A proud guest on the second episode of the QAudycja podcast!

This time I had the honour of appearing as a guest on the second episode of the new podcast by Konrad from QAudycja.

I talked about a career in security, about Poland’s cybersecurity, and about my new professional adventure.
As usual, there was also a handful of thoughts on coping with everyday life, in particular on intensity, on good and negative people, and on how our environment shapes our private and professional paths.

I wholeheartedly recommend it, because Konrad’s questions were fantastic, and he is only getting started!
I’m keeping my fingers crossed for the success of his blog and podcast 💪.

Hacker’s approach to productivity and career development – Universal Truths

On 15th of November 2018 I gave a talk at the TestWarez conference, where I wanted to share my experience and observations to help others gain a richer perspective on life, one that would help them solve non-trivial career-related challenges.
Unfortunately I ran out of time before I could close my story properly, which is why I’ve decided to create this blog post and ensure that people who attended my talk actually receive what they were looking for. If you want to jump right into the subjects I didn’t manage to go through, scroll down to about 2/3 of this article.
If you haven’t attended the talk, just go ahead and read the parts that you feel could bring you some value.

1. Who am I and why do I want to talk about things such as happiness in the workplace and career management?

I’m no guru and I don’t claim to be one. I’m just a man who has spent a significant part of his life chasing a great career, and while I’m doing my thing, I want to share the biggest takeaways so far of my life’s study. I’m not going to tell you that you can become the CEO of a billion-dollar organisation, or that you can earn $X if you do Y, or that you can become the greatest person on the planet. I don’t know that, and I don’t have such answers. But I do have answers which can help you get better at whatever you’ve decided to be doing. There are patterns that many people have noticed and shared in one form or another, and I want to do the same with my community: create a list of things that are proven not to work, and things that are proven to have the potential to increase the odds of your success. When you have that, you can try it out and see what happens. Assuming, obviously, that you want to try something new because you feel stuck.

If you’re happy, if you’re content and you’re living life on your terms, then I don’t think I have anything for you, really. By all means continue doing things that you know are good for you. However, if you’re a person who has tried many things and still doesn’t see any significant change for the better, then you might want to take a look here and there.

Many of the things I’m going to talk about here are things you’ve most likely heard about already, and it may seem like there is nothing new here. Which is about right, and that used to be my attitude as well. That’s the reason why I share such long back stories and create a context for what’s coming up next. I’m sharing my knowledge in a way which I know worked for me and which made me who I am today. First I had to attain a better understanding of things such as human nature and the rules of the corporate world, to be capable of comprehending the cliché things that we often hear about. I had to understand why things are the way they are, I had to understand why we act the way we act, and only after knowing that there are many moving elements which dictate our state of being could I get myself to work on changing my position in life.
You really can’t solve a problem if you don’t know what the problem is, and more often than not what we believe to be a problem in fact turns out to be just a facade for something much more complex. And explaining that complexity takes time, it takes years, but I want to try to compress it as much as possible to make it quickly digestible for everyone else. I do believe there are ways we can share our knowledge and help others understand the subject faster – for some it’s a kind of shock therapy, because they come expecting a list of things they can take and implement right away to take their lives to the next level. Then you drop a massive amount of knowledge, observations, and advice, and you let them think about it. You spark an inner thought process which makes people think “what if?”. “What if there is actually something about it, and there are ways to get what I wanted despite my past failures?”. That thought is what ignites the start of a bigger change. Sharing just a set of tips you’ve heard many times will often get forgotten without any action. Sharing a way of looking at the world which makes you question a thing or two is the game.

In my career, I’ve had the privilege of working as a computer programmer, cybersecurity specialist, manager, team leader and business advisor. But it’s not about me and you probably shouldn’t care. Judge content based on its merits, not its author.
It’s that I’ve tasted many things, which gave me an opportunity to interface with many fantastic people at various stages of their careers at various organisations. For some reason I wanted to know what it is that differentiates people who’re under-performing, those who are achieving a lot and those who’re basically mediocre. What it is that differentiates people who thrive in the workplace, who love their job, who love themselves when they’re doing the specific type of work, from people who struggle to achieve their goals. I’ve had the privilege of not only collaborating with multiple companies of various sizes as an employee, but was also given a chance to recruit people into teams I was working in. I’ve recruited people into the IT sector for roles with a paycheck as little as $400 per month and as much as $15k per month. I’ve seen people who were paid twice as much as the other person holding the same position at the same organisation and the question was – how come?
Although it’s not all about the money, it’s a lot about the money. Money is a reasonable indicator of how well someone is performing at work, and it’s just something that’s more tangible than skills, knowledge or experience. It’s hard to compare people based on their skills or knowledge, but it’s really simple to compare two numbers. It’s especially easy when you work with diverse organisations, with people who get to the absolute TOP of the corporate structure within 5 years and people who barely manage to get any movement along the career ladder over those 5 years.
Obviously there are people who simply choose to take it easy and who don’t care much, there are people who have different genetic predispositions and all that, but you know what I’m saying. I’m pretty sure you’ve met in your life two people who tried really hard, who wanted to achieve the same, yet they achieved completely different results.

So I started paying more attention, because I was really curious. Fast forward over a decade, and I believe I have come to conclusions and some universal truths which can be applied by many of us, obviously with each and every one of us getting different results. But there certainly are things that simply work.
Let me end this intro with the following statement, which should put some more clarity into what I’ve been trying to say:
I don’t believe you or me can become world-class NBA players just because we’ve watched how LeBron James got there.  That would be delusional and as far from the truth as one can get. But I definitely believe that we can learn from LeBron to become better at playing basketball than we currently are. No one can promise you or me, that we’ll become world-class at it. But if you put in the right type of work in the right amounts, there are high chances you’ll get better at it and that’s what most of us want and need.

2. Why do I care enough to share it, instead of just doing my thing and investing the time to better myself?

Well, if you get to a point in which you’ve tested something on yourself, you made yourself happier and can see something is working, you just don’t want to keep that to yourself if you see people around you struggling with the exact same thing. It’s such a waste.

People are truly struggling and way too many people waste their potential because they don’t know any other way. I don’t really want to get into what people are doing, because it’s their lives and it’s up to them how they want to live them, but the thing is that many of the people who’re struggling just don’t want to, or don’t know how to, ask for help. They’re not unhappy because they want to be. They are unhappy because they don’t know what else they can do, so they try many things, they fight, they put in the work, and they try to do something good. And sure, many people find their way, become as happy as one can get and live a fulfilled and joyful life.
But why would we want others to waste their precious time on trying things that are known to simply not work? Or why would we want people to take a longer path if there is a faster way to get where they want to get, which would save them not only time but some pain, which is inevitable when you try new things?

To me it’s just the right thing to do. If someone doesn’t want to listen to the advice, they won’t and that’s absolutely cool. But if there happens to be a person who wants to try something new, then you’re at least giving that person an opportunity to learn about other ways than the ones they currently know about. Then it’s up to them to try it or not, but at least they get a chance to try something else.

The problem with unhappy people is that misery loves company and we’re very empathetic creatures. We’re humans and we’re bound to each other whether we like it or not. We affect each other and we influence each other. And understanding this concept allowed me to get through things I couldn’t wrap my head around before.
Success is cool and all that, but the internal success, i.e. happiness, is what most of us are really chasing. Also, if you’re happy, you can make others happy. If you’re unhappy and feel stuck, there are high chances that not only are you not making other people happy, but you’re actively making them unhappy.

So yeah, chasing happiness is something that really matters. Because by being stuck and being unhappy you’re not doing anyone any favor. Your state influences the state of other people. And although we want good for the people we hang out with and we don’t want to make them unhappy, we’re way too often lost in our thoughts to realize that we’re unconsciously intoxicating the lives of those around us.

I believe most people do their best and try to be the best they can. But sometimes it’s not a lack of enthusiasm or lack of ideas that’s stopping us from achieving our goals. It’s lack of consciousness and self-awareness that doesn’t allow us to connect the dots.

3. So, do you want to save yourself and others some struggle and at the same time achieve more? Go ahead, there are a few things that are really important for you to get yourself on the right track.

First of all, I believe that we’re way too confused, especially in the early days of our careers. We don’t know what we’re supposed to be doing, so we try to follow people who we think have it all figured out. We read an online magazine and we read about top performers, those people everyone looks up to and secretly wants to be. And we try to replicate what they’re doing, which includes doing things such as heavy meditation, more rigid diets, following a heavily disciplined schedule, waking up at 4AM like the CEO from the cover of Forbes magazine and other crazy things.

It’s absolutely a good idea to experiment and try those things, but for most of us – those tips simply won’t cut it. Each and every one of us is different, and we need tweaks and adjustments to all the recommendations we hear from other people. We fail to recognize that magazines write about things people want to read, which are not necessarily the things that will actually work for the people reading them.

As an example of a process to dissect, let’s pick the sleep schedule, which is something many people try after getting motivated by reading an article about some TOP performer. When we read about someone like Tim Cook who gets up at 4:30AM, we see the end result. What we fail to recognize is that Tim’s wake-up time is a result of the process that he established for himself during his lifetime, which also requires other changes to his schedule. Magazines want to tell you that you can be more successful and you’ll get more things done if you wake up at 4:30AM, because hope sells well. But they forget to mention that to wake up at 4:30AM and be productive by any measure, you need to go to bed at 8PM the day before.

