I will preface this by saying that I have been primarily remote since about 2013. While I did a fair bit of work visiting customers in their offices for a number of those years, I have not lived in the same state (or even the same time zone) as my direct manager since then. I learned many years ago that I thrive in a remote environment, where I can’t be sidelined by “drive-bys” and I’m not being jarred out of my thoughts by the sales floor gong or other raucous “collaboration”. Having a global pandemic push us all out of offices was amazing for me, because it put me on a level playing field for the first time in my career. Finally, I had just as much of a chance to build those connections with my leaders that allowed for advancement, because no one else was physically in front of them, either. Everything seemed to be coming up roses, despite the health crisis.
As life returns to the “new normal”, I’m seeing plenty of advocates for shifting to remote-first workforces. LinkedIn is chock full of people sharing productivity improvement statistics, touting their own successes in improving work-life balance, and criticising organisations pushing for “return to office”. It has felt to me that remote-first is quickly becoming the norm, and I was thrilled about what that meant for my own career prospects. A couple weeks ago, though, someone said something that stopped me dead in my tracks. They said they had an unpopular opinion to share: they were coming out as pro-RTO.
Their rationale was intriguing; they believed that remote work, especially as someone early career, fostered career stagnation. Others chimed in to agree, noting that when they aren’t in the office, they don’t get a chance to “rub elbows” with strategic leaders, which in turn limited their own growth opportunities. Here I was, talking to a group of engineers, saying that the one thing I loved most about remote-first workforces was the very thing that they felt was holding them back. I definitely had to pause a beat to consider that perspective before weighing in with my thoughts.
I think that their observations are valid, but I also think that these experiences are symptoms of a larger problem, and I don’t believe being physically present in an office genuinely improves the experience. I don’t think we have a remote work problem; we have a remote leadership problem, and really, we just have a leadership problem in general. It has long been true in engineering organisations that if you’re a great engineer, it’s expected you’ll be a great leader, too. Individual contributors are promoted into people manager roles without any training or even any discussion about their own career goals and path. I have ranted about the other side of this problem in the past, that there is rarely a defined growth path for someone who wishes to remain a highly technical IC. Even where that path is defined, though, the corporate world at large does a pretty poor job of preparing engineers for the role of people leadership. Add in the unique challenges of leading a remote team, especially one that is globally distributed, and you have a recipe for disaster.
Don’t get me wrong. Many companies recognised this problem years ago and have tried to address it. The company where I was first thrown into a people manager role eventually rolled out a “Manager Boot Camp” two day intensive training, addressing things like conflict resolution, strategic planning, and performance management. My most recent company had an entire series of trainings for ICs and leaders alike around these same topics. Still, I can count on one hand with fingers left over the number of managers I’ve worked for who have taught me leadership skills by example, rather than by demonstrating negative behaviours that I don’t want to repeat. I fear that these young engineers are experiencing poor leadership, and, having nothing to compare it to, have inferred that this is simply a byproduct of remote culture.
Good leadership, in my opinion, is built on a strategic foundation. Where are we going and how are we going to get there? The best leaders I’ve worked for have all had a very clear vision and mission, and I understood exactly what my part was in fulfilling that vision. I hear a lot about SMART goals, but it seems the R, Relevant, is largely either overlooked or misunderstood. In my nearly 30 years of work experience, I have worked for exactly one company where I was fully aware of our company vision and strategic goals, I had a firm understanding of the goals of my direct leaders defining the part we would play in reaching those goals, and my own goals were completely aligned and relevant as a result. That was also the only organisation I’ve ever been part of where each role was clearly defined, for both technical as well as leadership paths, outlining not only the technical expectations, but also the leadership and organisational impact expectations for each level.
By simply implementing these fundamental leadership principles in my own teams, I have had huge successes in growing interns and entry level engineers, even in a remote environment. Sure, it was hard for all of us. We had to learn to adopt effective means of asynchronous communications. We all had to find a balance between autonomy and collaboration. I had to trust that my team would come to me when they were stuck, but I also had to learn when and how to check in effectively to ensure that they were aligned and on track. As a result, I was able to grow interns and junior analysts into a fully staffed operational team in just over a year while my colleagues sat on their same open reqs for senior talent. More importantly, everyone on my team knew exactly what was expected of them, and they were able to create their own SMART goals that were truly relevant to our vision and mission, which also outlined their path forward.
