- The Human Element
Building the cybersecurity career path
Hello friends,
If there are constant complaints in the world of security, it’s security leaders complaining that the business doesn’t take security seriously, and security staff complaining that they don’t see viable career paths in their organization. These aren’t universal, of course. But they are fairly pervasive, and for good reason.
I recently caught up with Mannie Romero, VP of Product Security at Early Warning, the company that operates the financial network Zelle. What impressed me in one of our initial conversations was how well developed Early Warning’s security organizational model is. I wanted to share some of their good practices with the community in hopes that others will take some inspiration.
If you’d ever like help thinking through your career model, please reach out.
In other news, RSAC is coming up! I’ll be out in San Francisco for the conference and I’d love to meet up with you. Whether you are thinking about a new role or looking for help in building out your team, I’d love to chat. Drop me a line and we can find a good time to connect.
Last piece of news, I’ll be speaking at the Rocky Mountain Information Security Conference (June 11-13, Denver). This is the premier infosec conference in the mountain west and there is a stellar speaker lineup announced. You can see the detailed agenda and register here.
Hope to see you there!
Enjoy,
Brad
Building the cybersecurity career path
Sometimes a thing can be common sense, and nearly everyone agrees with it. But when you look at how prevalent it is in reality, it’s almost never there.
Career path models in security are one of those things. Nearly any security leader would tell you that offering a structured, competitive career path is a great way to attract and retain talent. Employees certainly want to feel that they are part of an organization that recognizes their contributions and affords them opportunities to continue to grow and advance.
But how many companies actually have strong career models in place for their security team? Very few.
There are many reasons for this. When you are in firefighting mode, it can be hard to do ‘infrastructure’ projects like this. Job descriptions tend to be dusted off when somebody leaves and you need to backfill, not as part of a strategic effort. And it can be hard to make big changes to career models with incumbent teams, because you start to make significant organizational changes, and that comes at the cost of a lot of emotional energy, angst, and inevitably some amount of disappointment.
While difficult, it’s a worthwhile endeavor. Benefits of a strong career model include:
Staff retention: people that move up through an organization are much more likely to remain loyal to the company. They feel rewarded, are regularly challenged, and build friendships that provide a fulfilling work experience.
Staff engagement: people that have a clear and achievable career path are more motivated and committed to their work. They have a sense of direction and purpose, and they see how their work contributes to the bigger picture.
Staff development: people that have opportunities to learn and grow are more productive and bring different perspectives. They acquire new skills and knowledge, and they apply them to improve their performance and solve problems.
So it’s hard to do. But it’s worthwhile. This is our guide to how to pull it off.
Components of a good career path model
There is no one-size-fits-all career model for cyber. It depends immensely on the size, maturity, and objectives of the cybersecurity program. It’s going to look very different for a Fortune 100 bank than it will for a mid-sized manufacturer, or a hospital that leans heavily on their MSSP.
But there are some basic components. There should be:
As much commonality of titles and levels as possible across the org (e.g. associate, analyst, etc)
Well-documented gradation of expectations ‘up and down’ in a given area. Think about not just describing what the work is, but what good looks like for each step
Consideration of movement: career paths these days are rarely just straight up. There should be thought given to lateral movement and how that ties into skill development.
Consideration of common entry points from the outside. Where do you generally need to find external hires because there won’t be people internally that ‘build’ the requisite skill sets, and there’s not enough work to construct a talent pipeline into the senior roles?
For every role, you should be able to identify at least one strong potential next step. This could be a vertical or a lateral move, depending on the individual's preferences and goals.
Compensation ranges that are in line with market
Titles that are in line with market
You can read more about how to construct a strong job description (and pitfalls to avoid) here.
Examples of career path structures across security domains
The career path structure for your security organization will depend on many factors, such as the size, scope, and nature of your business, the maturity and complexity of your security function, and the availability and diversity of your talent pool. There is no one-size-fits-all solution, and you should design your model based on the unique characteristics and needs of your organization.
