A good friend of mine, who runs a great Appsec company, sent me this great article about a month ago. It wasn't new to me, but in recent weeks it's really been playing on my mind.

This hit its peak when I gave a guest lecture at QUT to a class full of people looking to get into tech and cybersecurity. It was a great opportunity and I am extremely grateful for the chance to help guide the next generation of engineers.

The job climate is obviously a little whack at the moment so the usual set of questions came up:

  • How do I get into X job?

  • What can I do to stand out in an interview?

The kinds of advice I fall back to here beyond what they might be already doing are typically things like:

  • Have a portfolio

  • Learn in public

  • Broaden your skills

  • Focus on the market and the needs of the businesses in it

It struck me after this lecture had concluded that a lot of these behaviours are exactly the kinds of extracurriculars mentioned in this article.

These are the things that result in people getting stuck going from mid to senior and above roles (in an individual contributor space). The irony of this thought occurring while I was doing exactly the kind of activity that's the subject of this article is not lost on me. Nor is the fact that I am writing about it in a blog article.

It's a curious industry we work in (cybersecurity); the path to success in our roles is usually circuitous and tangled. The ability to demonstrate your impact when you're slowly cutting your way through the jungle is vital to your long-term success. It's also a skill that a lot of people lack.

The most common method (at least from what I have seen) to make up for this shortfall is to focus on doing everything that isn't your job. You're part of the community, you're writing blog posts, maybe you maintain some open source projects. There is nothing wrong with that; we need people to shape communities, maintain software and share their thoughts. But you need to do your damn job and be able to communicate the impact it's having.

The idea of both actually having impact and communicating it is something so thoroughly missed in both formal education and informal education. It's also arguably why a lot of big tech companies have such awful approaches to role changes (10k word role change docs read by people that you've never worked with is so good, right?). Forcing people to write large documents that justify their existence gives people that aren't doing their job, or lack the skills to demonstrate impact, the ability to spend time pretending they are doing their job. The need to create the appearance of impact also creates a whole graveyard of barely functioning PoCs propping up large tech companies. A lot of these same problems still exist in smaller contexts; the difference is that people just don't get promoted, maybe lose their jobs, and/or teams get larger than they need to be.

Here's the rub: I've always found it incredible just how much time people in security engineering roles have to write thought-pieces. Again, irony: I am an engineering leader writing a thought-piece blog. For full transparency, finding time to write a blog is like herding cats for me, my participation in various groups and programs is a carefully negotiated dance, and on the rare occasion I get to do anything new, it requires several rituals to all known gods.

Enterprise security is rough, product security is frequently non-existent and we are always talking about just how threats never stop coming. We speak constantly about how we always need more people. All of this is to say that if you're taking the time to write a blog or run a community group, you should consider whether you're doing your job and demonstrating your impact. This is a super vital time to consider this: the world is changing, and regardless of your position on AI, it will have an impact on how people do their jobs, the types of roles that are available and the quality of work people expect.

So ask yourself an honest question. Am I:

  • doing my job

  • demonstrating the impact

If the answer is yes to both, then great, thank you for your time.

If the answer is no to either of these, well, here is what you can do:

  1. Do your damn job

  2. Measure your damn impact (if you don't know how, I am going to herd some cats and write posts for you)

  3. Talk about your damn outcomes

  4. If you've still got time left over do the rest