When you find this balance, an even better thing happens, too – you find yourself in a state of flow. By clearly defining your vision and mission objectives and giving your team the autonomy to define how they each get there, you’re fostering intrinsic motivation. As Daniel Pink described in Drive, intrinsic motivation comes from autonomy, mastery, and purpose, and where you find this intrinsic motivation, you find flow. Your work becomes its own motivation, as you continuously challenge yourself to make a measurable impact toward the common goal. You never have to ask what you need to do to move ahead, and you can start incorporating the expectations of higher levels whenever you find yourself needing a challenge. Similarly, when meeting the expectations of your level is enough of a challenge to keep you satisfied, you have the autonomy to shift your focus towards mastery, ensuring that you are demonstrating these skills to the absolute best of your ability, and finding purpose in your continuous improvement.
While I don’t claim to have everything figured out, I am pretty confident in saying that if your team feels stagnant or unsure of how to move upwards within your team simply because you cannot see them, that is a failure of you, their leader, not the environment. As long as your vision is clear, you should be able to validate and reassure their work towards that vision without looking over their shoulder, so we can all live our best, most productive work life possible without the disruptive chaos that’s so difficult for the neuro-spicy among us.
This one is very special to me, because in all this series, Eric is the first person I’m featuring who has been my direct leader. Eric is the person who taught me through his actions the difference between a manager and a leader. He is also the person who taught me the importance of work-life balance, appropriate stakeholder communications, and intrinsic motivation.
When I was moved under Eric in a re-org, I wasn’t sure what to expect. My team hadn’t had many interactions with his previous org, as we were all consultants and rather isolated within the company. I was also quite senior, having been consulting in this space for many years. I had been through a lot of managers who tried to implement strict time tracking (down to the minute) or ticketing workflows where every task is documented in extreme detail, and I had a bit of dread going into our first conversation, fearing that he would try to bring software development practices into customer-facing consulting.
What I found when we had our first one on one was the polar opposite of my expectations. When I launched into updates of what I was working on, expecting criticism or prompts for more detail to understand exactly how I was spending every minute of my time, he [gently] cut me off. He asked me, “Are you telling me this because you need me to act, or are you just venting?” It caught me off guard, because of the implicit trust his question conveyed. Up until then, I had been taught through actions that I needed to prove myself trustworthy to be allowed to manage my work independently. I was taught that documenting my efforts to a level that every minute of my time was accounted for was the only way to demonstrate that I was doing my job. With one simple question, Eric showed me that he trusted my assessment of my workload, and that while he was available to step in if needed, he would not do so unless asked. If only we had this conversation before my first managerial role, I may not have spent so many years actively avoiding people leadership! From this one interaction, I realised that I had a tendency to be overbearing and micromanage my team, because that was the only methodology that had been modeled for me.
He also taught me about the importance of work-life balance. In my first consulting role, the majority of my compensation came from my bonus, which was based solely on the number of billable hours I worked. My managers and teammates showed me that I could easily work two or even three engagements at a time, on-site with one client during the days, doing remote external testing at night, and writing my reports during plane rides, over the weekends, or instead of sleeping. If I wasn’t working 90+ hours a week, then I just wasn’t trying hard enough, and I wouldn’t be given the choice assignments. In this role, I had been trying to avoid burning out, so I had asked my previous manager what he felt was an acceptable amount of time off, given that we had moved to an unlimited PTO model. His answer was not very helpful, saying only, “Take however much time you need to maintain an acceptable quality of life.” What I really wanted to know was how much time off I could take without being penalised for it, and this response still made me feel like that answer was, “None.”
Eric gave me a number, saying that he made it his goal to take at least 20 days off each year, and then he reaffirmed that by actually taking his time off. When he was out of office, he was truly out. I never once saw him responding to emails or chatting in Slack. With a tangible target in mind, I stopped feeling guilty about taking off 2-3 days each quarter, and started taking full-week holidays at least a few times a year. I felt like I was being given permission to stay off Slack and email, and for the first time ever, I returned from a holiday truly feeling refreshed and ready to get back to work. That year, I logged 22 full days of PTO, and I did not work through a single one of them, yet I had one of my most productive and impactful years since joining the company.
