Career Hacking: Tips and Tricks to Making the Most of your Career

Andy Piazza
14 min readApr 17, 2020

--

One of the best ways to ensure that you have an amazing career that is filled with challenges, enjoyment, and growth, is to consistently work to improve yourself and your surroundings. Early in my Army career, I was taught that it is important to “improve your foxhole every day.” This simply means to find small ways to better yourself and your surroundings every day. With that in mind, I put together a talk for BSidesNoVA 2020 and presented it in our Career Village. The talk wasn’t recorded so I went ahead and recorded a session at home. Feel free to read the rest of this article or simply watch the video located here:

Career Hacking: Tips and Tricks to Making the Most of your Career

Note: Pretty much any section below could be its own blog series. I’m hoping to at least point folks in the right direction on each of these topics.

Build a Strong Network

You cannot have a successful career on your own. You need to have a team that you can work with and rely on to get things done. Networking and team-building are about being able to fill in your skill gaps with the help of friends and colleagues and being able to fill in their skill gaps with your own knowledge. Great teams aren’t great teams just because they have skills though; they must communicate and trust each other. This section provides a few different methods that I have used to hack my professional network to build trust and tear down barriers between teams.

One Up, One Down, One Left, One Right

This concept is simple: learn the basic job of the folks around you so you can provide better support to them and communicate with them on their terms. For example, if you’re a SOC analyst and you work with the risk team a lot, spend some time learning their terminology and regular processes so you can provide better input into their work-stream. They will be grateful that they don’t have to translate your inputs into their standard language and tasks will get accomplished more effectively for both teams.

A few ways to get to know other teams and their processes:

  • Volunteer to support projects that you hear about
  • Engage them in a brief side convo after a meeting or near the coffee pot
  • Read team documentation that is available… yes, even if it means using SharePoint

Attitude is Everything

Building your network requires having the right attitude. You don’t want to be the person on the team that says, “I’m not here to make friends” or “I’m just here for the paycheck”. Nobody wants to work with that person, and you won’t find yourself getting a lot of support from teammates. Instead you want to engage others with a positive attitude, showing them that you are grateful for their time and expertise.

PRO TIP: Say hello to people in the hall and get to know the people in other teams

Source: https://twitter.com/aloria/status/1227355805139292168

Attitude-of-Gratitude

Being truly grateful and sincere with those that have done great things can go a long way to tear down barriers between teams and individuals. One of the methods that I’ve used previously is to send strategic “thank you” notes to the managers of another team to thank them for the great work that an individual did on a project or in a meeting. If you’ve ever had someone publicly thank you for your efforts, that feels pretty awesome. It feels even better when they thank your manager directly and you hear from your leadership that someone appreciates you. This method works to engage both the individual and the manager, and it can lead to improved relationships in future projects.

Good afternoon,

I just wanted to drop a note to say that we appreciated <name>’s help in today’s <name of meeting/project> meeting. Their assistance brought a lot of value to the discussion and we wanted to say thank you for their invaluable time.

Okay, don’t be Ron Burgundy with your “thank you” notes. Instead, take a lesson from Dale Carnegie’s How to Win Friends and Influence People: BE SINCERE. People can tell when you have true appreciation for their efforts or when you are showering them with flattery.

“The difference between appreciation and flattery? That is simple. One is sincere and the other insincere. One comes from the heart out the other from the teeth out. One is unselfish the other selfish. One is universally admired the other universally condemned.”

From How to Win Friends and Influence People by Dale Carnegie

Celebrating Team Wins

Recognizing, celebrating, and documenting team wins is another great way to build an awesome team. This means that you shift your language from “I” and “me” to “we” and “the team” when you talk about success. This goes a long way to build team morale and it prevents you from alienating anyone on the team that may be struggling.

A method I used previously in my career is to write out a quick 3–5 sentence to my lead explaining the team win that I observed. This approach was a great way to put something in their inbox that they can then forward to their leadership as a “good news” story. Your lead will appreciate it and so will their management. These write-ups are great vignettes to add to Monthly Status Reports or other program management tracking efforts. Metrics and KPIs are important for measuring a team, but these success stories contextualize those numbers and keep the briefings engaging. Here’s a quick example:

Good afternoon,

On March 3rd, <TEAM NAME> published a Flash Report on tax-themed phishing emails. Multiple stakeholders provided feedback and kudos on the report, and at least five users submitted phishing samples to the team mailbox for further analysis. The team is collaborating with the Malware Lab to extract samples and conduct analysis of the submissions.

Leveling up Your Skillset

Working on yourself is critical to your career growth. You can start by having a plan for your future and working towards those future positions by learning new skills, filling new roles, and crushing accomplishments along the way. There are plenty of resources and mentors that are available, but ultimately this work is up to you.

