Change is a Constant

Recently I’ve been asked for various forms of career advice, from newcomers and industry veterans alike. I’ve been asked for help with everything from reviewing resumes, to general advice on possible employer changes and even major career changes. These requests have been increasing, but the only (somewhat) common denominator so far seems to be the Pandemic. Normally there is an uptick in people making career moves in January and February, but perhaps people are getting a head start. I’ve recently pulled the trigger on my own job change (I left GE at the end of July), and have been extremely busy ever since, but I always like to make time to help people with making their own decisions. That last part is important…we’ll come back to it in a bit. Below are some thoughts on some of the things people have asked for help with…maybe you have these questions too.

What Do You Really Want

This may sound like a basic question, but it’s surprisingly difficult for many people to articulate. I think that’s one reason why I’ve been having these conversations: talking it out with someone you trust can help clarify your thoughts. I highly encourage you to have these conversations every few years. Your wants will absolutely change as your career progresses and your life changes. For example, if you are just starting out, maybe you want to travel and see the world. You can take a position with a large consultancy, and live that lifestyle. Maybe you are starting a family, and want to be present in your family’s lives. Maybe you are paying off student loans, and are taking care of older relatives, so health benefits and salary are more important to you. There are a million scenarios I could go through here, but the point is that you need to have an honest conversation with yourself, your family, and people you trust, and clearly identify what you want. It’s ok to want more than one thing (e.g. travel AND salary), as long as you prioritize them. If push comes to shove, which will you choose? Once you have that figured out, you can start down the path toward achieving that goal.

Blaze Your Own Trail

Many of the conversations I’ve had recently revolve around making major decisions in one’s career. This may be “breaking into the industry,” changing employers, changing from Red to Blue, or even leaving infosec altogether. While I love these chats, I often wonder whether or not I’m actually helping people, and here’s why: I’m me! In all seriousness, I sometimes haven’t faced the challenges or been in the situations we’re discussing, so I just listen carefully, try to understand all sides and angles, and ask gently probing questions. Do I have an opinion on the matter at hand? Probably. Is it what this person is looking for, or needs to hear? Not always. The fact of the matter is that what worked for me in my career probably won’t work for many other people. My origin story is my own, just like your story is your own. Most people are more than happy to share what worked for them in their past and proudly proclaim that as “The Right Way To Do It.” That’s crap. In fact this kind of advice can often confuse people even more.

I was quoted in “Tribe of Hackers: Red Team” as saying “There’s no right way to become a Red Team member.” While I still firmly believe that, my perspective has widened to include much more of the infosec industry. This industry is so large, and changes so fast, that I now believe one can “choose their own adventure,” so to speak. Are you a defender looking to switch to offense? Do it! You’ll love it and bring valuable skills and perspective to the Red side. Are you a devops wizard tired of seeing security people slow down operations? Show them how it’s done! I’m not saying this kind of change is going to be as easy as snapping your fingers, but if you really want to try something new, I’m confident you will find a way. As you blaze your own trail, however, you will undoubtedly need a little help. But where to get this help?

It’s the Network

In this case, I’m talking about people: your professional network, made up of people you went to school or trained with, worked with, worked for, met on infosec twitter, at conferences…whoever. This network takes time and effort to develop, and isn’t easy or natural for some people. I assure you this is a valuable investment. As large as this industry is becoming, it’s still quite tightly-knit, and many people maintain professional relationships that span decades. They rely on this network for inside knowledge on everything from emerging TTPs to hiring decisions, and will gladly “put in a good word” for people they trust. Do yourself a favor and take advantage of your own connections when you’re making important decisions. You may already be familiar with the phrase “it’s not what you know, it’s who you know.” What this basically means is that if you apply for a position at a company, and you already know and get along with the hiring manager and maybe a couple of other people there, you’re probably going to be a very strong candidate for that position…even if someone “more qualified” also applies. I know, it doesn’t sound very fair, but unfortunately it’s often human nature that wins out over process. Simply knowing this can help you make better decisions, however…maybe you don’t want to work for a company like that. Like it or not, personal relationships matter, and sometimes one needs to take every advantage available.

