There are many great blog posts, videos, and general advice about how to get into the computer security industry. However, there appears to be less advice for security professionals who have been in the industry for a few years, or mid career advice.

In this post, I’m going to provide a frank overview of what led me to move from a senior IC leadership position at a security consulting firm to a senior leadership position at a security product start-up.

Specifically, my choice to leave my role as a Technical Director and Research Director at NCC Group to become the Head of Security Research at r2c, a Bay Area-based start-up building Semgrep, an open source static analysis tool.

Post overview:

  1. Some high level thoughts on evaluating your next job options
  2. Why I chose to leave NCC Group
  3. My next options
  4. Why I chose what I did

Career Choice Strategies

There are many ways to think about what you want to do next. Let’s quickly examine a few.

What’s most important to you?

There are many things about a job that can make it more or less of a good fit for you. Here’s a non-exhaustive list of job attributes:

  • Compensation - base salary, bonus structure, shares of your non public start-up, stock in a public company, 401K matching, …
  • Work/life balance - is everyone putting in 40 hours and work is just a way to pay the bills? Are people passionate and working hard on something they believe in (e.g. 40-60 hours a week)? Will this job demand all of your time, including weekends (e.g. investment banking)?
  • Annual paid time off, sabbatical after a few years?
  • Benefits - healthcare, maternity/paternity leave, …
  • Remote work friendly
  • The office has a fun, modern design and lots of snacks, a gym, and 
  • Client facing or not at all client facing
  • You get to travel constantly vs you never have to travel
  • Company size - you’re founding the company, <20 employees, <50 employees, a few hundred employees, 1,000 employees, many thousands of employees.
  • Industry - healthcare, banking, security product, government, agriculture, developer tools, …
  • Tech stack used - perhaps you have a particular cloud or programming language in mind, or want to ramp up in a new area (e.g. Kubernetes, infrastructure as code, Elixir or Rust), and you’d get to do that at this company.
  • You love your manager and/or team.
  • Your role within the company (e.g. Head of AppSec, senior individual contributor, director, …)
  • The mission of the company, the company’s values
  • You love or believe in the company’s product
  • Your ability to have an impact within your team or more broadly across the company
  • You believe this role or company will set you up nicely for your next role (more on this below).
  • You believe this role or company will help you develop significant expertise in an area you find interesting or important (e.g. client facing work, helping with sales, public speaking, some technical area like fuzzing, reverse engineering, web app pen testing, etc.).
  • You think there’s a strategic shift/revolution in society or technology and you want to join a company that’s pushing forward this new paradigm (e.g. cryptocurrencies, NFTs, or something that actually helps people).

Ultimately none of these are more or less “good” or “valuable” than the others. All that matters is what’s important to you.

Let’s say you’re saving up and wanting to buy a house, or you have significant student loan debt, or you have young kids, or you’re saving money to send your kids to college. Then focusing on compensation makes a lot of sense.

Say you have a sick relative, or young kids, or your partner is going to grad school and you need to help support them. Then a job with better work/life balance sounds great.

Take a few minutes to think about what’s most important to you.

Determining what you value is potentially the most important thing in your job search.

  1. Choose one or two highest priority, hard requirements.
  2. Choose a handful of other nice to haves.

It’s easy to be swayed by societal expectations or what your peers or family think. So you end up in some 100 hours per week job at a prestigious company earning a massive salary, but a few years later you realize you’ve dropped all of your hobbies, have no time to even spend your money, and ultimately your work helps rich companies or people get richer, and provides little overall societal value coughmanagementconsultingcough.

You have a very finite amount of time in this life. Do what matters to you.

What’s your “next next job”?

Once I decided to start seriously exploring opportunities outside of NCC Group, I asked a number of super smart, career oriented friends of mine how they navigated their careers.

One of the most valuable pieces of advice I received, from several people (thanks David Nichols and Noah Beddome!) is:

What’s your next, next job?

That is, what do you want your job to be two jobs from now?

Then, back track from there to determine what job you should pursue next in order to have the right experience, connections, title, etc. to get there.

I’ll describe what this looked like for me below, but let’s look at a few examples first.

Senior IC -> ??? -> CISO

Say two jobs from now you want to be a CISO, and currently you’re an individual contributor (IC).

Well, CISOs run many teams, so there’s no way you’re going to go from an IC to that directly.

