Career Hacking: Tips and Tricks to Making the Most of your Career
One of the best ways to ensure that you have an amazing career that is filled with challenges, enjoyment, and growth, is to consistently work to improve yourself and your surroundings. Early in my Army career, I was taught that it is important to “improve your foxhole every day.” This simply means to find small ways to better yourself and your surroundings every day. With that in mind, I put together a talk for BSidesNoVA 2020 and presented it in our Career Village. The talk wasn’t recorded so I went ahead and recorded a session at home. Feel free to read the rest of this article or simply watch the video located here:
Note: Pretty much any section below could be its own blog series. I’m hoping to at least point folks in the right direction on each of these topics.
Build a Strong Network
You cannot have a successful career on your own. You need to have a team that you can work with and rely on to get things done. Networking and team-building are about being able to fill in your skill gaps with the help of friends and colleagues and being able to fill in their skill gaps with your own knowledge. Great teams aren’t great teams just because they have skills though; they must communicate and trust each other. This section provides a few different methods that I have used to hack my professional network to build trust and tear down barriers between teams.
One Up, One Down, One Left, One Right
This concept is simple: learn the basic job of the folks around you so you can provide better support to them and communicate with them on their terms. For example, if you’re a SOC analyst and you work with the risk team a lot, spend some time learning their terminology and regular processes so you can provide better input into their work-stream. They will be grateful that they don’t have to translate your inputs into their standard language and tasks will get accomplished more effectively for both teams.
A few ways to get to know other teams and their processes:
- Volunteer to support projects that you hear about
- Engage them in a brief side convo after a meeting or near the coffee pot
- Read team documentation that is available… yes, even if it means using SharePoint
Attitude is Everything
Building your network requires having the right attitude. You don’t want to be the person on the team that says, “I’m not here to make friends” or “I’m just here for the paycheck”. Nobody wants to work with that person, and you won’t find yourself getting a lot of support from teammates. Instead you want to engage others with a positive attitude, showing them that you are grateful for their time and expertise.
PRO TIP: Say hello to people in the hall and get to know the people in other teams
Being truly grateful and sincere with those that have done great things can go a long way to tear down barriers between teams and individuals. One of the methods that I’ve used previously is to send strategic “thank you” notes to the managers of another team to thank them for the great work that an individual did on a project or in a meeting. If you’ve ever had someone publicly thank you for your efforts, that feels pretty awesome. It feels even better when they thank your manager directly and you hear from your leadership that someone appreciates you. This method works to engage both the individual and the manager, and it can lead to improved relationships in future projects.
I just wanted to drop a note to say that we appreciated <name>’s help in today’s <name of meeting/project> meeting. Their assistance brought a lot of value to the discussion and we wanted to say thank you for their invaluable time.
Okay, don’t be Ron Burgundy with your “thank you” notes. Instead, take a lesson from Dale Carnegie’s How to Win Friends and Influence People: BE SINCERE. People can tell when you have true appreciation for their efforts or when you are showering them with flattery.
“The difference between appreciation and flattery? That is simple. One is sincere and the other insincere. One comes from the heart out the other from the teeth out. One is unselfish the other selfish. One is universally admired the other universally condemned.”
From How to Win Friends and Influence People by Dale Carnegie
Celebrating Team Wins
Recognizing, celebrating, and documenting team wins is another great way to build an awesome team. This means that you shift your language from “I” and “me” to “we” and “the team” when you talk about success. This goes a long way to build team morale and it prevents you from alienating anyone on the team that may be struggling.
A method I used previously in my career is to write out a quick 3–5 sentence to my lead explaining the team win that I observed. This approach was a great way to put something in their inbox that they can then forward to their leadership as a “good news” story. Your lead will appreciate it and so will their management. These write-ups are great vignettes to add to Monthly Status Reports or other program management tracking efforts. Metrics and KPIs are important for measuring a team, but these success stories contextualize those numbers and keep the briefings engaging. Here’s a quick example:
On March 3rd, <TEAM NAME> published a Flash Report on tax-themed phishing emails. Multiple stakeholders provided feedback and kudos on the report, and at least five users submitted phishing samples to the team mailbox for further analysis. The team is collaborating with the Malware Lab to extract samples and conduct analysis of the submissions.
Leveling up Your Skillset
Working on yourself is critical to your career growth. You can start by having a plan for your future and working towards those future positions by learning new skills, filling new roles, and crushing accomplishments along the way. There are plenty of resources and mentors that are available, but ultimately this work is up to you.
Know Where You are Going
Infosec is a huge field that requires a lot of different personalities and skills to function. You do not need to master them all and getting into this field can feel like you are climbing a mountain. So let’s start with a few maps that will make that climb a bit easier. The idea here is to find the ideal next role and work backwards to identify what you must achieve to reach that next position. What skills do you need? What intermediate positions do you need to fill?