Know Where You are Going

Infosec is a huge field that requires a lot of different personalities and skills to function. You do not need to master them all and getting into this field can feel like you are climbing a mountain. So let’s start with a few maps that will make that climb a bit easier. The idea here is to find the ideal next role and work backwards to identify what you must achieve to reach that next position. What skills do you need? What intermediate positions do you need to fill?

PRO TIP: You don’t have to master everything.

Check out Henry Jiang’s “Map of Cybersecurity Domains”, take a deep breath that you can do this, and then give him a follow via LinkedIn to track any new updates to this amazing piece of art.

Source: https://medium.com/r/?url=https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fmap-cybersecurity-domains-version-20-henry-jiang-ciso-cissp%2F

This one from MITRE’s “Ten Strategies of a World-Class Cybersecurity Operations Center” is pretty awesome if you’re on the Ops side of infosec.

Source: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf

NICE Self-Assessments

So now you know where you want to be going, time to have a little honest time with yourself. I use the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to gauge what I know and what I need to know to be successful in my role. The US-CERT website is hosting a great lookup tool to navigate the NICE dataset. You can look up your specific role and figure out what the government and industry have defined as the expected Knowledge, Skills, and Abilities for that role. Here’s there Threat Analysis description that I use to track my career.

US-CERT’s NICE Framework Tool View of Threat Analysis Role
KSA’s for Threat Analysis

Here’s how I do a self-assessment: I grab a copy of NICE Framework supplemental spreadsheet located HERE https://www.nist.gov/file/372581 and navigate to the KSAs for my role. I complete a quick self-assessment on a 1–5 scale, where one is “I don’t know this stuff” and five is “I know this material and sought after for advice on this topic”. A baseline score of three is what I aim for, and to me, that means “I know enough here to be effective”. Once I’ve run through all of the KSAs with a quick score, I can sort it to find the lowest scores. These are the areas that I should invest my time in improving upon- either through self-study or working with smart folks in my community. My self-assessment looks something like:

NICE Self-Assessment Example

Passive and Active Learning

Traditionally, passive learning is listening to a professor or reading through material without real engagement. I use audiobooks, podcasts, and even webinars as my passive learning sources. I will listen to these sources while I drive, wash dishes, and other repetitive tasks. This is a great way to get exposure to wide breadth of material and topics.

When I find something engaging, I switch to active learning. This is more “hands-on” training, like studying with flashcards or completing a lab project. This is the type of learning where it is critical to mark off time on your calendar to focus and practice a new skill or study new material.

It is critical that you mix your learning styles with both passive and active sources. For the sake of formatting (Medium doesn’t like sub-bullets yet…), I’m throwing in a screenshot of my slide.

It’s important to point out here as I list some great passive resources- any one of these can be an active resource if you want it to be. For example, a SANS Summit talk on malware analysis can just be passive experience as you listen to the presenter, or you can try to mimic the speakers research in your own lab, making this an active experience.

PRO TIP: Here’s the link from the slide to a list of great awesome podcasts

Learn — Train — Do

This is a technique that I heard on a podcast years ago and I really wish I could give proper credit, but I cannot remember the source and my Google-Fu didn’t help (10,000 internet points to any OSINT-warriors out there that can find the original source for me!).

This technique consists of three categories of activity that I schedule out on my calendar. You should aim to get an hour-per-category on your calendar every week, every other week, or at least every month — as your schedule allows. But once you put these on your calendar, do your best to stick to them. Your career progression will skyrocket with this technique.

  • Learn a new skill or process that supports your career path
  • Train an existing skill or process to mature your existing capabilities
  • Do a task that you must do, but don’t necessarily find pleasure in

Learning a new skill that is tangential to your current career path is a great way to broaden your horizons and make you a more valuable teammate. For example, as a threat analyst, I don’t really need to know how to code, but learning some basic Python coding may lead to me being faster at routine tasks. That means I can get more done for my team in a shorter period of time. Efficiency is usually a great thing to strive towards.

Training a skill that I already know is a great way to practice the “sharpen your axe” technique. While practicing a skill that I already have in my toolkit, I may find that someone wrote a script to make it faster, or I may discover that I was skipping a step and biasing my output. When training an existing skill, its important to walk through existing documentation (school material or team SOPs) to ensure that you are executing the task to a standard and to check if your SOPs require updating for the rest of the team.

