*This starts a series of posts on advice other information security professionals have for growing their career. As with my *podcast, I think it’s important to get advice from a variety of sources on how to grow your information security career. As I’ve searched the internet and talked with others, there aren’t a lot of resources out there with career advice.
*So I went to a few people I knew and asked them for a few thoughts on growing their career. Matt Konda wrote a manifesto. Matt has taken an interesting route to becoming a security professional. He started out as a developer. In the middle of his career, he ended up as a developer at Trustwave, helping them create their security products. That led him down a path of becoming an information security professional. He now runs his own security consultancy, *Jemurai* and is on the Global Board of Directors for OWASP.*
Learn to meditate. I recommend Headspace.com.
Learn about personal finance. I like an old book called “The Wealthy Barber”. Establish your own criteria and expectations for financial success.
Value people. Back in the late 90’s Sun Microsystems had a commercial in which it stated that “The network is the computer.” In a professional sense, your network is your career. Don’t burn bridges. Learn to ask questions that engage people and let them tell you about them. Listen. Learn to communicate so that people get your message the way you intend it. Understand why things are the way they are in your team and what your boss and their boss’s motivations are. Everybody has a story that brought them to the point you see them at.
Your career is a marathon not a sprint. Work hard, but only to the extent that it is sustainable. Have fun. Take breaks. Change direction. Seek balance. Then be patient. Don’t overvalue one type of skill over another. Don’t expect instant gratification. But don’t accept stagnation. Change jobs or grow responsibilities every 2–5 years.
Learn from your mistakes. As easy as it is to write down career advice now, I needed to make mistakes to learn and I’ve made a ton. At the same time, don’t be unethical. Work hard and be earnest. People remember. A lot of my current professional network are people I did right by way back … For my part, the very few people that I remember and will not work with again by my choice, it is because they cut corners and didn’t do the right thing.
When you identify your weaknesses, use a system to help yourself face them. For me, 10 years ago I was good at putting my head down and building things. I was good at getting my teams to be motivated, to believe in themselves and deliver strong technical quality, but I wasn’t thinking about the big picture of whether we would succeed or fail. To try to address this when it was pointed out by my boss, I set my own calendar reminder every morning to force myself to think about risks to the project, changes in direction, personnel issues, and I got much better at managing risk to the project proactively. Eventually I didn’t need the calendar reminder anymore, I had addressed that weakness.
One of the best lessons I have learned was from Larry Podmolik and I’ve used it since with developers and CEO’s alike with very good results. Nobody wants you to come to them with a problem. Of course, you can’t avoid all problems. But if you do go to someone with a problem, do your best to think of solutions and even have a course of action that you think is the best — but then get advice. Lots of times the advice will help and it may even send you in a different direction, but if you haven’t thought through the options first yourself you’ll be missing a learning opportunity and coming off as just asking for help when you get in trouble. Furthermore, if you go through the exercise of thinking of 3 options and weighing them, you may actually know the right answer better than you did before and you can avoid going up the chain with every little thing. Cultivate this independence. Ultimately, once they trust you, every boss wants you to just take care of things — that’s how scale works and your responsibilities grow.
Identify a mentor or five. Be proactive about staying in touch with them. Revisit this every year or two to add more. Don’t be afraid to be explicit about it — “Hey, you know I’d like to get lunch or coffee because I would really like you to be a mentor for me as my career grows.”
Develop independent thinking and your own professional identity. Give yourself time but don’t be afraid to try things.
Many of the biggest constraints that will eventually feel like they have shaped your career are in your own head. I have some great examples of those.
One example is having time with my family was a major goal and despite being risk averse, I managed to break out of the safety of salaried full time work to find a balance that allowed me to be fully present at home. It seemed risky as hell. I had at least one terrible financial year. I am fortunate to have a partner with insurance and a salary to ease the initial setback. Looking back it was exactly the right thing to do. It was only in my head that I could only be safely employed at a company. I was right that my goal of being present for my kids could be realized.
Another great example is now when I’m trying to build and grow a company. I’ve never felt very comfortable with financial risks. I don’t know how to do payroll, benefits, or any HR really — though I’ve hired and fired many people when working for companies. The mentality of letting go of certain issues i see with a given approach or solution because it is broadly better was surprisingly challenging for me as a techie. In this sense, the great can be the enemy of the good. I needed to grow my own mind (still in the process of that) to identify the things that I need to get engaged with on a detailed basis and the things that I just need to get done so that I can achieve my goals with the business. Also, no matter who you are, unless you are the CEO of your own successful company, you probably think in monetary terms that are self limiting.
Building on that, another example is how transformative selling for yourself is. If you work for a company, you have a certain ceiling … if you work independently and sell through partners, you have a different ceiling and different challenges. When you can get to the point where you’re selling for yourself you can truly realize a whole different potential. It is not for everyone and it certainly wasn’t for me when I started, but now I can really feel good about helping people with their problems while making more money than I ever did working directly for companies.
If you have developed a network, independent thinking and financial responsibility, you can literally work on whatever problem you think is most important to you and make it a profitable rewarding journey. That’s what I would aim for.
Thanks to Matt for his valuable input. Look for the next post in the series on how others recommend growing your information security career.