Originally based on this Twitter thread:
- Figure out for yourself what "advancement" means (i.e., more money, better title, more challenging problems to solve, etc.)
- Market yourself and ask others for help to achieve what you want
- Build a brand an audience around #1 and #2
I've spent more than 15 years operating in, building, and leading cybersecurity programs at several Fortune 500 companies in the Financial Services and Insurance industries. At the time of writing this, I was also the founder of Fraction Consulting which was acquired by Defiance Ventures. I built out Fraction Consulting by doing fractional CTO/CISO gigs and research and investment advisory for private capital firms.
As a result of my background, I often get asked the following question:
"How do I advance my career in the cybersecurity field?"
Here are the three steps I advise people to take:
Figure out what "advancement" means to you.
Is it just more money (money is great, don't get me wrong), or is it more responsibility, more autonomy, more respect?
Early in your career, you end up getting all of those things as you move from Jr analyst/engineer/operator into more senior-level roles, but you need to consider the path you want to take a few jobs/roles out.
Is becoming a security architect the goal? Do you want to remain very deep and technical and go the lead/principal engineer route? Do you want to lead people eventually?
Think about how you work and problem solve. Do you like being the one with the answers, or do you like getting people and teams together to get the answers?
Do you want to specialize in a particular area or technology stack, or do you want to be a generalist?
All of these questions are to help people reflect inwardly and think through what they want to do. Once you've wrestled with those concepts, you can move on to step 2.
Now that you have a better idea or concepts on what you want to do, you can start your personal marketing and hype plan.
If you don't market yourself, then no one else will do it for you.
Having a personal marketing and hype plan will help you think about career progression.
So, you want to be an architect, a manager, or a CISO one day? How will you get the right skills and market yourself to get you there?
Look at what is true and what you have (your current job), look at what you want (future roles/jobs), and then plan out how you will close those gaps.
Making your intentions known to anyone and everyone who will listen to you is a critical piece of the personal marketing and hype plan often overlooked.
You can't expect people to read your mind to know what you want, and you can't get mad when they don't help you with something you haven't communicated.
All career interactions are "selling points."
You sell yourself on the job interview; you sell your point of view in that meeting for the next direction to go in the project, you sell why something is riskier than it sounds on paper.
OK, that's all great, but how do you really advance, especially in the corporate world in cybersecurity? That's step 3.
Build an audience in AND outside of your sphere of control and sphere of influence.
You want people outside of the cybersecurity group at your company to know of you and what you can bring to the table and help them do.
Cybersecurity is just another method of effectively enabling the business to do what it was meant to do - sell products/services to customers.
Security is about business enablement first.
You want someone from the engineering group or that business unit to tell your boss how helpful you were in achieving what they needed safely and securely.
You want the CTO to comment to the CISO on how you have helped them out. You want the developers and engineers in IT to be excited when you're at the table and helping them solve their problems AND be secure.
Building the audience builds your value and shows you know how to think and operate on a broader scale. The scale always gets broader as you advance, and you can start showing this to let people know you are ready for that next level.
This playbook is a process you should often revisit as you move roles/companies, as new interests come up, and as you move through different phases of your life.
Take active control of this approach, and don't wait for things to happen to you. Make this happen for yourself.
Nothing is guaranteed, but this is the playbook that has helped me so far, and I'm always refining it. Now, take this playbook and make it your own.
Get the free weekly newsletter recapping funding news in the cybersecurity space.