How to Rapidly Progress your Cyber Security Career

May 2, 2024 · Jacob Larsen · 6 min read

Preface

I highly recommend checking out Mike Privette’s course “Avoiding Career Lateral Movement”, available here. I quote and paraphrase Mike a lot in this article, as I enrolled in his course a few years ago, which had a demonstrable impact on my personal security career development.

Direction

The keyword in the blog title is “your”. How to rapidly progress your cyber security career. You are the only person on your career journey. You need to ask yourself: where do you want to go? What are you seeking in your career? It could be:

  • Flexibility.
  • Remuneration.
  • A specific title.
  • A position in a specialist security niche (e.g. red team, ransomware incident responder).
  • A role with FAANG.
  • Security leadership.
  • Or a combination of the above.

You need to identify where you want to go. Progression in the context of this article is dependent on your objective, which will be different compared to others.

The harsh truth

“Years of experience, do not equate to, experience in years.” - Mike Privette

It doesn’t matter how many “years of experience” you have. I’ve seen people with 2 years of experience lead solution design, get executive buy-in, and assist CISOs to prepare board presentations on updated cyber security strategies. However, I’ve also seen people with 10 years of experience struggle to formulate an assessment and provide actionable advice, excluding regurgitating compliance requirements.

You can earn more experience than others, in a more compressed timeline.

However, this requires you to see different scenarios - organisations with varying objectives, complexity, constraints, and maturity levels. You need the opportunity to solve a problem successfully, but also solve a problem unsuccessfully, with hiccups and mistakes along the way, which will act as lessons learned for the next pursuit. After a few years in a role, you will hit a ceiling point in learnings and growth. At this point, it’s time to pivot to a new role with different responsibilities, whether that be within your current company or externally in the market.

It’s in your hands

Rapidly progressing your career is not something that will come passively. You must play an active role, and nobody can do it except for you. It will require hard work, and you cannot hold yourself back. You need to show up and grind even on the days when you don’t want to.

Simply fulfilling the duties of your job description won’t elevate you in your career progression. It’s not enough to just do your job; you need to:

  • Deliver work that others won’t.
  • Respectfully challenge what others won’t.
  • Mentor and help others solve their problems.
  • Improve insufficient processes to create a scalable impact.
  • Run into the fire, to do the hard and frustrating work first.
  • Provide and execute solutions, not just identify issues.

This will earn you more experience, increasing your skillset and providing a competitive advantage compared to others as you move forward.

If the next role you are seeking requires a skillset which your current position or organisation can’t provide, you need to find incremental ways to close the gap. This will require a focused commitment of energy and time. This can include:

  • Side projects.
  • Conference talks.
  • Volunteering time.
  • Seeking a mentor.

Personal brand

“It’s not ‘who you know’, it’s ‘who knows you.’” - Mike Privette

You will get opportunities others won’t through your personal brand. You must build a strong personal brand, as it’s critical to establish a network. This doesn’t just apply to your local industry; it applies within your company too, both in your reporting line and across departments.

By following through with commitments, taking on challenging work, and demonstrating high performance, you will build trust with your manager. This is the key to unlocking progression in your existing role. You need your manager and their colleagues to see you as a peer. You need to create a direct relationship with your manager’s manager.

Your brand is elevated not by how hard you worked, but by what outcomes you deliver. Executives care about reporting and data representation, as it informs all of their decision making. If you can develop the ability to anticipate their needs, and adapt your communication to include metrics and identified trends, you will be perceived as operating at a higher level than your current role. CISOs are not interested in security metrics; they are only interested in risk metrics.

To progress, you need to acquire an advocate for your career. An advocate is a person who can speak up for you at a higher management level, and can get your name and skillset visibility in hard-to-reach places. This could be within your current reporting line, or even outside in a different management chain.

Progression evaluation

On a six-monthly basis, you should evaluate your progression towards your career goal. Are you heading in the right direction to fulfil the required skillset and experience of the role you are seeking?

This isn’t solely measured by remuneration or position title (depending on your career goal). Consider what you have learnt to gain experience. When you hit the ceiling point of your current role in growth, you will find yourself in a very comfortable place. You know a lot of people in the organisation, and you will be able to complete your responsibilities to a high level.

However, you might not be learning anything new, or only making minor incremental improvements. At this point, it’s time to look elsewhere. You need to challenge yourself, see new scenarios, solve problems in different ways, and develop a new skillset.

Pursuing new opportunities

“Be patient, but be a shark when it comes to the right opportunity.” - Mike Privette

Your next role should scare you. However, you need to make sure you take the leap of faith, and restart the “sink or swim” process again. You can’t hold yourself back.

That being said, you should only pursue new opportunities that will stretch you. If you can complete 90% of the required responsibilities of the advertised position, you will be making a “lateral move” in your career. You should only pursue roles where you can do ~50% of the required skillset. You need to consider: how will this new opportunity align me closer to my defined career objective (from the beginning of this post)? You must not just think of the new opportunity, but how it will position you long term for the role after that, to meet your objective.

If the new role doesn’t fit these criteria, don’t move. Never accept an offer because you think it’s “all you can get”. You need to be a shark, and be open to what opportunities are out there, but patient, waiting for the right one at the right time.

Authors

Jacob Larsen, Offensive Security Team Lead

I have a deep interest in threat research, and work as an offensive security team lead. I have a diverse background in strategic cyber advisory roles.