Every time we spoke, I also felt that Eric was truly present. He was never answering other calls or responding to email during our one on ones. That time was for us, and he made it his priority. He made me feel valued simply by dedicating 30 minutes to checking in with me and seeing how I was doing. He took the time to get to know me as a human, and opened up about his life enough to show me that what we did at the office was not all there was to our lives. I got to hear all about his yoga practice, and shared in his experiences remodeling a campground into a wellness retreat. He encouraged my love of craft beer and my desire to turn that passion into a business. Years later, after I had already moved on to another company and role, he reinforced this message once again by leaving his executive leadership role to become an executive coach. I’m still not sure if he realised how much he had been applying this to his teams already, but seeing him wholly pursuing his passion reignited that flame in me.
Because of Eric, I decided to venture back into people leadership, as scary as it was. I still held onto all the negative feedback I’d received from my managers and my teams previously, just waiting to hear it again. Instead, I had multiple team members say that I was the best leader they’ve ever worked for. That was actually harder for me to hear than any of the negative things. It felt impossible and ingenuine, until it finally clicked; Eric was the best leader I’ve ever worked for, and by practicing what he taught me, I was giving others that same experience.
In the past year, I have found myself slipping away from these fundamental lessons that made me the leader I am today. With increasing pressure from my leaders, I started sacrificing my work-life balance. I went back to responding to emails and Slack at all hours of the day and night. I found myself moving one on ones more and more frequently, and I was distracted during these conversations. This was the expectation being modeled for me by my leader, and as a result, I was establishing that same expectation for my team. Looking back at the last year, I hate who I have become, and I can only imagine that my team’s sentiments have shifted, as well.
So, with two weeks remaining in 2025, I’m going to publicly voice my resolution for 2026: I am going to embody that leader Eric taught me to be. I am going to prioritise my work-life balance, and show my team that they need to do so, as well, in order to be effective. I am going to trust and empower my teams to find that intrinsic motivation to fuel their state of flow, knowing that their success keeps me in flow, too. And yes, Eric, I’m going to get back to making some darn good beer, too!
I was recently re-reading my old posts, just to see how they’ve held up with evolution within the industry as well as within my own thinking. When I came across When You Point a Finger, Three Point Back, I immediately sent this to my team, realising that it reaffirms a lot of the guidance I’ve been giving them on their growth. However, I also realised that the industry has evolved substantially in the time since I’ve written that, and I now have friends in the industry who are established experts and leaders in Digital Forensics and Incident Response (DFIR). It has emerged as its own specialisation in our ever-expanding threat landscape, which has definitely changed my perspective a bit.
While it’s a very good thing for the industry to be exploring the breadth and depth of DFIR, I do fear that we may be introducing an element of over-specialisation. Rather than a skillset that you acquire in a step along the way to your offensive security goals, we’re now expecting young analysts to declare their path early on, locking them into their choice for the duration of their career, and shielding them from the experiences they may gain from sitting on the other side of the keyboard.
One of the most common injuries for a ballerina is a dislocated knee. This happens when the outer muscles of a dancer’s legs become over-developed, and the inner muscles become under-developed, because a dancer isn’t supplementing with strength training outside of dance. When the dancer engages those muscles en pointe, the outer muscles exert pressure on the kneecap, pushing it away towards those weaker inner muscles, resulting in a dislocation. I think this is what we’re training towards in security, as well, when we have teams focusing solely on building their abductors (defensive security skills) or adductors (offensive security skills). It’s a recipe for [metaphorical] dislocated knees.
What I’ve advised my team to focus on is building these skills in balance with one another, so that they are continuously learning from themselves at each step. For my new in career analysts, I’ve encouraged them to learn basic penetration testing, being able to execute canned exploits to compromise systems with known vulnerabilities. Then, they can take these systems they’ve compromised and see what it looks like in the logs, allowing them to turn that exploitation into an indicator of compromise (IoC) for that attack. How else can you defend against attackers if you don’t know what an attack looks like?
This balanced building isn’t just for new in career, though. As you get better at both skills, you’ll start to build evasive techniques, learning to write your own exploits so you can compromise that same system without tripping your own IoCs. This in turn leads you to building out more resilient IoCs that catch rapidly morphing exploitation. More resilient IoCs in turn push you to develop new evasive techniques and methodologies in your exploitation to impede detection and investigation. It’s a never-ending cycle, where you are continuously learning from your expanded experiences, offensive skills feeding into defensive skills.
