Land the perfect cybersecurity role, and move up the ladder, with this insightful resource
Finding the right position in cybersecurity is challenging. Being successful in the profession takes a lot of work. And becoming a cybersecurity leader responsible for a security team is even more difficult.
In Navigating the Cybersecurity Career Path, decorated Chief Information Security Officer Helen Patton delivers a practical and insightful discussion designed to assist aspiring cybersecurity professionals entering the industry and help those already in the industry advance their careers and lead their first security teams. In this book, readers will find:
Perfect for aspiring and practicing cybersecurity professionals at any level of their career, Navigating the Cybersecurity Career Path is an essential, one-stop resource that includes everything readers need to know about thriving in the cybersecurity industry.
HELEN E. PATTON has held several senior technical leadership positions in cybersecurity, including Advisory Chief Information Security Officer at Cisco, AVP and Chief Information Security Officer at the Ohio State University and Executive Director of IT Risk and Resiliency at JP Morgan Chase.
Foreword: Navigating the Cybersecurity Career Path
Introduction
Part I Arriving in Security
Chapter 1 How Do You Become a Security Professional?
Create Your Story
So, You Want to Work in Security
What's Next?
Chapter 2 Why Security?
What Kind of People Do Security?
What Is Your Why?
What's Next?
Chapter 3 Where Can I Begin?
What Does It Mean to Be a Security Professional?
How Can You Make Sense of It All?
What's Next?
Chapter 4 What Training Should I Take?
For the Traditional Student
For the Nontraditional Student
For the Full-Time Nonsecurity Worker
Other Things to Consider
What's Next?
Chapter 5 What Skills Should I Have?
The Entry Point - Technology
Professional Skills
What's Next?
Chapter 6 Is My Résumé Okay?
Linking the Résumé to the Job Posting
Elements of a Résumé
Digital Presence
References
Cover Letters
What's Next?
Chapter 7 Trying with Little Success?
Physical Location
Your Company
Get Specific
Know Your Market
Assess Your Efforts So Far
But I'm Doing All Those Things!
What's Next?
Part II Thriving in Security
Chapter 8 How Do I Keep Up?
Fitting It Into Your Schedule
Ad Hoc and Planned Learning
Take a Mini-Sabbatical
Where Do I Find the Information?
What's Next?
Chapter 9 How Can I Manage Security Stress?
The Stress of Working in Security
Managing Security Stress
What's Next?
Chapter 10 How Can I Succeed as a Minority?
Making Security Work for You
What's Next?
Chapter 11 How Can I Progress?
The Security Journey
The Opportunist
The Intentional Career Seeker
How to Get Promoted
What's Next?
Chapter 12 Should I Manage People?
Leadership and Management
Preparing for Your Next Role
What's Next?
Chapter 13 How Can I Deal with Impostor Syndrome?
Fact-Check Your Inner Monologue
Know Competence and Incompetence
Know When to Ask for Help
Keep Learning and Know When Enough Is Enough
Keep Track of Your Successes
What's Next?
Chapter 14 How Can I Know If It's Time to Move On?
Are You Happy Where You Are?
Have You Done All You Wanted to Do?
Have You Learned All You Wanted?
What Are Your Long-Term Goals?
Are You Being Pigeonholed?
Do You Fit Into the Culture?
Job Hopping
Are the Other Options Better than Your Current Job?
What's Next?
Part III Leading Security
Chapter 15 Where Do I Start?
What's on Fire?
What Is Your Timeline to Act?
Who Are Your Partners?
Find the Strengths and Note the Weaknesses
Draw the Business Risk Picture
Do You Have a Mandate?
What's Next?
Chapter 16 How Do I Manage Security Strategically?
Consider Your Industry
Know Your Business Priorities
Be Pragmatic
Address Stakeholder Pain Points
Threats and Vulnerabilities
Rinse and Repeat
Putting It Together
What's Next?
Chapter 17 How Do I Build a Team?
It Is About the How
Things to Consider
Identify Important Things
Identify Areas of Weakness
Discontinuing a Function
Building New Functions
What's Next?
Chapter 18 How Do I Write a Job Posting?
The Challenge of Job Postings
What's Next?
Chapter 19 How Do I Encourage Diversity?
Start with Numbers
Understand Your Cultural Issues
Attracting Diverse Talent
Writing the Job Description and Posting
The Interviewing Process
Retaining Diverse Talent
Promotions and Career Development
Leaving the Team
What's Next?
Chapter 20 How Do I Manage Up?
Who Are Senior Stakeholders?
Help Them Understand Security
When Things Go Wrong
What's Next?
Chapter 21 How Do I Fund My Program?
Funding a Team
Funding a Program
The Big Ask
What's Next?
Chapter 22 How Do I Talk About My Security Program?
What Story Should I Tell?
Telling Stories
What's Next?
Chapter 23 What Is My Legacy?
Making an Impact on the Industry
Making an Impact on Your Company
What's Next?
Epilogue
Appendix: Resources
About the Author
Acknowledgments
Index
Every week, I get a call from someone I don't know (or barely know) asking for a meeting so they can get to know me and ask me questions about working in security. Often, the person is thinking about working in security and needs help figuring out where to start. Just as often, the person already works in security and is wrestling with some challenge they can't solve on their own and wants some guidance. Sometimes, the person has taken on a new leadership or management role, and they are overwhelmed with the responsibility and don't know where to start.