When you read about someone having a rigid diet, you don’t see the process it took someone to prepare their body for such a change. You see the result, but you’re not given enough insights into the process of getting there which is a key for improvement and which is something we must all do thoroughly.

It’s not enough to implement into our lives the elements that successful people do. More often than not, it’ll fail for very simple reasons, such as the fact that your body and your brain are complicated systems which don’t adapt overnight. It takes a long, long time for your brain and body to get used to different wake-up times. It takes a lot of time for your body to adjust the management of the nutrients you’re feeding it.

Combine waking up at 4:30AM with a drastic change from a messy diet to a keto diet and the next thing you know, you’re an anxious zombie who, instead of being more productive, is an ass to anyone who just happens to be around.

You got to take it easy, and you got to find what’s right for you. And what’s right for you is what you’ve been testing for quite some time, not something a journalist put into the magazine.

I like to say that 99% of things TOP 1% performers do aren’t practical for 99% of other people. By the same token, I do believe that if someone was in the past in the position you’re in now and achieved some sort of success, then you can follow their steps and get somewhere close to where they’re at. Most likely not to the same place, because there are too many differences between each one of us, but you can certainly change your position to some extent, as some things are universal and in general work in many situations.

So if you want to be as great as some specific person you admire and to do the things they’re doing, then it’s a much better strategy to follow their footsteps and try to replicate their success. Because if you look at it rationally, what makes you think that you can simply switch to doing some things overnight, if it took your idol months or years to get there? Successful people decide to do those things you read about not because they’ve decided to do them after reading an article, but because they know it’s right for them and they’ve been getting there their whole lives.

You’ve got to have some respect for the journey, because by following it, you can make yourself more compatible with the end results that you’ve seen that other person have.

4. From what I’ve seen in my life, among my peers and all over the world, there are about four major areas which contribute to people’s lack of happiness in relation to their career.

  • People are stuck at the job, in which they feel they’re not being rewarded well enough
  • People feel like they’re somewhat stuck with their skills and career in general
  • People are stressed and they lack work-life balance
  • People are hopeless, because they’ve expected something else than they’ve received and they just can’t see anything beyond that

None of these things are trivial and there is no answer which will work for everyone, but there certainly are patterns which show why some people experience one or more states from the list above, and why some people don’t even know what these things mean – because they’ve never experienced it.

So if you’re experiencing any of those things, then it may be worthwhile to look at some of the things that can be done to change that state of being. There are certainly a few workplace-related mistakes that people make, which cause their careers to develop way slower than they potentially could.

4.1. Sticking too long with one company

Some people feel like they’re getting nowhere, they’re not getting paid enough and they’re not progressing as well as other people in the industry, because they happen to be in the wrong organisation. It’s not that they’re not good enough or that they don’t deserve better compensation, it’s just that they’ve been working in one place for too long. In the current state of the IT industry, there are zero reasons to stay with one company if the job is making you unhappy. There are so many companies, good, great, average, and bad ones, that you can’t possibly try them all during your lifetime. If you’re working in IT, you won’t run out of companies that are looking for competent employees.

Sometimes it really can’t be said that a given organisation is bad just because you feel unhappy while working there. Some organisations are just made for some types of people, and for some people it may be the best company of their lives. Just because you have different expectations doesn’t mean the company is bad. If you work for a company that’s producing a type of service which doesn’t generate that much revenue, then it’s not its fault. It’s their business model to do the things they’re doing and it’s absolutely fair that they can offer you lower compensation than some other organisation. If you feel like your expectations aren’t being met although you’ve talked to the right people about it, then switch companies instead of being miserable and blaming the company you work for for not being another Facebook or Amazon. You’ve got to understand that if you want to get paid as much as software engineers working for Facebook, you should try to get into Facebook instead of complaining that your company can’t offer you the amounts of money other people get at Facebook.
This may sound trivial but it’s really not that simple of a choice. We often have unreasonable expectations because we focus too much on our expectations instead of setting high standards for ourselves. If you want to expect something from your company, you must first analyse how much it costs you.

Get out of your comfort zone and find the right place for yourself instead of making yourself miserable because of lack of courage to change your workplace.
There are always trade-offs and there are always risks, as it is with anything in life. Those risks aren’t going to go away and you probably won’t be less afraid of them anytime soon, but you can become more courageous and more willing to face them and to go after it regardless.

[On remote work

I believe remote work should be available to everyone, but it doesn’t mean anyone can do it. Working remotely can be great, but it can also get really ugly. You need to know what’s right for you and what you’re capable of doing. You need to study yourself to understand in what configuration you perform at your best. Just because there are many articles written by people who dropped their corporate job and went travelling all over the world and working remotely doesn’t mean it’s the right choice for you. It’s tempting, it looks good on paper, but for some people it’s just the wrong thing to do. Just because there are many people saying that you can get much more work done while working in the home office – which can be true – doesn’t mean you’ll be able to achieve that. For most people, there are other ways to be productive and to achieve what they want to achieve, without trying to save as much time as possible by going remote. ]

4.2. Disrupting your career development by leaving an organisation too early

We’re humans and we are irrational. We can often get so far in our irrationality that we want to leave an organisation because we don’t like the commute, or we don’t like a meeting that we’re required to attend, or because we don’t like to hang out with some person who works in the same office. And instead of trying to resolve the issue, we get emotional, we forget how tiny the thing that irritates us actually is, and we go way too far. If you don’t like your workplace, you need to analyse what it is that you actually don’t like. In my experience it rarely happens that the whole organisation is broken and everything is ugly. It’s just one or a few things that we tend not to like and sometimes can’t accept. But we need to have such a dialogue with ourselves and understand what it really is that makes us unhappy at the workplace. Chances are that you actually enjoy doing what you’re doing, you have fun being around most people most of the time, you’re getting compensated well enough, but you really don’t like that one person who is bothering you or the long commute it takes to get to the office. But the feeling is so intense and negative when it happens that you let your emotions take control, and then you think the entire world is against you and you must seek escape. And sometimes, the answer to a toxic coworker can be as simple as switching the floor you work on or negotiating with the company an option for you to work remotely.

People who get ahead in life have nailed this skill down. They’ve understood that what they think is happening may not really be the case. Human beings are complicated and we’re not trained, in any school that I know of, how to detach and analyse our problems by looking at things for what they truly are as opposed to what our emotions are making us see.

So detach and dissect each complicated situation to find the root cause for the bad situation you’ve found yourself in.

5. 10Xers aren’t superhumans. They just know how to get things done.

Many people experience a lot of stress because they don’t feel like they’re learning enough. They experience stress because they miss deadlines and sometimes blame the company for putting too much workload on their shoulders. The thing is that if you want to develop your career, you just need to deal with the workload. And for many people, the reason they are stressed out and can’t manage their workload isn’t that their company is expecting too much from its employees. It’s that people can’t bring enough order to the chaos, they waste a ton of time and they have too little time and/or energy to get necessary things done. They get stressed out, and after a while they get anxious, because their life is falling apart. They can’t manage the workload, so they go home and work even more. They’re stressed even more, because they have no time to decompress. This puts them in a downward spiral leading to anxiety and feeling hopeless.
I’m not saying it’s always the person’s fault, but way more often than we think, it really is. If you could only focus on doing the work, you could easily get things done in the office, and then not touch anything work-related when you get back home.

So if anything I’ve written in this paragraph feels familiar to what you’ve been experiencing lately, then I highly recommend you to take a closer look at how you really spend your time.

If you want to be productive, you should consider these things which really do matter:

5.1. You may not know how to get in the zone, how to put yourself in a flow state and do the deep work.

In a field such as IT, where we heavily rely on our creative brain, we really need to focus. We can’t really multitask well, so if you want to do something well, you must focus on that thing alone. We’re living in a world of constant disruptions caused by our inability to control the distractions, which makes us unconsciously do things such as checking our phone every few minutes, browsing social media each time we feel stuck at work and the like. If you’re stuck with something, you don’t know how to solve a problem at work, you don’t know how to use a programming library, then you’re not going to learn that by reading a motivational article or by checking what’s up on Snapchat. If you want to solve a problem, you must focus on solving the problem and getting deep into your work. If you need to learn an API, you must read about the API, understand how it works, try it out, and get back to the major task of implementing that API. If each time you face an obstacle you shift your focus to something other than removing that obstacle, you’re wasting your time. You’re not going to find, in the background, a way to solve a problem you’re facing for the first time while browsing reddit. All your brain power must go into the task and getting it done. People who perform well just focus, and focus on getting work done.

Many people go to work for 8-10 hours, and if they actually counted, they’d realize they’ve worked maybe for 3-4 hours and the rest was spent on either doing something else or on “getting back to work”. So yeah, there are definitely people who in one year can achieve what takes some other people 3 years to achieve. It’s simple math: if someone goes to work and works for 6 hours straight and knows how to get into the zone, they can actually get 18 hours’ worth of work of someone who’s constantly falling for distractions, switching tasks and never getting into the zone.