PRO TIP: You don’t have to master everything.
Check out Henry Jiang’s “Map of Cybersecurity Domains”, take a deep breath that you can do this, and then give him a follow via LinkedIn to track any new updates to this amazing piece of art.
This one from MITRE’s “Ten Strategies of a World-Class Cybersecurity Operations Center” is pretty awesome if you’re on the Ops side of infosec.
So now you know where you want to be going, time to have a little honest time with yourself. I use the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to gauge what I know and what I need to know to be successful in my role. The US-CERT website is hosting a great lookup tool to navigate the NICE dataset. You can look up your specific role and figure out what the government and industry have defined as the expected Knowledge, Skills, and Abilities for that role. Here’s there Threat Analysis description that I use to track my career.
NICE Cybersecurity Workforce Framework
The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework)…
Here’s how I do a self-assessment: I grab a copy of NICE Framework supplemental spreadsheet located HERE https://www.nist.gov/file/372581 and navigate to the KSAs for my role. I complete a quick self-assessment on a 1–5 scale, where one is “I don’t know this stuff” and five is “I know this material and sought after for advice on this topic”. A baseline score of three is what I aim for, and to me, that means “I know enough here to be effective”. Once I’ve run through all of the KSAs with a quick score, I can sort it to find the lowest scores. These are the areas that I should invest my time in improving upon- either through self-study or working with smart folks in my community. My self-assessment looks something like:
Passive and Active Learning
Traditionally, passive learning is listening to a professor or reading through material without real engagement. I use audiobooks, podcasts, and even webinars as my passive learning sources. I will listen to these sources while I drive, wash dishes, and other repetitive tasks. This is a great way to get exposure to wide breadth of material and topics.
When I find something engaging, I switch to active learning. This is more “hands-on” training, like studying with flashcards or completing a lab project. This is the type of learning where it is critical to mark off time on your calendar to focus and practice a new skill or study new material.
It is critical that you mix your learning styles with both passive and active sources. For the sake of formatting (Medium doesn’t like sub-bullets yet…), I’m throwing in a screenshot of my slide.
It’s important to point out here as I list some great passive resources- any one of these can be an active resource if you want it to be. For example, a SANS Summit talk on malware analysis can just be passive experience as you listen to the presenter, or you can try to mimic the speakers research in your own lab, making this an active experience.
PRO TIP: Here’s the link from the slide to a list of great awesome podcasts
Collection of awesome podcasts. Contribute to rShetty/awesome-podcasts development by creating an account on GitHub.
Learn — Train — Do
This is a technique that I heard on a podcast years ago and I really wish I could give proper credit, but I cannot remember the source and my Google-Fu didn’t help (10,000 internet points to any OSINT-warriors out there that can find the original source for me!).
This technique consists of three categories of activity that I schedule out on my calendar. You should aim to get an hour-per-category on your calendar every week, every other week, or at least every month — as your schedule allows. But once you put these on your calendar, do your best to stick to them. Your career progression will skyrocket with this technique.
- Learn a new skill or process that supports your career path
- Train an existing skill or process to mature your existing capabilities
- Do a task that you must do, but don’t necessarily find pleasure in
Learning a new skill that is tangential to your current career path is a great way to broaden your horizons and make you a more valuable teammate. For example, as a threat analyst, I don’t really need to know how to code, but learning some basic Python coding may lead to me being faster at routine tasks. That means I can get more done for my team in a shorter period of time. Efficiency is usually a great thing to strive towards.
Training a skill that I already know is a great way to practice the “sharpen your axe” technique. While practicing a skill that I already have in my toolkit, I may find that someone wrote a script to make it faster, or I may discover that I was skipping a step and biasing my output. When training an existing skill, its important to walk through existing documentation (school material or team SOPs) to ensure that you are executing the task to a standard and to check if your SOPs require updating for the rest of the team.
The Do category is equally as critical as the Learn and Train categories. In this scheduled hour, you knock out a task that you must do to be successful, but it may be something that you don’t find joy in or isn’t immediately beneficial to your team. For example, my previous role was to peer-review my team’s products. I enjoy mentoring analysts, challenging their assumptions, and discussing assessments. I don’t enjoy the look on my analysts’ faces when they first open a Word document with a bunch of tracked changes. Even when you know it is coming, its jarring and creates a divide. But I had to do this task to ensure that our products were published to the community. So I put an hour on my calendar first thing in the morning and I’d generally stick it that schedule. Another great example is basic knowledge management tasks. It may be your responsibility to manage a team distro list. You have all sorts of competing tasks that are more enjoyable and more important. But your team relies on you to keep those updated. You put thirty minutes on your calendar every week to check if there are any updates. If there are, you knock them out quickly. If not, you get thirty minutes back in your schedule to focus on something else.