They ask questions like these:
I ask questions like these:
Being a mentor, coach, and sounding board is one of my favorite things to do. I love the community of people who work in this profession, and I love helping people navigate their way into and through it. I typically meet with a couple of people each month. Sometimes, meeting a new person results in an ongoing mentoring relationship, with a regular meeting cadence and a specific issue we explore. Sometimes, it results in no further meetings, but we do form a common connection, where I learn more about them. Usually, I also take something away from our meeting, too. I learn something that helps me remember something I had forgotten or something that helps me in my current role. We start a thread that can be picked up later if either of us needs it.
Over the years, I have enjoyed meeting people who are in different stages of their professional journeys. They usually fall into one of three categories:
The first meeting is concerned with learning about the other person, making an intellectual and emotional connection, and recognizing where help is needed and where help can be given. Sometimes, I find that I'm the one who needs help, and we realize that regardless of our respective backgrounds or how long each of us has been working, we each have something worth sharing.
I've been in the security industry for a couple of decades, and my own journey has been one of trial and error, good luck, and hard work. I'm now in a place where I have enough experience to provide insight into most questions people ask. I'm also connected to enough really amazing people who will know an answer to a question if I don't. Between blogging, public speaking, and working as a chief information security officer (CISO), I continue to learn about how to be happy and successful in security. I also know that I don't have all the answers and that the path people are on today cannot be the same path I walked. And I have learned that I have a lot to learn!
The security industry is unique. Although the issues have been around for a long time, the industry itself is young compared to other professions. There aren't many established organizational structures or career ladders. The way of doing security varies heavily between different industries and companies. There are no generally accepted security principles or professional standards. Not yet. This makes the security field hard to navigate.
People ask similar questions at each stage of their careers. We all struggle with the same things as we move through this profession. The industry, the company, the manager they work for might be different, but the issues and concerns are common. Often, the person knows what to do or how to find answers, but they need to bounce their ideas off someone else first. They find me or someone like me who can offer wisdom and objectivity. We know enough about the industry to help, but we aren't wrapped up in the day-to-day issues. It helps them confirm that they're not dealing with a unique situation, that someone else has been in the same trench, and that help is available. I play the role of listener, coach, and cheerleader. It is tremendously satisfying.
Meeting people one-on-one doesn't scale very well. As my colleagues and I work hard to attract new people to our industry and help people thrive and lead, the number of people who need help navigating their security careers grows. I wrote this book about the common questions I am asked and to make a widely available resource for people who can't meet me in person. I hope this will also help mentors like me, who can't address all the questions all the time and would like to direct people to a useful resource.
I considered creating three different books (getting into security, living in security, and leading security). As I thought more about it, I realized that our careers aren't linear. Sometimes, we are just starting out in a leadership role. Sometimes, we are decades into one security job, but we are thinking of jumping into a new role and need to work out how to break into security all over again. Sometimes, the challenges we have as a mid-career professional are the same ones we have as leaders. I realized that a person might want to read ahead or revisit certain topics, so keeping them all together would make for one easy reference.
I assume that if you want to work in security (or you already do), then your target company is large enough to support dedicated security resources. This can mean a start-up that is moving into the next phase of growth and needs its first-ever security professional, or it could be a large enterprise with many security teams under one security leader. In any case, my advice applies to people in companies who have some organizational culture and structure.
The topics in each chapter can be read from the perspective of the job seeker, the job holder, or the manager - and sometimes all at once. For example, the chapters about writing a résumé, creating a job posting, and building a diverse team are all related, and there is something in each of these chapters for everyone. I encourage you to look at your questions from "the other side." If you're a job seeker, read the manager chapters to see what they're thinking. If you're a manager, consider the perspective of the job hunter. Security professionals are at their best when they think broadly about a problem. Take the same approach here and explore your questions from all sides.
In each chapter, I begin with a summary section. The summary allows you to quickly find the information you need and to pull out the key themes and resources. You will notice that many themes carry over from chapter to chapter. For the entire book and your entire career, this means you should know yourself, network, stay curious, and communicate well (and often!).
You can read this book by just reading the chapters that answer your immediate questions, though advice in one chapter might apply to others, so I would encourage you to read it all. It's helpful to know the answers to questions you have now and also questions you might have in the future. People will be coming to you with these questions at some point, so this is for the future mentor you will be, too. "Be prepared" is a great motto for anyone in security to follow.
You will notice that not many of the questions you will be asked are technology questions. Yes, security is a technology-focused discipline. Yes, you need to have some level of technical expertise to have a role in security. But how to "do" technology is rarely the question people ask mentors about. More often, the questions are about finding resources and navigating organizational structures, personalities, and politics. Security-specific issues must be considered, and I discuss these as they arise, but the presence of technology is a starting point, not the main point.
I didn't write the book in a day - or even a year. When I revisited each chapter during the editing process, I realized that my own ideas about a topic changed with time. As I write this introduction, we are in the middle of the COVID pandemic, and ideas of remote work, inclusion and equity, and career opportunities are changing. I have tried to make my thoughts as time-agnostic...