5.2. Those people who outperform you often don’t work more than 8 hours a day, because for most human beings it’s technically impossible to get our brain to produce meaningful work for any longer than that. They just use their time wisely, they don’t allow their primitive brain to take control and get quick dopamine shots. They have discipline over their mind and they push regardless of the tricks their brain is trying to play. And they know how important it is to rest each day, so they get back home and they try to actively relax. They don’t lie to themselves that they can squeeze some more work into a day. They realize that after a couple of hours of deep work, they won’t be able to do anything worth the struggle. Because if you’ve been really working for those 8 hours, then your brain is exhausted. And you can put in 5 more hours, but for most of us, it’ll be worth maybe 1 hour of work. So instead of wasting those 5 hours, get some rest, enjoy your life and recharge for the battle of the next day.

You’ll need that. You need that balance, and you need to understand the signals that come from your brain and your body, which are telling you when you can still push a bit and when it’s time to back off. And I promise you this is not easy by any means. And it’s impossible to learn to recognize such signals from your body if you never go into a quiet place and you’re overwhelmed by the noise of distractions of the world we live in. You need that time off, that quiet time for yourself, to reflect. To think about your feelings, to think about your plans, to let yourself feel things. And if you don’t have the discipline, you don’t focus on getting the work done when you’re in the office, you won’t get that quiet time for self-reflection. You’ll be too stressed out and too busy.
That’s how complex we are. One thing that’s off and dysfunctional can put our whole life into jeopardy. That’s why I never create blog posts such as “10 things to make you XYZ”, because it’s worthless. There are way too many things you need to take care of first, before any of those 10 things have even a slight chance of bringing any value into your life.

5.3 People who get ahead in life know how to be productive. And most people don’t really know what being productive entails. Replying to hundreds of emails a day and talking with coworkers on Slack doesn’t make you productive. It makes you feel productive, but what it actually does is make you busy. And being busy is far from being productive, because these two things have nothing in common. Your goal isn’t to be busy. You want your time, you want your life, you don’t want to be busy. What you want is to be productive, to get work done. The work that needs to be done and work that contributes to the bigger picture. Unless you’re working in a Customer Support role or something similar, replying to emails isn’t getting work done. Certainly not for most people who visit my blog, because most of you happen to be software engineers for whom getting work done means producing code, producing a product, creating an art that can be sold to a customer who pays for the service. That’s contributing to the bigger picture.

To be productive you must recognize the difference between being efficient and effective. People obsess over being efficient, and they’re being told that working hard will earn them what they want to earn in life. Which is silly, because what’s actually going to bring you closer to your goal is indeed working hard, but working hard on things that are important. You can be efficient at zeroing your mailbox, but is it effective for you and your organisation? It’s not. Communicating with people is necessary, but you should get that done as quickly as possible and get back to actual work.

Effectiveness is doing the right things. Efficiency is just doing things right. And you need both. You need to work hard, but before you get yourself into the grind you must know how to work smart, that is, to know what the things are that your manager and your team want you to focus on.

I don’t know a single person who got promoted for being the fastest person in the company at answering emails from their coworkers. But you bet I know people who got really far in life because they delivered important work on time. Human beings way too often fail to recognize that doing lots of work doesn’t mean they’re doing the work that matters. And the person that signs checks for you couldn’t care less how much you’ve worked if the outcome of said work hasn’t directly or indirectly produced revenue for your company.

So that’s one of the biggest takeaways and lessons I’ve learnt in my career. The results are the only thing that matters to the business. Everything else is just a noise, so learn how to get things done.

6. Attitude matters

I’m really not into motivational coaching or things like that. I stay away from it, so don’t get me wrong, but there is something that is really real, and that is your mindset. If you have a fixed mindset and you don’t believe you can achieve something big, you most likely won’t. It’s not about any law of attraction, or believing that if you constantly imagine you’re going to become a millionaire, you’re one day just going to become one. No one is coming to rescue you, and no one is going to knock on your door and hand you a check for $1M out of the blue.

You’ve got to work for it, which is the crucial point. But to work for it, you must believe that there is something in it for you. Because how could you achieve something big if you don’t believe in it, so you don’t do anything about it? You need to have an internal motivation and you need to allow yourself to believe that you can achieve the thing you want to achieve. Then put in the work, and see if you were right. Time flies by anyways. You know what’s going to happen if you do nothing. But you have no idea what may happen if you take action.

6.1 That’s why it’s so important to surround yourself with right people.
“You’re the average of the 5 people you spend the most time with” is one of the most real lessons being shared out there. If you surround yourself with negative people, who complain about their life and do nothing to change their state, it’s easy to fall into the same category. It’s easy, because if you have people who accept your weaker self, it’s hard to push yourself to get better, because why would you sweat if everyone accepts you anyways? And those dreams won’t go away, they will just go into hiding, and after 5 years it won’t be fun to look back and see that you haven’t really done much, and that time is gone and you’re not getting it back. It’s painful to realize that you could be enjoying the fruits of your work and living your dream, if you hadn’t allowed other people to dictate your will.

If you surround yourself with negative people, who point fingers at others, it’ll be hard to take ownership of your situation, because it’ll be easy to also blame everyone but yourself for your misery. And if you get yourself into such an environment it’s going to be really, really hard to escape, because those people won’t feel secure enough to let you chase your dreams and achieve your goals. If you take ownership and you show that it’s possible to achieve something if you put in the work, you’ll make them feel bad about themselves. Because now they’ll have a living example that if you put in the work and stop expecting someone else to give you everything, you can do better in life. And that’s scary, because now it exposes them and leaves them no excuse to stay where they are.

So be careful about your surroundings, because you really need great people in your life, who want good for you, or for both of you, instead of thinking only about themselves. You need people who can support your mission, and whose mission you can support. You want to have a tribe where you all aim at doing better and wish each other the best instead of sitting together complaining how bad you’ve got it and how many reasons there are to not pursue your dreams. You’ve got to have hope, and you must guard it at all costs, so people don’t take it away from you, because human hopelessness is a tragedy.

It’ll be good for everyone if you own your decisions and you don’t let others put you down. Because if everything is on you, and you know that you’ve made a decision yourself, you can’t point fingers at anyone else. Which can be the case, and often is the case when you do something someone told you to do and it fails. You get bitter and angry at that person, because you know they made you do it – even though it was your final call to listen to them.
So don’t let that happen. Take it all on yourself, and give yourself no chance to blame other people for your failures.


7. Communication – a skill no.1 

7.1. Your impact is limited by your inability to have meaningful conversations

I’ll keep it short here and will expand it a little bit later in the leadership chapter. But you know already that you can’t go far if you’re not productive, and you can’t be productive if you don’t know what the critical things for the business are. To know what’s critical for the business, you need to know how to listen to people and how to communicate well. So if you can’t communicate or don’t want to communicate, you can’t really be a 10Xer, let alone a leader or someone at the top of the organisation’s hierarchy.

7.2. You’re paid what you negotiate, not what you’re worth. Know your value and present it well

You get what you agreed upon, and way too many people are underpaid for a simple reason: a lack of courage and of the actual social skills needed to negotiate better terms of employment. Although it’s ugly, the reality is that in 99.99% of companies you won’t face a situation in which a CFO approaches you and says “hey mate, you’ve been underpaid for the past 5 years. We’re going to compensate you for that, and we’ll triple your salary which is the current market value of someone like you!”. You got to take it into your hands, you need to learn how to communicate your expectations and understand the expectations of the other side. If you don’t do it, the most realistic scenario is that no one is going to do it for you. You’ve got to have your own back, ’cause people mind their own business, which is fair, but just don’t be naive.

 

I believe these are some of the most important general things everyone should know about, and now we can move into the actual recommendations for people who want to know what they can do right away in their current situation.


8. If you have between 0-18 months of experience, I really recommend that you focus on the following things, which I see many newbies failing at:

  • Absorb the mindset, because that’s something very difficult to attain on your own
  • Learn about the industry, so you know what life has to offer
  • Get to know people, so you can learn how to communicate well and simply create a network of people whom you like
  • Stay humble, because at the beginning there’s a high chance you know nothing, and although you can definitely bring some great, fresh perspective, it’s much better for you if you focus on listening and absorbing that knowledge. You’ll get a chance to say it all one day, so take it easy
  • Don’t stress about looking too far into the future. Just do what you’re told to do, try to do it well, and ensure you’re meeting expectations of your team and employer
  • Learn to rest and build work-life harmony, because if you don’t create healthy foundations early on, it’ll get increasingly harder to create good habits when life gets busier, and as we get older, sacrifices get more expensive


9. So you want to be a Senior now? Cool, we need more senior people courageous enough to take on more responsibilities, so let me share with you some of my truths that may be helpful.

Generally, there are two ways to have a senior role in our industry. One is more about feeling senior, and it’s when you join some bullshit company where the only prerequisite to become senior is that you’ve been with the company for 3 years and you know all the legacy mess well enough to keep it all together.