Get these categories on your calendar and stick to them!
— ATTENTION MANAGERS —
If you’re a manager, not only should you still be practicing your craft and using this method — nobody likes having a manager who can’t do some of the tasks they manage — but I also recommend that you encourage your teams to schedule these sessions during business hours. Not only is investing in your team the right thing to do for them, your team’s output will greatly benefit from this focused time. As I mention in my “Implementing Team Training that Works” article, you can train and work at the same time if you have your folks train with real-world material. Need to learn advanced Excel formulas? Export some data from the ticketing management system into CSV and work with that data. Can you calculate the average ticket age with a formula? Learning a new skill and answering business questions at the same time.
PRO-TIP: Learning and training with your datasets will expose you to solutions that you never knew you could ask of your data.
Implementing Team Training that Works
So you just read my last article (Developing Team Documentation that Matters), and you’re thinking “cool story bro, but…
Hacking the Humble Bundle
No not like that. Humble Bundle is a great org, don’t pwn them.
Every few months, Humble Bundle drops an amazing set of eBooks (usually PDF format) for anywhere from $15 to $25. This is a really great deal for the quality and quantity of books that you get through their site. My personal collection consists of nearly 200 PDFs and I have probably spent less than $100 on them. Their bundle topics range from general infosec to coding and data sciences. They recently did a bundle for kids coding that I picked up.
Pro Tip: The kids coding books are awesome resources because they break down concepts really well.
Don’t just jump into the coolest looking book. Instead, I recommend that you read the intro chapter to each one of the books. Then go back through and read the intro paragraph or two of each chapter of each book. Once you’ve completed this, you should pick a topic and deep dive that book. This is a great way to get an introductory understanding to a lot of topics, expose you to new subjects you haven’t considered before, and to identify potential areas of interest. It also prevents you from getting burned out on a topic that doesn’t interest you, but you’re hardheaded like me so you committed yourself to the miserable learning experience. Don’t do that! Scroll back, read the intros to everything, then jump into a topic of interest.
Moving on up!
It is super scary to decide when its time to move on to a new role or company. Is it the right time? Is this the right fit? My take on this will be relatively short, and I have links in the last section of this article that are written by some folks that are far smarter than me. For now, here’s my take:
You should look to move to a new role every three to five years, roughly. “What, come on?! What about getting certs, leveling up, companies aren’t loyal to you- why be loyal to them?” There’s a lot of advice out there and none of it is necessarily wrong. This is my advice: stay committed to a position for for at least two years to ensure that you are getting the experiences necessary to be really good in that position. This is about loyalty to yourself and ensuring that you can reach some serious achievements in that role.
PRO TIP: If you don’t know what to put on your resume as honest accomplishments, you probably have not been in the role long enough to level up.
In the 3–5 year space, you want to begin considering if you’ve reached your maximum effective range for that position. Yep, that’s another Army term. I mean: have you reached as far as you can go in this position before everything else is a slow arc towards crashing into the ground? Have you peaked? Have you accomplished all of the things that you are likely to accomplish here? Questions I start to ask myself around this point:
- Has it been a few months since I’ve been excited about this work?
- Am I re-solving problems that we fixed years ago?
- Am I no longer getting management’s buy-in for new projects?
Recap & Closing
Ultimately, it is your career. You can have awesome managers, mentors, and colleagues. You can watch all of the right talks and read all of the right books & blogs. But it is your career. Only you can put in the work to build a strong network, a strong skillset, and a strong drive to mature in your career. Here’s a quick recap of tools that I keep in my toolbox for those tasks:
- Strategic THANK YOU!’s
- One Up, One Down, One Left, One Right
- Celebrate and document the Team Wins
- Know yourself and your where you want to go in your career
- Learn, Train, Do
- Read, watch, and listen to a variety of content
- Be awesome
As promised, here are some amazing resources from those far smarter than me, so you’ll be left in great hands.
The Difficult Decision to Switch Jobs
Over a month ago, I made the difficult decision to leave MITRE and join Red Canary as a Principal Intelligence Analyst…
Starting an InfoSec Career — The Megamix — Chapter 7
Chapter 7: Landing the Job So, we’ve come this far in your infosec journey. You’ve studied hard, attended conferences…
How to Build a Cybersecurity Career [2019 Update] | Daniel Miessler
I’ve been doing Information Security (now called Cybersecurity by many) for around 20 years now, and I’ve spent most of…
And one last Hat/Tip:
Chris Crawford, I reference as “the Professor” in the video, has is own amazing content here on Medium. He was also kind enough to peer-review all of my slides for this talk and he gave me some amazing and honest feedback. So if it still sucks, its his fault too :) Thanks Chris!