Dropbox has a well-known and world-class career framework for their engineering roles (these are mostly software engineering, but do include security engineer roles). It’s available here and worth browsing for inspiration: https://dropbox.github.io/dbx-career-framework/
You can also check out Cyberseek, which provides an interactive map of career pathways. It’s based on the NICE framework from NIST. I have to say, I applaud the initiative for both NICE and Cyberseek, but they seem to be somewhat disconnected from reality (featuring roles that don’t often exist IRL), and with an excruciating level of detail in the knowledge, skills and abilities in the NICE framework, which total up to ~1,000.
Here are examples of potential path structures across security domains. This will be different for every company and should be designed based on unique characteristics and needs of the business.
Within enterprises, the two areas that will tend to lend themselves best to ladders within a function are security operations and security engineering (which can include sub-domains such as application security, cloud security, IAM, etc).
I spoke with Mannie Romero, VP of Product Security at Early Warning (Zelle) about their career path model. They have a fairly mature structure as far as cybersecurity departments go. One of the interesting things that Mannie noted is that at Zelle the career paths of security engineers and architects are parallel. While it may be common in some organizations for engineering to feed into architecture, Zelle’s security leadership found that since the nature of the jobs is substantially different (engineering is often more ‘hands on keyboard’ direct project work; architecture is often more collaborative, varied work), they created flexibility for engineers to hop between the two paths based on the person’s own job satisfaction and career aspirations.
More broadly, give thought to the structure of parallel movement. It’s a great way to provide staff the opportunity to build new skills and explore different areas that may fit their interests and underlying skills.
Clearly, the career models for smaller companies (with small teams) are going to look very different than at larger companies, where you have entire teams that are specialized around one area. This doesn’t mean that you can’t have career pathways, though. The jobs just have a wider range of responsibilities and skills required.
As you design your career path model, you should also consider the tradeoffs between productivity and cost. Balance the benefits of having more skilled and experienced staff with the costs of hiring and retaining them. Also consider the opportunities and challenges of having more junior or entry-level roles that can serve as a talent pipeline and a source of cost savings.
Other questions you may ask yourself:
Where is there enough work to build a ladder to progress with seniority? Where can you build in entry points via internships or entry-level roles in order to build strong talent?
How do you balance the need for specialization and generalization? Some roles may require deep and narrow expertise, while others may require broad and versatile skills. How do you create career paths that accommodate both types of roles and workers?
How do you align your career path model with your business strategy and goals? How do you ensure that your career paths support your current and future needs, and that you have the right mix of skills and capabilities to deliver value and achieve your objectives?
Good practices
As you design your career path model, here are some good practices that you can follow:
Try to avoid baking hard ‘years of experience’ into the requirements. This can be, but isn’t always, a proxy for skill level. You can pass by people that would do a great job, and simultaneously set people that aren’t ready to handle the higher expectations up for failure. Try to define the requirements based on the specific technical skills and performance expectations you would have for the role.
Allow for development along technical career paths that don’t require somebody to be a people leader to advance. Oftentimes very strong, high-end technical talent isn’t as skilled at people leadership, or that’s not of interest to them.
Make sure your career model is closely tied in with your performance management process. Use the career model as a framework to discuss aspirations, potential future steps, and the mutual expectations for both parties to get there.
In your role descriptions, don’t just think about ‘what’ the work is… think about expectations for ‘how’ the work gets done. Many companies use some version of a matrix with the ‘what’ on one axis (what you delivered, whether you met your goals, etc), and the ‘how’ on another axis (which includes behaviors, cultural alignment indicators, etc). So consider in your job descriptions not just including detail on work expectations, but also specification of what increasing seniority looks like in terms of contributions to the organization, interface with other teams, and leadership.
There’s a lot about career pathing that is cultural, not programmatic. Building a culture that rewards and encourages mentorship, taking risks on placing people with great potential but limited experience into new roles, and being OK with some amount of strong talent that you’ve developed heading out the door all show an emphasis on people, their skills, and their growth. And that will attract good talent. Recently on the CISO series podcast, David Spark, Andy Ellis (YL Ventures), and Joshua Brown (CISO, H&R Block) discussed our piece on talent retention and Andy noted that having an ‘open exit door’ philosophy (where people you’ve helped develop feel free and supported to move beyond the company) is such a testament to caring that it in fact works the opposite way- people look around and realize they have it really good, and choose to stay.