The other one, which will likely last longer and allow you to remain senior between companies, is to do the work others won’t, so you can get a role they cannot have. To become a senior professional at a reasonable organisation, you need to put in work that goes way beyond your current job description. Here are some universal truths which just work:

  • Bring order to the chaos, because people perform better in a calm environment without too much stress. Here’s where real 1000Xers are made – they help others become 10Xers
  • Communicate exceptionally well, because to bring order to the chaos you need to know how to listen when people share their concerns
  • Be a master of your craft, because being good at something means you can do things faster, better and inspire/help others
  • Connect the dots and remove the obstacles, because showing initiative earns you the respect and trust of your team
  • Lead by example, and let the example be work ethic, willingness to go an extra mile and having an honest intent to help others


10. Those are just some things, but based on my experience and observations, these are the things that simply need to be done.
And although at this point you may assure me and yourself that you’ve known it all for a long time, that’s not the point. No one, especially nature and your company, cares whether you’ve known something. All that matters is whether you’ve put it to work and made use of the knowledge you have.
It’s easy to attain knowledge. It’s the courage to do the work that differentiates people. So little, and at the same time so much.

I’ll probably update this one day or the other, because there is much more to it, but all the things that I’ve shared should really cover most cases for people who’re new in the industry.

Good luck to you all, and please remember that it’s the path, not the point on a map, that gets you to the destination. You had to invest quite some time to get to the conference venue; you didn’t just get out of the house and make one huge jump from your home to the destination. You didn’t fight it, you didn’t complain that you can’t just teleport, so why would you expect to get results without putting in the work first? 🙂 It’s all about doing what needs to be done.

Nothing remarkable was ever achieved without putting in the work. That’s how things work, and the sooner you accept it, the sooner you can start getting closer to achieving whatever you set out to achieve.

Good luck. And maybe even more than luck – discipline, because we all need more of it.


Social Skills For Information Security Professionals: on leading by example, removing roadblocks and simplification

Show up, adapt and deliver results

Everyone needs to be made aware that security testing is a time-consuming activity, so it must be included in release planning schedules.

It’s generally a good idea to jump in with security tests when the QA team is given their time to do the “regular” testing. While we’d love to receive stable and fully functional software after QA is done and functional bugfixes are in place, it’s not really practical in most fast-moving environments. Asking for separate time after everyone else has completed their tasks would significantly slow software delivery. Slowing anything down is something we should try to avoid at all costs, because as I’ve mentioned previously, we must strive to minimize the costs of running security operations.

It’s great if your coworkers actually know about your existence and trust that they have a go-to person in the company who’s competent in security and eager to help them. We sometimes get ourselves off the radar while doing our work, and people start feeling like there isn’t anyone watching their backs anymore. You can show your presence at the company by dropping suggestions here and there, by asking people if they need your help, by plugging security automation into the Continuous Integration process and by doing anything that’ll show people that you’re there, and that you care for them.


The CI/CD part is important because it’s beneficial to have tools that give you a clearer view of change management, which enables you to act accordingly and e.g. run your tests and respond in a timely manner, demonstrating to people that you’re on top of things, that you’re keeping an eye on everything, that you’ve got it all covered and that you do stuff on your own. Showing people that you’re a person who takes ownership and goes the extra mile really matters, so if you talk to someone out of the blue about an issue you identified, even though they hadn’t notified you about it, you may change their perception of you for the better.
That’s how you build respect really. You show up, you deliver results and you do stuff behind the scenes to make people’s lives easier, and then you come out letting them know about the cool stuff you’ve been working on lately.
If people see you hanging around all the time during design discussions, they’ll organically learn you’re needed and will let you know whenever there is something new coming up. Just be there for them and make it easy to approach you and ask for help. Professionals do enjoy the companionship of other professionals, so if you become one and build such an image of yourself, people will be happy to collaborate with you.

Become a leader capable of stepping out and delivering, especially in moments when people least expect it.

 

Make security simple

Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. Such an attitude has its reasons, and I myself have experienced that security processes at most companies actually suck and create problems.

You can’t go wrong by making things simpler and carefully explaining your requirements. The easier and cheaper you make it to build secure products, the more likely it’ll get included in the SDLC. You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so people can actually consume them and use them to add value to the business. Having a huge and value-rich knowledge base doesn’t mean a thing unless you’ve got people actually using it. So make it simple and spread awareness about it, so your work doesn’t get lost in the noise of the daily grind.

Developers have their own stuff to learn and they don’t want to waste time digging through confusing documentation which doesn’t provide clear guidance on how to resolve problems. They’re looking for high quality resources, so you are expected to provide a well described set of practical action items. Remember that all I’m talking about here is making people leave their comfort zone. So you need to incentivise them to learn new stuff, and generally the lower you set the entry bar, the better.

If you ask people out of the blue to use some security product like 2FA or SSO integration, ensure it provides a great user experience. No one wants to waste time on learning an ugly UI just because security folks require them to use yet another tool.

If you don’t keep it simple and your requests become too irritating, you won’t be able to build a healthy long-term culture. You cannot allow situations that make people create mind maps where security equals discomfort, pain, anxiety and shame.
To me, security is all about the mindset and very little about technicals. Because we already have all the tools necessary to improve the safety of our businesses, but what we often don’t have is buy-in from stakeholders.

 

Everything is just a tool and the mission is the only thing that matters on the macro level

Technical actions are parts of your strategy, which is just a vehicle meant to help you achieve the goal. So if the goal is to secure your company, usage of specific tools is a tactic meant to bring you closer to the goal. So don’t hang on to an existing strategy or tactics, and tweak them as much as needed, because if something is not contributing to the bigger picture, it needs to be thrown away, no matter how appealing it may be. If something works, that’s awesome. If something doesn’t work, then tweak it. If it still doesn’t work, and creates more confusion than it creates protection, then throw it out the window, and move to something else.
Do not fall into the dangerous trap of romanticizing your strategy or tactics. Those are just tools, and practicality beats romance every single time on all possible layers and dimensions.

 

Encourage and teach instead of demanding and judging

It’s easy to assume that your peers should have a certain level of security awareness, but it’s as wrong as it gets. I’ve met successful senior software engineers and managers who after two decades of work experience had very limited knowledge about security engineering. Everyone comes from a different background and has worked on projects with different priorities, so the safest option is to assume that they haven’t had a chance to become security-savvy.

It’s on you to create a foundation on which you can build later on. It makes a lot of sense to create low-to-mid level security trainings to equalize the level of security awareness, both general safety (e.g. phishing) and technical security (e.g. secure coding). If you create such a baseline, you’ll be able to speed up discussions and save time in the future.
When you know that everyone is on the same page and you don’t need to repeat yourself on basics, you can go right into the specifics and discuss matters that matter.

It’s worth it and it made me much more productive, so I encourage you to follow, even just to save yourself from burnout caused by the need to repeat the same things like a broken record.

 

Extensively explain security requirements and identified issues

Every time you file a bug report or request a product feature, pay attention to the communication vehicle. Elaborate as much as possible to make clear what your intent and business profits/risks are.

While writing technical details, consider using an ELI5 approach, so there is no confusion along the way and no surprises when the code is shipped. Describe what the problem is and provide a practical solution, i.e. pseudocode, a configuration excerpt or an actual piece of code that can be copy/pasted to fix the bug.
While taking such an approach, make sure that people understand you’re using ELI5, because some people may take it personally. It’s important to not hurt anybody’s feelings, and that can happen if someone thinks that you’re using ELI5 to diminish their knowledge, even though your intention was to make everything clear so they don’t need to waste time on individual research.
Express that you want to share your knowledge so they can learn quicker, and to make it easy for next generations and juniors to understand what the case was. It may seem to be a small thing, but you don’t want to create a toxic atmosphere because of such a trivial misunderstanding.

 

No matter what your specialization is, we all share the same goal – improving the defense

Let me go a bit deeper on why I believe in overcommunication so much, because there are two reasons for it.

If you don’t want to be disappointed and anxious, then overcommunicate. It’s simple, but in life we tend to blame the other person for not having understood us well, while it was us who hadn’t expressed our thoughts clearly enough. Always blame yourself first and reflect on whether you’ve done the best job possible to ensure that there is no chance of someone misunderstanding your requirements. Yes, people should ask more questions if something isn’t crystal clear instead of jumping right into implementation, but life is what it is, everyone has their own struggles, so you need to take this into consideration as well.


The other side is that engineers are often tired of cocky security rockstars who don’t bother putting in the work to help engineers address the issue, beyond finding the bug and shouting loudly about how great they are. Don’t drop a fancy vulnerability name with a brief description of “Fix it, it’s simple, you can google it out!”. We’ve had enough of it, everyone is tired of it, so I implore you to not add to this bucket anymore. Finding a bug means 0 value for the business as long as the vulnerability hasn’t been addressed. Right, maybe you’ve made everyone aware of the risk, so they can take it into consideration, however that’s not the ultimate goal of a red teamer. The goal of every single one of us is to improve the defense, not to boost our egos by trying to show people how much better we’ve got it than them. If you act this way, you aren’t better than anyone, you suck. I don’t want to put you down, maybe you have huge potential and skill set, but it’s ego that’s playing you like a marionette. Been there, done that, and then evolved to bring actual value to the business, rather than just for myself. Intentions are fantastic and I get that you may have it all good, but actions speak louder than anything else, so even when you think you’ve done your job as an offensive security professional, ask yourself what the actual outcome of your day’s work is. Did you contribute to the bigger picture? If you haven’t, then it doesn’t mean it’s your fault; maybe it’s the business’s or indeed someone else’s responsibility to take it further. That’s fair enough.

