I normally would take some time to write a proper “year end” reflection post… But as we all know how exciting 2020 was… that task was “deprioritized” and is now replaced with this post instead. Yep… this is solidly being posted in mid-March… but hey, the OKR is still being met since it’s posted prior to the end of Q1 ;)
In a few months, I will officially hit my 2-year anniversary at my new company as a Sr. Security Engineer, after a career pivot from the software side. What’s the most different? I’m no longer writing code but instead helping other people write more secure code. They seem similar enough from the outside. But oh boy, writing the code yourself vs. trying to help others do things securely is a whole new science!
In my old role on the software side, I had the privilege of having an amazing PM who worked with the customers and business side to understand their needs, then helped prioritize the work. I always had clear direction and expectations of what needed to be done. The work was cut out for me, and all I needed to do was pick up as many tickets as possible while solving challenging problems. AKA… I never had to talk to anyone outside of my little bubble, was able to work individually, head down most of the time, and it was GREAT!
In my security engineer role, the team is MUCH smaller and the work is much more self-directed. I suddenly found myself becoming BOTH the project manager and the technical engineer. I now find myself in meetings 60% of the time, working face to face with people. Most people don’t understand how daunting this is… but it’s kind of an engineering nerd’s nightmare. The social aspect of it can get so draining, especially for an introvert… But it’s one of the experiences that I appreciated the most because it made me venture completely out of my comfort zone!
Throughout this experience, these are some of the things that I got to learn last year:
“It is impossible to learn that which one thinks one already knows.” -Epictetus
I can’t emphasize enough how important it is to keep a beginner’s mindset. Once we let our ego tell us that we know something or have it all figured out, it prevents us from learning. This is why I always sign up for any classes that I can, and learn anything that I can. Technology changes constantly, and specs get revised/improved. That’s why it’s always important to be open to the fact that, despite having “senior” in your title, you should always stay humbled by how much you have yet to learn. And strive to teach and mentor others. Once you can teach, you’re forced to understand the subject on an even more intimate level. On my annual professional development goals list, I always schedule in one to two trainings a year to give to my team, despite hating public speaking (and thinking I am terrible at it :’)). But you know what… the only way for me to get better is to force myself to be bad first and learn from the experience. Staying in the comfort zone won’t help my growth!
Working in security, you’re probably used to being overworked and overscheduled most of the time. Ever since COVID, it’s not unusual for me to be in back-to-back meetings for hours; sometimes my calendar is even double or triple booked. As an appsec engineer, it’s a normal trend to see a ratio of 1 appsec engineer supporting hundreds of developers spanning multiple projects and languages. This is where economy of scale comes in. Anything that is often repeated should be automated. Anything that can be documented as a knowledge base should be written down. This will save you SO MUCH time. Learn to say no to the one-offs unless they’re critical. Time is precious, so focus it on addressing the root cause issues that will generate the most impact.
To be honest, after a few months of struggling to learn how to people, I can now banter pretty well and can have an endless conversation with someone about security any day. Sometimes even too much… and I have to remind myself to go through the THINK (Is what I’m saying: True? / Helpful? / Inspiring? / Necessary? / Kind?) acronym before I speak. The biggest thing that I’ve learned during the past year is that it’s not just about what you know in terms of technical expertise. You also have to consider other aspects and goals that the business is trying to achieve, and whether or not your recommendations will fit in with the company’s overall strategic vision. Don’t get me wrong, your expertise in security is still at play here; that’s why you were hired for your job. But try to find alignment with the business and you will be able to move much quicker! ;)
When it comes to working with others, it’s all about listening and forming the right questions to ask so you can help people in the right way. Only then will they be open to your recommendations and suggestions, even if that means additional work on their end. This key will unlock your ability to collaborate swiftly and effortlessly with various teams and product groups.
I often find myself having to ask teams to make changes to their code bases: adding/taking out certain key features, prioritizing and scheduling a security task into their sprint planning, and sometimes even delaying shipping a critical function. And at the end of the day, it’s a scale weighing business vs. security needs, and business will often win. However, both business and security share the same goal: to deliver a great product for your customers. So find the commonalities and focus on those instead of the differences. Make sure to always try your best. And what “trying your best” means is:
- Being prepared, and doing the prep work ahead of time to make your case
- Respectfully rationalizing the WHY, and having the ability to defend your requests and explain why certain choices need to be made
- Breaking things down into simple terms. It’s not your goal to sound smart, it’s your goal to help people understand
- Having the ability to clarify, explain, persuade, and close (I literally started picking up sales books to become better at this)
This will help to create trust, which in my opinion is the most important foundation for building great relationships. Throughout this process, learn to be empathetic and set realistic expectations too. Everyone is human at the end of the day, and it’s a great feeling being able to solve problems happily together.
It’s better to address flaws earlier rather than later, and to set realistic expectations. Nobody is perfect. And here’s the cliché phrase… Teamwork makes the dream work! This is especially true when you are the only person carrying out a large project; it’s easy to look past certain things. It’s so helpful to have an additional set of eyes to validate that you and your project aren’t completely insane. It will also help with getting buy-in, because people are more invested in what you’re doing once they help you with it. Be open to the fact that mistakes are inevitable, and it’s also ok to not know everything. This is why we have a diverse team, for everyone’s different skillsets and perspectives.
This is my last point, and also one of the most important points. Make sure the people who helped you and worked with you feel appreciated. Drop a note to someone’s manager and thank them for their contribution, or drop some karma on Slack or their karma board. Recognize and appreciate the people who help you as much as you can. It doesn’t take much but goes a long way. :)
There was a lot of learning in the past year and I’m extremely grateful for the opportunities to do so. I was pushed out of my normal comfort zones, learned to work through many uncertainties, and picked up new skills along the way. As time goes on, I will continue to reflect and share my experiences. That is it for this post today!