiots, the aggression comes right back. Real training on those things only happens in painful environments, but that doesn’t mean you should go chase pain either. Don’t invent suffering for yourself. Stay unimpressed by titles and haloes. Be someone worth respecting — and start by respecting yourself.

Between 2020 and 2023 I worked remotely, and I picked up seal carving, archery, tea, cycling, and camping. I still don’t have patience for elaborate rituals. Tea should be drunk, not performed — knowing about tea culture is fine, you don’t have to perform it. Archery is fine as long as you don’t hurt yourself or anyone else. Camping is fine if the view is nice and the friends are real. If cycling feels good, spin the pedals; if it doesn’t, walk it off. Plain and honest, basically. After a lot of thinking about life over the last year or so, my head got quieter, and I started learning how to be friends with time.

I don’t have much tolerance for people who aren’t sincere. Sometimes I see peers who already made it to CISO and I feel a little envious. I see clickbait Chinese security accounts going viral on WeChat and feel a flash of jealousy. But once I realized I couldn’t and wouldn’t play that game, I got calm about it. No more envy, no more anxiety. I uninstalled Maimai (China’s professional networking app) more than two years ago and honestly haven’t missed it. I keep thinking about how to move my career forward, how to budget my energy, how to keep learning while also being present for my kid. Oh — I have a little son, a bit over two years old, and I love him a lot. I think of myself as a “new-style Chinese dad”: I tell my son I love him, out loud. Having him has also made me a lot easier to move to tears. For the last ten years I almost never cried, but when a nurse can’t get the IV in on the first try, the parents may end up crying before the kid does. I’ll probably write more about him in the future.

There was a stretch where I felt lost, and I started reading the Tao Te Ching, the I Ching, Zi Ping Zhen Quan and Bing Jian (classical Chinese texts on Taoist philosophy, divination, physiognomy, and character reading), and dabbling in divination — Gao Dao’s I Ching lectures, Ye He Lao Ren’s writings, the whole thing. Eventually I figured out I don’t actually understand any of it. Ha. That’s roughly where How the Wind Rises from a Blade of Grass came from. Several security folks whose work I follow seem to secretly harbor the dream of becoming a man of letters. I won’t claim that dream, but I do hope that one day I can pivot into being a writer. Wherever you are and whatever your position is, being clear about what you actually want to do matters more than anything else. I update my reading log once a year — you can find my bookshelf here.