Confessions of an infosec has-been
Last Tuesday, I posted a social media poll soliciting topics for the next article. Alongside some reasonable choices, I jokingly included “life advice from an infosec has-been”. This option ended up receiving the most votes — so despite some misgivings, I’m going to hold up my end of the bargain.
It’s prudent to open with a caveat: I’ve had a good career in tech, but you might be asking a lottery winner for financial advice. I don’t think that success is purely a matter of luck, but sometimes, you succeed despite your habits or beliefs.
Breaking into the industry
I landed my first infosec gig in the late 1990s. At the time, we didn’t really have an industry to speak of. A handful of people worked here and there, but it wasn’t a career choice your parents would approve of.
It’s been said we had it easier back then; I’m not sure. We had less competition, but also far fewer opportunities to pursue. The community was pretty toxic, too: for example, we had militant “antisec” groups who doxxed, hacked, and harassed anyone who “sold out” and took a corporate job.
These crazy days might be over, but the field is still young. I think of it as a protoscience: a discipline with few immutable rules and plenty of breakthroughs yet to be made. Many of our best practitioners are self-taught, and it’s important to stay self-driven and relentlessly curious. To this day, some of the best instincts come from experimentation, not books.
When hiring, most tech companies still pay more attention to GitHub profiles and blogs than they do to certifications or academic degrees. With time, this will change: around 30% of occupations in the US require licensing, and that’s true not just for doctors or architects, but for florists, hairdressers, and nail care pros. Our industry will not escape this fate — and when that day comes, I suspect it will become less egalitarian and a lot less fun.
I’ve been asked many times which branch of infosec is best to specialize in. I don’t think it matters: there are enough jobs available even for those who want to focus on arcane subjects such as homomorphic encryption or CPU design. What’s more important is knowing how it fits the big picture; otherwise, you’ll struggle with threat models and might end up chasing ghosts.
My final advice to new folks is to not look up to others. Judge your progress by looking back at your own work. The most talented folks I worked with didn’t have their own Wikipedia pages and seldom entertained conference talks. At any given company, there’s little overlap between your best-known employees and the ones you want to retain at any cost.
Being an individual contributor
If there’s one skill I can credit for success, it’s learning how to write well. Corporate life is about convincing others — to prioritize problems, to get behind new solutions, to fund important work. Perhaps the most common error we make is assuming that the recipient is keen to master our trade. Imagine having to sit through a lecture on the theoretical underpinnings of corporate finance before they let you file an expense report.
The other insight I learned is that corporate life is all about results. If you see something that’s bugging you, and nobody else is working on it, it’s your problem to solve. There are no points awarded for telling others what to do or penning a scathing exposé. Conversely, the surest way to get ahead is to develop a reputation as someone who solves problems — and does it well.
The final skill to master is getting along with people you wouldn’t be friends with in personal life. Most technical disagreements are personality clashes in disguise. It’s best not to try and reform others; a better approach is to figure out what drives them and start speaking that language. In the same vein, don’t let work become your entire life. It’s hard to disengage from arguments when they feel like an attack on who you are.
Stepping into management
If you’re a successful, senior engineer at a growing company, you will sooner or later be asked to become a manager. Most tech companies swear it’s not a promotion, but the inescapable reality is that they have less room for “chief architects” or “distinguished engineers” than for directors or VPs to take care of large orgs.
For a newly-minted manager, the hardest skill to learn is knowing when to bite one’s tongue. In our IC lives, we were paid to be the smartest person in the room: to have brilliant ideas, to argue for them with passion, and to crank out high-quality code. As managers, we’re tasked with nurturing the next generation of technical leadership. The surest way to do this is to let people form their own opinions, try things out, and occasionally fail.
When you become a manager, consider yourself on the hook for business outcomes, and not merely a collection of projects or processes owned by your folks. It’s easy to get sucked into endless incremental improvements to such initiatives without ever asking if the overall direction still makes sense for the company. If you don’t ask these questions, somebody else will.
Last but not least, expect your team to be sticklers for fairness. There’s plenty of conspiratorial lore about why companies do performance management, but the simple answer is that if you don’t, it will drive the people on your team insane. Whether they say it out loud or not, there are few things as demotivating as constantly bumping into a person who does much less than you, but gets paid the same or more. You should give low performers a fair shake, but don’t let problems fester for too long.
Putting it all in perspective
Time is a harsh mistress. A decade in front of a computer turns into three, children grow up and move out, a lifetime of microkitchen snacks brings about that diagnosis you didn’t want to hear.
I’d wager that in retirement, few of us are going to look back with pride at all the OKRs we delivered or all the service metrics we improved. My advice is to engineer your life around what truly matters. Being able to retire in your 40s or 50s might be worth a lot more than living extravagantly in the early years of your career.
A related suggestion is to avoid living paycheck-to-paycheck in tech. I survived the dot-com crash and the housing crisis — and learned this truth the hard way. I don’t know what the future holds, but the industry is as volatile as it is lucrative; the shifts are far more sudden and far more ugly than most people expect.
From antisec to maintaining life-perspective your writeup hits home. Solid wisdom to pass along.
Thanks for this article. Though I am not part of infosec (other than a brief engagement with someone early in my career that almost led me down an infosec + nation-state intelligence services route), I could relate to much of what you wrote. The point about personality clashes masquerading as technical disagreements is well made, and now, with the benefit of hindsight, I can see that often it was me who was the problem!