If you happen to walk by while I’m on a call with my team, you may hear my new rally cry, “No dislocated knees!” Rather than encourage specialisation in one side or the other, I’m encouraging everyone, regardless of level, to work on these skills equally. I’ve included both offensive and defensive expectations in every band of my leveling guide. No one needs to pick the red pill or the blue pill; this isn’t The Matrix!
Eventually, we’re all forced into specialisations. That’s inevitable, as the industry continues to expand beyond the limits of individual comprehension. No one can possibly be an expert in every facet of such a broad industry. However, I believe being able to context-switch between offensive and defensive concepts and techniques is essential to being an expert in either. That is why I, along with my team, will be making a concerted effort to grow our skills in whichever side is weakest, continuously working back and forth between these as we strive to be well-rounded experts in whichever path we ultimately choose to follow as a specialty.
This has been sitting in my drafts for longer than I care to admit, and today’s passing of the torch seemed like the right time to get these thoughts out there.
With so much of my family based in San Antonio, it’s no surprise the part that Coach Pop has played in forming who I am today. I’m not really into sports of any kind, but I follow and support the Spurs because it’s just what you do when you have ties to San Antonio. My first memories of conscious interest in the Spurs start around 1989, with David Robinson’s rookie year, when Pop was lead assistant to coach Larry Brown. Some rough years were had after that, Popovich ended up doing a stint with Golden State, but he eventually returned to the Spurs in 1994 as GM, to find a team anchored by wild child Dennis Rodman.
Now, I love seeing my team win as much as the next person, and Rodman was certainly securing those wins, but hearing the reports of family and friends about their personal experiences being on the receiving end of his bad behaviour within the community, I had to question whether the cost was too high. The way Pop handled this situation was to send a loud and clear message: We don’t do that here. While some may see their beef as a blemish on both their careers, I, along with most of the city of San Antonio, saw Pop prioritising the well being of our community over the team’s record. He firmly believed that he and his team had an obligation to serve the community and build it up, not to tear it down. He taught me about one’s obligation to their community through his swift and harsh consequences when players were having a negative impact, as well as through his acts of service, both alone and with his players. From visits to the schools to serving at community dinners, he established the Spurs as servants to the city of San Antonio. He knew that professional athletes are role models to young people in the community, and his actions showed how seriously he viewed that as a personal responsibility.
In 1996, I returned to San Antonio as an adult with a family of my own. The Spurs were on the back end of a slump and “the dark years”, but David Robinson was a shining star showing the path forward, winning the MVP title. Red McCombs was out, HemisFair Arena was a pile of asbestos-filled rubble, and Pop was back as GM. The Spurs were consistently making it to the playoffs, getting closer and closer to a title run, but they were still outplayed in the Western Conference Finals. By the end of the year, Robinson would be named one of the 50 Greatest Players in NBA History, and Pop would take his place as head coach. Despite all of these rising stars, they finished the 1997 season with the third worst record in the league, and won the draft lottery, which Pop used to secure power forward Tim Duncan.
While the Spurs still ultimately got knocked out in the Western Conference Finals again in 1998, their season record showed the true story – the “Twin Towers” were not only driving the team’s offence, but also anchoring the defence. In the 1999 season, they went into the finals as the top seed in the Western Conference and tied with the Jazz for the best regular season record. When they finally achieved their long-sought championship title, it shouldn’t have been a surprise to anyone. Instead, I learned the true meaning of “poor sportsmanship” when I heard Lakers’ coach Phil Jackson dismiss their wins, saying that because of the shortened season and series as a result of the strikes earlier in the season, “It will always be an asterisk year.” He doubled down when he insulted the entire community and culture of San Antonio in his bitter criticism of our celebrations, which he called “floating a trash barge down an over-glorified drainage ditch”. A lesser person may have taken the bait and escalated the trash talk, but Pop ignored it, and ensured the focus remained where it belonged – on the people of San Antonio, without whom there would be no Spurs.
