Know Thyself, Advice from CISO Dan Fitzgerald

July 15, 2015

When I asked for advice on growing your security career from a bunch of colleagues in my network, I was amazed at the quality of the responses. Most of the responses appear in these two posts (here and here). Matt Konda wrote a very personal tale on growing his career which included 15 different tips. I highlighted his advice in a single post here. Then Dan Fitzgerald sent me a great piece he calls Nosce Te Ipsum or Know Thyself. It is wonderful advice on the struggles of being a security professional that also deserves its own post.

I met Dan not too long ago. We coincidentally live in the same town which, while not huge, is filled with security professionals. We’re both trying to get the very local security community together. Dan has since joined a very interesting startup called Uptake, leading their security function. His essay appears below.

“Nosce Te Ipsum” (Know thyself)

Most things I read about career choices make strong statements about “…doing what you love and the money will follow…” or words to that effect. The spirit of this idea is wonderful, but I rarely hear a different perspective. Life is a series of choices and balancing acts and we don’t always wind up in an idyllic vocation; sometimes it’s just a job. Sometimes work is unpleasant. Sometimes we don’t feel inspired. Other times even a lousy role can be great.

There are things I love about being an InfoSec practitioner: solving hard problems, smart people, new technology, touching all the aspects of business and IT, coaching team members, giving talks, and training. The feeling of bringing home a successful project or the little victories of white-boarding a complex security topic with someone and seeing the light go on for them (especially if they usually argue with you!) are all golden moments.

There are also plenty of things I dislike about security work. It can feel like rolling Sisyphus’s boulder uphill and watching it roll back to crush your foot. In the services world, the demands of creating revenue can be tough. In industry (or any organization), being a lone voice at an organization that does not see the value of security can be disheartening.

It’s hard to step back from a rough patch in any career or job, but developing the skills to manage yourself when your InfoSec role is not the “job you love” is important. Whatever it takes to get back to feeling fresh and finding enjoyment in your role, you need to do. Mix it up. Schedule a massage one afternoon. Change your routines. If a huge project is overwhelming, focus on an area that you know will give you momentum.

Doing security well and having a successful career is a journey. It is more marathon than sprint. It requires perseverance and a lot of patience. We deal with all kinds of people and situations. We’re frequently challenged, under-resourced, ignored, or argued with.

Not everyone is cut out for the work we do. Everyone has to find their own balance and determine if there is a career which will bring them closer to “…doing what you love…”. To me the key is taking time to understand yourself in an honest and practical way. What are your weaknesses, strengths, and what makes you feel happy with your work? What kind of lifestyle do you want to have this year, next year, 5 years, or 15 years from now? What interests you intellectually?

To simplify it from there: talk to people, do research, and plan. Careers are long journeys. In today’s workforce, many of us will have numerous roles before we leave our vocations.

The mistakes we make along the way are there to help us refine and learn what works and what doesn’t. Above all else, try to make whatever you are doing fun! If you can’t, then it’s time to adjust and ask yourself these questions. Maybe it’s time for a change, or maybe you already have your dream job and don’t even realize it!