It is totally feasible. The reality of IT work is that maybe 20-30% of the work force is actually *technically* competent. The rest are project managers and people with very narrow skill sets who lack the critical thinking skills that allow them to be self sufficient and make real contributions. I do not mean to bash on good project managers, because in organizations of any real size, and for projects of any real complexity, good PMs are absolutely essential because they free up the skilled tech people to do the real heavy lifting.
There are plenty of mid-tier security companies out there (Accuvant, FishNet, etc) who could use people with real talent. Most major consulting firms (Deloitte, KPMG, etc) have forensic and threat response groups. I would not want to work for a big firm like that, and they usually just want college grads who they can burn out, but they are DESPERATE for real talent.
Follow some mid-tier security companies on LinkedIn and what not. Keep an eye on their marketing events. Go to them. Talk to the people. Explain your situation. Most people will tell you No. You only need one to say Yes and give you a chance.
Depending on where you live, I might even be able to put you in touch with some people. Does/. have an IM system yet? Figure out a way to get in touch with me. I have a somewhat similar background. I only learned enough ASM to write virii and crack video games, but that little bit of knowledge has been an asset for me at a few times over the course of my career.
This seems like a good topic because it has attracted the attention of a lot of people who work in the information security field. I deal with information security and have ever since going to 2600 meetings as a kid. My awareness of information security has always been a competitive advantage when looking for work, and has helped out tremendously in my IT career. I work for a company that deals with confidential, sensitive and personal information on a daily basis. We take security seriously because we have to, because our clients demand it. Our clients demand it because the government mandates that they care about it via regulation.
This leads me to my question, and I hope this produces some good discussions. How many of you guys who are decrying the lack of focus and importance that corporations place on cyber security, are for strong governmental regulation of private industry? It has been my experience, in over fifteen years of IT work, that the only places that "care" about security are those who have to because there are fines associated with not caring. As some have pointed out, security is viewed as a cost center. Unless there is a very real risk of a fine that exceeds the cost of security, the finance departments and executives are not going to "waste" resources on security initiatives.
Along the same line of thought, are there any other ways, besides regulation and fines, to make companies care about protecting their information? For example, companies that depend on intellectual property are probably willing to invest in security to protect it.
IT is a hobby that I was fortunate enough to turn into a career. Other than a couple of ROP classes in high school and a few certification exams, I have never received any formal education in IT. I have been lucky enough to have worked for good bosses who were also interested in being good mentors. In turn, I try to do the same for my employees by giving them an environment in which they can succeed, learn and grow as IT professionals.
IT is such a deep and wide field of expertise that in order to excel in it, you have to really enjoy it. Otherwise it will burn you out. Every day presents a new challenge to overcome. It takes a special kind of masochist to keep coming to work, day after day, knowing that no matter how hard you work, there will always be something else that breaks and needs fixing. Or even once you get beyond break fix and fire fighting, there is always the need for optimization and performance tuning.
If I want to sell a stock to my friend over my coffee table, who cares? Regulation is important, but at a certain point, it gets to be burdensome. Nobody is forcing people to use dark pools. They are there because they provide a benefit to the people who participate in them. Does it really matter what people buy and sell for via those venues? If so, please explain to me why.
Plenty of reasons to hold a stock short term. Not milliseconds short term, but less than a day. Let's say that you are an old fashioned investor and you find a company whose product you like. Wanting to support them, you purchase a bunch of their stock. Later in the day, some horrible news comes out about their CEO selling small children into sexual slavery.
I am sure that you can easily come up with many other, just as feasible scenarios where you might want to get rid of a stock that you recently purchased.
I agree. What do they mean "now" hiding in graphics cards? My dad, who was programming back in the 60s, suggested this to me when I started getting interested in assembly coding and viruses in the mid-1990s.
More like "Brilliant people expose the trouble you're currently in".
This is so true. I am far from brilliant, but one of the double edged facets of my personality is my tendency to focus on the problems in any given IT infrastructure, or in the processes and people that make up the infrastructure. On one hand it is valuable because it keeps me busy and makes it possible for continued improvement. On the other hand, nobody likes the guy who is always focused on problems and talking about what is broken.
Beyond a certain level of intelligence, people are going to be naturally curious and will instinctively think of ways to make things better. For an organization like the NSA, that personality type is dangerous. They do not want someone who is going to evaluate and think critically about the system. They want people who are going to keep it running, and not stop to question why they are doing what they are being asked to do.