A better path would be to start taking on some team management responsibilities in your current role, then either in that company or your next company become a Head of AppSec/CloudSec/whatever, and then perhaps hop to another company and become a CISO there.

For your next job, you could try becoming a Head of AppSec at a medium to late stage start-up, as going from IC to Head of Foo is probably unlikely at a large, established company.

Then from there, you can use your experience at a further-along company, and hopefully its brand name, to become CISO at a smaller, earlier stage company that might not yet have the reputation or money to attract an experienced CISO.

Why Leave NCC Group?

Choosing to leave NCC Group was an incredibly hard decision. I had many really good friends, my colleagues were brilliant, and the work was often challenging and interesting. And once you get to be a Technical Director, you have a fair amount of control over your schedule and general autonomy.

I was also incredibly fortunate to hold the position of Research Director of the San Francisco office, which involved mentoring, encouraging, and generally supporting my colleagues in scoping out research projects, completing them successfully, and sharing their work in blog posts, conference talks, tools, and white papers.

Seeing my colleagues beam with pride as they stood on a conference stage for the first time, presented their work, and then got positive feedback from the security community is one of the best things I’ve ever experienced. So amazing. There were a number of times like this I will always cherish, and still think back on sometimes and smile.

So why leave?

Compensation
Compensation is not one of my top job selection criteria, but I did feel a bit of pain around the opportunity cost of staying at NCC. Security consulting tends to run lean, as you’re billing person-days, which is inherently unscalable compared to, for example, a software product. The pain wasn’t bad, but I knew many of my former NCC colleagues were easily earning 30% or more elsewhere.

Bureaucracy
As with many large, international companies that have been around many years, there can be a fair amount of institutional inertia. Even with many smart, hard working, well-intentioned colleagues, starting new initiatives, or changing existing ones, can take a huge amount of work, consensus building, and time.

Growth
After ~4 years of consulting I was still learning things, but I found that my rate of learning went down. When you first start consulting, it’s like drinking from the firehose - you gain probably the equivalent of 2-3 years of experience every year. But I had gotten to the point where I still learned things on projects, but I largely had a feel for the flow of project work and delivering standard assessments, and I wasn’t feeling as often that I was being thrown into the deep end and would have to paddle frantically to not drown.

Impact
My colleagues and I at NCC got to test products used by millions to billions of users, hack new services or hardware before they were publicly released, and other important things. However, over time, I gradually became a bit jaded about the overall value of pen testing. Yes, it’s important to manually find bugs, but how much of a difference was I really making? I wasn’t fundamentally raising the security bar across the client’s company, just in one narrow service or product, and testing one thing at a time certainly wasn’t improving software security across the entire industry. I wanted to have a bigger, broader impact, and I didn’t think I could do it at NCC.

Pen testing does and always will have a role in improving a company’s security posture. But ask any experienced internal security professional, and they’ll say it’s just one piece of the overall pie, and in a mature org, almost definitely not the primary piece. It’s much higher leverage to focus on security engineering: building secure by default libraries, services, and infrastructure for developers to use. More on this below.

Focus on Research
As the San Francisco Research Director, I did have more flexibility and leeway to do research than most people at NCC. Still, the amount I was able to personally do, and the time I could spend mentoring and helping others, had fundamentally peaked. It was unlikely to grow beyond the (admittedly generous) level it was already at. But security research is one of my passions and primary career motivators, so I was on the lookout for a role where it could be a greater focus than it would ever be able to be at NCC, due to billability requirements (the consulting business model mentioned previously).

Note: despite all of these factors, NCC was still a great place to work and I was enjoying it. I could have stayed longer and been reasonably happy for a while, I think. I did receive several other offers while at NCC that I ended up turning down, because I didn’t think I would enjoy them as much, or learn as much, or that they’d be as helpful for my career goals.

It took finding a company that was an extremely unlikely combination of so many things I was looking for.

Post NCC Group Options

As a Technical Director at NCC Group, you have a lot of career options, as you’re working from a strong base:

  • You have deep technical expertise across a variety of programming languages and technologies, and you can rapidly ramp up in new ones.
  • You’re generally the go-to person for leading technically and logistically complex projects, so you’re an experienced technical team lead.
  • You’re comfortable handling ambiguous requirements and success criteria, and have significant client facing skills.

