Devina Dhawan - Staff Engineering Program Manager at Shopify
Devina Dhawan aka TheUlzo / CloudPrincess: personal site, LinkedIn
What does Staff Engineering mean to you?
This took me a long time to figure out. It’s scope of impact. You are rocking on technical projects that touch the entire company. You are a subject matter expert across multiple industries.
Tell us a little about your current role: where do you work, your title and generally the sort of work you and your team do.
My current role, as Staff Engineering Program Manager at Shopify, is very unique and provides me with a large array of project options.
I am on the Zero Trust Security team and work on internal security programs. Work-wise, I am able to work on three projects simultaneously: one big lift and two small-medium programs with a shorter deadline. The priority of these projects can change week-to-week. Projects can be extremely technical, like implementing new security technologies for the team. They can also be focused on security strategy, architecting workstreams to bring a project to life. Some examples of projects are: improving our device security posture, beta testing GitHub Personal Access Token v2, and implementing non-MacOS security strengthening projects.
How do you spend your time day-to-day?
Two months into my current role, my week breaks down into:
30% - Personal Connection: nourishing my network and making sure stakeholders are aware of important projects. Building personal connections that will allow me to gain context quickly and make sure everyone is looped into decisions
20% - Security Program and Design: discussions that require us to pair on solutions, cycle planning, and decision making
30% - Program Implementation: working on those 3 projects depending on priority (focus time)
20% - Learning: refreshing my memory, learning new things, and gaining context through reading/podcasts/videos. We have all forms of documentation, for all types of learners
You first got a Staff title as a Security Architect at Hulu. What was the process of getting promoted to Staff? (e.g. Did you have a staff project? Did you have to put together a promotion packet?)
I was promoted to Security Architect at Hulu. This was followed up by a Staff Cloud Security Engineer title in my subsequent job.
During my time at Hulu, I was spending my time trying to grow as a technical leader through mentorship from my manager.
I believe there were two classes of work that helped in my promotion to Security Architect. The first was my performance on projects and competencies within my role:
I architected and implemented one of the biggest projects on the security team - secrets management. I led a team that worked across 25 partner teams to coordinate this project to production and full company adoption.
I came in as an expert in Google Cloud Platform, and became an expert in Amazon Web Services and networking.
I created a metrics and reporting arm of security that allowed us to communicate our effectiveness to the Senior Leadership Team (SLT).
The second was based on non-technical leadership, and organizational impact:
I spoke at conferences externally and gave internal trainings, in addition to producing an incredible amount of documentation.
I mentored four colleagues, within and outside my team.
I helped improve the relationship between security and engineering. It took significant work to overcome historic tension, and create a culture of communication, respect, and empathy.
I worked hard on my professional development. I traveled every other month to HQ as one of the only remote employees, which was tough for me, and hard to leave my family. I also built a great rapport with my managers, and took on big projects.
Some of Devina’s Public Work
How have the companies you joined, your location, or your education impacted your path?
For me, it was important to choose companies that aligned with my goals and values:
Size: before my current role, I focused on working at companies under 2000 people, where small teams helped me become a very well rounded security engineer.
Company product and brand: My goal with security is to keep users and customers safe. I am more inspired in my role when I myself use the tools our companies create.
Technical opportunities: do folks who work there grow in their careers through technical projects? Is there a clear path for senior independent contributors?
Support for external work: am I able to continue to speak at conferences, teach, and grow engineers?
Location and compensation: I’m based in Chicago and have been working remotely for the past six years. There aren’t too many options in security at the Staff+ level locally, making remote a game changer. I also negotiate hard, and often.
DE&I: Unfortunately, I’ve frequently been the only female on my team at most places. That’s been one of my biggest bars to entry and very difficult. At this point, I won’t even interview with a company if it doesn’t have a strong DE&I program.
Where do you feel most impactful as a Staff-plus Engineer? A specific story would be grand.
I care most about my impact as a mentor for other women and queer folks. I find when people talk to me, they feel like they can become an engineer too. There’s no better feeling than empowering someone with code.
I also feel it’s impactful across the industry to share good security practices. I regularly speak at meetups and conferences, and consider that a huge part of being a Staff+ engineer.
Can you think of anything you’ve done as a Staff-plus engineer that you weren’t able to or wouldn’t have done before reaching that title?
I now work on things that change how 14.5k people do their job - daily. Reaching Staff has allowed me to have impact on every single individual at a company. I make improvements that impact and scale our posture today, and for the decade to come.
Did you ever consider engineering management, and if so how did you decide to pursue the staff engineer path?
I was pushed into this by my prior manager and mentor. I have thought about this for many years and talked to at least 15 people about it.
My non-profit, Devi-Labs, allows me to do management, leadership, and develop business acumen. This allows me to grow as a manager, while I continue as an engineer at my day-job. Remaining an engineer allows for growth that the stress and legal risk of management may prohibit.
In the event I continue forward with security, I can see myself growing to become a Chief Information Security Officer. That role requires a great appreciation for incident response, engineering, and GRC (Governance Risk & Compliance) to be successful, and my management experience at Devi-Labs will be crucial.
How have you sponsored other engineers? Is sponsoring other engineers an important aspect of your role? We’d love to hear a story.
Sponsoring engineers and non-engineers is the most important part of my role. If you can empower folks to learn critical pieces, you make them even more effective members of any organization. This will allow you to 10x your impact, and do it quickly.
I have taught Girls Who Code for 7 years. Teaching girls from 12-18: Python, JavaScript/CSS, Cyber Security, and Hardware Hacking.
At Devi-Labs, I teach women & gnc above 30: Python, JavaScript/CSS, and Financial Literacy.
What about advice for someone who has just started as a Staff-plus engineer?
It’s going to take a little getting used to. At first, making difficult decisions that impact your entire company is scary, intimidating, and can leave you frozen in fear. To be honest, I’m still working through this myself, and I’m learning to be less stunned by big changes.
One way to counter this is to make a list of challenges that scare you and cross them off after you’re done with them.
It’s also helpful to consider projects through the lens of workstreams. This will allow you to parallelize effort and will allow junior engineers to pick up smaller tasks as needed.
Don’t forget to ask for help. Tell your manager when you feel overwhelmed and uncomfortable. If they are anything less than kind and empathetic, leave.