We just let a guy go because he proved himself to be incompetent and a liability. Despite the fact that the guy was a complete screw up, we still gave him two months heads up that it was time for him to go find a new job. He resigned three days later.
I have been blessed with a lot of good opportunities, and one of those was to move into management and bring home serious amounts of money for doing something I love. I do not look down on the choices of others.
I do look down on whiners. I look down on people who complain about management without being willing to take the initiative to be a good manager themselves.
One more point here... " I think in this modern society, especially in the U.S., we overvalue the leaders and undervalue the followers to the point that we forget that leaders cannot do any good if they do not have good followers."
This has been the opposite of my experience. I was promoted into a leadership role because I was so good at what I do, that I was doing it 12+ hours every day and getting burnt out. I got to the point where I said, "Either find me some help, or I am leaving." At a good company, the executives are going to empower employees who are getting the job done. Sometimes that means giving them subordinates to lighten the load. I was entrusted with the careers of other people because I was able to articulate what needed to be done and provide strategies (project plans, business cases, etc) that demonstrated how to accomplish what needed to be done. The business knew that I was going to make good use of whatever resources they gave me.
If one of my guys quits, I can step into the breach and keep everything going until we find someone else. Conversely, I am grooming my team to step in and take my position when I get to the point that I want to do something else. I make sure that they have the technical skills and training to do their jobs, and for those who are interested, I also pass along what I am learning about management. The same relationship exists between me and my boss. He is teaching me how to be an executive.
After close to fifteen years of experience, it is a reasonable expectation that a competent developer has enough experience to contribute to a team effort. IT is very much a technical trade. There is an expectation of a master / apprentice style of relationship between senior team members and their junior counterparts. It is strange to have fifteen years of experience and not having demonstrated some quantifiable leadership traits.
You are at the point in your career where you are going to hit a salary cap if you do not want to step up and be a bigger contributor to the teams you are a part of. I know guys in that position and they are comfortable there. They are making six figure salaries and are okay with the trade off between a smaller paycheck and not having to deal with all of the project management and personnel / mentorship expectations that come along with leading teams.
Leaders are over valued because there are so few of them. Good leaders are hard to come by. There are plenty of people in leadership positions who should not be there. There is an old saying, "The person who wants the power the most, is the last person who should be trusted with it." There are plenty of people with degrees in "management" who do not have experience with the work the team they are managing is doing. In IT, those people are deadly. They have no idea what it takes to really get the job done, because they have never done it, do not know how to do it, and do not have any interest in learning how to do it.
Look at yourself. You do not have, or do not seem inclined to manifest, leadership attributes. There are a lot of people like you. A lot of followers who want others to lead. I just hope you are not the kind of follower who complains about other leaders, without being willing to be a leader yourself.
I moved into a management position after thirteen years in the trenches. I now have a staff of three (and growing). I provide guidance and advice to the CIO, and to IT staffs at Fortune 50 corporations. At this point in my career, my experience and ability to articulate in why the company needs to pursue a given IT initiative is significantly more valuable than my ability to push buttons, develop scripts and deploy a specific technology. My ability to vet vendors and see through the smoke and mirrors because I have enough successful implementations under my belt is more valuable than my ability to implement a given technology.
Management sucks and it requires some specific skills to deal with the levels of suck inherent in management. There are so many "leaders" who cannot even meet deadlines, or develop project plans, or articulate what their team spent the last week doing, and what they will be doing for the next week. There are plenty of leaders who say YES to everything because they cannot understand risk or do not know how to define the scope of a project.
Given your nearlly fifteen years of development experience, if I were looking to hire you, I would expect that you have been on enough teams to know what works and what does not. I would expect you to be able to run a team. I would expect you to be able to setup a source code repository. I would expect you to be able to manage an SDLC. In short, I would expect that you can do more than just crank out good code. What else are you bringing to the table? What good habits are you going to impart into the rest of the team? If your answer is, "I am going to show them how to sit in a cube, do their jobs and not contribute beyond that." the odds are I am going to pass you over for someone else who wants to be a senior level employee.
I was once told that a good leader empowers their employees, and then gets out of the way and lets them do their jobs. Can you help the people who you work with be better at what they do? If you can, grow a pair of balls and step up to the table. If you cannot, accept it and focus on what you are good at.
Jim Sauber, chief of staff for the National Association of Letter Carriers. 'The idea that somebody is going to walk down to their mailbox in Buffalo, New York, in the winter snow to get their mail is just crazy.'"
So the idea of someone walking to the curb to get their mail is crazy, but the idea of someone being out in the same weather for eight hours delivering the mail is sane?