All I’m saying is that you should give yourself some time to think about it, embrace that the result of your thinking may be uncomfortable and then use it to improve. Don’t beat yourself up, just improve, move forward and don’t waste energy on looking back.
Once again, if you get the results you want to get and everyone is happy – keep doing what you’re doing. But even then, an ego check may be a good thing to do, to make sure you’re not getting out of sync with reality, because the further you go with that, the harder it’ll be to get back on the right track.

Does a software tester need to know English?

Ever since I started paying attention to the topics discussed in communities of people taking their first steps in IT, I’ve often noticed the question: “is English very important in the IT industry?”.
In the course of the conversation, however, it very often turns out that we become victims of poorly asked questions, and despite answers from many people we still don’t feel that they’ve satisfied our hunger for knowledge and validation.
In this particular case, the right question, one that creates space for valuable answers, would be something like “Are there companies that hire people who don’t know English?”
A question put that way can be answered very quickly and the discussion closed within a few minutes, instead of digging into lots of side threads that have no chance of taking into account the context the person asking is in, and that give the egos of those answering a huge stage to show off on.
The answer to the above question is: yes, such companies absolutely exist. And that’s exactly the information that should interest you at this stage, because the rest of the companies don’t matter while you’re looking for a first place to get a foothold and try your hand in this industry.
In the meantime you learn what you need, until you reach the point where you don’t have to ask that original question because it no longer applies to you.
To everyone wondering whether they’re good enough to find a job, I recommend testing your strength in the real world instead of stuffing your head with hundreds of pieces of advice from people on the internet who have never met you and have no idea about your actual situation.
Try your hand at a few job interviews and recruiters will very gladly tell you whether you’re a fit or not. No answer from the internet will be even slightly close to the credibility you can get by actually putting yourself out on the battlefield.
Let the real market verify your strengths and weaknesses, and if you really must get a preliminary verification, hit me up in a private message, we’ll set up a 15-minute Skype call in English and I’ll let you know how you compare against the competition 😉
Less pondering, less seeking external validation. Let’s just get to work!
PS. And let’s learn to ask better questions, because a poorly asked question makes the egos of those answering focus on themselves instead of trying to bring value to the life of the person looking for help.
Many people will gladly help you because they have good intentions, but you have to make it easy for them and try not to put their discipline of thought and words to the test.
Link to the podcast in which I talk about this a little more:

Are you also looking forward to long weekends and quiet at home?

And to everyone who can’t wait for the long weekend and quiet time at home, I recommend the material we recorded a few months ago with Michał Bąk about managing your life while working remotely.

Some of us are made to work in silence and in the comfort of our own four walls, yet many of us don’t even try to find a solution for ourselves and settle for the framework created by society.

For me, remote work is a tool that not only makes me a better employee, but also makes me feel more fulfilled personally and lets me focus on the things in life that matter.

If you’re considering remote work, or would like to learn a bit about the challenges of this way of working, take a look at this interview, in which I share lessons from over 7 years spent working remotely.

Good luck, and look for a place of your own. Life is too short to work in a place that doesn’t give you comfort; yet it’s long enough to test things and eventually find something suitable.

 

I’ve found a job as a programmer, but what’s next?

It’s a question I come across relatively often, and it comes from a good place. It stems from a desire to do good things and a desire to assure both yourself and others that you’ve done everything in your power to prove yourself as well as possible.

The answer is quite universal and should be applied to the whole of life, both private and professional: let yourself enjoy what you’ve just achieved, let yourself do the things that give you pleasure. And in the future, don’t look too intensely into the past, regretting that you didn’t do something earlier, because the idea that “that way I’d have saved myself months spent in one place” is too often illusory to be trusted. We’ll always be “wiser” looking back, or at least we should be, so it will often seem that a better decision could have been made.

Since you didn’t make it, it means you couldn’t have made it, because you didn’t have enough knowledge/experience/information, so “what if” is a waste of time. After all, we want the best for ourselves, so if you didn’t do something, it simply means that the you from X months ago wasn’t able to look at the situation the way you do now.

Happiness lies in consciously experiencing each day, not in peering at what’s still ahead of us and what we have to do.
You don’t have to do anything. The only thing you have to do is live and enjoy that life. All the rest will come with time, so trust yourself and trust the process.
The fear that in the future we’ll regret the past is the greatest poison, leaving no room for experiencing the present.

Take it easy, you’ve got time. More than you think 🙂

You’re welcome to listen to the podcast!

Social Skills For Information Security Professionals: On Credibility, Awareness and Business

Align strategy with business stakeholders first

Who’s actually responsible for investments in security?

Security issues don’t pop up out of nowhere. The quality of code, products, infrastructure and the business is always the responsibility of a human being. So why don’t we treat it as such, and why do we always seem to obsess about technology rather than going after the root cause, which happens to be the people?

However, when talking about the “responsible person”, I rarely think of the software engineer who writes code, but rather of the company’s management layer. Because it’s up to business leaders to decide on all investments, including how much time employees will be allowed to devote to security and quality in their day-to-day work. If software engineers are expected to produce inhuman amounts of code, they cannot afford to focus on security best practices. Managers who reward software engineers based only on the number of features produced are the ones truly responsible for insecure products.

Just ten years ago I used to religiously believe that the responsibility for insecure code is all on programmers. After many years working with businesses all over the world, I’ve learnt that my perception couldn’t have been more wrong.

It rarely happens that engineers don’t want to build high quality products, but at the end of the day what they want vs what they ought to be doing may be two completely different things.
Most software engineers I’ve met were actually very interested in concepts related to application security, infrastructure security and the whole hacking theater. It’s fancy, it’s all over the place, people want to be a part of it, but their fantastic attitude doesn’t matter if we keep blocking them from joining the tribe.

 

The challenge is that more often than not, middle management isn’t held responsible enough for products’ safety. They’re usually rewarded just for shipping a feature-rich and functional product on time, and the ‘security-thing’ is somewhere at the bottom of a software release checklist.

It’s also up to the executives how much time and money they invest in employees’ education. If you expect your employees to learn about security in their personal time, that’s called being delusional, not visionary. Because if a software engineer wants to spend time after hours learning something, then most likely they’ll be looking into some new programming library or framework, rather than stressing about complex concepts such as application security, which they’ve had an unfriendly experience with at work.

 

It all goes top to bottom, the culture and tone set by execs is a real thing

There is a long and rough path ahead of us until secure software engineering is considered a part of basic quality assurance processes. It takes a lot of time and effort to make everyone conscious of the potential consequences of security negligence, which means the earlier you start educating them, the better.

If execs don’t incentivize middle management to keep an eye on security, then middle management won’t incentivize software engineers to write code securely. If you don’t start from the top of an organization’s hierarchy you’ll have a hard time succeeding with your security initiatives.

Engineers, like most other human beings, generally don’t like to step out and do things their managers don’t want them to spend time on. And that’s for a good reason. In a healthy corporate culture, you want engineers who trust their leaders and focus on bringing value to the organisation. You want people who don’t raise a riot against policies set by business leaders, unless they have some good reasons to do so. Many, many people work in IT just to provide for their families, so being anxious that not all of them are questioning the status quo is just ludicrous. Let others live the lives they want to live, because it’s not for any of us to judge anyone else. If you want something to change, then focus all your energy on helping yourself drive a change, rather than oppressing people to follow your lead. If you start something that’s worthwhile and sensible, I promise you that there will be people willing to follow.

So if you notice someone stepping up to raise software engineering standards, you can’t miss such a rare opportunity to convert it into a long-term partnership. Show your appreciation on the spot, because if someone is risking something for you, you better watch their back.

If you want to push people a bit so they leave their comfort zones, you must be very clear about your expectations and also provide them with some incentives. It doesn’t need to be tangible, just make sure you express your appreciation for an employee going the extra mile and paying attention to code quality. If you want to create a tribe that follows your lead and steps up, then you need to decrease the discomfort as much as possible. Essentially, you must make people comfortable in the discomfort they’re about to experience. You achieve that by making them (feel) safe with your leadership.

 

I’m telling you all this because I’ve seen a handful of my friends burning out. They had no support from the top, so they tried to take the lead alone and incompetently force their narrative on regular employees. Which then led to a toxic atmosphere, a very aggressive tone and broken relationships. So be careful, because no matter how big your mission is, office politics apply to every single one of us.

 

Set common goals with management and executives

Senior management must be advocates of a healthy security culture, otherwise it’s a Sisyphean task to do all the things from the bottom up. Without the healthy leadership of an executive team, it’s very problematic to achieve tangible security improvements without huge costs and without compromising the quality of your personal life.