In the many years since then, I have continued to watch and learn from Coach Popovich’s signature style of leading by example. While no one can ever accuse him of doing anything quietly, he has never been performative about doing the right thing. When he appointed Becky Hammon as assistant coach, making her the first female coach in NBA history, he made it clear that he felt she was the best person for the job, and under his mentorship, she was able to prove him right. He has repeatedly shown us that when you have a voice that is heard and respected, it is your moral duty to use that voice to speak up for those who can’t. When so many people have opted to “not get political”, Pop used his voice to call out his peers, his organisation, his community, and even international leaders on their acts of social injustice.
So, to Gregg Popovich – thank you for exemplifying what it means to be a leader. Your legacy will live on through all of the lives that you have touched. Mitch Johnson has some mighty large shoes to fill, but we all know he is in good hands, learning from the undisputed best.
I said I’d write a few of these posts and, having referenced Dan in my last post, I realised he should be next. This is a hard one to write, as I still haven’t quite processed his death, and I wish like hell he were still around to hear this. I don’t think I could accomplish as much or make a difference in as many lives as he did in his short life even if I live to 100, but losing him has reminded me of a lesson I learned some time ago, that we will always live on as long as we’re remembered by those whose lives we touch. I’ve had this sitting in my drafts for months and I feel like after his induction into the Internet Hall of Fame yesterday, it’s way past time to hit “publish”.
I suspect anyone who has had any interaction with Dan, no matter how brief, has stories like mine. In a community that has turned gatekeeping into a fine art, he was one of the few people who was inherently trusting and welcoming. No question was too dumb and he always somehow made you feel like you had something worthwhile to contribute to the conversation. I managed to establish myself within the security community rather early on and I had been staffing various cons when I got to know him, but I was still working in a different field professionally and considered myself an outsider. When I moved to Seattle in late 2005, I turned my hobby into a profession, and Dan was one of the folks who made sure I got off to a good start. I felt so out of place and constantly second guessed what I felt was rudimentary knowledge, but Dan always engaged me in stimulating conversations and even sought out my opinions specifically in discussions. He recognised my strengths before I did and showed me that as little as I felt I knew about the topic, I had actually keyed in on something unique that others hadn’t. He even led me straight down the path of my first vulnerability discovery. Sometimes I question how much of that was actually my own, but he wouldn’t have dreamed of taking credit for anything more than prompting me to follow the trail I’d found.
When I first started out in consulting, it was brutal. I only shadowed a couple engagements before I was sent out to fend for myself, and I didn’t feel like I actually knew what I was doing. I ended up calling him in tears, completely overwhelmed with feelings of inadequacy and having no idea how to advocate for myself. He gave me the best piece of advice I have ever received in my career: “We’re ALL faking it. The trick is figuring it out before your customer does.” More than 15 years later, I can’t say I’m faking it any less. The more I learn, the more I realise I don’t know. Thanks to Dan, though, I can acknowledge that I still may have something of value to offer in spite of – nay, BECAUSE of my lack of expertise. I have a different perspective than the person who built something, so just because I didn’t invent a protocol doesn’t mean I’m not capable of seeing a flaw in it. Dan truly believed that there was no such thing as a dumb question, and that anyone with enough curiosity to be asking about something had the potential to make it better.
Thank you, Dan, for believing in me, and for making me believe in myself.

Reflecting on Chef Kristi’s incredible success yesterday really made me think about my own trajectory and my tendency to mentally downplay the significance of my own accomplishments. While I can’t say I’ve had my face on the giant screens at the sportsball stadium (seriously, how cool was that?!), I realise I have made some huge leaps and I need to embrace that, too.
Most of you know that it was a difficult decision to move into my current role. In my last position, I was a big fish in a little pond. I felt valued and respected, and every day, I had an opportunity to share what felt like a wealth of knowledge to peers and customers. When I went looking for a new challenge, my choice ultimately came down to two options. The first option was head of security for an e-commerce startup, and the second was as a technical leader in product security architecture for an extremely well known and established network security product vendor. They were completely different roles, but in one, I would continue to be the big fish in a small pond, while the other would make me a guppy in the ocean. For some insane reason, I picked the latter.
Y’all, I can’t even lie. It is HARD. Every day, I go to meetings and I feel like the dumbest person in the room. Every single person I work with makes brilliant contributions to innovating our field every single day. Every time I interview someone for my team, my imposter syndrome gets worse and worse, as I can’t understand how I managed to get hired into this role with so many more intelligent applicants to choose from. Much like when I was brand new to infosec and moved to the place where all these brilliant people I respected were, I feel completely out of place in every discussion.