"If that were the case, why would they need to request data from Google, Microsoft, Facebook, Yahoo, AOL, etc. All of these companies have discussed how the government requests data from them, and how they have to provide it. If the government simply had the private keys and could just sniff all traffic, they wouldn't need to."
It comes down to legality. If the government intends to eventually prosecute someone, they have to follow the legal process.
On the other hand, if all they want to do is snoop and "prevent terrorism", they can bypass the legal channels.
Does the NSA really have a problem decrypting SSL/TLS? I find it hard to believe that they do not have dedicated hardware with specialized processors that have been custom built to crack SSL/TLS.
As a "senior manager" who regularly interfaces with C-level executives, I think your observation is spot on. I am fortunate enough to have turned a hobby in computers into a serious career in IT. I enjoy what I do and the money is a beneficial side effect. I make well over six figures a year, but well less than the millions a year that those in the C-suite do.
Agreed. I have been fortunate in my career that I have had a series of real mentors who have been there to guide me through the various challenges that come up in IT consulting. Now that I am a manager, I foster the same kind of master / apprentice relationship with my employees. I am there to help them become competent IT professionals. They are there to help me keep the systems functioning and the users happy. I make everything happen by giving them responsibilities and tasks to accomplish, then being there for them as a resource if they get stuck.
In the process, I pass along to them the good habits that I have learned. I also try to point out some of the pitfalls that I have fallen into over the course of my career so that they can avoid them.
In my mind, a good IT manager needs a few key proficiencies.
1. They must have tech skills. The skills do not necessarily need to be current, but they need the fundamentals. They need to have successfully implemented projects across all the layers of the stack, from the physical, through the network, up into the OS and application layers. They have to have developed these skills in the trenches where they were facing deadlines and user expectations.
2. They must have business acumen. This is not always easy to develop. At the very least, they have to understand where IT fits within the organization that they work for. They have to understand and be able to make the case for why the business needs to continue spending money on IT. If they cannot do this, they will never be an effective part of the organization and will constantly be undermined by others who do not understand the importance of IT to the organization.
3. They must have people skills. As I have been finding out, not everyone you work with is a rock star. The same goes for employees. Some will be self starters who will do a great job. Others need a lot of mentoring and might have a crappy attitude. A manager needs to be able to assess people's strengthens and weaknesses, assign tasks accordingly, and come up with ways to retain the rock star employees, while also giving the mediocre employees a path to improve their skills and personal value.
Amen brother. This is my daily struggle. As I have been promoted into management, I find it frustrating and a huge waste of time. I have some employees who are rock stars and who I can delegate to, knowing full well that they will get the job done. Those employees are the exception to the rule. Most are like you describe above.... can't stay on focus, can't deliver realistic feedback, etc.
Get an MSDN subscription from Microsoft. The subscription will provide you with access to fully functional copies of all Microsoft back office server software (Exchange, SQL, SharePoint, etc). Setup a VMware ESX server, or use Microsoft Hyper-V. You can build your own lab environment and tinker away.
The road block you will eventually hit is that running SQL and Exchange in a small lab is nothing like running it at scale. There are massive differences in storage architectures and performance when you start trying to scale the technologies.
VMware has some good tech books on virtualization best practices for SQL and Exchange. Follow those. After 15 years in IT, it still amazes me how many jokers neglect to follow vendor best practices and just do whatever they feel like when it comes to deploying production systems. It is good for me, because I get paid well to fix other people's messes. It is not good for the economy, because money is unnecessarily wasted cleaning up problems that should have not been allowed to manifest in the first place.
I would say that the negativity is exactly what makes the tech industry as successful as it is. Geeks, being the borderline socially inept creatures that we are, generally, tend to care very little about the feelings of others and have no hesitation calling each other out. It makes us better. It encourages us to make sure that our ideas are sound before we share them. Then once we share them, we are encouraged to refine them, because we have to. Geeks are vicious. We will call each other out. Geeks have pretty finely calibrated bullshit detectors. That is why so many of us have a hard time moving into management and dealing with executives and sales people.
Slashdot Mirror
Unless they have insiders who are willing to testify, I think they are going to have a very hard time proving their case.
It is totally feasible. The reality of IT work is that maybe 20-30% of the work force is actually *technically* competent. The rest are project managers and people with very narrow skill sets who lack the critical thinking skills that allow them to be self sufficient and make real contributions. I do not mean to bash on good project managers, because in organizations of any real size, and for projects of any real complexity, good PMs are absolutely essential because they free up the skilled tech people to do the real heavy lifting.