So before you start bothering engineers with your requests, make sure you have official support from executives, because engineers need clear and integral guidance coming from the top. Don’t confuse them more than they already are by their other duties.

A good way to make your security program effective is to try to learn as much as you can about the high-level business objectives of your company and what the points of focus are for people sitting in management roles. Understand their perspective and gain the leverage.
It’s hard and dangerous to provide you with generic recommendations, because each organization and each executive is different. It’s all in your hands to learn and feel how to approach them on an individual basis.

 

Settle on authority as early as possible

Security is an executive level issue, so it would be really useful if you were in a position to influence all stakeholders at the organization. You shouldn’t be wasting your time on back and forth discussions on why something must be done, or why it must be done this way or another. In a healthy corporate culture it would be enough if you just had a security role, and everyone should follow your lead from day one with a credit of trust. But such organisations don’t really exist. Every single organisation is dysfunctional to some extent, and sometimes you’ll face people whom you cannot lead as a servant-leader and you’re forced to use your authority in order to execute.
I’ve seen it many times that a security professional had great intentions, attitude and leadership skills but couldn’t complete their tasks, because there is always that one person in a company whom you must approach differently.

It’s the CEO’s job to create a culture where every employee trusts new coworkers and respects them with a friendly attitude. Executives should make it clear to the middle management that you are a serious business stakeholder, no different than any one of them, and that they should respect your guidance.

If managers are only penalized and rewarded for shipping a working product on time, they won’t want to invest in security, which in most organisations almost always slows down the software development process to some extent. So execs must make it clear that product security is a part of quality and should be treated as a regular, acceptable software development cost.

Thanks to that, you may not need to waste time arguing with people about why their teams need to invest in security and all that stuff. You should be able to focus on effective execution rather than discussions caused by dysfunctional corporate culture and lack of proper communication. Being at the bottom of an organization chart, you’re likely to have a hard time working with non-security-savvy management who have no interest in focusing on security. That’s how business works: if there are no incentives, then why would anyone want to listen to you, especially when you’re a fresh hire?

 

Deciding on those bureaucratic matters as early as possible can save you a lot of anxiety and frustration. I realize that plenty of us want to act like big boys and girls who can obviously handle everything without anyone having our back, but that isn’t smart. The cost of maintaining your ego really isn’t worth all the bad consequences that may come if you push too hard.
By consequences I mean not only a toxic corporate atmosphere but also the professional burnout and health issues that may arise when you’re too stressed and anxious for long periods of time.

With power comes great responsibility so always aim to be empathetic to your people and don’t fall into the trap of taking advantage of your authority just because you can. Use this leverage only in exceptional situations when you’ve tried everything else and it failed.
You want to be in power but you should hope that you will never face a situation when you need to use it.

Build credibility and learn the language of business

Stay away from spreading confusion and FUD

Credibility is something you ought to be building from day one of your career and tending until the very last day, when you say the final goodbye. What I’m trying to say here is that the way you do things really matters. We’re often so goal-focused that we don’t pay much attention to the byproducts of our actions. Sometimes those byproducts bite back in the future.
Even if you achieved the expected outcome, you must consider whether you used the best tools for the job: did you persuade people to do something thanks to your leadership status, or did you spread fear, uncertainty and doubt (FUD)? If the latter is the case, then you may expect it to haunt you in the future.


If you’re a renowned expert in your field, you still must remain humble. You still need to build your internal reputation from the ground up by working nicely with people in your organization. Your coworkers expect you to comply with their code and aren’t easily impressed by your status outside of the company. So if you’re a rockstar, that’s perfect, and you should leverage it to make your life easier; however, you should be aware of its shortcomings.
I’ve seen plenty of folks who ended up disappointed, because they believed that everyone would know their reputation and that they’d be treated differently because of their prior achievements. And when we think we’re THE ONES, we tend to forget about the need to play nicely with others. No matter what your perception of yourself is, I promise you that others see you completely differently.

Learning how to weigh your words, so that people understand your intentions well, will ease a lot of interactions. The security field is very special, because we often tend to be the ones who worry more than managers and executives, who simply don’t realize the true nature of security risks. However, if you complain too often, people may start labeling you as a frustrated person who doesn’t understand that business is an art of tradeoffs. They may become afraid that all you care about is building a fortress and slowing down business growth.
We have our reasons, but our good motives don’t matter much if others don’t know about them. You must build relationships in which people understand that you’re trying to help them do their work safely, that you’re the enabler and troubleshooter, not the troublemaker.

So you really want to be perceived by business people and other coworkers as someone who has it all under control. When discussing severe security issues you’ve discovered, you must be careful that your language and tone aren’t unclear, negative or overwhelming. As an InfoSec pro myself, I know why you’re using certain jargon, but everyone outside of our little echo chamber has no idea what’s going on. Don’t be too simple in your speech; just be impossible to misunderstand.

While it may sound counter-intuitive, sometimes it actually makes sense to slightly underrate the issue you’re reporting, so that they accept it without anxiety and you can make progress. Small progress always trumps no progress, and good now is better than ideal never.

Because of the negative tone we have set for all things security over the past few decades, people overreact when your tone is even a little aggressive. Security folks who too passionately want to secure the companies they work for often don’t comply with the corporate communication code. Overreaction may ultimately lead to them ignoring you, which is one of the biggest challenges to overcome after the damage has been done.

The most practical advice I can give you is that we must learn how to adapt at a fast pace. Yes, it does mean that you won’t get as much technical work done at the beginning, but building credibility and foundations really pays off in the long run. Because once you’ve built credibility as a “smart security leader who knows business, risk management and knows how to work with people”, you can progressively start expressing your thoughts in more depth.
So be careful about all that, and once you’ve figured it out for yourself, stick to it. Different things work for different people and organisations, so keep doing what works for you. You do you; keep that in mind through the whole book, and through life, actually. If being passionate and verbose works for you and everything is good, then I’m happy for you! Keep doing what you’re doing, but revisit it often so you don’t fall into the trap of being too romantic about your past approach. Effectiveness and practicality trump attachment every single time, so stay alert and don’t let your ego blindfold you.

“Make it till you make it” is a much better strategy than “Fake it till you make it”

If you feel that what you’re doing is right, then you shouldn’t let anyone who doesn’t know you influence your point of view. But bear in mind that when you act a certain way and don’t listen to suggestions from others, you gotta take it all on your shoulders when stuff goes sideways.
If you act overly confident, to the extent that it may be perceived as narcissistic cockiness, yet you make too many mistakes, people will lose respect for you very quickly. Humility is a huge tool you should use to give yourself space for making mistakes.

For example, if someone asks you for help but you aren’t sure of the answer, be honest about it and tell that person that you’re going to figure it out for them, but you need to do your homework first to make sure you provide quality advice.
Then do the homework diligently, and get back to that person with all the details they needed.
Never let your ego try to make things up, because people are smarter than you think. If you fake too much, they’ll figure you out and you may end up forever labeled as an incompetent imposter.

“Fake it till you make it” doesn’t really work, and I much prefer the version “Make it till you make it”. Learn stuff, be humble, and reiterate till you’re pretty good at the things you do. Competence inspires confidence, so until you have a serious body of work to back up your words, just do stuff in silence and don’t try to overdo it.

Everyone is a target these days, but are they truly aware of it?

The vast majority of startups and SMBs, especially outside of the tech world, tend to hold the dangerous belief that they’re too small to become a target for malicious hackers.
When you look at the statistics and reverse engineer the hacker’s mindset, you can figure out why it’s actually the other way around. Hackers, cyber thieves, script kiddies and other malicious actors come after the easiest targets not only because of the instant reward that stimulates their brains, but because hacking these days is more of a business than a hobby.
Thieves seek quick wins because, like most business owners, they realize that time is their most precious resource. So they’re more likely to attack organizations with a weak security posture, because in a week they can hack a dozen of them, rather than spending a month without any certainty of a return on investment.

That’s not to say there aren’t hacking groups that go for the big brands; it’s just that there are far more average-skilled hackers than there are sophisticated and well-funded hacking groups. And that leads to a very important point. As the owner of a small business, consider your investments as something that is supposed to stop those lone wolves, rather than spending a lot of money on trying to protect yourself against gangs or state-sponsored attackers.

Management needs to understand that while big organizations can often survive a security breach, small ones can’t afford it, often because of its impact on their public image. If a business providing enterprise solutions has a stable position on the market and a great product, most customers will stay, because it’s expensive to transition a whole enterprise to another vendor. But if you’re a small startup that has been compromised, you’ll have a hard time preserving your customers. Not only that: in this era breaches get overblown on social media, and PR- and marketing-wise you’re finished even in terms of new, potential customers. This is a really important thing to mention here, because recently I’ve seen many articles saying that “it’s cheaper to get hacked than secure an organization”, which are nonsense and are doing a lot of harm to those of us who work on executives’ security awareness.
Basic security isn’t that expensive, and articles like that do more harm than good, so ensure everyone understands business risk management, including the dangers coming from social media scandals, and gets a solid perspective on why security breaches bring different results to different organizations.

