- tl;dr sec
- Posts
- Jonathan Fisher - Staff Security Engineer at Praetorian
Jonathan Fisher - Staff Security Engineer at Praetorian
Jonathan Fisher
June 08, 2023
Table of Content
Staff Security Engineer:
Stories:
Anshuman Bhartiya - Principal Security Engineer at Thirty Madison
Devina Dhawan - Staff Engineering Program Manager at Shopify
Jonathan Fisher - Staff Security Engineer at Praetorian
Jonathan Fisher: LinkedIn
Tell us a little about your current role: where do you work, your title and generally the sort of work you and your team do.
I work as a Staff Security Engineer at Praetorian, which provides security services to Fortune 500 and other large companies. These services provide both offensive and defensive coverage for their business needs. My work typically falls into securing products and infrastructure, and I specialize in performing chip-to-cloud assessments (IoT). Our assessments typically last 2 to 4 weeks, and after the work is completed we deliver a detailed report and discuss recommended next steps.
Most of our customers are long time partners where we tailor our work to what would best serve their security goals. This allows our engineers the flexibility to dig down into areas that need more attention. Additionally, this allows us to grow our service lines that focus on niche subjects (smart contract security, microservices exploits, etc.). Each quarter, we set team goals and OKRs to improve our practice and grow our revenue. This keeps the job very fresh and exciting, it never feels like you see the same thing twice.
You got the title Staff engineer at Praetorian, where you’ve worked since graduating university. What was the process of getting promoted to Staff? (e.g. Did you have a staff project? Did you have to put together a promotion packet?)
I started working at Praetorian as a security engineer straight out of college. During the past 5 years, I was promoted 3 times (Security Engineer -> Senior Security Engineer -> Lead Security Engineer -> Staff Security Engineer). Praetorian believes in only promoting individuals once they are operating at the next role. There are defined rubrics across 5 categories (learning/mentorship, critical thinking, ownership, communication, and technical skills) that list the expectations for each role.
For each of my promotions, I worked with my manager to put together promotion packets which described how I met each category and included additional items that highlighted my work. For example in the learning/mentorship category, a Staff Security Engineer is expected to be the go-to person for one or more domain areas. In my case, this was the Internet of Things.
Other distinguishers we make between our roles are the sphere of concern, control, and influence. At the Security Engineer and Senior Security Engineer levels, the focus is on developing your own engineering skills. At the Lead level, the focus becomes on your team. Finally, the Staff+ level focuses on multiple teams and company initiatives. During my promotion packet for the Staff Security Engineer role, one of my highlighted items was speaking at a security conference about potential IoT security gaps within Cloud providers. This was backed by a company initiative to increase thought leadership.
It is hard to describe my promotion experience without my managers. Praetorian holds a loose up-or-out policy, so it is the manager’s role to make sure their engineers are making progress on their personal goals and increasing their skills. After each promotion, the expected timeframe to the next promotion increases, and the highest level within the engineer track is Principal Security Engineer. Each timeframe is unique to the individual, and the goal is to make sure no one becomes stagnant or loses interest. The biggest reason for each of my promotions was having managers who trusted and supported me.
What two or three factors were most important in you reaching Staff? How have the companies you joined, your location, or your education impacted your path?
Besides my managers, the two biggest things that contributed to reaching Staff were:
being present, and
taking on new opportunities.
When I first started at Praetorian, we were a small enough company to know everyone by name. Every morning, I would make a point to make my rounds and say hello to everyone before work. Although this seems superficial, it quickly allowed my presence to be known across the entire company. During company meetings, I would also ask questions whenever I got the chance. It humorously led to the CEO looking at me and asking if I had any questions whenever there was awkward silence. It also gave me a huge number of opportunities, because managers would start saying, “That’s something that Jonathan could do”.
There are now significant challenges remaining present in the current remote-first environment. However, I still make efforts by interacting daily with company channels in Slack and joining weekly virtual events with my peers. It also goes a long way to send DMs to various individuals throughout the week to check up on how people are doing.