There are plenty of mid-tier security companies out there (Accuvant, FishNet, etc) who could use people with real talent. Most major consulting firms (Deloitte, KPMG, etc) have forensic and threat response groups. I would not want to work for a big firm like that, and they usually just want college grads who they can burn out, but they are DESPERATE for real talent.
Follow some mid-tier security companies on LinkedIn and what not. Keep an eye on their marketing events. Go to them. Talk to the people. Explain your situation. Most people will tell you No. You only need one to say Yes and give you a chance.
Depending on where you live, I might even be able to put you in touch with some people. Does /. have an IM system yet? Figure out a way to get in touch with me. I have a somewhat similar background. I only learned enough ASM to write virii and crack video games, but that little bit of knowledge has been an asset for me at a few times over the course of my career.
This seems like a good topic because it has attracted the attention of a lot of people who work in the information security field. I deal with information security and have ever since going to 2600 meetings as a kid. My awareness of information security has always been a competitive advantage when looking for work, and has helped out tremendously in my IT career. I work for a company that deals with confidential, sensitive and personal information on a daily basis. We take security seriously because we have to, because our clients demand it. Our clients demand it because the government mandates that they care about it via regulation.
This leads me to my question, and I hope this produces some good discussions. How many of you guys who are decrying the lack of focus and importance that corporations place on cyber security, are for strong governmental regulation of private industry? It has been my experience, in over fifteen years of IT work, that the only places that "care" about security are those who have to because there are fines associated with not caring. As some have pointed out, security is viewed as a cost center. Unless there is a very real risk of a fine that exceeds the cost of security, the finance departments and executives are not going to "waste" resources on security initiatives.
Along the same line of thought, are there any other ways, besides regulation and fines, to make companies care about protecting their information? For example, companies that depend on intellectual property are probably willing to invest in security to protect it.
...you will never work a day in your life."
IT is a hobby that I was fortunate enough to turn into a career. Other than a couple of ROP classes in high school and a few certification exams, I have never received any formal education in IT. I have been lucky enough to have worked for good bosses who were also interested in being good mentors. In turn, I try to do the same for my employees by giving them an environment in which they can succeed, learn and grow as IT professionals.
IT is such a deep and wide field of expertise that in order to excel in it, you have to really enjoy it. Otherwise it will burn you out. Every day presents a new challenge to overcome. It takes a special kind of masochist to keep coming to work, day after day, knowing that no matter how hard you work, there will always be something else that breaks and needs fixing. Or even once you get beyond break fix and fire fighting, there is always the need for optimization and performance tuning.
If I want to sell a stock to my friend over my coffee table, who cares? Regulation is important, but at a certain point, it gets to be burdensome. Nobody is forcing people to use dark pools. They are there because they provide a benefit to the people who participate in them. Does it really matter what people buy and sell for via those venues? If so, please explain to me why.
Plenty of reasons to hold a stock short term. Not milliseconds short term, but less than a day. Let's say that you are an old fashioned investor and you find a company whose product you like. Wanting to support them, you purchase a bunch of their stock. Later in the day, some horrible news comes out about their CEO selling small children into sexual slavery.
I am sure that you can easily come up with many other, just as feasible scenarios where you might want to get rid of a stock that you recently purchased.
I agree. What do they mean "now" hiding in graphics cards? My dad, who was programming back in the 60s, suggested this to me when I started getting interested in assembly coding and viruses in the mid-1990s.
More like "Brilliant people expose the trouble you're currently in".
This is so true. I am far from brilliant, but one of the double edged facets of my personality is my tendency to focus on the problems in any given IT infrastructure, or in the processes and people that make up the infrastructure. On one hand it is valuable because it keeps me busy and makes it possible for continued improvement. On the other hand, nobody likes the guy who is always focused on problems and talking about what is broken.
Beyond a certain level of intelligence, people are going to be naturally curious and will instinctively think of ways to make things better. For an organization like the NSA, that personality type is dangerous. They do not want someone who is going to evaluate and think critically about the system. They want people who are going to keep it running, and not stop to question why they are doing what they are being asked to do.
We just let a guy go because he proved himself to be incompetent and a liability. Despite the fact that the guy was a complete screw up, we still gave him two months heads up that it was time for him to go find a new job. He resigned three days later.
I have been blessed with a lot of good opportunities, and one of those was to move into management and bring home serious amounts of money for doing something I love. I do not look down on the choices of others.