You can earn some love from your marketing and sales people if they learn that you’re protecting the business to make their job easier, so they won’t need to explain to each prospect why you were hacked and convince them that the company is in much better shape nowadays.
Be smart and unite people from various departments to help you achieve your goals.

InfoSec Career Paths vs Programming Skills – The Basics

On Peerlyst, in my Q&A session, Eric Geek asked:

Is being a great developer vital when choosing information security as a professional career?

My answer below:

Beneficial? Yes.
Necessary? By no means. Demand for development skills in infosec is rising, but the demand for general infosec specialists is growing even more.

I know many fantastic security professionals, who just hate programming. They’ll code a bit to help themselves, to build some simple automation for their tasks, but they’d never write any serious application.

The market for infosec professionals is so wild, that it’ll eat almost anyone with any interest in security and some technical acumen.

Software engineers can easily become information security specialists

… and they bring a lot to the table, for organisations that need that kind of skill set.

The work required for a software engineer/programmer to become a security specialist will vary a lot depending on the person and their existing skills, aspirations and predispositions.

If you are a software engineer, then I would recommend learning more about application security and then moving into secure software engineering roles. While in that position, your goal should be to gain exposure to technologies and security processes. This will make it easier for you to switch between other professions within the cybersecurity industry.

If for example you’re a software QA engineer and you know how to test software, it doesn’t take much to start including security tests in your day to day work. It will allow you to realize after a couple of months that you’ve gotten the grasp of quite a few security issues!

If you’re a network engineer, then it makes sense to learn more about infrastructure and network security in order to move into positions such as network security engineer, incident response engineer, or a network penetration tester.

This approach should help you if you want to transition into cyber security at low cost and low anxiety. It makes it easier to make that transition, because if you have a solid background in building something it will come easier to you to figure out how to break it and secure it.

If you’re comfortable in a given specialisation, you won’t feel scared of the amounts of new knowledge you’ll need to possess and this will lower stress to ease you into the learning process.

So a software engineer who wants to transition into a security role should try applying security principles to whatever they’re currently doing: try to learn how to break the things they’ve built, and then how to make them as secure and impenetrable as possible. If you reiterate enough, you can become a security-savvy engineer who can easily add ‘security’ in front of their existing job title and become a security specialist in any given field.

I would suggest adding some good eye opening resources to your knowledge base. One that holds value for all types of security operations is learning about basic Security Architecture Principles. And then learning more depending on which fields of cybersecurity you want to explore.

Here are some great materials for Web and Mobile Applications:

  • OWASP TOP10
  • OWASP Application Security Verification Standard (ASVS)
  • OWASP Security Code Review Guide
  • OWASP Web Applications Testing Guide
  • OWASP Mobile Testing Guide

Network and Infrastructure Security:

But the most foolproof and effective method of learning security skills, to me, is the following: google stuff. Start doing some fundamental research in your craft; Google is your best friend here, and always will be. The sooner you learn the art of googling the better, because we use it a ton in our day-to-day work.

If you’re writing code in C++, then google “C++ security vulnerabilities”, or “writing secure code in C++”. If you’re deploying apps in the cloud, such as AWS, then google “how to secure AWS applications”, “secure deployments in AWS” and so on. Learn as much as you can from search results and from the latest news; this will expand your security expertise as time goes by.

This way you’ll learn security skills relevant to what you’re currently doing and keep up with the latest cybersecurity trends, which will allow you to live and breathe that knowledge and put it into practice in your projects.

You can become a valued security professional from any IT specialization

I often get a question on how to become a security professional. And my answer is – by becoming a professional in any other field, or by working your way up from anything you’re currently doing. Reverse engineer requirements from job offers in your area and learn what they want you to know. Then strike at them as soon as you feel comfortable with your skills. Research & reverse engineer job offers & learn & practice & go on interviews & understand what you were missing and why they haven’t accepted you & learn the missing pieces & rinse & repeat until you get a job.

Appreciate the journey and don’t underestimate the value of having a varied background, do it all at the beginning because you’ve got time.

I started my adventure in IT from the very bottom, working as a computer technician, network admin, web programmer, and system administrator. After many years, I got involved in security. I do not regret the time I spent in previous positions because taking an indirect path provided many valuable experiences, all of which gave me perspective. My range of experience allows me to understand the problems many employees face, enabling me to make better decisions for the companies and teams I work with. I believe the security industry could benefit greatly from more diversity.

However, if we’re considering a position where you have zero experience in security whatsoever, but have experience in other fields of IT, then I recommend becoming an expert in a different field. Start applying security concepts to your field of specialization. This has worked for so many talented professionals I know. Too many people want to get into security without prior experience in anything IT related. This doesn’t make most of them very valuable professionals because they tend to make myopic decisions without considering business context. Security is merely an addition to business operations, designed to support its longevity. It doesn’t exist on its own.

You can read pentesting and bug bounties blogs, but pasting random payloads without deep understanding will prevent you from contributing much to your organization. Dive deep into anything you learn, stay curious, and enjoy ‘expert’ status in a few years.

Here are a few viable and popular career options:

Web App Security Tester – Some skill in coding is good. It’s not necessary, but it is beneficial and it’s usually what separates wannabe experts from true experts. Learn how software stacks work and get a handle on web programming languages like Java, PHP and their respective frameworks. To break something and improve its resiliency afterward, you should understand how it all works. Once you review all the OWASP resources, you’ll know what to do next.

Network Security – Simple bash/perl/python/ruby coding, if any. Create a local lab network consisting of various components. Deploy services like a LAMP (Linux, Apache, MySQL, PHP) stack and research how to secure each element. While building, study what issues can arise during configuration and maintenance so you know what to avoid and how to test for them when sysadmins haven’t had the time, interest or knowledge to do so. Then, focus on the PTES (Penetration Testing Execution Standard) Technical Guidelines to discover ways in which penetration testers and hackers can attack your network. Reverse engineer their methods to build proper defenses against future attacks.

Compliance and Auditing – Zero programming skill required for most roles. Learn about underlying technology and business models. You want to understand how businesses operate so you can protect them and ensure new regulations don’t hinder company innovation. Grab some good business books and gain business exposure by learning from executives and managers with real-world experience. Study industry best practices, like those from the Center for Internet Security, as well as regulated standards like HIPAA, PCI-DSS, DISA STIG, ISO 27001, SOC2 to understand how to make your organization compliant without negatively impacting productivity.

Cryptographer/Cryptanalyst – Depending on the chosen niche, coding may be just an addition, used for testing implementations and for cracking protocols and algorithms. If you want to become an expert in this field, I recommend attending a university with strong mathematics and cryptography programs. This is a fascinating field that requires prior and substantial mathematical knowledge, so if you get through the heavy math, learning to code will be the least of your worries 🙂

Security Consultant – Depending on the context, most roles require zero coding, some require some. This position will help you gain experience working in IT or IT security, so you can understand the business and broaden your horizons. If you decide that you want to stay in consulting, research what big companies are doing, the technology they use, and the regulations they’re subject to, then learn how to manage these for them.

Vulnerability Researcher – All-in or ZERO. This narrow specialization requires focus in at least one field. Become proficient in at least one programming language, framework, and operating system. Then focus on a narrow set of functions in a given product or service. Examples include studying assembly and the C programming language, learning how video transcoding works, and identifying weak spots in a library such as FFmpeg. Zero coding is required if you want to be one of the bug bounty hunters who keep calling themselves “vulnerability researchers”.

Software Security Expert – Software engineers often become security experts. Be proficient in at least one technology stack, then apply all relevant security knowledge to making products safer. Strengthen security across your organization, responding to the demands of your colleagues and customers.

If you want to speed up the process of becoming a valued security professional, pick a technology that truly interests you and learn as much as you can about it. So instead of being a Web App pentester, become a Node.JS security expert. Be a specialist, not a generalist. Go for a narrow niche. Find something that sparks your curiosity and become passionate about it. Know things only 0.01% of the people using the technology know, and your pockets won’t be able to hold the amounts of money companies will pour into it 🙂

The most important advice here is to look for employment as soon as possible because nothing can beat the quality of learning you get on the real job. It’s the actual job and job market that shows you what is required and what is not.

Almost ZERO programming experience required for Penetration Testers

Don’t get me wrong, a pentester who knows how to program and code is invaluable, but some pentesters are such great manual testers that they will find great employment no matter what. Despite the current state of pentesting in the US, where actually cool stuff is happening, you still have 95% of countries that are a decade behind in terms of their cybersecurity posture, and there all you need is to study the OWASP Testing Guide to fill your pockets big time.

Let’s consider a few scenarios and then jump to job specific recommendations.

If you already have some security experience, then check out a few renowned books that are highly rated on Amazon with the title containing word “Pentesting” to build your foundation. Then go for an Offensive Security’s lab and certification – OSCP, which as of now is the most respected entry-level certification for penetration testers. Consume as much content as you can, but don’t allow yourself to get lost in the universe of theory. The best pentesters are those who put their knowledge into practice and get their hands dirty.