The Do category is equally as critical as the Learn and Train categories. In this scheduled hour, you knock out a task that you must do to be successful, but it may be something that you don’t find joy in or isn’t immediately beneficial to your team. For example, my previous role was to peer-review my team’s products. I enjoy mentoring analysts, challenging their assumptions, and discussing assessments. I don’t enjoy the look on my analysts’ faces when they first open a Word document with a bunch of tracked changes. Even when you know it is coming, its jarring and creates a divide. But I had to do this task to ensure that our products were published to the community. So I put an hour on my calendar first thing in the morning and I’d generally stick it that schedule. Another great example is basic knowledge management tasks. It may be your responsibility to manage a team distro list. You have all sorts of competing tasks that are more enjoyable and more important. But your team relies on you to keep those updated. You put thirty minutes on your calendar every week to check if there are any updates. If there are, you knock them out quickly. If not, you get thirty minutes back in your schedule to focus on something else.

Get these categories on your calendar and stick to them!

— ATTENTION MANAGERS —

If you’re a manager, not only should you still be practicing your craft and using this method — nobody likes having a manager who can’t do some of the tasks they manage — but I also recommend that you encourage your teams to schedule these sessions during business hours. Not only is investing in your team the right thing to do for them, your team’s output will greatly benefit from this focused time. As I mention in my “Implementing Team Training that Works” article, you can train and work at the same time if you have your folks train with real-world material. Need to learn advanced Excel formulas? Export some data from the ticketing management system into CSV and work with that data. Can you calculate the average ticket age with a formula? Learning a new skill and answering business questions at the same time.

PRO-TIP: Learning and training with your datasets will expose you to solutions that you never knew you could ask of your data.

Hacking the Humble Bundle

No not like that. Humble Bundle is a great org, don’t pwn them.

Every few months, Humble Bundle drops an amazing set of eBooks (usually PDF format) for anywhere from $15 to $25. This is a really great deal for the quality and quantity of books that you get through their site. My personal collection consists of nearly 200 PDFs and I have probably spent less than $100 on them. Their bundle topics range from general infosec to coding and data sciences. They recently did a bundle for kids coding that I picked up.

Pro Tip: The kids coding books are awesome resources because they break down concepts really well.

Don’t just jump into the coolest looking book. Instead, I recommend that you read the intro chapter to each one of the books. Then go back through and read the intro paragraph or two of each chapter of each book. Once you’ve completed this, you should pick a topic and deep dive that book. This is a great way to get an introductory understanding to a lot of topics, expose you to new subjects you haven’t considered before, and to identify potential areas of interest. It also prevents you from getting burned out on a topic that doesn’t interest you, but you’re hardheaded like me so you committed yourself to the miserable learning experience. Don’t do that! Scroll back, read the intros to everything, then jump into a topic of interest.

Moving on up!

It is super scary to decide when its time to move on to a new role or company. Is it the right time? Is this the right fit? My take on this will be relatively short, and I have links in the last section of this article that are written by some folks that are far smarter than me. For now, here’s my take:

You should look to move to a new role every three to five years, roughly. “What, come on?! What about getting certs, leveling up, companies aren’t loyal to you- why be loyal to them?” There’s a lot of advice out there and none of it is necessarily wrong. This is my advice: stay committed to a position for for at least two years to ensure that you are getting the experiences necessary to be really good in that position. This is about loyalty to yourself and ensuring that you can reach some serious achievements in that role.

PRO TIP: If you don’t know what to put on your resume as honest accomplishments, you probably have not been in the role long enough to level up.

In the 3–5 year space, you want to begin considering if you’ve reached your maximum effective range for that position. Yep, that’s another Army term. I mean: have you reached as far as you can go in this position before everything else is a slow arc towards crashing into the ground? Have you peaked? Have you accomplished all of the things that you are likely to accomplish here? Questions I start to ask myself around this point:

  • Has it been a few months since I’ve been excited about this work?
  • Am I re-solving problems that we fixed years ago?
  • Am I no longer getting management’s buy-in for new projects?

Recap & Closing

Ultimately, it is your career. You can have awesome managers, mentors, and colleagues. You can watch all of the right talks and read all of the right books & blogs. But it is your career. Only you can put in the work to build a strong network, a strong skillset, and a strong drive to mature in your career. Here’s a quick recap of tools that I keep in my toolbox for those tasks:

  • Strategic THANK YOU!’s
  • One Up, One Down, One Left, One Right
  • Celebrate and document the Team Wins
  • Know yourself and your where you want to go in your career
  • Learn, Train, Do
  • Read, watch, and listen to a variety of content
  • Be awesome

Awesome Resources:

As promised, here are some amazing resources from those far smarter than me, so you’ll be left in great hands.

And one last Hat/Tip:

Chris Crawford, I reference as “the Professor” in the video, has is own amazing content here on Medium. He was also kind enough to peer-review all of my slides for this talk and he gave me some amazing and honest feedback. So if it still sucks, its his fault too :) Thanks Chris!

--

--

Andy Piazza

I enjoy writing, mentoring, and sharing knowledge. I’m klrgrz (killer grizz) on Twitter. I do stuff n things with cyber threat intel.