Security is a Team Sport

A call to action, with practical advice

What is one of the best parts of working in Security? Collaborating across companies is rarely zero sum! This post straddles the line between practical guide and call-to-action.

As a junior engineer, one of the core skills you learn is when to ask for help. It’s the 10/30 rule: spend at least 10 minutes trying to unstick yourself, but no more than 30 before asking for help.

As you get more senior, this extends beyond your coworkers. Starting a project where 30 minutes with an expert might de-risk weeks of work? Why would you do anything else?

I personally treat this as a part of the research process for any project. Where possible, it’s great to lean on my own knowledge, public resources, and my coworkers. But security teams tend to be small. It is easy to find a topic that no one in your organization has worked on before!

The basic idea is that:

  1. People want to be helpful

  2. If something is new and presents an interesting challenge, it can be interesting for your network to hear about

  3. The worst thing that someone can do is say no

When to reach out?

There are a variety of cases where it can be helpful to tap your network for expertise.

  1. New security topics and domains: for example, if you’re bootstrapping a Corporate Security team, or Securing AI features, or trying to understand how to roll out a Common Controls Framework in your compliance program.

  2. Reviewing Vendors: it’s very common in security to hear that products are purchased based on personal recommendations. The corollary is that you can tap your network when you are reviewing a specific vendor or looking for a product for a specific problem.

  3. Hiring, and being hired: back-channel references, when conducted respectfully, can offer enormous value in vetting candidates or potential companies.

What’s my network?

One stumbling block I’ve heard in response to this advice is “what if I don’t have a network?” or the more specific “what if I don’t have your network?”

This question is best addressed by re-framing the concept of “a network,” and the necessary proximity and relationship.

Here are people I’d feel comfortable reaching out to for 30 minutes of their time on a security topic:

  • Anyone I’m connected to on LinkedIn

  • Anyone in a security Slack I participate in

  • Anyone who has written a blog post or given a conference talk on the topic

  • Anyone on the security team at companies where I have a connection

    • This is particularly salient when working backwards from the logos on a vendor’s marketing material!

For more junior engineers

You should know that it is the job of your IC and management leaders to lend you their networks.

It’s true that the longer you’re in the industry, the more you’ll accumulate professional connections. If you have a burning topic that you want to poll peers about, ask your manager, security leadership, or nearest staff engineer for recommendations and warm introductions! If you’re already senior or a leader, consider tapping your company’s VCs as networking super-connectors.

The mandate you have when tackling an important task is to Get It Done. Take it from Meta’s CTO:

If the way to get it done is to ask for help, then that’s what you should do.

Andrew Bosworth

How to reach out

I have a few personal preferences on the general etiquette here:

  1. Do your research: I only ask for someone’s time after first looking for a good resource that answers my questions. “Here’s a blog post addressing that question” is always an amazing answer to get back!

  2. Anything that can be asked in public, should be: While these private discussions can be necessary and valuable, consider whether your question can instead be posed publicly to a security community (e.g. in a Slack channel), either in whole or in part. This makes the responses part of our collective knowledge and scales the impact of answers.

  3. Respect the “no”: people are generally happy to help, in my experience. That being said, people might be busy, or not feel able to help, and it’s really important to hear a polite no well. No one owes us their time; it’s a gift.

In practice

Here are some concrete examples of ways my network has helped me in the past ~year.

  1. Nextdoor’s David White shared the Nextdoor Cloud Security Posture Management Evaluation Matrix. When considering CSPM procurement, he was kind enough to give me 30m after I sent him the following message in the (public) Cloud Security Forum Slack:

Hey! Appreciate you sharing re:CSPM. I'm on InfraSec over at $company, and suspect we might have similar roles, opportunities, and challenges. Any interest in trying to grab a virtual coffee to talk shop?

  2. At one point, an engineering team I was working with was considering building a Terraform Automation platform on top of Temporal. I happen to know Brandon Sherman, a cloud security person over at Temporal, and was able to set up a round table with our respective engineering teams. Here was the opener:

Hey hey! Hope you've been well :blob-wave: My Platform org is seriously looking at moving to using Temporal (self-hosted) for TF orchestration. IIRC you mentioned you were dogfooding that approach, am I remembering right? If so, would you be willing to let us/them pick your brain/share any lessons learned? I'd love to take advantage of your experience and expertise 🫶

  3. When thinking through a Privacy Engineering function, I watched a bunch of PEPR talks. One of the talks about a “people first approach” resonated, and a LinkedIn DM referencing a shared connection resulted in an amazing brain dump addressing specific questions. Here’s the message I sent with a LinkedIn invite:

Hey Ryan! I was asking [shared connection] about [company]'s experience with [vendor] and he mentioned you'd be the person he'd recommend to chat with. Would appreciate picking your brain!

Give to get

Be generous with your time and knowledge! The blogs I’ve written and talks I’ve given have been a hugely positive force in developing my current network.

Take Leif’s advice in The InfoSec community needs you (yes, you)! He absolutely nails it:

Why does community involvement matter? It benefits the community

InfoSec teams end up solving a bunch of similar issues as their counterparts at other companies, often in silos. We all face a lot of the same problems, even if we are at very different businesses.

Try to make yourself available to folks that read your blog or attend your talk and share additional information if you have the time and energy. Even though some people in the InfoSec community can be guarded, I have found that many others are happy to share information in semi-private settings if you ask them about their work.

Sharing your own work inspires others to publish their work, which makes technology safer for everyone else.

Thank you to Sean Rice for the conversations inspiring this post!