Confessions of an infosec has-been
My advice for newcomers after spending 25 years in tech.
Last Tuesday, I posted a social media poll soliciting topics for the next article. Alongside some reasonable choices, I jokingly included “life advice from an infosec has-been”. This option ended up receiving the most votes — so despite some misgivings, I’m going to hold up my end of the bargain.
It’s prudent to open with a caveat: I’ve had a good career in tech, but you might be asking a lottery winner for financial advice. I don’t think that success is purely a matter of luck, but sometimes, you succeed despite your habits or beliefs.
Breaking into the industry
I landed my first infosec gig in the late 1990s. At the time, we didn’t really have an industry to speak of. A handful of people had jobs here and there, but it wasn’t a career choice your parents would approve of.
It’s been said we had it easier back then; I’m not sure. We had less competition, but also far fewer opportunities to pursue. The community was pretty toxic, too: for example, we had militant “antisec” groups who doxxed, hacked, and harassed anyone who “sold out” and took a corporate job.
These crazy days might be over, but the field is still young. I think of it as a protoscience: a discipline with few immutable rules and plenty of breakthroughs yet to be made. Many of our best practitioners are self-taught, and it’s important to stay self-driven and relentlessly curious. To this day, some of the best instincts come from experimentation, not books.
When hiring, most tech companies still pay more attention to GitHub profiles and blogs than they do to certifications or academic degrees. With time, this will change: around 30% of occupations in the US require licensing, and that’s true not just for doctors or architects, but for florists, hairdressers, and nail care pros. Our industry will not escape this fate — and when that day comes, I suspect it will become less egalitarian and a lot less fun.
I’ve been asked many times which branch of infosec is best to specialize in. I don’t think it matters: there’s enough jobs available even for those who want to focus on arcane subjects such as homomorphic encryption or CPU trust zones. What’s more important is knowing how it fits the big picture; otherwise, you’ll struggle with threat models and might end up chasing ghosts.
My final advice to new folks is to not look up to others. Judge your progress by looking back at your own work. The most talented folks I worked with didn’t have their own Wikipedia pages and seldom entertained conference talks. At any given company, there’s little overlap between your best-known employees and the ones you want to retain at any cost.
Being an individual contributor
If there’s one skill I can credit for success, it’s learning how to write well. Corporate life is about convincing others — to prioritize problems, to get behind new solutions, to fund important work. Perhaps the most common error we make is assuming that the recipient is keen to master our trade. Imagine having to sit through a lecture on the theoretical underpinnings of corporate finance before they let you file an expense report.
The other insight I learned is that corporate life is all about results. If you see something that’s bugging you, and no one else is working on it, it’s your problem to solve. There are no points awarded for telling others what to do or penning a scathing expose. Conversely, the surest way to get ahead is to develop a reputation as someone who solves problems — and does it well.
The final skill to master is getting along with people you wouldn’t be friends with in personal life. Most technical disagreements are personality clashes in disguise. It’s best not to try and reform others; a better approach is to figure out what drives them and start speaking that language. In the same vein, don’t let work become your entire life. It’s hard to disengage from arguments when they feel like an attack on who you are.
Stepping into management
If you’re a successful senior engineer at a growing company, you will sooner or later be asked to become a manager. Most tech companies swear it’s not a promotion, but the inescapable reality is that they have less room for “chief architects” or “distinguished engineers” than for directors or VPs to take care of large orgs. In many cases, the management path is the easier way to get ahead.
For a newly-minted manager, the hardest skill to learn is knowing when to bite one’s tongue. In our IC lives, we were paid to be the smartest person in the room: to have brilliant ideas, to argue for them with passion, and to crank out high-quality code. As managers, we’re tasked with nourishing the next generation of technical leadership. The surest way to do this is to let people form their own opinions, try things out, and occasionally fail.
When you become a manager, consider yourself on the hook for business outcomes, and not merely a collection of projects or processes that happen to be owned by your folks. It’s easy to get sucked into endless incremental improvements to such initiatives of without ever asking if the overall direction still makes sense for the company. If you don’t ask these questions, someone else will — and it won’t be a pleasant chat.
Last but not least, expect your team to be sticklers for fairness. There’s plenty of conspiratorial lore about why companies do performance management, but the simple answer is that if you don’t do it, it will drive the people on your team insane. Whether they say it out loud or not, there are few things as demotivating as rubbing shoulders with a person who does much less than you, but gets paid the same or more. You should give low performers a fair shake, but don’t let problems fester for too long.
Putting it all in perspective
Time is a harsh mistress. A decade in front of a computer turns into three, children grow up and move out, a lifetime of microkitchen snacks brings about that diagnosis you didn’t want to hear.
I’d wager that in retirement, few of us are going to look back with pride at all the OKRs we delivered or all the service metrics we improved. My advice is to engineer your life around what truly matters. Being able to retire in your 40s or 50s might be worth a lot more than living extravagantly in the early years of your career.
A related suggestion is to avoid living paycheck-to-paycheck in tech. I survived the dot-com crash and the housing crisis — and learned this truth the hard way. I don’t know what the future holds, but the industry is as volatile as it is lucrative; the shifts are far more sudden and far more ugly than most people expect.
I write well-researched, original articles about geek culture, electronic circuit design, and more. If you like the content, please subscribe. It’s increasingly difficult to stay in touch with readers via social media; my typical post on X is shown to less than 5% of my followers and gets a ~0.2% clickthrough rate.
From antisec to maintaining life-perspective your writeup hits home. Solid wisdom to pass along.
Very nice writeup! A couple sentences really stood out for me:
1. "At any given company, there’s little overlap between your best-known employees and the ones you want to retain at any cost." So true. I've rarely seen those who want to be well known do the most valuable work for the company. I've seen occasional overlaps, but it isn't a high overlap.
"Most technical disagreements are personality clashes in disguise." I completely agree. I found that reasonable, collaborative people could work through technical disagreements and find resolutions, and, in the few cases they couldn't find resolutions, they'd respectfully escalate to get resolutions. However, in the common case of being personality clashes, problems continued to come up even if someone more senior resolved the current conflict.