source: Webs https://twitter.com/webs/status/599990325671817216?lang=en

Speak python? Is that enough to succeed in security?

Claude Mandy
Twenty 20 hindsight
Sep 3, 2019

Opinions expressed are solely my own and do not express the views or opinions of my employer.

It’s really humbling to see the interest and support for what started out as a single post, but is quickly becoming a series of humble posts aimed at helping people at the early stages of their career in security. I have decided to continue the series by focusing on the skills and traits that are typically overlooked by a lot of people in the security profession. I believe that these skills and traits play such a critical role in the success of a security team (and therefore your success as a member of that team), but sadly are often neglected in favour of the more technical skills.

The ability to work as a team even when you aren’t

In my opinion, teamwork and the ability to work constructively with others is the most critical skill that you can cultivate early on in your career. You will need to quickly learn how to build rapport, earn trust, actively listen and communicate effectively. Why? Because you will soon realize that to get things done in any organisation, you will need to somehow convince others to do it for you and more often than not, they will be outside the security team.

Sound hard? Well, it’s actually the easy part — even harder is the fact that people outside of security also need you to get things done that may seem in contradiction to security. Sadly they won’t have any idea why they need you, and won’t have a clue about security in most cases either. But if you can convince them that you are trying to help them get what they want, while still sticking to your objective — it will make you and the security team a lot more successful in the long term.

The art and science of telling a story

Just as important to your success will be your ability to communicate. We work in what is perceived to be an extremely complicated and technical industry, and have to work with stakeholders across the organisation with varying degrees of technical proficiency. Talking about homomorphic encryption just won’t be equally exciting for everyone.

There is an art to being able to communicate effectively to so many stakeholders, and it starts with knowing your audience and being able to tell the same story customized to each and every audience. The art is being able to provide a familiar backdrop and context to the audience and bring them along on the journey to ultimately convince them of your point of view. For example, if you are in the insurance business, you could use insurance/cyber analogies regarding the great fire of London and the emergence of modern insurance.

It can be hard to perfect, but there is a science to it as well, and this is the area that I urge everyone to work on. So why not do your homework and create stories in advance. If you have a story inventory prepared ahead of time with a well thought out way of presenting arguments and a consistent simple message that you can refer back to, it is only a matter of bringing them out for each situation. It works well in interviews too.

The curiosity needed to learn

For long term success, you will need to be able to learn and grow over time and that requires curiosity. Security changes on a continuous basis and the most successful security professionals are those with an overwhelming drive to consume new information, but more importantly are always trying to learn something new and figure out new ways of doing things on their own.

I’m not necessarily talking about formal education or certifications — it could be a voracious appetite for reading security white-papers, a daily routine that involves listening to your favourite podcasts, hands-on experimenting within AWS or working on an open source project. These are all ways of demonstrating your insatiable curiosity to become a better security professional so keep at it.

A “well-deserved” sense of pride

This may be a personal perspective on success, but I take great pride in my work and like to think it has contributed to my success. As a result, I love working with people that take pride in everything they do — from the smallest task to the most complex task. Anything that has their name on it has to be deserving of it, and it’s a pleasure to work with them as a result, because you know you can expect quality.

They pay attention to detail. They aim to be pixel perfect. They expect zero defects. Perfect grammar and spelling are the norm. Sounds great, right? Perhaps a little daunting for us mere mortals? The thing I’ve realised is that it doesn’t usually come naturally — it didn’t for me and it probably doesn’t for you: everyone makes mistakes.

What makes the difference is the effort that someone will take to make their work something to be proud of. They spend an extra few minutes checking for spelling mistakes, they ask others to proofread, they check and double check facts, figures and calculations. They do this so often that they do it subconsciously.

So the best advice I can give you is to start putting that extra effort in now. Does your resume have any spelling mistakes? Have you checked your LinkedIn profile for errors? These may seem simple, but they are the first things that a potential hiring manager sees and I want you to have that sense of well-deserved pride when you read them yourself.

The tenacity to get the job done

I can’t reiterate how important tenacity is for a successful career in security! On a daily basis, you will tackle problems that change significantly from day to day, with almost no end in sight. You will need to tackle problems so complex that there literally is no silver bullet, just a lot of hard work. You will need to get used to hearing no, but still find ways to get things done.

It is a hard skill to work on though so don’t give up! (even with pedantic advice like that)

I can only urge you to be persistent and follow up, to keep fastidious track of any outstanding actions (even the hard, seemingly impossible actions), and think creatively to find ways to get the job done in different ways. If you keep tackling the hard actions, you will find they eventually get done.

The backbone to say NO

I thought long and hard on what other traits successful security people have; and I kept coming back to a comment I overheard in a parenting podcast. The advice for raising strong confident children with great ethics was to teach them that “No” was in fact a complete sentence.

It really resonated with me in that I think our role as security professionals is to educate everyone about the dangers and risks of security. It struck me that the best security people I know hardly ever say no, but when they say NO — they mean it! And often it’s even when they weren’t even asked directly. So don’t be afraid to say no. Even more importantly don’t be afraid to escalate or even seek advice from your support network — if you’re unsure. All of us need support and help and each situation may be different.

I personally hope that more and more people in our profession have the backbone to say no when needed, regardless of the situation and potential impact on your professional reputation and career.

Did these resonate?

I would love to see some of these adopted by hiring managers in their search for talent, but I’m also hoping it will encourage new starters in the security profession to work on these areas.

Let me know what you think and feel free to reach out to me directly to ask for any advice.

Claude Mandy

Australian from the Namib desert. A thirst for knowledge. Chief Evangelist www.symmetry-systems.com ex-Gartner and former CISO