Two controversial pieces of cybersecurity career advice I give to a lot of people I talk to on mentorship calls:

1) Don't become a manager unless you genuinely want to be a servant leader and devote yourself to people and program management for the joy and fulfillment of it.

2) Don't become a red teamer unless you genuinely in your heart of hearts want to be a red teamer, you understand what the role entails (even the boring parts), and you are willing to very deeply commit extra time and effort. They're generally much more competitive roles.

@hacks4pancakes I can’t agree more. I have seen a lot of good engineers become awful managers because ‘that is where the money is’ or become red teamers because they want to ‘break things’ without understanding what it entails and what the costs (for you) are to become one.
@hacks4pancakes also: be humble. I have had serious conversations in the past with red teamers who do not understand the nuances of building and maintaining an architecture (and updating it) when the business does not understand the impact of not doing so. And telling the people who are constantly fighting for budget that their work is ‘shit’ is not the way to help.
@Ilthea @hacks4pancakes Every position from manager up to (if not thru) C-Level is "managing people." And so few people can do it.
@hacks4pancakes The second is a big one. My work bought everyone on incident response OSCP. I’ve done red teaming before. It’s not my jam. I don’t enjoy it. I think a lot of my coworkers found out it wasn’t for them too haha. A lot of them enjoyed learning some of the how, but they all got frustrated at how much extra is involved in the trade.
@deedasmi I would NEVER dissuade someone who has done the homework and knows it is what they love. It's a matter of having a killer training background and resume, then.
@hacks4pancakes absolutely! I handed my seat off to a contractor that didn’t get the benefit. I joined most of the study groups and helped where I could blind. It’s also amazing for a blue teamer to see how a red team works and how TTPs develop. People just see how many zero days and hacks are happening in the media and they make assumptions about what the work is like. It’s not glamorous until it is for a brief moment. Then it’s back to hard, detailed work.

@hacks4pancakes the writing.

ALL the writing.

Red Teamers who are good at writing are a blessing to their organizations

@RandomDamage @hacks4pancakes writing skills are at least as important as, if not more important than, hacking skills.
@egypt @RandomDamage @hacks4pancakes communication is more important than technical chops imo. the part of the job people rarely talk about when folks are looking to get into pentesting or red teaming is that you have to really understand the client's wants and needs, help form a threat model you can work from, and be able to guide them through the process of the test, the results of it, and remediation. and often you're navigating company politics or contractor relationships at the same time.
@egypt @RandomDamage @hacks4pancakes folks think of reports as the big communication aspect of the job but most of the really critical stuff comes down to navigating conference calls with different parties who want different things and have different levels of technical knowledge. the communication goes way beyond written explanation of technical stuff. we're deep into customer relationship management territory.

@RandomDamage @hacks4pancakes 100%. I don't care how hot shit you are at finding vulns in stuff, writing tools, and all the other technical stuff - if you can't communicate the details in writing then you can't do the job.

language barrier is fine - most places have peer review or editorial staff to help with that. but communication is like 80% of the job role, you need to commit to being good at it.

@hacks4pancakes
I see nothing controversial in these statements.
The job roles have to be clearly understood, what they really mean - all the good, the bad and even the ugly parts - and only if you believe in it and want to take it all, with passion on top of that, is it possibly the right career decision.
@hacks4pancakes the thing that I always remind folks about Red Teaming / Pen Testing is that the only tangible output of these functions to the customer or business is the reporting. So guess which part of the process takes up the most of your time.
@SecureOwl @hacks4pancakes also, guess which part of the job makes the largest difference in your career prospects. =D

@SecureOwl @hacks4pancakes I don't know, the red team at work managed to make CrowdStrike isolate one of our database servers and take down half the QA environment.

That was ... tangible 😉

@hacks4pancakes having been the 1st, I can say this is 100% accurate. When you’re a manager you don’t get to do the grunt work and if you enjoy that, don’t become a manager.

@waynedixon @hacks4pancakes

pure software dev here and absolutely agree. Decades of push to move me into mgmt. I am a grunt and I like grunting!

