Do the work behind the scenes and don’t be a workflow bottleneck
InfoSec as an enabler
If I were to choose only one thing to share with you, it would be that there is no place for a naysayer in a security department.
It’s unbelievable how many of us kept doing the wrong things for so long. It’s tough, because the impact we’ve had on IT culture is something that haunts us to this day. I’ve had to spend a lot of energy building healthy relationships with my peers by convincing them that not all security people are rude and negative. I don’t want to point fingers at anybody, because I’ve made those mistakes as well; however, we, as an industry, must acknowledge the elephant in the room and recognize how many cultural mistakes we’ve made in our careers. We must admit that our strategy of whining about the insecurity of everything, and our desperate attempts to slow down innovation, turned out to be impractical. We tried hard to keep the comfortable status quo instead of learning the new technology and figuring out how to let others do their work more efficiently. We had good intentions; however, people couldn’t follow our incompetent lead and always found a way to bypass our restrictions.
I know it’s getting better and there are fewer infosec specialists who default to denial and rejection. Yet I feel it’s worth emphasizing that the ghosts of our past have made it tough for socially savvy security pros to build healthy relationships with engineers and other employees.
Saying no is easy; being creative and looking for innovative solutions is challenging, and as hackers we should strive to solve challenging problems, because that’s part of our DNA. If you’re not creative enough, people will find creative ways around your negligence, and it’s all for nothing.
Your mission is to enable your coworkers’ workflows and demonstrate that you have an honest intent and a willingness to help them address the challenges of their day-to-day work. Don’t romanticize the path you had to follow to get where you are today. Just because they haven’t been studying security for the last 10 years like you have, and aren’t aware of the risks involved with the technology they want to use, doesn’t entitle you to have an attitude and razz them for it. You’re there to help them; that’s why you are a security specialist, and you ought to use your skillset to support them, no matter what.
If you want to be a rock star, then earn that status, because status is something conferred on us by others, not something we tell ourselves. We can make as many bold statements as we want, but if our actions don’t back them up, we’re just being delusional. We’re hired to build robust products other people can use, and we must use our greatness to solve those challenges. Even though it’s uncomfortable and it may be something you don’t want to do, it’s still the right thing to do.
So make sure you revisit your attitude, because even if your competence is fantastic, your attitude must be in check as well to enable your and your team’s productivity.
Listen and execute behind the scenes
Those who aspire to be great leaders must master one skill before all others, because this skill alone can take them far and enable their growth in other areas. It’s listening and execution. Execution, especially when no one is watching or expecting it.
Delivering work no one asked you for, just to improve the lives of your co-workers, is something people know how to appreciate. So whenever you feel like doing something for the community, just do it, and the satisfaction will come to you sooner or later. Going the extra mile is something that can help you build an image of yourself as an outgoing leader and problem solver. Our world needs people who identify problems and try to solve them on their own, without waiting for someone else to pick up the fight. People always seek someone to lead them. Someone who’ll inspire them and someone they can secretly look up to. Be that person, or at least give it a shot, because there is nothing you can lose by doing good work.
If you provide a lot of value upfront, people will feel emotionally obligated to give something back, because we can’t stand the feeling that someone gave us so much and we haven’t even attempted to return some of it. It doesn’t need to be tangible; the ROI can be their eagerness to work on security improvements for you. We’re all in the human business, and technology comes second, so if you have good relationships with people, they’ll do something for you, even if it’s something the business won’t acknowledge them for. It’s in their human nature, and that’s all it takes.
Obviously, as with everything I’ve shared with you so far, there will be exceptions and you’ll face totally ungrateful people, but because of those few individuals you shouldn’t abandon the whole community of great people who’d love to work with you side by side.
Sometimes we just need to step up and take things into our own hands. Even if you feel there is no tangible incentive to do so, the feeling of doing something for a better future for your coworkers is wonderful and justifies the sweat equity.
You must ensure that you’re doing whatever possible to show people your determination, competence, and passion, but be wary of taking too many little things — like code fixes — on your shoulders, because it may lead to cognitive and time overload. You can’t take so much on yourself that it’ll become impossible to do the actually important tasks that only you can do because of your skillset.
If it happens that you need to fix some code or tweak configs, then that’s perfectly fine as long as it’s an exception, not a rule. The key is the balance.
The concept of purple teaming is something I fell in love with many years ago, when I was experimenting with a variety of ways to make myself more productive. Everything changed for the better when I started embracing a culture of collaboration, where attackers and defenders work together to find the best approach to securing the products.
Although it’s great to focus on your narrow specialization and be an expert, that’s not the actual reason we’re getting paid. We’re getting paid to improve the safety of our organization, not just to do the work for the sake of doing the work. To be truly productive, I really recommend at least trying to collaborate with all stakeholders across the organization.
Being a pwn-all-the-things rockstar will take you only so far. It’s overrated and, while fun in the short term, gives terrible results in the long term. I must remark, though, that there are great people out there who provide immense value to the industry by doing only the thing they love, but those are exceptions. It’s much easier to achieve success and long-term satisfaction if you learn how to work with others.
Become a member of each department
Having an independent security department is expensive and hard to scale. What worked for me was working side by side with the people who ship the products. This is a good thing to focus on, especially in small organizations where a security culture isn’t yet established and people don’t realize they should inform you about certain matters. While it is obvious to you, and you expect them to use you as a consultant, people often just don’t have it on their mind if they were never required to do it before.
As a third-party consultancy, you’ll often be late to the party, because people either forget, don’t have enough time for proper communication, or are afraid that you’ll introduce an additional burden to their existing workflow.
Becoming a team member will make everyone more socially comfortable with your presence and role, which enables you to cover more ground with your security expertise. Some of us painfully learned that the “us vs. developers” approach doesn’t really work if the goal is to create a healthy and friendly environment. If you introduce that competitiveness, it often creates a toxic atmosphere where people do their best to hide stuff from you instead of collaborating on convenient solutions.
Join one team for a few weeks and then jump into another to create a well-intentioned relationship with your peers. Don’t just sit in your cubicle waiting for someone to call you for help, because that’s not going to happen.
Delegate instead of trying to fix everything yourself
To maximize your impact, you should learn how to delegate some of your workload, because you don’t want to become a bottleneck for security improvements, which is completely contrary to your goal. Besides time management and the fact that you can’t always be a one-man army, there is an important educational purpose to task delegation.
By handing work back to the person who wrote or deployed the code or service, you help them understand the mistakes they’ve made so they know how to do better in the future. If you fix everything yourself behind the scenes, people will keep making the same mistakes over and over again. They may not even be aware that they did something wrong, as no one ever raised any concerns regarding their code quality.
Apply the same approach in all aspects of the business and educate people on how to improve the security of their day-to-day work. You can, for example, teach internal QA teams how to do basic security testing, thanks to which you’ll have additional eyes looking at the products from a different perspective.
Use your exceptional skill set to focus on the things that matter, and leave the rest to others who are more capable or who are actually supposed to do that type of work.
If you’re a great web pentester and a good software engineer, you can surely fix the bug you’ve found, but is it the smartest thing to do? If you’re the only security expert while there are 50 software engineers in the company, you’re better off delegating the fix to others, so you can focus on execution within your domain of expertise.
Internal security training and awareness awards
Conduct recurring security training
Videos and online presentations are good, but nothing can really replace quality in-person meetups. Show as many demos as possible and don’t stick to overwhelming PowerPoint presentations which put people to sleep.
It’s fine to share raw technical details as recap material, but when starting out you must get people excited about the subject; otherwise, it’ll be just another corporate training they attended only because it was obligatory.
Don’t shy away from showing off your skills to non-techy people. It makes sense to show some real-life exploitation to impress them, build a great human relationship and gain their respect for your skills, even if they haven’t understood everything you’ve just shown them.
I personally like to show real-life testing, from the very first steps of setting up Burp, through vulnerability assessment and exploitation, to data extraction. When you go step by step and show how you find a specific type of vulnerability — how you exploit it and how it can be fixed or prevented — people get the big-picture perspective, which is an understanding of the business risks. When they actually realize how code quality affects business longevity, they’ll pay much more attention to it.
There are plenty of open-source resources that come in handy for such exercises, so squeeze the most out of them to create enjoyable and valuable security training.
Guiding them through the detailed flow is practical, because while you’re doing the hacking part, the participants have a chance to directly and comfortably ask you many (un)related questions. Interactive meetings are the greatest, as they’re remembered much better than a blunt slide deck and they give you an opportunity to show the human side of yourself. Standing in front of people gives you an invaluable opportunity to cultivate the relationships I mentioned earlier.
The same concepts apply to physical and personal security, and the key message is that training should be engaging, exciting and relevant. Training should also be periodic, so people are constantly reminded of the importance of security.
Popularize internal Bug Bounties and awareness recognitions
Bug Bounty programs are great and I’ve been a solid advocate of them for the past decade, but before you jump into spending crazy amounts of money on an external bug bounty (BB), you should give it a try internally.
It’s smart to start with internal initiatives first and give your peers an opportunity to learn new skills and get some fancy rewards for their efforts. Consider hackathon-like efforts where engineers can work on complex security issues they find interesting, or just do some internal bug hunting with you.
While an internal BB is mostly a vehicle for creating a security culture, there is a real chance of finding a few security issues, because each person has a different perspective and a developer may find a bug in a place you’ve never thought of.
Make it fun and offer rewards like a few additional PTO days or gift cards for individuals who found security issues in the specified timeframe or came up with a great security tool during the hackathon. Besides the fact that everyone likes awards and rewards, people get excited when they’re publicly recognized as security aware. At most organizations, people remember being razzed for security rather than being appreciated, so you have a chance to use that in your favor. Don’t forget to properly acknowledge the effort of all those who also tried but weren’t as successful, because you want everyone to feel engaged and appreciated. You can use the Bug Bounty concept for non-technical people as well to show your appreciation, e.g. if they report a physical security incident to you. The key is that you need to cover the whole organization with awareness, because security is only as strong as its weakest link.
Initiatives like this help shape a culture where being security aware is appreciated and rewarded, and after a while it can become a habit for employees to take care of company safety. Besides all the security benefits, it’s simply a great team-building exercise, so you should run it on a regular basis.
“Tell me and I forget; teach me and I may remember; involve me and I will learn.”
It tires me when people suffocate in their own lives because someone once told them they weren’t good enough to try their hand at programming, testing or crocheting.
People let too many voices into their heads, so they waste their potential and shove their dreams into a dark corner. And the years fly by, until bitterness takes control of them and they themselves become the people who tell others: “You’re not cut out for it, give it up. I didn’t make it, so why should you?”
First we let others poison our minds, we suffer our share, and later we forget about empathy and poison other people’s lives.
That is exactly why I recorded this podcast, in which I talk about topics that should be taught at home and in schools.
Not everyone was lucky enough to receive this kind of education from the people who should have supported them and shared that knowledge. It is for those people that I share my observations, because I believe each of us should fight for a healthier society and for others to live better lives.
And what kind of person are you, really?
When you ask a question, are you looking for an answer that will unblock you, or do you actually want someone to forbid you something, because that makes it easier to justify your failure?
For most people, listening to this podcast will not be easy. But understanding what I am talking about is necessary if you truly want to unblock your growth in life.
The lessons you can take from this recording apply to both your professional and private life, because how many times have you looked for excuses just to avoid fighting for the things that matter to you?
Work, relationships, health, hobbies. All of it matters, but you alone must answer whether it matters enough to take the risk and change your life for the better.
Good luck Y’all.
You need a separate room if you want to be effective while working remotely. There are so many reasons for it that even though I’ve been working remotely for over 7 years, every few months I discover new benefits of it.
Many people attempt remote work, hoping that their lives will get so much better if only they no longer need to commute to work. They picture remote work as something easily manageable, where you just comfortably sit on a couch in your living room, with the TV turned on, kids running around and you working on your computer in the middle of it all.
That’s how most people see remote work, and that’s precisely the reason why most people fail at it. Remote work is a fantastic opportunity that comes with many advantages, but only if you know how to manage them. As with most things in life, if an opportunity doesn’t meet preparation, it’s all for nothing.
The amount of preparation remote work needs is nothing extraordinary compared to other things in life. Humans, myself included, are simply really bad at looking at the big picture and understanding how many factors influence the quality of our lives.
If you want to be effective and remain sane while working remotely, you need to find yourself a place where you can isolate yourself and train your brain to recognize when it’s time to work. To give you an example that every one of us can relate to, let’s take a look at another space we spend our time in: our bedrooms.
A bedroom has two general purposes. It’s a place where you should sleep and have sex. And that’s it. The consequences of not understanding that the purpose of a specific room should be respected are dramatic, yet so easily avoidable.
Your brain must be trained so that whenever you head to your bedroom, it’s thinking either about rest or about making love, and both should generate chemicals in your brain that bring positivity into your life. For most of us, our bedrooms aren’t necessarily synonymous with positivity, because we don’t respect the rules of the bedroom. We eat in bed, which makes our brain associate the bedroom with specific smells and tastes. We keep bedrooms messy, which causes irritation and makes our thoughts wander to the cleaning we should do, rather than just enjoying the moment. We bring computers to the bedroom, and we either review social media, reply to emails or browse the Internet in general, even though all these things have a huge potential for generating stress, anxiety and irritation.
Unconsciously we bring negative emotions to the bedroom, and then, when it’s time to sleep or have sex, we’re distracted. We’re not in the mood, because we’re pissed off by someone who sent us a crappy message on social media; because we’ve reviewed our email and know there is so much work to be done; because there is a nasty smell of leftovers; or because there are crumbs that seem to hide everywhere and are never gone no matter how long we vacuum the bed.
We fuck ourselves up because we don’t respect the simple rules of space management. Clean up your bedroom and make it a neat place where you enjoy spending time in solitude or with your partner. If you have to pick up the phone, leave the bedroom and answer the call from the living room. Really, the world isn’t going to collapse if you answer it 5 seconds later. If you know you’re going to have an argument with your spouse, get out of the bedroom and argue in the living room. You’re going to ruin your day anyway, so you can seriously take 10 seconds to go to another room and not ruin the atmosphere of the bedroom. Don’t talk negative shit in there; don’t talk about work, problems or bills in the bedroom. Because when it’s time for pleasure, you want to experience the pleasure to the maximum, focused entirely on yourself and the other person. You don’t want to think about the bills you need to pay, get distracted by the notifications flashing on your smartphone, or get uncomfortable because you’ve got cookie crumbs everywhere.
Now let’s get back to the office space, because the example I’ve given above is something everyone can relate to, and it gives you the context to understand what I’m about to say about the office space.
When you get into the office, your mind should be calm and focused. If you want to get things done and you’ve set high standards for yourself, you need to be able to focus and allow your brain to get into a state of flow. For that, you need physical isolation, because you can’t be even slightly afraid that someone is going to disturb you. When you’re in the living room, you subconsciously know that there may be other people around, or that someone can startle you when you’re focused. We don’t like to get scared, and our primitive brain is always on watch, so it can’t give you all the headspace to focus on creative work. It’ll be constantly in reactive mode, which jacks up your adrenaline and cortisol levels, generates stress and depletes your cognitive pool.
Your brain must feel safe, it must know what to expect and you can’t be constantly looking around the room to ensure no one is coming or asking you any question. You need isolation, the same way you’d need that in the office. Most people never get to experience the flow state, because current open space offices are the biggest enemy of productivity, but let’s leave that for a separate story.
At the office, you still manage to get some work done, because you know you have to do it and that it comes before the strangers who constantly interrupt your work. But it’s a whole different story when you’re at home, because at home it’s not work that matters the most. Family and loved ones matter the most, and very often we put work aside to ensure we’re giving our best to the ones we love and care for. That, to me, is the bigger reason why people manage to get stuff done at the office to some extent, but barely manage to get anything done despite working long hours from home.
Of course, there are people who need to feel the pressure of their peers, who need to be directly managed and constantly checked on, otherwise they slack off. But I’m not writing this particular post for people who can’t get their shit together and play video games instead of working, abusing the trust given to them by their team and the company they work for. I’m also not writing this post for digital nomads who enjoy traveling and working in the meantime, because their priorities and responsibilities are different from those I hold for myself. The digital nomad lifestyle was never for me, so I won’t talk about things I haven’t experienced for a prolonged period of time. So if you’re a digital nomad and you enjoy your life, then most likely I don’t have anything valuable to offer you. Keep doing what works for you.
I’m writing this post for people like me, who are at a point in their lives where they have other things they deeply care about, and who want to ensure that whatever they do matches their high standards. For people who want to leave no stone unturned, and also for those who just want to get shit done and experience life beyond work. Some people just want to separate their work from their personal lives and are seeking ways to do it most effectively, and for them this advice should come in handy.
Get yourself a separate room in which you do nothing but work. It’ll allow you to focus better, because your body won’t be jacked up with adrenaline, and your brain will know that this particular place is where you get shit done. This is the place where you take all the stress on yourself, where you don’t play around and where you do what needs to be done. Don’t eat in the office, don’t play video games in the office, don’t have sex in the office, because it’s going to mess up the way your brain produces specific chemicals. If you play video games in the office, you’ll have a hard time focusing on work, because you’ll crave the dopamine hits and you won’t be able to manage the delayed gratification that comes after many hours of work put into completing a task. If you have sex, watch TV or eat food in your office, your mind will get easily distracted each time flashbacks kick in. That’s why it’s hard to work remotely, for a longer period of time, on the couch in your living room: there are no rules of the living room. The living room has no restrictions, as it’s meant for all living-related activities.
There are simply too many distractions, too many ways to escape the work, and too many priorities. Sit down in the separate room and leave yourself no chance to notice a sticky note on the fridge to pay the bills or take care of the laundry. Because if you just take a look at it, you’ll lose focus on the work, and you won’t give the best of yourself while working. You’ll be stressed out because there are other tasks, you’ll keep them in the back of your head, and they’ll slowly but surely consume your cognitive pool for the day.
It’s hard to tell someone you live with that they shouldn’t talk to you when you’re in the living room. It creates toxicity in the air, where people don’t know when it’s the right time to talk to you and when it’s not, so you make your stress contagious. If it isn’t communicated properly, your family members may get the feeling that you don’t care about them when you don’t respond to their questions or attempts to interact with you.
Our brains, bodies and social interactions are complicated, so you have to find a way to make things less complex at all costs. Even if you communicate it all well, when everyone understands that you’re working and that it’s not that you don’t love them, you simply need to work; when you have the social dynamics under control, it’s still bloody tough to control your brain and primitive instincts. When you sit on the couch and your kid wants to watch TV, you’ll take a look once in a while, because the flashing lights will draw your attention. When you work from your bedroom and you notice your spouse stopping by to change clothes, do you really think you’ll be able to just continue working like nothing happened? Your brain will desire pleasure and intense emotions, because the work we do most of the time isn’t exciting enough for it. The brain doesn’t like boredom; it likes action, and it craves the chemicals that are generated when you give in to pleasure.
If you work in a separate room, you just don’t give yourself a chance to get distracted. That’s what it’s really all about. By keeping the discipline of working in a separate physical location, you make it easier for your mind to stay disciplined.
And back to that bedroom for the last time – I’m far from giving anyone any personal advice, but if you don’t respect the purpose of other rooms in your house, you should really consider doing so. Because if you manage your bedroom properly, if you manage your kitchen and living room properly, it’ll be way easier to manage the office space. It’ll be much easier for you to detach from work when you need it, because you know where you need to go in order to get some rest or leisure. Everyone needs some escapism once in a while, and it’s good to know it’s just a few steps away.
If you respect the purpose of your kitchen, you’ll go to the kitchen anytime you need to eat something, saving you from creating a mess in your office space which would then distract you.
So yeah, that had to be said, because work-life balance matters. Work is part of life and I want to treat it as such, which is why the mindset I’ve chosen for myself is to focus on building the best work-life harmony. Because when I’m done with work on which I focused all my energy for X hours, I want to close the doors of my office and go experience other things life has to offer. I want to spend quality time with people I love, I want to devote myself to my hobbies, I want to do other things, but I want to do it all with the highest quality I can, with the laser focus to know that whatever I’ve done – I’ve given my best and I leave myself no space for any regrets. I close the doors of the office and leave all the good and the ugly in there, ’cause the last thing I want is for me to be distracted and not pay attention to other important things in my life so they know how important they are to me. Priorities are priorities and work needs to be done for various reasons, but that mustn’t get in the way of higher values. And while working remotely, a separate office space is the number one thing, without which I wouldn’t be able to perform at the level I need.
And that seems to be having good results so far. For me. You do you. And if you decide to apply this advice in your life, do it with a dose of common sense, because you want to be disciplined thanks to your rules, not enslaved by them.
It’s okay to write some code from the living room. It’s okay to turn on the TV, play some Netflix and reply to emails in the meantime. Let’s not get too serious about it, we’ve got to have ways to decompress when we need to. Of course, you can – heck, you should! – have sex outside of your bedroom, in your living room, in the bathroom, in the kitchen, on the balcony, in the car, on the car and wherever you feel like it. You obviously can play games or eat in the living room, kitchen or surprise your spouse with a great morning meal delivered to the bedroom. Make it all work in your favor, but on some qualities, you shouldn’t compromise, and you should not allow an exception to develop into the habit of making your bedroom/office a hideous place.
Focus, energy, and time are limited. Manage the resources wisely.
This time I had the honour of appearing as a guest in the second episode of Konrad’s new podcast, QAudycja.
I talked about a career in security, about Poland’s cybersecurity, and about my new professional adventure.
As usual, there was also a handful of thoughts on coping with everyday life, in particular about intensity, about good and negative people, and about the influence of our environment on how our private and professional paths take shape.
I heartily recommend it, because the level of Konrad’s questions was fantastic, and he is only just getting started!
Fingers crossed for the success of his blog and podcast 💪.
On 15 November 2018 I gave a talk at the TestWarez conference, where I wanted to share my experience and observations to help others gain a slightly richer perspective on life, one that would help them solve non-trivial career-related challenges.
Unfortunately, I ran out of time before I could close my story properly, which is why I decided to write this blog post and ensure that the people who attended my talk actually receive what they came for. If you want to jump right into the subjects I didn’t manage to cover, scroll down to about 2/3 of this article.
If you didn’t attend the talk, just go ahead and read the parts you feel could bring you some value.
1. Who am I and why do I want to talk about things such as happiness in the workplace and career management?
I’m no guru and I don’t claim to be one. I’m just a man who has spent a significant part of his life chasing a great career, and while I’m doing my thing, I want to share the biggest takeaways so far from my life’s study. I’m not going to tell you that you can become the CEO of a billion-dollar organisation, or that you can earn $X if you do Y, or that you can become the greatest person on the planet. I don’t know that, and I don’t have such answers. But I do have answers which can help you get better at whatever you’ve decided to do. There are patterns that many people have noticed and shared in one form or another, and I want to do the same with my community: create a list of things that are proven not to work, and things that are proven to have the potential to increase the odds of your success. When you have that, you can try it out and see what happens. Assuming, obviously, that you want to try something new because you feel stuck.
If you’re happy, if you’re content and you’re living life on your terms then I don’t think I have anything for you, really. By all means continue doing things that you know are good for you. However, if you’re a person that have tried many things and still don’t see any significant change into the positive, then you might want to take a look here and there.
Many things I’m going to talk about here, are things you’ve most likely have heard about already and it may seem like nothing new is here. Which is about right, and that used to be my attitude as well. That’s the reason why I share such long back stories and create a context for what’s coming up next. I’m sharing my knowledge in a way which I know worked for me and which made me who I am today. First I had to attain a better understanding of things such as human nature and rules of the corporate world, to be capable of comprehending the cliché things that we often hear about. I had to understand why things are the way they are, I had to understand why we act the way we act and only after knowing that there are many moving elements which dictate our state of being, I could get myself to work on changing my position in life.
You really can’t solve a problem if you don’t know what the problem is, and more often than not what we believe to be a problem, in fact turns out to be just a facade for something much more complex. And explaining that complexity takes time, it takes years, but I want to try to compress is as much as possible to make it quickly digestible for everyone else. I do believe there are ways we can share our knowledge and help others understand the subject faster – for some it’s a kind of a shock therapy, because they come expecting a list of things they can take and implement right away to take their life’s on the next level. Then you drop a massive amount of knowledge, observations, and advice, and you let them think about it. You spark an inner thought process which makes people think “what if?”. “What if there is actually something about it, and there are ways to get what I wanted despite my past failures?”. That thought is what ignites the start of a bigger change. Sharing just a set of tips you’ve heard many times will often get forgotten without any action. Sharing a way of looking at the world which makes you question a thing or two, is the game.
In my career, I’ve had a privilege of working as a computer programmer, cybersecurity specialist, manager, team leader and business advisor. But it’s not about me and you probably shouldn’t care. Judge content based on its merits, not its author.
It's that I've tasted many things, which gave me an opportunity to interface with many fantastic people at various stages of their careers at various organisations. For some reason I wanted to know what it is that differentiates people who are under-performing, those who are achieving a lot and those who are basically mediocre. What it is that differentiates people who thrive in the workplace, who love their job, who love themselves when they're doing a specific type of work, from people who struggle to achieve their goals. I've had the privilege not only of collaborating with multiple companies of various sizes as an employee, but also of being given the chance to recruit people into the teams I was working in. I've recruited people into the IT sector for roles with a paycheck as little as $400 per month and as much as $15k per month. I've seen people who were paid twice as much as another person holding the same position at the same organisation, and the question was: how come?
Although it’s not all about the money, it’s a lot about the money. Money is a reasonable indicator how well someone is performing at work, and it’s just something that’s more tangible than skills, knowledge or experience. It’s hard to compare people based on their skills or knowledge, but it’s really simple to compare two numbers. It’s especially easy, when you work with diverse organisations with people who get to the absolute TOP of corporate structure within 5 years and people who barely manage to get any movement across the career ladder over those 5 years.
Obviously there are people who simply choose to take it easy and who don’t care much, there are people who have different genetic predispositions and all that, but you know what I’m saying. I’m pretty sure you’ve met in your life two people who tried really hard, who wanted to achieve the same, yet they achieved completely different results.
So I started paying more attention, because I was really curious. Fast forward to over a decade later, and I believe I've come to some conclusions and some universal truths which can be applied by many of us, with each and every one of us obviously getting different results. But there certainly are things that simply work.
Let me end this intro with the following statement, which should put some more clarity into what I’ve been trying to say:
I don’t believe you or me can become world-class NBA players just because we’ve watched how LeBron James got there. That would be delusional and as far from the truth as one can get. But I definitely believe that we can learn from LeBron to become better at playing basketball than we currently are. No one can promise you or me, that we’ll become world-class at it. But if you put in the right type of work in the right amounts, there are high chances you’ll get better at it and that’s what most of us want and need.
2. Why do I care enough to share it, instead of just doing my thing and investing the time to better myself?
Well, if you get to a point in which you’ve tested something on yourself, you made yourself happier and can see something is working, you just don’t want to keep that to yourself if you see people around you struggling with the exact same thing. It’s such a waste.
People are truly struggling, and way too many people waste their potential because they don't know any other way. I don't really want to get into what people are doing, because it's their lives and it's up to them how they want to live them, but the thing is that many of the people who are struggling just don't want to, or don't know how to, ask for help. They're not unhappy because they want to be. They are unhappy because they don't know what else they can do, so they try many things, they fight, they put in the work, and they try to do something good. And sure, many people find their way, become as happy as one can get and live a fulfilled and joyful life.
But why would we want others to waste their precious time on trying things that are known to simply not work? Or why would we want people to take a longer path if there is a faster way to get where they want to get, which would save them not only time but some pain, which is inevitable when you try new things.
To me it's just the right thing to do. If someone doesn't want to listen to the advice, they won't, and that's absolutely fine. But if there happens to be a person who wants to try something new, then you're at least giving that person an opportunity to learn about other ways than the ones they currently know about. Then it's up to them to try it or not, but at least they get a chance to try something else.
The problem with unhappy people is that misery loves company, and we're very empathetic creatures. We're humans and we're bound to each other whether we like it or not. We affect each other and we influence each other. Understanding this concept allowed me to get through things I couldn't wrap my head around before.
Success is cool and all that, but internal success, i.e. happiness, is what most of us are really chasing. Also, if you're happy, you can make others happy. If you're unhappy and feel stuck, there are high chances that not only are you not making other people happy, you're actively making them unhappy.
So yeah, chasing happiness is something that really matters. Because by being stuck and being unhappy you're not doing anyone any favours. Your state influences the state of other people. And although we want good things for the people we hang out with and we don't want to make them unhappy, we're way too often lost in our own thoughts to realize that we're unconsciously poisoning the lives of those around us.
I believe most people do their best and try to be the best they can. But sometimes it’s not a lack of enthusiasm or lack of ideas that’s stopping us from achieving our goals. It’s lack of consciousness and self-awareness that doesn’t allow us to connect the dots.
3. So, do you want to save yourself and others some struggle and at the same time achieve more? Go ahead, there are a few things that are really important for getting yourself on the right track.
First of all, I believe that we're way too confused, especially in the early days of our careers. We don't know what we're supposed to be doing, so we try to follow people who we think have it all figured out. We read an online magazine and we read about top performers, those people everyone looks up to and secretly wants to be. And we try to replicate what they're doing, which includes things such as heavy meditation, more rigid diets, following a heavily disciplined schedule, waking up at 4AM like the CEO from the cover of Forbes magazine and other crazy things.
It's absolutely a good idea to experiment and try those things, but for most of us those tips simply won't cut it. Each and every one of us is different, and we need tweaks and adjustments to all the recommendations we hear from other people. We fail to recognize that magazines write about things people want to read, which aren't necessarily the things that will actually work for the people reading them.
As an example of a process to dissect, let's pick the sleep schedule, which is something many people try after getting motivated by an article about some TOP performer. When we read about someone like Tim Cook who gets up at 4:30AM, we see the end result. What we fail to recognize is that Tim's wake-up time is the result of a process that he established for himself over his lifetime, and which also requires other changes to his schedule. Magazines want to tell you that you can be more successful and you'll get more things done if you wake up at 4:30AM, because hope sells well. But they forget to mention that to wake up at 4:30AM and be productive by any measure, you need to go to bed at 8PM the day before.
When you read about someone having a rigid diet, you don’t see the process it took someone to prepare their body for such a change. You see the result, but you’re not given enough insights into the process of getting there which is a key for improvement and which is something we must all do thoroughly.
It’s not enough to implement into our lives the elements that successful people do. More often than not, it’ll fail for very simple reasons such as the fact, that your body and your brain are complicated systems, which don’t adapt overnight. It takes a long long time for your brain and body to get used to different times you wake up. It takes a lot of time for your body to adjust the management of nutrients you’re feeding it with.
Combine waking up at 4:30AM with drastic change of messy diet into keto diet and the next thing you know is you’re an anxious zombie who instead of being more productive is an ass to anyone who just happens to be around.
You got to take it easy, and you got to find what’s right for you. And what’s right for you is what you’ve been testing for quite some time, not something a journalist put into the magazine.
I like to say that 99% of the things the TOP 1% of performers do aren't practical for the other 99% of people. By the same token, I do believe that if someone who was once in the position you're in now achieved some sort of success, then you can follow their steps and get somewhere close to where they are. Most likely not to the same place, because there are too many differences between each one of us, but you can certainly change your position to some extent, as some things are universal and in general work in many situations.
So if you want to be as great as some specific person you admire and to do the things they're doing, then it's a much better strategy to follow their footsteps and try to replicate their success. Because if you look at it rationally, what makes you think that you can simply switch to doing some things overnight, if it took your idol months or years to get there? Successful people do those things you read about not because they decided to after reading an article, but because they know it's right for them, and they've been getting there their whole lives.
You've got to respect the journey, because by following it you make yourself more compatible with the end results that you've seen that other person achieve.
4. From what I’ve seen in my life, among my peers and all over the world, there are about four major areas which contribute to people’s lack of happiness in relation to their career.
- People are stuck at the job, in which they feel they’re not being rewarded well enough
- People feel like they’re somewhat stuck with their skills and career in general
- People are stressed and they lack work-life balance
- People are hopeless, because they’ve expected something else than they’ve received and they just can’t see anything beyond that
None of these things are trivial and there is no answer which will work for everyone, but there certainly are patterns which show why some people experience one or more states from the list above, and why some people don’t even know what these things mean – because they’ve never experienced it.
So if you're experiencing any of those things, then it may be worthwhile to look at some of the things that can be done to change that state of being. There are certainly a few workplace-related mistakes that people make which cause their careers to develop way slower than they potentially could.
4.1. Sticking too long with one company
Some people feel like they're getting nowhere, they're not getting paid enough and they're not progressing as well as other people in the industry, because they happen to be in the wrong organisation. It's not that they're not good enough or that they don't deserve better compensation, it's just that they've been working in one place for too long. In the current state of the IT industry, there are zero reasons to stay with one company if the job is making you unhappy. There are so many companies, good, great, average and bad ones, that you couldn't possibly try them all in a lifetime. If you're working in IT, you won't run out of companies who are looking for competent employees.
Sometimes it really can't be said that a given organisation is bad just because you feel unhappy while working there. Some organisations are just made for a certain type of people, and for some people it may be the best company of their lives. Just because you have different expectations doesn't mean the company is bad. If you work for a company that produces a type of service which doesn't generate that much revenue, then it's not its fault. It's their business model to do the things they're doing, and it's absolutely fair that the compensation they can offer you is low compared to some other organisation. If you feel like your expectations aren't being met although you've talked to the right people about it, then switch companies instead of being miserable and blaming the company you work for for not being another Facebook or Amazon. You've got to understand that if you want to get paid as much as software engineers working for Facebook, you should try to get into Facebook instead of complaining that your company can't offer you the amounts of money other people get at Facebook.
This may sound trivial but it’s really not that simple of a choice. We often have unreasonable expectations because we focus too much on our expectations instead of setting high standards for ourselves. If you want to expect something from your company, you must analyse how much does it cost you first.
Get out of your comfort zone and find the right place for yourself instead of making yourself miserable because of lack of courage to change your workplace.
There are always trade-offs and there are always risks, as with anything in life. Those risks aren't going away and you probably won't be less afraid of them anytime soon, but you can become more courageous and more willing to face them and to go after it regardless.
[On remote work
I believe remote work should be available to everyone, but it doesn’t mean anyone can do it. Working remotely can be great, but it can also get really ugly. You need to know what’s right for you and what you’re capable of doing. You need to study yourself to understand in what configuration you’re performing at your best. Just because there are many articles written by people who dropped their corporate job and went travelling all over the world and working remotely, doesn’t mean it’s a right choice for you. It’s tempting, it looks good on paper, but for some people it’s just a wrong thing to do. Just because there are many people saying that you can get much more work done while working in the home office – which can be true – doesn’t mean you’ll be able to achieve that. For most people, there are other ways to be productive and to achieve what they want to achieve, without trying to save as much time as possible by going remote. ]
4.2. Disrupting your career development by leaving an organisation too early
We're humans and we are irrational. We can often get so far in our irrationality that we want to leave an organisation because we don't like the commute, or we don't like a meeting that we're required to attend, or because we don't like hanging out with some person who works in the same office. And instead of trying to resolve the issue, we get emotional, we forget how tiny the thing that irritates us actually is, and we go way too far. If you don't like your workplace, you need to analyse what it is that you actually don't like. In my experience it rarely happens that the whole organisation is broken and everything is ugly. It's just one or a few things that we tend not to like and sometimes can't accept. But we need to have that dialogue with ourselves and understand what it really is that makes us unhappy at the workplace. Chances are that you actually enjoy doing what you're doing, you have fun being around most people most of the time, you're getting compensated well enough, but you really don't like that one person who is bothering you, or the long commute it takes to get to the office. But the feeling is so intense and negative when it happens that you let your emotions take control, and then you think the entire world is against you and you must seek escape. And sometimes the answer to a toxic coworker can be as simple as switching the floor you work on, or negotiating with the company an option for you to work remotely.
People who get ahead in life have nailed this skill down. They've understood that what they think is happening may not really be the case. Human beings are complicated, and we're not trained in any school that I know of how to detach and analyse our problems by looking at things for what they truly are, as opposed to what our emotions are making us see.
So detach and dissect each complicated situation to find the root cause for the bad situation you’ve found yourself in.
5. 10Xers aren’t superhumans. They just know how to get things done.
Many people experience a lot of stress because they don't feel like they're learning enough. They experience stress because they miss deadlines, and sometimes they blame the company for putting too much workload on their shoulders. The thing is that if you want to develop your career, you just need to deal with the workload. And for many people, the reason they are stressed out and can't manage their workload isn't that their company expects too much from its employees. It's that they can't put enough order into the chaos, they waste a ton of time, and they have too little time and/or energy to get the necessary things done. They get stressed out, and after a while they get anxious, because their life is falling apart. They can't manage the workload, so they go home and work even more. They're stressed even more, because they have no time to decompress. This puts them in a downward spiral leading to anxiety and feeling hopeless.
I’m not saying it’s always the person’s fault, but way more often than we think, it really is. If you could only focus on doing the work you could easily get things done in the office, and then don’t touch anything work related when you get back home.
So if anything I’ve written in this paragraph feels familiar to what you’ve been experiencing lately, then I highly recommend you to take a closer look at how you really spend your time.
If you want to be productive, you should consider these things which really do matter:
5.1. You may not know how to get in the zone, how to put yourself in a flow state and do the deep work.
In a field such as IT, where we rely heavily on our creative brain, we really need to focus. We can't really multitask well, so if you want to do something well, you must focus on that thing alone. We're living in a world of constant disruptions caused by our inability to control distractions, which makes us unconsciously do things such as checking our phone every few minutes, browsing social media each time we feel stuck at work, and the like. If you're stuck with something, you don't know how to solve a problem at work, you don't know how to use a programming library, then you're not going to learn that by reading a motivational article or by checking what's up on Snapchat. If you want to solve a problem, you must focus on solving the problem and getting deep into your work. If you need to learn an API, you must read about the API, understand how it works, try it out, and get back to the main task of implementing against that API. If each time you face an obstacle you shift your focus to something other than removing that obstacle, you're wasting your time. You're not going to find a way in the background to solve a problem you're facing for the first time while browsing reddit. All your brain power must go into the task and getting it done. People who perform well just focus, and focus on getting work done.
Many people go to work for 8-10 hours, and if they actually counted, they'd realize they've worked for maybe 3-4 hours and the rest was spent either doing something else or on "getting back to work". So yeah, there definitely are people who in one year can achieve what takes other people 3 years to achieve. It's simple math: if someone goes to work, works for 6 hours straight and knows how to get into the zone, they can actually get 18 hours' worth of the work of someone who constantly falls for distractions, switches tasks and never gets into the zone.
5.2. The people who outperform you often don't work more than 8 hours a day, because for most human beings it's technically impossible to get our brain to produce meaningful work for any longer than that. They just use their time wisely; they don't allow their primitive brain to take control and grab quick dopamine shots. They have discipline over their mind and they push on regardless of the tricks their brain is trying to play. And they know how important it is to rest each day, so they go home and actively relax. They don't lie to themselves that they can squeeze some more work into the day. They realize that after a couple of hours of deep work, they won't be able to do anything worth the struggle. Because if you've really been working for those 8 hours, then your brain is exhausted. You can put in 5 more hours, but for most of us it'll be worth maybe 1 hour of work. So instead of wasting those 5 hours, get some rest, enjoy your life and recharge for the next day's battle.
You'll need that. You need that balance, and you need to understand the signals that come from your brain and your body, which tell you when you can still push a bit and when it's time to back off. And I promise you this is not easy by any means. It's impossible to learn to recognize such signals from your body if you never go into a quiet place and you're overwhelmed by the noise of distractions of the world we live in. You need that time off, that quiet time for yourself, to reflect. To think about your feelings, to think about your plans, to let yourself feel things. And if you don't have the discipline, if you don't focus on getting the work done when you're in the office, you won't get that quiet time for self-reflection. You'll be too stressed out and too busy.
That’s how complex we are. One thing that’s off and dysfunctional can put our whole life into jeopardy. That’s why I never create blog posts such as “10 things to make you XYZ”, because it’s worthless. There are way too many things you need to take care of first, before any of those 10 things have even a slight chance of bringing any value into your life.
5.3 People who get ahead in life know how to be productive. And most people don't really know what being productive entails. Replying to hundreds of emails a day and talking with coworkers on Slack doesn't make you productive. It makes you feel productive, but what it actually does is make you busy. And being busy is far from being productive, because these two things have nothing in common. Your goal isn't to be busy. You want your time, you want your life, you don't want to be busy. What you want is to be productive, to get work done. The work that needs to be done and the work that contributes to the bigger picture. Unless you're working in a Customer Support role or something similar, replying to emails isn't getting work done. Certainly not for most people who visit my blog, because most of you happen to be software engineers, for whom getting work done means producing code, producing a product, creating something that can be sold to a customer who pays for the service. That's contributing to the bigger picture.
To be productive you must recognize the difference between being efficient and effective. People obsess with being efficient, and they’re being told that working hard will earn them what they want to earn in life. Which is silly, because what’s actually going to bring you closer to your goal, is indeed working hard, but working hard on things that are important. You can be efficient at zeroing your mailbox, but is it effective for you and your organisation? It’s not. Communicating with people is necessary, but you should get that done as quickly as possible and get back to actual work.
Effectiveness is doing the right things. Efficiency is just doing things right. And you need both. You need to work hard, but before you get yourself into the grind you must know how to work smart, that is, to know what your manager and your team want you to focus on.
I don't know a single person who got promoted for being the fastest person in the company at answering their coworkers' emails. But you bet I know people who got really far in life because they delivered important work on time. Human beings way too often fail to recognize that doing lots of work doesn't mean they're doing the work that matters. And the person who signs your checks couldn't care less how much you've worked if the outcome of said work hasn't directly or indirectly produced revenue for your company.
So that’s one of the biggest takeaways and lessons I’ve learnt in my career. The results are the only thing that matters to the business. Everything else is just a noise, so learn how to get things done.
6. Attitude matters
I’m really not into the motivational coaching or things like that. I stay away from it, so don’t get me wrong, but there is something that is really real, and that is your mindset. If you have fixed mindset and you don’t believe you can achieve something big, you most likely won’t. It’s not about any law of attraction, or believing that if you constantly imagine you’re going to become a millionaire, you’re one day just going to become one. No one is coming to rescue you, and no one is going to knock on your door and hand you a check for $1M out of the blue.
You've got to work for it, which is the crucial point. But to work for it, you must believe that there is something in it for you. Because how could you achieve something big if you don't believe in it and so do nothing about it? You need to have internal motivation, and you need to allow yourself to believe that you can achieve the thing you want to achieve. Then put in the work and see if you were right. Time flies by anyway. You know what's going to happen if you do nothing. But you have no idea what may happen if you take action.
6.1 That’s why it’s so important to surround yourself with right people.
"You're the average of the 5 people you spend the most time with" is one of the most real lessons being shared out there. If you surround yourself with negative people who complain about their life and do nothing to change their state, it's easy to fall into the same category. It's easy because if the people around you accept your weaker self, it's hard to push yourself to get better; why would you sweat if everyone accepts you anyway? And those dreams won't go away, they will just go into hiding, and after 5 years it won't be fun to look back and see that you haven't really done much, that the time is gone and you're not getting it back. It's painful to realize that you could be enjoying the fruits of your work and living your dream if you hadn't allowed other people to dictate your will.
If you surround yourself with negative people who point fingers at others, it'll be hard to take ownership of your situation, because it'll be easy to also blame everyone but yourself for your misery. And if you get yourself into such an environment it's going to be really, really hard to escape, because those people won't feel secure enough to let you chase your dreams and achieve your goals. If you take ownership and show that it's possible to achieve something if you put in the work, you'll make them feel bad about themselves. Because now they'll have a living example that if you put in the work and stop expecting someone else to give you everything, you can do better in life. And that's scary, because it exposes them and leaves them no excuse to stay where they are.
So be careful about your surroundings, because you really need great people in your life, who want good for you, or for both of you instead of thinking only about themselves. You need people who can support your mission, and whose mission you can support. You want to have a tribe where you all aim at doing better and wish each other the best instead of sitting together complaining how bad you’ve got it and how many reasons are there to not pursue your dreams. You’ve got to have hope, and you must guard it at all cost, so people don’t take it away from you, because human’s hopelessness is a tragedy.
It’ll be good for everyone if you own your decisions and you don’t let others put you down. Because if everything is on you, and you know that you’ve made a decision yourself, you can’t point fingers at anyone else. Which can be the case, and often is the case when you do something someone told you to do and it fails. You get bitter and angry at that person, because you know they made you do it – even though it was your final call to listen to them.
So don't let that happen. Take it all on yourself, and give yourself no chance to blame other people for your failures.
7. Communication – a skill no.1
7.1. Your impact is limited by your inability to have meaningful conversations
I'll keep it short here and expand on it a little later in the leadership chapter. But you already know that you can't go far if you're not productive, and you can't be productive if you don't know what the critical things for the business are. To know what's critical for the business, you need to know how to listen to people and how to communicate well. So if you can't communicate, or don't want to, you can't really be a 10Xer, let alone a leader or someone at the top of the organisation's hierarchy.
7.2. You’re paid what you negotiate, not what you’re worth. Know your value and present it well
You get what you agreed upon, and way too many people are underpaid for a simple reason: a lack of courage and of the social skills needed to negotiate better terms of employment. Although it’s ugly, the reality is that in 99.99% of companies you won’t face a situation in which a CFO approaches you and says “hey mate, you’ve been underpaid for the past 5 years. We’re going to compensate you for that, and we’ll triple your salary, which is the current market value of someone like you!”. You’ve got to take it into your own hands; you need to learn how to communicate your expectations and understand the expectations of the other side. If you don’t do it, the most realistic scenario is that no one is going to do it for you. You’ve got to have your own back, ’cause people mind their own business, which is fair, but just don’t be naive.
I believe these are some of the most important general things everyone should know about, and now we can move on to the actual recommendations for people who want to know what they can do right away in their current situation.
8. If you have between 0 and 18 months of experience, I really recommend focusing on the following things that I see many newbies failing at:
- Absorb the mindset, because that’s something very difficult to attain on your own
- Learn about the industry, so you know what life has to offer
- Get to know people, so you can learn how to communicate well and simply create a network of people whom you like
- Stay humble, because at the beginning there’s a high chance you know nothing, and although you can definitely bring some great, fresh perspective, it’s much better for you if you focus on listening and absorbing that knowledge. You’ll get a chance to say it all one day, so take it easy
- Don’t stress about looking too far into the future. Just do what you’re told to do, try to do it well, and ensure you’re meeting the expectations of your team and employer
- Learn to rest and build work-life harmony, because if you don’t create healthy foundations early on, it’ll get increasingly harder to create good habits when life gets busier, and as we get older, sacrifices get more expensive
9. So you want to be a Senior now? Cool, we need more senior people courageous enough to take on more responsibilities, so let me share with you some of my truths that can come in handy.
Generally, there are two ways to have a senior role in our industry. One is more about feeling senior, and it’s when you join some bullshit company where the only prerequisite to become senior is that you’ve been with the company for 3 years and you know all the legacy mess well enough to keep it all together.
The other one, which will likely last longer and allow you to remain senior between companies, is to do the work others won’t, so you can get a role they cannot have. To become a senior professional at a reasonable organisation, you need to put in work that goes way beyond your current job description. Here are some universal truths which just work:
- Bring order to the chaos, because people perform better in a calm environment without too much stress. This is where real 1000Xers are made – they help others become 10Xers
- Communicate exceptionally well, because to bring order to the chaos you need to know how to listen when people share their concerns
- Be a master of your craft, because being good at something means you can do things faster and better, and inspire/help others
- Connect the dots and remove the obstacles, because showing initiative earns you the respect and trust of your team
- Lead by example, and let the example be work ethic, willingness to go the extra mile and an honest intent to help others
10. Those are just some things, but based on my experience and observations, these are the things that simply need to be done.
And although at this point you may assure me and yourself that you’ve known it all for a long time, that’s not the point. No one, least of all nature and your company, cares whether you’ve known something. All that matters is whether you’ve put it to work and made use of the knowledge you have.
It’s easy to attain knowledge. It’s the courage to do the work that differentiates people. So little, and at the same time so much.
I’ll probably update this one day or another, because there is much more to it, but all the things that I’ve shared should really cover most cases for people who are new in the industry.
Good luck to you all, and please remember that it’s the path, not the point on a map, that gets you to the destination. You had to invest quite some time to get to the conference venue; you didn’t just get out of the house and make one huge jump from your home to the destination. You didn’t fight it, you didn’t complain that you can’t just teleport, so why would you expect to get results without putting in the work first? 🙂 It’s all about doing what needs to be done.
Nothing remarkable was ever achieved without putting in the work. That’s how things work, and the sooner you accept it, the sooner you can start getting closer to achieving whatever you’ve set out to achieve.
Good luck. And maybe even more than luck – discipline, because we all need more of it.
Show up, adapt and deliver results
Everyone needs to be made aware that security testing is a time-consuming activity, so it must be included in release planning schedules.
It’s generally a good idea to jump in with security tests when the QA team is given its time to do the “regular” testing. While we’d love to receive stable and fully functional software after QA is done and functional bugfixes are in place, that’s not really practical in most fast-moving environments. Asking for separate time after everyone else has completed their tasks would significantly slow software delivery. Slowing anything down is something we should try to avoid at all cost, because, as I’ve mentioned previously, we must strive to minimize the costs of running security operations.
It’s great if your coworkers actually know about your existence and trust that they have a go-to person in the company who’s competent in security and eager to help them. We sometimes get ourselves off the radar while doing our work, and people start feeling like there isn’t anyone watching their backs anymore. You can show your presence in the company by dropping suggestions here and there, by asking people if they need your help, by plugging security automation into the Continuous Integration process and by doing anything that’ll show people that you’re there and that you care for them.
The CI/CD part is important because it’s beneficial to have tools that give you a clearer view of change management, which enables you to act accordingly, e.g. run your tests and respond in a timely manner, demonstrating to people that you’re on top of things, that you’re keeping an eye on everything, that you’ve got it all covered and that you do stuff on your own. Showing people that you’re a person who takes ownership and goes the extra mile really matters, so if you talk to someone out of the blue about an issue you identified, even though they hadn’t notified you about it, you may change their perception of you for the better.
That’s how you build respect, really. You show up, you deliver results and you do stuff behind the scenes to make people’s lives easier, and then you come out letting them know about the cool stuff you’ve been working on lately.
If people see you hanging around all the time during design discussions, they’ll organically learn you’re needed and will let you know whenever there is something new coming up. Just be there for them and make it easy to approach you and ask for help. Professionals do enjoy the company of other professionals, so if you become one and build such an image of yourself, people will be happy to collaborate with you.
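To make the CI part concrete, here is an added example (not code from the original post) of a small change-triage step: it reads the list of files a change touched, as `git diff --name-only` would report it, picks the security checks to run and flags when the security person should proactively reach out to the owners. The path patterns, check names and sample diff are assumptions constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

# Assumed mapping: (fnmatch pattern, check to run, notify security team?).
# Patterns are tried against the full repo-relative path and its basename.
RULES = [
    ("requirements*.txt", "dependency-audit", False),
    ("package-lock.json", "dependency-audit", False),
    ("go.sum", "dependency-audit", False),
    ("Dockerfile*", "container-scan", False),
    (".github/workflows/*", "ci-config-review", True),
    ("*.tf", "iac-scan", True),
    ("*/auth/*", "auth-review", True),
    ("*/crypto/*", "crypto-review", True),
]
# Any other source file still gets the baseline static scan.
CODE_SUFFIXES = (".py", ".js", ".ts", ".go", ".java", ".rb")


@dataclass
class TriagePlan:
    checks: set = field(default_factory=set)     # security checks to run
    notify: bool = False                         # reach out to owners proactively?
    reasons: list = field(default_factory=list)  # why each check was selected


def triage_changes(changed_paths):
    """Map the paths a change touched to the security checks that should run."""
    plan = TriagePlan()
    for path in changed_paths:
        path = path.strip()
        if not path:
            continue
        base = path.rsplit("/", 1)[-1]
        matched = False
        for pattern, check, notify in RULES:
            if fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(base, pattern):
                plan.checks.add(check)
                plan.reasons.append(f"{path}: {check}")
                plan.notify = plan.notify or notify
                matched = True
        if not matched and path.endswith(CODE_SUFFIXES):
            plan.checks.add("sast")
    return plan


def plan_from_git_output(name_only_output):
    """Wrapper for the raw text of `git diff --name-only BASE HEAD`."""
    return triage_changes(name_only_output.splitlines())


# Constructed sample of `git diff --name-only` output for one pull request.
SAMPLE_DIFF = "src/auth/session.py\nsrc/api/views.py\nrequirements.txt\ndocs/README.md\n"

if __name__ == "__main__":
    plan = plan_from_git_output(SAMPLE_DIFF)
    print("run:", sorted(plan.checks), "| notify security:", plan.notify)
    for reason in plan.reasons:
        print(" -", reason)
```

Wired into a pipeline step, the same decision tells you which changes to test right away and which authors to talk to before they have to ask.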
Become a leader capable of stepping out and delivering, especially in moments when people least expect it.
Make security simple
Simplify it for them
Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. Such an attitude has its reasons, and I myself have experienced that security processes at most companies actually suck and create problems.
You can make no mistake by making things simpler and carefully explaining your requirements. The easier and cheaper you make it to build secure products, the more likely it’ll get included in the SDLC. You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so people can actually consume them and use them to add value to the business. Having a huge knowledge base rich in value doesn’t mean a thing unless you’ve got people actually using it. So make it simple and spread awareness about it, so your work doesn’t get lost in the noise of the daily grind.
Developers have their own stuff to learn, and they don’t want to waste time digging through confusing documentation which doesn’t provide clear guidance on how to resolve a problem. They’re looking for high-quality resources, so you are expected to provide a well-described set of practical action items. Remember that everything I’m talking about here is about making people leave their comfort zone. So you need to incentivise them to learn new stuff, and generally, the lower you set the entry bar, the better.
If you ask people out of the blue to use some security product like 2FA or an SSO integration, ensure it provides a great user experience. No one wants to waste time learning an ugly UI just because security folks require them to use yet another tool.
If you don’t keep it simple and your requests become too irritating, you won’t be able to build a healthy long-term culture. You cannot allow situations to happen which make people build a mental map where security equals discomfort, pain, anxiety and shame.
To me, security is all about the mindset and very little about the technical side. We already have all the tools necessary to improve the safety of our businesses, but what we often don’t have is buy-in from stakeholders.
Everything is just a tool and the mission is the only thing that matters on the macro level
Technical actions are parts of your strategy, which is just a vehicle meant to help you achieve the goal. So if the goal is to secure your company, the use of specific tools is a tactic meant to bring you closer to the goal. So don’t cling to the existing strategy or tactics; tweak them as much as needed, because if something isn’t contributing to the bigger picture, it needs to be thrown away, no matter how appealing it may be. If something works, that’s awesome. If something doesn’t work, then tweak it. If it still doesn’t work, and creates more confusion than protection, then throw it out the window and move on to something else.
Do not fall into the dangerous trap of romanticizing your strategy or tactics. Those are just tools, and practicality beats romance every single time on all possible layers and dimensions.
Encourage and teach instead of demanding and judging
It’s easy to assume that your peers should have a certain level of security awareness, but it’s as wrong as it gets. I’ve met successful senior software engineers and managers who, after two decades of work experience, had very limited knowledge about security engineering. Everyone comes from a different background and has worked on projects with different priorities, so the safest option is to assume that they haven’t had a chance to become security-savvy.
It’s on you to create a foundation on which you can build later on. It makes a lot of sense to create low-to-mid level security training to equalize the level of security awareness, both in general safety (e.g. phishing) and in technical security (e.g. secure coding). If you create such a baseline, you’ll be able to speed up discussions and save time in the future.
When you know that everyone is on the same page and you don’t need to repeat yourself on the basics, you can go right into the specifics and discuss the matters that matter.
It’s worth it, and it made me much more productive, so I encourage you to follow suit, even if just to save yourself from a burnout caused by the need to repeat the same things like a broken record.
Extensively explain security requirements and identified issues
Every time you file a bug report or request a product feature, pay attention to the communication vehicle. Elaborate as much as possible to make clear what your intent and the business profits/risks are.
While writing technical details, consider using an ELI5 approach, so there is no confusion along the way and no surprises when the code is shipped. Describe what the problem is and provide a practical solution, i.e. pseudocode, a configuration excerpt or an actual piece of code that can be copy/pasted to fix the bug.
While taking such an approach, make sure that people understand you’re using ELI5, because some people may take it personally. It’s important not to hurt anybody’s feelings, and it can happen if one thinks that you’re using ELI5 to diminish their knowledge, even though your intention was to make everything clear so they don’t need to waste time on individual research.
Express that you want to share your knowledge so they can learn quicker, and to make it easy for the next generations and juniors to understand what the case was. It may seem like a small thing, but you don’t want to create a toxic atmosphere because of such a trivial misunderstanding.
No matter what your specialization is, we all share the same goal – improving the defense
Let me go a bit deeper on why I believe in overcommunication so much, because there are two reasons for it.
If you don’t want to be disappointed and anxious, then overcommunicate. It’s simple, but in life we tend to blame the other person for not having understood us well, while it was us who hadn’t expressed our thoughts clearly enough. Always blame yourself first and reflect on whether you’ve done the best job possible to ensure there is no chance of someone misunderstanding your requirements. Yes, people should ask more questions if something isn’t crystal clear instead of jumping right into implementation, but life is what it is; everyone has their own struggles, so you need to take this into consideration as well.
The other side is that engineers are often tired of cocky security rockstars who don’t bother putting in the work to help engineers address the issue, beyond finding the bug and shouting loudly about how great they are. Don’t drop a fancy vulnerability name with a brief description of “Fix it, it’s simple, you can google it!”. We’ve had enough of it, everyone is tired of it, so I implore you not to add to this bucket anymore. Finding a bug means 0 value for the business as long as the vulnerability hasn’t been addressed. Right, maybe you’ve made everyone aware of the risk so they can take it into consideration, however that’s not the ultimate goal of a red teamer. The goal of every single one of us is to improve the defense, not to boost our egos by trying to show people how much better we’ve got it than them. If you act this way, you aren’t better than anyone, you suck. I don’t want to put you down; maybe you have huge potential and a great skill set, but it’s ego that’s playing you like a marionette. Been there, done that, and then evolved to bring actual value to the business rather than just to myself. Intentions are fantastic and I get that you may have it all good, but actions speak louder than anything else, so even when you think you’ve done your job as an offensive security professional, ask yourself what the actual outcome of your day’s work is. Did you contribute to the bigger picture? If you haven’t, that doesn’t mean it’s your fault; maybe it’s the business’s or indeed someone else’s responsibility to take it further. That’s fair enough.
All I’m saying is that you should give yourself some time to think about it, accept that the result of your thinking may be uncomfortable, and then use it to improve. Don’t beat yourself up, just improve, move forward and don’t waste energy looking back.
Once again, if you get the results you want and everyone is happy, keep doing what you’re doing. But even then, an ego check may be a good thing to do, to make sure you’re not getting out of sync with reality, because the further you go with that, the harder it’ll be to get back on the right track.
And for anyone who can’t wait for the long weekend and some quiet time at home, I recommend the material we recorded a few months ago with Michał Bąk about managing your life while working remotely.
Some of us are made to work in silence and in the comfort of our own four walls, yet many of us don’t even try to find a solution for ourselves and settle for the framework created by society.
For me, remote work is a tool that not only makes me a better employee, but also makes me feel more fulfilled personally, and it lets me focus on the things in life that matter.
If you’re considering remote work, or would like to learn a little about the challenges that come with this way of working, take a look at this interview, in which I share the lessons from more than 7 years spent working remotely.
Good luck, and look for the place that’s right for you. Life is too short to work somewhere that doesn’t give you comfort; but it is long enough to experiment and finally find something that fits.