I've spent more than 15 years building and leading cybersecurity programs at several Fortune 500 companies in the Financial Services industry. I'm also the Founder & Managing Principal of Fraction Consulting where I get to do fractional CTO & CISO work and advise private capital firms.
As a result of my background, I often get asked the following question:
"How do I advance my career in the cybersecurity field?"
Here are the 3 steps I advise people to take:
Figure out what "advancement" means to you.
Is it just more 💰 (money is great, don't get me wrong), or is it more responsibility, more autonomy, more respect?
Early in your career, you end up getting all of those things as you move from Jr analyst/engineer/operator into more senior-level roles, but you need to consider the path you want to take a few jobs/roles out.
Is becoming a security architect the goal (it's a fine goal)? Do you want to remain very deep and technical and go the lead/principal engineer route? Do you want to lead people eventually?
Think about how you work and problem solve. Do you like being the one with the answers or do you like getting people and teams together to get the answers?
Do you want to specialize in a particular area or technology stack or do you want to be a generalist?
All of these questions are to help people reflect inwardly and think through what they want to do. Once you've wrestled with those concepts you can move on to step #2.
Now that you have a better idea of what you want to do, you can start on your personal marketing and hype plan 📈.
If you don't market yourself, then no one else will do it for you.
Having a personal marketing and hype plan will help you think about career progression.
So you want to be an architect, a manager, or a CISO one day? How will you get the right skills and market yourself to get you there?
Look at what is true and what you have (your current job), look at what you want (future roles/jobs), and then plan out how you will close those gaps.
A critical piece of the personal marketing and hype plan that is often overlooked - making your intentions known to anyone and everyone who will listen to you.
You can't expect people to read your mind to know what you want and you can't get mad when they don't help you with something you haven't communicated.
All career interactions are "selling points."
You sell yourself on the job interview, you sell your point of view in that meeting for the next direction to go in the project, you sell why something is more risky than it sounds on paper.
OK that's all great, but how do you *really* advance, especially in the corporate world in cybersecurity? That's step 3.
Build an audience. In AND outside of your sphere of control and sphere of influence.
You want people outside of the cybersecurity group at your company to know of you and what you can bring to the table and help them do.
Cybersecurity is just another method of effectively enabling the business to do what it was meant to do - sell products/services to customers.
Security is about business enablement first
You want someone from the engineering group or that business unit to tell your boss how helpful you were in helping them achieve what they needed in a safe and secure way.
You want the CTO to comment to the CISO how you have really helped them out.
Building the audience builds your personal value and shows you know how to think and operate on a broader scale. The scale always gets broader as you advance and you can start showing this to let people know you are ready for that next level.
Step 1 - figure out what "advancement" means to you.
Step 2 - create a personal marketing plan to get there.
Step 3 - build an audience inside and outside your space.
This is a process you should revisit often as you move roles/companies, as new interests come up, and as you move through different phases of your life.
Take active control of this approach and don't wait for things to happen to you. Make this happen for yourself.
Nothing is guaranteed but this is the playbook that has helped me so far and I'm always refining it.
Previously published at https://twitter.com/mikepsecuritee/status/1308769654379347968