Making this happen
It can be a daunting exercise to build a career model for an organization- particularly if there is likely to be significant organizational change associated with it. The good news is that staff is overwhelmingly likely to welcome and appreciate anything that will give them more clarity on their future career development. This is a sign of investment in your people.
I recommend being honest and transparent from the outset on the effort. You will want to engage a number of people in the design, so it makes sense to be upfront with people about the effort and the desired benefits. From the outset, communicate:
Your objectives (the scope and expectations)
The timeline and process
How people can provide input to the process and share ideas
What types of changes to expect once the design work is complete
It’s important to note that a career path refresh is not necessarily an organizational redesign. The career model is independent of organizational structure, number of roles, etc. You may choose to tackle some amount of organizational realignment in parallel, but there’s very much a distinction between the model (which should be relatively constant) and the regular flow of organizational decisions on hiring, firing, backfilling, promoting, etc.
In the design process, you’ll want to:
Set up a common framework for roles and responsibilities, and make sure that’s aligned with overall company constructs.
Take stock of the work to be done, and how that aligns against roles. There are many decisions to be made here about specialization and breadth of expectations/work by role.
Incorporate employee feedback into the design. Seek input and opinions from your staff on what they value, what they aspire to, and what they need to succeed. Ask them what works well today and what should be changed.
Benchmark compensation by role. There are many services you can use to support this effort. Our quarterly market reports can give you a starting point.
Once design is complete, decide how much change you want to implement right away. Will you move gradually, only making updates when new roles are opened? Or will you snap the existing organization into the new model? I generally recommend the ‘rip off the band-aid’ approach, since this is generally an employee-friendly exercise to begin with. If you are not changing people’s compensation, usually they are pretty accommodating to title changes and adjustments to their roles and responsibilities.
What I’m reading
This is a new section, to share awesome content that I’ve come across. Enjoy, and share what you’ve been reading too!
🚪Phil Venables has fantastic analysis of the big, largely unsolved challenges in cybersecurity. It’s a gauntlet for those that are building new businesses, and very much worth a read. Infosec hard problems
💡Ethan Mollick runs a great substack called One Useful Thing on how to usefully leverage LLM models (in their current incarnations). He has a great post on prompt engineering here. Highly recommend his newsletter for all those that want to be on the cutting edge of AI capabilities.
🏗️Speaking of AI, check out this four part series on the underlying technological history of AI from the Babbage podcast at the Economist. You need an Economist subscription to listen.
🤖Also on AI, Daniel Miessler wrote a long but excellent essay on the future of AI. He looks at it from the angle of humanity, and looking at the predictable elements of humanity intersecting with ever advancing tech. He just turned it into a video (also long 😊)
🪟Microsoft is feeling some serious heat after an in-depth review by the cross-departmental Cyber Safety Review Board of Microsoft’s cybersecurity practices on the heels of a 2023 nation state breach. The report is fairly scathing.
Jobs
This week we are featuring appsec roles. As always, check out our job board for hundreds of opportunities, all classified by security domain and NIST/NICE specialization.
💼Anthropic. Application Security Engineer. San Francisco, New York, or London. $300-405K.
💼SpaceX. Principal Security Software Engineer (Blue Team). Hawthorne, CA. $221-270K.
💼Nvidia. Offensive Security Researcher. Santa Clara, Austin, Durham, or Seattle. $216-414K.
💼Box. Application Security Architect. Remote. $191-280K.
💼Skechers. Sr. Application Security Engineer. Remote. $160-180K.
💼Verkada. Sr. Staff Application Security Engineer. San Mateo, CA. $130-280K.
Events
One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out!
A few of the exciting ones in store over the next few months:
🤝Bsides Seattle. Seattle, WA. April 27.
🤝BSides San Francisco. May 4-5.
🤝RSA Security Conference. San Francisco, CA. May 6-9.
🤝Hack Miami. Sunny Isles Beach, FL. May 15-18.
🤝NetDiligence San Diego. May 20-22.
Thinking about your next move? Join our network
Looking for awesome talent? Post a need for free
Crux is the talent platform for cybersecurity. Check us out