So how does one start building a network, especially when just starting out? Unfortunately, there are no shortcuts here. It takes time, patience, and most of all, trust. Typically, you will establish professional relationships with people on your immediate team, your boss, and other people you work closely with. You will begin to grow mutual respect and trust with one or two of those people…and then they’ll take another job at a different company. While that kind of sucks in the short term, you now have a connection you trust at that new company. This process will repeat itself throughout your career, but it takes time. To speed things up a bit, you can get involved in local or virtual CTF events, submit talks to smaller local conferences, and even shitposting on social media seems to work for some people. However you approach building your network, be sure to focus on mutual respect and trust. It’s very hard to find a job in a security-related field if you have an untrustworthy reputation, because the stakes are just too high. You have to put in the work, and earn it, but it’s absolutely worthwhile.

Tailor that Resume

I’ve seen a lot of resumes. Here’s the deal: resumes are tools to get you past the recruiter or screening process and into a conversation with the hiring manager. That’s it. It’s not a contract, it’s not your life story, and it’s not your hopes and dreams. Don’t lie on your resume, but don’t be afraid to toss in some key words that you know will get you through the initial screenings. Tailor your resume to roughly match the posted position description. Keep it concise, though, as the hiring manager will spend maybe 10-30 seconds skimming it before giving the recruiter a “thumbs-up” to schedule an interview and then moving on to the next resume. It may sound uncaring, but there’s often a huge stack of resumes to get through. Your job is to make those seconds count by clearly showing you have the knowledge, skills, and experience to do the job. Don’t make them wade through paragraphs full of fluff to find the good stuff. Again, the goal here is that conversation with the hiring manager, where you really make your pitch.

The Interview Process

Hopefully, you engaged in “a little light stalking” prior to submitting your resume, but if not, you need to do so as soon as possible. I could always tell which candidates were “stalking” me when I was hiring (OPSEC!), and that made me want to learn more about them, too. Before the first interview, you need to learn everything you can about the company’s culture, what they do, and how they do it. This knowledge will give you confidence that will be apparent in everything from your posture and how you carry yourself, to how you answer questions. You will also have informed questions for the interviewers, which will impress them and show them that you care. You want an interview to essentially be a conversation, and not a game of “20 questions.” Don’t be overly aggressive with your questions or attempt to take control of the conversation; remain respectful and professional at all times. Don’t make the interviewer pry to get answers, either…time is valuable and they will become frustrated.

Depending on the role, you may have one interview, or several. Either way, your objective in this process is to clearly communicate the value you could bring to the organization. This doesn’t mean simply proving you’re qualified for the job, however. It means showing them that they can’t afford to not hire you. By communicating that you will bring value to the company beyond that described in the job description, you gain tremendous leverage in the salary negotiation process.

If you are just starting out, you may be wondering how to show what value you could bring to the organization, which is perfectly valid. As a hiring manager, I looked at junior hires as investments. I wanted to be as sure as possible my investment in time, training, and mentorship would pay dividends in the form of sustained, superior performance. To that end, I was always looking for and prioritizing traits like passion and motivation over purely technical skills. If someone had the drive and determination to succeed, we could fill in any technical gaps through training, either formal or on-the-job. My point here is that one can bring value to an organization, above and beyond the job description, regardless of level. You “just” need to figure out what that value is, and communicate it clearly during the interview process. Once you have mastered this, the interviews will quickly turn to “talking numbers.”

Salary Negotiation

Patrick McKenzie (@patio11) wrote an amazing blog post on this process, so I’ll link to it here. Seriously, if you don’t do anything else, read that post. It will almost certainly improve your strategy, earning you thousands more every year. He also lists some more resources at the bottom of the page, including posts that helped him, and even an actual book on salary negotiation. Take a look! Below are a couple of quick pointers:

  • Negotiate for total compensation, not just salary. Be mindful of time off, retirement, healthcare, bonuses, and other benefits. Get the best total compensation package you can.
  • “Virtually any amount of money available to you personally is mouse droppings to your prospective employer.” That’s a quote lifted directly from Patrick’s post, because it’s important to understand. Don’t be afraid to ask for what you feel you’re worth; you won’t upset anyone.
  • Never start salary negotiations until you and the employer have agreed that you would be a good fit, and that you would be hired if an agreement on compensation can be reached.
  • Never give a number first! Wait until an offer is made, and then go from there. It’s HR’s job to hire you as cheaply as possible. Don’t forget that’s not your problem.
  • Be prepared to walk away if things don’t feel right, or an agreement doesn’t seem likely. Trust your instincts.


A lot of people are contemplating career changes right now, and hopefully this post is helpful in clarifying some of those thoughts. Don’t be afraid to blaze your own trail, leverage the help of your professional network, and skillfully negotiate for a fat new compensation package. Good luck, and if you still have questions, please feel free to ping me on twitter! My DMs are open.