@hacks4pancakes
Your point number one holds true in deciding between any individual contributor position and a management position. Great advice!
@erraggy it's definitely not so much about the cool hacking. A lot of pen tests use the exact same basic TTPs, scripts, and exploitation because it still works.
@hacks4pancakes
Good advice, 2) specific to cyber-security, but 1) (don’t become manager unless…) is much more general & should not be controversial.
I’d add: if you want to be a manager, make sure you’re in organization that knows how to develop individual contributors (who might want to) into managers, 1st-level mgrs to 2nd-level, etc.
This was institutionalized when I was at Bell Labs. Silicon Valley has been more variable; sometimes individuals were promoted with varying degrees of readiness.
@hacks4pancakes
For instance, at Bell Labs, yearly merit review was done by lab (typically 100-150 people, likely 3-5 Dept Heads, each with 4-5 supervisors). We spent half the time talking about personnel development, like:
A) who’s ready & interested in promotion
B) who’s doing a great job at X, but needs a different assignment for broadening
C) who needs project lead role to see how they do
D) who should attend an internal management training course
E) who’s happy indefinitely as an individual.
@hacks4pancakes
One more piece, now that I'm home and could scan an old page from October 1980.
This was from my Director, who gave it to his Department Heads, explaining how they'd be appraised.
Mine passed this along to his Supervisors, including me, ...
i.e., for folks who might aspire to another promotion, sometime.
I.e., Member Technical Staff => Supervisor required some of this, but on smaller scale (typical group ~4-8 people).
"III. People" is about half, note especially III.1 a & b.
@hacks4pancakes second one applies to general pentesting too. you are going to spend around 70-80% of your working hours on short (1-3 days) engagements for very uninteresting cookie-cutter webapps, build reviews, VAs, etc., writing reports for those tests, writing scopes for those tests, and on calls with clients and account managers to discuss the tests and the reports. it's the core loop of the job.
@hacks4pancakes there are cool specialised roles out there for senior positions, but you generally have to do your 5+ years in the trenches first, and it's *really* not worth it if that initial job loop isn't at least somewhat enjoyable to you.
@hacks4pancakes My own experience was that I was forced onto the management track because employers didn’t know what to do with a senior technical contributor who wished to stay “hands on keyboard”. This is why I left W2 employment and became an independent consultant. Perhaps things are different now.
@hal_pomeranz Very much so, outside the government.
@hacks4pancakes Honestly, that’s good to hear. While I have enjoyed the challenges that come from running my own business, I recognize that it’s not the path for everybody.
@hacks4pancakes I would add a corollary to (1): You can be a leader—and lead work—without being a manager. In fact, it’s probably easier in many orgs.
@hacks4pancakes Nothing can ruin a team of excellent people with good skills and motivation more effectively than a "manager" that is just pushing around numbers and tries to control people inside some "management framework".
Too few managers understand that their job is actually about caring for and protecting the employees who do the actual work.
@hacks4pancakes shit, where were you 8 months ago when I took option 1 without knowing 😭😭😭 this is so true... my life is PowerPoint now
@hacks4pancakes Having a high tolerance for disappointment is part of it, too. Coming back for a second or third reassessment and finding that they haven't cleaned up from the last time you were there is disheartening.

@hacks4pancakes About 15 years ago I was given the chance to build BlueCoat’s EMEA PacketShaper support team after the Packeteer acquisition. None of the Dutchies wanted to relocate to the UK… 🤷‍♂️

I enjoyed managing the transition as a project, and subsequently was the team lead for the new team in the UK for a year or so. I learned that I’d rather be a techie / run a project than a manager.

On the other hand, without this experience I would probably not know. Now I do. 😃

@hacks4pancakes to your first point. What I learned since I transitioned to manager is that most people in cyber don't need to be "managed" but either need to be coached or enabled. You can't be a classic manager type, since you need the technical skills and understanding to gain respect from the team and also need to be a part of it to give them what they need from you. At the same time, you need to understand that you won't touch a command line much at all anymore or you will burn out in no time.
@InFy @hacks4pancakes I was nodding along until near the end, thought to myself “aha! I’m a manager, but I’m still in a shell every day without fail doing all sorts of things to lead from the front!” and then I read the final bit about burnout and… yeah.

@hacks4pancakes Anecdata on point 2: I thought I wanted into red teaming so convinced my manager to pay for OSCP, but it turned out I prefer building stuff. Red teaming is not my kind of problem solving.

So I stayed in software engineering, and have not regretted it yet.

@hacks4pancakes 2 times in my career I was asked if I would manage a small team and be able to contribute. I told them that managing teams is a full time position with huge responsibilities that I am willing to do, but it’s one or the other. People mean too much to half ass their growth and development.
@hacks4pancakes I've definitely found myself contemplating the merits of being the interface between the technical team for IR, etc and the customer who needs enough mental framework to understand without making their eyes glaze and brains shut down.
@hacks4pancakes I give a huge vouch for #1 (and don't know anything about #2). You have to be wired for management before you step into the role. Other people's lives are not your play things because you have some corporate vision of hierarchical progress.
@hacks4pancakes Added quirk on 1 that absolutely happened to me. Know and believe if/when your boss, as a manager, will let you devote your time and learning to servant leadership and program management. When becoming manager, I knew my boss wanted a more “technical manager” role. Thought I could do both. I could not. Ended up writing more code in 2 years as a manager than I had in the 5+ years before. Hard to servant lead in that case.
@hacks4pancakes I don't fully agree.
For 1), I think that would be ideal. But if you really want to progress in your career, management is the only way. And there are many incompetent ones. If they can make it, you can too. But yes, better follow your heart and do what you like. I did the same and ignored the career path.
For 2), I think no time outside work time can be expected. Probably depends a lot on your country and company culture. Also certs should be paid by employer, unless it's more for yourself and your career instead of a requirement for your current work.

@hacks4pancakes Solid advice, and definitely lots of people don't follow number 1. The number of terrible managers I have had over the years makes it obvious they are in it for the money.

The one I give to junior people is, try lots of different roles and don't be afraid to jump ship to another company. So many people stick with the company even when it's clear they aren't going to get what they want from them. Usually because of some warped feeling of responsibility to the company.

@hacks4pancakes 1st one can be generalized to just about any field, I think
@hacks4pancakes I stayed out of real infosec entirely for that reason. It seems 95% of the infosec job description is all the things I hate about doing EE (product development and research). Namely report writing and fighting with MBAs about spending money on doing important things.
@hacks4pancakes What if folks don't want to be red team, but the roles out there require that background? So many folks are looking for red teamers to turn into Senior AppSec Engineers.