And as always, the security job market is hot.

Here are a few archetypes of jobs I was considering. There are many roles in between, but I think these are somewhat representative. I’ll try to list my perceived pros and cons of each role based on discussions with friends, but as I have never personally done many of these roles, I could be wrong. If you have feedback or nuance about any of these, please let me know!

FAANG company

I could be a senior IC or perhaps small team lead at a major tech company like Facebook, Apple, Amazon, Netflix, Google, or the like. 

Pros

  • Get to work with smart people on work that impacts millions to billions of users.
  • See how things work at scale / in the big leagues.
  • High compensation.
  • Brand name on your resume.

Cons

  • Bureaucracy - more organizational overhead and politicking in a big company.
  • Values - a number of these companies aren’t great re: privacy or their business model, and have had negative societal impacts (e.g. political polarization, genocides, promoting conspiracy theories and anti vaccine sentiment).
  • Little green field work - most big, important problem domains have probably already had a significant amount of work done. Your work may just be making niche, incremental improvements.
  • Little ability to make a big impact across the company or influence company direction. You’re one of thousands of employees on this massive barge built 10+ years ago heading in a pre-determined direction. Your ability to change its trajectory even a single degree is limited.

Head of AppSec, small company

Become a security team lead at a small company, say <200 employees.

Pros:

  • TODO

Cons:

  • TODO

Found a start-up

Pros:

  • The prestige and branding of being a founder (I’d argue, even if it’s not successful). Can potentially get you into certain high status circles.
  • You get to work on whatever you want to work on - you define what problem you want to solve.
  • You get to build the team you want to work with, and set the company culture.
  • Potentially massive economic upside if you’re successful.

Cons:

  • Potentially very long hours when first starting out, as you’re trying to build something from nothing.
  • Needing to raise money and deal with VCs.
  • You need to learn a bit of everything, and probably spend time doing things you might rather not (dealing with lawyers, thinking about IP, calculating run rate, finding office space and negotiating rates, …). 
  • The stress of knowing that your company is employing a number of people, and they’re economically relying on you. If you make a major bad decision or are a bad leader, your team may have to look for new jobs.

Join a start-up

Pros:

  • Don’t need to deal with VCs or build the team from scratch.
  • Get to do a bit of everything.
  • Lots of green field work to do - most problems that are already solved at bigger companies aren’t here, so you can get experience defining how something should work (e.g. vulnerability management), and seeing it through to completion. Potentially great resume booster for future roles.
  • Can have a massive impact on the success or failure of the company. Can have a big impact on company priorities and what is worked on (or not).
  • Potential high economic upside if the start-up does well.

Cons:

  • You don’t have the title of “co-founder.”
  • Have to do a bit of everything.
  • You’re making much less than a FAANG company, and if the start-up happens to do really well, you’re making a lot less than one of the co-founders. So average economic outcome is lower vs FAANG, and maximal economic outcome is less than co-founding.

What’s important to me

Why r2c

TODO

A chance to build the next Burp Suite / nmap / Metasploit - the defining tool in its niche.

Super brilliant founders and team.

Ability to have a massive impact on company outcome/trajectory/what we work on.

I might found a start-up in the future, this gives me insight into if I’d like that (or be good at it) without having to do it from scratch myself.

Static analysis is a niche I like.

Semgrep is the tool I wish I had as a security consultant. I think it fits a niche that no other tool does.

I think secure defaults are the future (not bug finding), and Semgrep is the right tool and r2c is the right company to make this future a reality. I believe that secure defaults are currently where DevOps/Agile were maybe 10-15 years ago - a crazy idea that some companies are doing, but many don’t believe in. Now more companies are gradually coming to believe in it, but it’s too hard or unclear how to make it real. The next phase, which I think r2c will be strategically well positioned to tackle, is to make it easy and to measurably raise the software security bar across the industry. I think we have a chance to finally change the OWASP Top 10 and start making dumb bugs like XSS/SQLi a thing of the past.

As a security product company, I can impact the security of hundreds to thousands of companies.

I’ll be able to build a team, mentor junior colleagues, and personally pursue as well as support very interesting, novel research projects that make a dent in the security industry.

Worst case, if things don’t pan out at all, I’ll still have helped build an awesome open source tool that I can continue using for the rest of my career.