I do look down on whiners. I look down on people who complain about management without being willing to take the initiative to be a good manager themselves.
That is true too.
I appreciate Lao Tzu's take on it.
One more point here... " I think in this modern society, especially in the U.S., we overvalue the leaders and undervalue the followers to the point that we forget that leaders cannot do any good if they do not have good followers."
This has been the opposite of my experience. I was promoted into a leadership role because I was so good at what I do, that I was doing it 12+ hours every day and getting burnt out. I got to the point where I said, "Either find me some help, or I am leaving." At a good company, the executives are going to empower employees who are getting the job done. Sometimes that means giving them subordinates to lighten the load. I was entrusted with the careers of other people because I was able to articulate what needed to be done and provide strategies (project plans, business cases, etc) that demonstrated how to accomplish what needed to be done. The business knew that I was going to make good use of whatever resources they gave me.
If one of my guys quits, I can step into the breach and keep everything going until we find someone else. Conversely, I am grooming my team to step in and take my position when I get to the point that I want to do something else. I make sure that they have the technical skills and training to do their jobs, and for those who are interested, I also pass along what I am learning about management. The same relationship exists between me and my boss. He is teaching me how to be an executive.
After close to fifteen years of experience, it is a reasonable expectation that a competent developer has enough experience to contribute to a team effort. IT is very much a technical trade. There is an expectation of a master / apprentice style of relationship between senior team members and their junior counterparts. It is strange to have fifteen years of experience and not having demonstrated some quantifiable leadership traits.
You are at the point in your career where you are going to hit a salary cap if you do not want to step up and be a bigger contributor to the teams you are a part of. I know guys in that position and they are comfortable there. They are making six figure salaries and are okay with the trade off between a smaller paycheck and not having to deal with all of the project management and personnel / mentorship expectations that come along with leading teams.
Leaders are over valued because there are so few of them. Good leaders are hard to come by. There are plenty of people in leadership positions who should not be there. There is an old saying, "The person who wants the power the most, is the last person who should be trusted with it." There are plenty of people with degrees in "management" who do not have experience with the work the team they are managing is doing. In IT, those people are deadly. They have no idea what it takes to really get the job done, because they have never done it, do not know how to do it, and do not have any interest in learning how to do it.
Look at yourself. You do not have, or do not seem inclined to manifest, leadership attributes. There are a lot of people like you. A lot of followers who want others to lead. I just hope you are not the kind of follower who complains about other leaders, without being willing to be a leader yourself.
I moved into a management position after thirteen years in the trenches. I now have a staff of three (and growing). I provide guidance and advice to the CIO, and to IT staffs at Fortune 50 corporations. At this point in my career, my experience and ability to articulate in why the company needs to pursue a given IT initiative is significantly more valuable than my ability to push buttons, develop scripts and deploy a specific technology. My ability to vet vendors and see through the smoke and mirrors because I have enough successful implementations under my belt is more valuable than my ability to implement a given technology.
Management sucks and it requires some specific skills to deal with the levels of suck inherent in management. There are so many "leaders" who cannot even meet deadlines, or develop project plans, or articulate what their team spent the last week doing, and what they will be doing for the next week. There are plenty of leaders who say YES to everything because they cannot understand risk or do not know how to define the scope of a project.
Given your nearlly fifteen years of development experience, if I were looking to hire you, I would expect that you have been on enough teams to know what works and what does not. I would expect you to be able to run a team. I would expect you to be able to setup a source code repository. I would expect you to be able to manage an SDLC. In short, I would expect that you can do more than just crank out good code. What else are you bringing to the table? What good habits are you going to impart into the rest of the team? If your answer is, "I am going to show them how to sit in a cube, do their jobs and not contribute beyond that." the odds are I am going to pass you over for someone else who wants to be a senior level employee.
I was once told that a good leader empowers their employees, and then gets out of the way and lets them do their jobs. Can you help the people who you work with be better at what they do? If you can, grow a pair of balls and step up to the table. If you cannot, accept it and focus on what you are good at.
Jim Sauber, chief of staff for the National Association of Letter Carriers. 'The idea that somebody is going to walk down to their mailbox in Buffalo, New York, in the winter snow to get their mail is just crazy.'"
So the idea of someone walking to the curb to get their mail is crazy, but the idea of someone being out in the same weather for eight hours delivering the mail is sane?
"If that were the case, why would they need to request data from Google, Microsoft, Facebook, Yahoo, AOL, etc. All of these companies have discussed how the government requests data from them, and how they have to provide it. If the government simply had the private keys and could just sniff all traffic, they wouldn't need to."