I think back to those times, though, and as dumb as I felt, there were people helping and encouraging me instead of reaffirming my own beliefs. When I got my first consulting gig and called Dan Kaminsky in tears because I couldn’t do it and someone was going to figure out I wasn’t qualified for my job, he told me, “Octal, we’re ALL faking it. The trick is figuring it out before your customer does.”
I thought I was committed to learning. I thought I was keeping up. In reality, I had become complacent. I learned a few new tricks here and there, but I have spent several years resting on my laurels, and it’s time to get back to work. I think back to that choice 15 years ago that led me to Seattle, though, and I remember what I learned from that experience: When you surround yourself with the smartest people you know, people who set the bar high and still manage to leap over it, you can’t help but get carried along with that tide and meet that bar yourself. So, I find myself trusting that once again, I should embrace this opportunity to grow again, rather than be intimidated by the talents of those around me. By growing others we grow ourselves, and I’m just on the other end of that equation again. Soon, I’ll have no trouble keeping pace with this new pack, and I’ll get to be the one cheering on those who are challenged to keep up, rather than feeling like I’m slowing everyone down, but today, it’s my turn to let them grow me, to let them challenge me, and for me to recognise the success in that even from the back of this pack, we’re still way ahead of the pack behind us.
[Foreword: I shared this on my personal social media in light of an event I was attending yesterday, but it sparked a serious fire of reflection on my current growth and those who got me here. I’ve decided to share it here so that I can also share the continuing thoughts that I shared today, and I will expand this into a series of posts highlighting some of the others who have made me the person I am today.]
Many years ago, I happened upon a lovely woman slinging her black eyed pea hummus at a farmer’s market when we lived in the CD. We chatted about road trips through the region and connected on social media. I had no idea that I had just met one of the strongest and most influential women I will ever come across in my life.
We moved out of the city and I lost my access to her incredible hummus, but I saw she was doing big things. She was building up her catering business, and also putting her influence and energy into building up other Black owned businesses in Seattle. She was feeding high end corporate customers, and feeding her community. When the pandemic hit right as she was opening her restaurant, she continued to invest in her community, and took a lot of really courageous leaps of faith that her business would be lifted as a result.
Tonight, I finally get to experience firsthand the wonderful food of Chef Kristi Brown (and get that hummus fix that I’ve been craving for so many years) again, as a guest of Field to Table. This event features notable Seattle area chefs in a catered fine dining experience on Lumen Field to benefit Big Table, an organisation which helps hospitality workers in need. Soon, I hope to experience her restaurant Communion Seattle, which makes me drool every time I read the menu, but tonight is even more amazing to me, to see her recognised as one of the top chefs in our area, and to be able to experience the signature menu she has crafted for this special event.
To Chef Kristi – I know I’m one of so many people watching and cheering from the sidelines, but please know just how much you inspire me. I have watched you build your little cottage industry into not an empire, but a strong community, building together with others, rather than on the backs of others. You have shown me that we are stronger together, and that if you give first to your community, your community will lift you up in return. I recognise the extreme privilege it is that I can experience this event, and I am overjoyed to be able to witness this recognition of your immensely hard work over the years. I can’t wait to see what you do next!!

Many years ago, I received a seemingly random text from a friend. He said he was sitting in a meeting and it suddenly dawned on him, “You have no thumbs!” The response from the table was, “So? We’ve never had thumbs before!”
Obviously, everyone at the table had actual thumbs, but he was referring to discovering missing functionality in the product he was working on which he considered as fundamental to its function as our thumbs are to our hands. Lately, I’ve been thinking about this exchange quite frequently, as we work to innovate and solve our old problems in a more efficient way. It feels like I have the same conversation day in and day out, trying to convince people that thumbs are nice to have.
Let’s face it – most problems in security are not new. Sure, every once in a while, a technology comes along that requires new controls and a new way of looking at things. We’re hitting challenges of scale that we never dreamt possible 20 years ago. Most of our fundamental problems have been solved for quite a while, though. However, we also have technologies available to us now that we never dreamt possible 20 years ago. The scalability of cloud services and containerisation lead to mind blowing possibilities. So… why are we still dependent on 20 year old workflows?