After building my presence, I remember my first new opportunity I received was recruiting. This started as an invitation to represent the company at career fairs. After a few months, I was then trusted to give interviews with candidates. Within a given week, I would do 1-2 interview stations with candidates and then be a part of the roundtable discussions that decided whether to extend an offer. Each person we hired increased my influence and credibility.
Another huge opportunity I received was leading the IoT security training in our Austin office. I had begun to specialize my work in our IoT service line, and the company was planning on doubling our revenue for IoT assessments. We were quickly in need of more security training, and my name was the first to be selected. The office had its own workbench with various hardware hacking tools, and I became the go-to person for hands-on training with new security engineers. This was the first step to becoming a force-multiplier in the company.
After each new opportunity, I was recognized and given more responsibilities. After being with Praetorian for so long, I had established an image of being personable, available, and reliable. Making the step from a Lead to Staff at Praetorian is not through technical engineering skills, but through influence on both peers and leadership.
You’re a Staff Engineer in a consulting team. Can you talk a little bit about the shape of that role versus Staff Security Engineers working in-house? In what ways is the skillset transferable, and in what ways is it tied to the consulting model?
I would say that typical consulting work runs much faster than in-house work. We have 2-3 weeks to fully understand a customer’s product and infrastructure and find its most critical vulnerabilities at the same time. That means that every 2-3 weeks we see a new tech stack, new code bases, and new technologies that we immediately need to become the “security experts”.
However, I would also say that the Staff Engineer role for consulting would look similar to the in-house Staff Tech Lead or Staff Architect archetype. During consulting work, the Staff Security Engineer operates as a Tech Lead and guides the direction of a given project. Outside billable work, the Staff Security Engineers operate as an Architect and are responsible for supporting all Security Engineers and spearheading company initiatives. We also focus on increasing efficiency within projects, improving the quality of our tools, and even building new practices.
The largest skill difference I would place between consulting and in-house for the Staff security engineer role is the level of depth you need on a particular subject. For consulting, it is more important to be adaptable than to remember every technology that you have learned. This allows Praetorian’s Staff security engineers to find new vulnerabilities in technologies that haven’t ever been used before. However, I would expect the in-house Staff security engineer to have deep knowledge of their security technologies and the current state of their products.
Where do you feel most impactful as a Staff-plus Engineer? A specific story would be grand.
One of the biggest impacts as a Staff+ Engineer is the amount of times we get to help other security engineers on their projects. Every day we have virtual Staff office hours where anyone can join to ask questions or troubleshoot blockers they are having. Most of the questions lead into either exploring a potentially high-risk vulnerability or discussing the right attack methodology to use for a given platform. This provides a company-wide lifeline and ensures the quality of Praetorian’s work.
What are some resources (books, blogs, people, etc) you’ve learned from? Who are your role models in the field?
During my time at Praetorian, the majority of my learning came from other coworkers who taught and trained me to be who I am today. They are also my role models:
What about advice for someone who has just started as a Staff-plus engineer?
Every time I was promoted, I experienced this feeling of being inadequate again, as if I was way out of my league. My advice to someone who has just started as a Staff+ Engineer would be that every Staff+ Engineer brings something different to the table, so it’s best not to compare yourself to others. Begin by focusing on how you can make the biggest impact in your control and then increase your area of influence.
Do you spend time advocating for technology, practice, process or architectural change? Can you share a story of influencing your organization?
As a Staff Security Engineer, a large part of my time is advocating for new process changes and increasing our efficiency. One of the initiatives that I help lead is aggregating information and making it easily accessible to other engineers. I discovered that the internal engineer wiki was being underutilized, so I started a weekly meeting called “Quality of Life Improvements.”
In this meeting, we would share tools or processes that made it easier for us to do our job. Each topic was pre-scheduled, and after each meeting I created an index of who spoke about which topic and linked it back to the recorded video. For each topic that wasn’t in our internal wiki, I created a new page for that topic and encouraged the speakers to share their information on the page. This increased our usage of the internal wiki space and allowed engineers to quickly discover new tools and processes.