It comes down to legality. If the government intends to eventually prosecute someone, they have to follow the legal process.
On the other hand, if all they want to do is snoop and "prevent terrorism", they can bypass the legal channels.
Does the NSA really have a problem decrypting SSL/TLS? I find it hard to believe that they do not have dedicated hardware with specialized processors that have been custom built to crack SSL/TLS.
...how do you prove a secret program actually stops?
You withdraw the funding for it in the appropriations bills.
If you are really worried about it, just ship the media to yourself. FedEx, DHL, whatever.
Unless people know what your application is, it will be difficult recommend a hosting provider.
Is the issue with the provider, or your staff?
Who is responsible for the application? You or the provider?
Most providers simply provide the infrastructure. Application support is on the customer.
If you guys do not know what you are doing, taking your mess somewhere else might not fix it.
As a "senior manager" who regularly interfaces with C-level executives, I think your observation is spot on. I am fortunate enough to have turned a hobby in computers into a serious career in IT. I enjoy what I do and the money is a beneficial side effect. I make well over six figures a year, but well less than the millions a year that those in the C-suite do.
Agreed. I have been fortunate in my career that I have had a series of real mentors who have been there to guide me through the various challenges that come up in IT consulting. Now that I am a manager, I foster the same kind of master / apprentice relationship with my employees. I am there to help them become competent IT professionals. They are there to help me keep the systems functioning and the users happy. I make everything happen by giving them responsibilities and tasks to accomplish, then being there for them as a resource if they get stuck.
In the process, I pass along to them the good habits that I have learned. I also try to point out some of the pitfalls that I have fallen into over the course of my career so that they can avoid them.
In my mind, a good IT manager needs a few key proficiencies.
1. They must have tech skills. The skills do not necessarily need to be current, but they need the fundamentals. They need to have successfully implemented projects across all the layers of the stack, from the physical, through the network, up into the OS and application layers. They have to have developed these skills in the trenches where they were facing deadlines and user expectations.
2. They must have business acumen. This is not always easy to develop. At the very least, they have to understand where IT fits within the organization that they work for. They have to understand and be able to make the case for why the business needs to continue spending money on IT. If they cannot do this, they will never be an effective part of the organization and will constantly be undermined by others who do not understand the importance of IT to the organization.
3. They must have people skills. As I have been finding out, not everyone you work with is a rock star. The same goes for employees. Some will be self starters who will do a great job. Others need a lot of mentoring and might have a crappy attitude. A manager needs to be able to assess people's strengthens and weaknesses, assign tasks accordingly, and come up with ways to retain the rock star employees, while also giving the mediocre employees a path to improve their skills and personal value.
Amen brother. This is my daily struggle. As I have been promoted into management, I find it frustrating and a huge waste of time. I have some employees who are rock stars and who I can delegate to, knowing full well that they will get the job done. Those employees are the exception to the rule. Most are like you describe above.... can't stay on focus, can't deliver realistic feedback, etc.
Get an MSDN subscription from Microsoft. The subscription will provide you with access to fully functional copies of all Microsoft back office server software (Exchange, SQL, SharePoint, etc). Setup a VMware ESX server, or use Microsoft Hyper-V. You can build your own lab environment and tinker away.
The road block you will eventually hit is that running SQL and Exchange in a small lab is nothing like running it at scale. There are massive differences in storage architectures and performance when you start trying to scale the technologies.
VMware has some good tech books on virtualization best practices for SQL and Exchange. Follow those. After 15 years in IT, it still amazes me how many jokers neglect to follow vendor best practices and just do whatever they feel like when it comes to deploying production systems. It is good for me, because I get paid well to fix other people's messes. It is not good for the economy, because money is unnecessarily wasted cleaning up problems that should have not been allowed to manifest in the first place.
So rather than one big chunk of space debris hitting the Earth, we instead get a bunch of smaller pieces?
Whatcouldpossiblygowrong?
I would say that the negativity is exactly what makes the tech industry as successful as it is. Geeks, being the borderline socially inept creatures that we are, generally, tend to care very little about the feelings of others and have no hesitation calling each other out. It makes us better. It encourages us to make sure that our ideas are sound before we share them. Then once we share them, we are encouraged to refine them, because we have to. Geeks are vicious. We will call each other out. Geeks have pretty finely calibrated bullshit detectors. That is why so many of us have a hard time moving into management and dealing with executives and sales people.