I have joked that the entire security industry has Stockholm syndrome. We absolutely despise the products available to us for our old problems – vulnerability management, patch management, or incident management, just to name a few – but we accept that the basic workflows they all share are simply the best we can get. When we think about innovation, we’re usually thinking about how nice it would be to get this feature over here implemented in this other vendor’s product to do this thing that works well for one specific use case.
What if there were better options, though? What if someone told you today that you could have opposable thumbs to give you leverage you’ve never had before? Would you be open to that conversation? So often, I see folks slamming the door on innovation because “We’ve never had thumbs before!” Sure, your workflow is working as fine as it was 20 years ago when you first implemented it, but was it ever truly efficient? Are your metrics telling an effective story of success? Can you directly attribute a change in trends to actions your workflow drove?
It’s high time we stop accepting that the way we’ve always done things is the best way to do it. Challenge convention. Solve old problems in new ways with new technology. Think about what would be possible if we started over with the lessons we’ve learned, rather than accepting the “old trusty” solutions you’ve always depended on. We’ve never had thumbs before, but they sure are handy!
We seem to have a lot of great work going on to increase diversity in our talent pool, through mentorship and outreach, for STEM generally and specifically in infosec. We’ve even started to recognise the need for sponsorship in tandem with mentorship, helping open doors for the talent we’ve identified and getting them through their first steps.
But then what? We support each other as peers for a while, some staying on a technical track and some veering over to a leadership track. How are we continuing to support, sponsor, and mentor those we have had this relationship with as they grow? We see diversity in our teams increasing, but it makes the glass ceiling seem even more real when I look at the CISOs around me and am hard pressed to even find one who looks like me. In the absence of representation, what are we doing to make sure that we’re not only opening these doors, but holding them open for those who have followed us?
It seems the more I move into leadership functions, the more my peers seem to be cautious about showing their hands. The same people who were eager to give a tip or make an introduction 10 years ago are suddenly close-lipped when it comes to personal growth. We’re suddenly terrible about just supporting each other as peers, talking about some of the hard challenges, allowing others to learn from our past experiences and share knowledge the way we always have about more technical topics. For those on leadership tracks, it seems like we’re almost embarrassed to talk about things that aren’t cool hacks or crazy things we’ve built and discuss instead how we handle a difficult conversation with one of our directs or how to speak to a board on some emerging new risk.
How do we rekindle the spirit of collaboration that got us all here now that we’re the ones running the industry we built? How do we get back to the innovation which came from sharing the cool stuff we were doing, and apply it to the challenges that seem a little more mundane? Is there someone out there willing to please hold the door?

This is a simple infographic that boils down a very complex thought pattern. When I spent several months working closely with a colleague from our Customer Support team last year, he mentioned using “we” instead of “I” when working with a customer – a tactic he leveraged to make the customer feel as if we’re working proactively WITH them to resolve the issue. He also got me away from saying “problem”. “We” have “challenges” or “issues”, but it’s never a “problem” for our customer.
This mindset developed in support has turned out to be a huge key in developing my leadership skills, as well. Using the same strategy that I have used with customers to guide them to a successful outcome, I’m able to guide my team to successful outcomes as well. The concept is the same – we’re working together, leveraging our unique skills and talents, to overcome obstacles and achieve a common goal. A year ago, I would have thought that was a bunch of buzz word hype, but these minor shifts in vocabulary have resulted in major changes in my thought processes. This one tiny change, catching myself every time that I would say “I” or “problem”, is the foundation of how I approach leadership.
Leading without authority is likely the biggest challenge most of us will confront in our careers. It’s easy to drive a team to our goals when we have authority over them, but a true leader doesn’t need it. To be able to lead and influence strictly through the goodwill and trust placed in me by others without having to rely on “because I said so” type responses is my ultimate goal.
Up until this point, I’ve relied on technical expertise to establish authority in my career. That’s still valid; I’ve often said that I never want to be the sort of boss who asks people to do things that I myself can’t do. That type of authority only gets you so far, though. To truly break out of the pack, I have to be the person people come to for guidance or advice even when I don’t have designated authority. Only then will I have confidence that I can handle a leadership position without falling back on these easy “boss” mistakes.