If you don’t have security experience but work in other IT fields, then the recommendation is for you to become an expert in a different field and then start applying security concepts to your field of specialization. That route worked for many great people working in the industry that I know. If you’re a Java programmer, study how you can test applications written in Java. If you’re an IT OPS engineer deploying services in the cloud (AWS/GCP/Azure), then learn about potential security issues and learn how to pentest those services. Learning will come much easier if you have the proper background.

If you haven’t ever worked in IT but want to work in security, well, this one is tricky and hard, because general security isn’t an entry-level role. Too many people want to get into security without prior experience with anything IT-related, which doesn’t make them very valuable professionals, because lots of the decisions they make are myopic and don’t consider business context. You can easily get excited reading pentesting and bug bounty blogs, but as long as you’re just pasting random payloads without a deep understanding of the matter, you’re not contributing much to your organization. The same way you won’t get a six-pack by reading about pushups, you won’t become a great penetration tester without going into the field and testing stuff.
So go deep in anything you learn about, and enjoy ‘expert’ status in just a few years.

And now let’s take a look at some of your options when you’re completely fresh to the field.

Web/Mobile App Pentester – Learn how to code. It’s not necessary, but it is beneficial, and that’s what usually differentiates expert wannabes from true experts. Learn how software stacks work and get a grasp of web programming languages such as Java, PHP and their respective frameworks. To break something and improve its resiliency afterwards, you should understand how it all works. It doesn’t mean you must be a guru software engineer, but you can’t go wrong knowing the basics.
Once you’ve completed all the resources from OWASP you’ll know what to do next.

Network/Desktop Apps Pentester – Create a local lab of a network with various components in it. Deploy some services such as a LAMP (Linux, Apache, MySQL, PHP) stack and then google how to secure each of those elements. While building, study what issues can arise during configuration and further maintenance, so you know what issues to avoid and how to test for them in the future in other environments where sysadmins haven’t had the time, interest or knowledge to secure their instances the way you could. Navigate to the PTES (Penetration Testing Execution Standard) Technical Guidelines and see in what ways penetration testers and hackers could potentially attack your network, then reverse engineer their attack methods and build defenses so their attacks no longer work.

Specialized Pentester – Pick one technology and go as deep as you can. So instead of being a Web App Pentester, become a Node.JS Security Expert. Become a specialist instead of being a generalist and cut the learning process in half or even more. Find something you’re curious about, learn more about it, and become passionate about the field, put in a few solid years of dedication, and you’ll get whatever you want to have. (Well, not precisely everything you want, but you get the point)

Red Teamer – All of the above recommendations apply, including social engineering and physical security attacks. You may not have the technical predispositions to be a great web pentester, but if you have been gifted with empathy and social skills then you can still achieve a lot!

There are hundreds of blogs by people who have documented their journey, and I recommend you look into real-world examples of people who’ve moved into a pentesting career. Learning from the successes and mistakes of others is very cost-effective. Also, I’ll recommend a bulletproof method of finding a job as a pentester, whose importance most people don’t realize:

  • Find a few dozen pentesting job offers in your area
  • Extract the most common requirements, both high level and detailed technical skills
  • Know what to study and what employers really need
  • Don’t waste time on learning everything. Learn the minimum possible to get the job and be a valuable team member. From there your career is highly malleable, you can adapt to what your organization needs you to do.

So yeah, you can flourish in the infosec field without having more than one week of study in programming. The market is the ultimate judge. Some companies require programming skills as a must-have, and some don’t care. Find what suits you best and keep on rockin’!

Sharing Udemy Courses and Certifications in CV and resume

I’ve noticed this post today on my LinkedIn wall:
I just saw my first resume where the candidate highlighted Udemy certifications.  I think this is a great idea.  While certainly not stand-alone, these are a great way to show deep interest in an area.
~ Mike Johnson, CISO at Lyft

And I’d like to add my comment to his words:

1 is better than 0.

Don’t shy away from demonstrating your effort, even effort that ended up with tiny successes. Anything you’ve accomplished shows determination and drive.

In some recruitment processes it’s really a 1% difference between candidates that leads to the hiring decision.

This is especially the case for more junior roles. Be so good they can’t ignore you, and show everything that you believe can differentiate you from the crowd. Online courses, a blog, a small GitHub repository, speaking at local meetups.

It all matters more than you’d think.
If still in doubt, ask yourself a question – what can I REALLY lose if I put it in there?

Go and get some. There is nothing but ego that’s stopping you from showing little successes. Don’t force the big game and act put.
If you don’t put those small wins in because you don’t want to be perceived as someone to whom these things matter, and you’re afraid it’ll undermine your bigger wins, then stop. It’s ego talking, and in this case it’s your enemy.
If a hiring manager makes a judgment that you must have achieved nothing greater because you’ve shared the smaller things, then it’s likely you’re better off without them anyway.

Appreciate everything, but first and foremost, appreciate yourself and your effort.

Cyber effectiveness, or how to crack a hacker’s mind and work smarter

Today I have for you the longest podcast of my life and, at the same time, the most enjoyable one, recorded thanks to the hospitality of Kamil Zarębski from Fabryka Tłumaczeń.
Although it was recorded a good few months ago, our work has only just been made publicly available online.

I warmly invite you to listen, because, immodestly speaking, we packed in quite a lot of tips summarizing the many years of experiments I have run in my life. So if you want to be wiser than I was, I recommend it!
I, for one, wish a podcast like this had appeared 10 years ago, so that in 3 hours I could have saved myself the next 87600 hours of life. Pretty good ROI

And here is the summary of the podcast according to Kamil, whose written words made my cheeks blush and motivated me to keep going:

Cyber bezpieczeństwo – ukryte zagrożenia

Wydaje nam się, że jesteśmy bezpieczni. Jak się okazuje, bezpieczeństwo w transakcjach biznesowych to temat, który owiany jest mitami i często poruszany w sytuacji nagłych i ogromnych wycieków danych. Świadomość statystycznego Kowalskiego, czy Dyzmy biznesu jest jednak nie zadowalająca. Co zrobić, aby ustrzec się przed niepotrzebnymi stratami lub jak uniknąć narażenia swoich danych na wyciek. A może nie chcesz handlować swoimi danymi w zamian za bezpłatny dostęp do treści?

Zastanawiałem się jakie dzisiaj przygotować dla Was słowa wstępu i przyznam, że nie było to takie łatwe, bo dzisiejszy gość w miarę tego jak zgłębialiśmy się w coraz to bardziej wnikliwe pytania odkrywał przede mną różne pokłady swojej biznesowej i prywatnej ekspresji. I tak sobie pomyślałem, że ten odcinek będzie jednak w tym biznesowym cyklu dość ważny. Poruszymy w nim bowiem zagadnienia, które nie często słyszy się na publicznym forum, ale bardzo chętnie odkrywamy i poznajemy takie treści w kontakcie personalnym. Myślę, że ta dzisiejsza rozmowa i jej treść, była możliwa, dzięki temu, że mój gość jest bardzo otwartym człowiekiem. Świetnie łączy techniczne umiejętności z komunikacją międzyludzką. Wyciska z dnia, wszystkie minuty i pozostawia tylko “kwadrans” na nudę. Trochę się śmieję, bo faktycznie to ich nie ma. Prowadzi bowiem kilka firm i zajmuje się doradzaniem biznesom w rozwoju ich usług, dbając w dużym stopniu o zabezpieczenie i gwarancję spokoju w świecie IT.

Among other things, we will talk about:

  • Where did Dawid's decision to pursue such a non-obvious profession in IT come from? Is entering this industry a case of reverse recruitment? I mean the “masters” here. In the media one hears that they hire hackers; how often does that happen?
  • Did the lack of literature/training in Polish force him to learn English? Do you feel it is your language, do you think in it?
  • How did he manage to get a job at a Silicon Valley company?
  • What emotions accompanied him while working there, and how does he perceive the work culture of an American company?
  • Did he think about a career overseas? The giants are tempting, after all: prestige, a different lifestyle, opportunities?
  • What makes it possible to develop one's professional competences in Poland?
  • Are Polish companies good at programming? I mean all aspects here, from technicalities to security?
  • Is there a cybersecurity expert in Poland?
  • The 3 most serious security mistakes of Polish companies?
  • The 3 best recommendations for simple safeguards.
  • Book, personality and film inspirations.

I invite you to episode 26 of the Inna Kultura Biznesu podcast, in which I talk with Dawid Bałut, an enterprising and ambitious cyber guard of businesses that are growing online.

LISTEN:

Winning on valuable relationships.
You have to admit that this is definitely one of the longest episodes released so far. In my view, however, the time you devoted to this conversation can give you a few valuable pointers on which direction to take when developing your own company and the projects you are responsible for, and you will be able to look differently at everyone around you. One such element that definitely resonated with me is looking at everything we intend to do with intention. That is, with awareness of the goal we want to achieve and of what will remain for us from it, of how we will enrich ourselves or others. If there is no such value in our transactions, it is worth considering whether we are doing everything right. The second conclusion that came to mind is the need to be vigilant and aware of what surrounds us. Unfortunately, our interests are, to a large extent, not the interests of our other partners. One must always look for compromises and enter into relationships that can bring common good.