The French philosopher, Rene Descartes, noted: “To know what people really think, pay attention to what they do, rather than what they say.” Over the course of my career, I have found this quote to be quite accurate and poignant. What people say can be both distracting and tempting at the same time. Yet, it is through their actions that people show who they really are.
I’d like to do something a bit different in this piece. Rather than discuss a security topic or lessons we can learn from the analog world, I’d like to offer a bit of career advice to those who may be early in their career journeys in the security field. Bottom line up front: Focus on doing rather than talking. In the long-term, it pays huge dividends, even though it might feel like you are missing out in the short-term.
What do I mean by this? Here are some examples from both life in general and from the security field that will hopefully illustrate my point:
Staying in shape: There are some people who focus intensely on having a fitness routine, certain fitness equipment, a certain gym, and/or a certain wardrobe. Many of those same people spend a lot of time talking about those things as well. Yet, in my experience, who are the people who are usually in the best shape and the healthiest? Those who put on an old t-shirt they got at a conference 15 years ago, a simple pair of shorts, lace up their unremarkable shoes, and just get about moving. They don’t draw the attention of those who might be inclined to comment on a certain routine, new equipment, a flashy gym, or specific clothing, of course. But the people who stay in shape are results driven, not attention driven.
Keeping weight off: Some people spend an awful lot of time talking about their diet or what types of foods they will and will not consume. Often, these same people receive quite a bit of attention for their dialogue. Yet those who speak of their diet little and quietly watch what they eat over the long-term are usually the ones who are the most successful at keeping weight off. Keeping weight off, particularly as we age, requires putting our heads down and watching what we eat day after day – for our entire lives. If this is something we want to do, there are no shortcuts, unfortunately, and yes, it requires discipline.
Writing: Writing of any kind, whether articles, documentation, white papers, technical methods, or otherwise takes discipline. There are many people in the security field who diligently go about and complete the writing that they need to do. There is no secret method – it simply takes hard work, discipline, and diligence. On the other hand, I seldom see finished writing from those who spend a whole bunch of time talking about how they are “just about to get to that”, or that they “just need to find time to get that done.” Those people will often create more than a few conversations about their upcoming deadlines, but they usually don’t meet those deadlines.
Keeping up: Most of the top security professionals I know keep demanding schedules. Yet somehow, they are able to keep up. They do so by prioritizing, managing time well, and working efficiently. This means knowing what to ignore as much as what to pay attention to, not getting distracted by the seemingly endless supply of shiny objects in the security field, staying focused, and following through – over delivering on their promises. You know who, in my experience, struggles to keep up? The very people who seem to spend most of their time talking about how busy they are. Keeping up with a busy schedule requires doing, not talking about what you have to do.
Being prepared: Preparation most often happens behind the scenes and, yes, it is something that most people don’t see us doing. Yet, when someone is prepared, their hard work is obvious and implicit. Similarly, when someone is wholly unprepared, their lack of hard work is obvious and implicit. Again, not surprisingly, the people I’ve worked with who are most prepared for just about anything that gets thrown their way are usually the ones who quietly prepare behind the scenes without a lot of pomp and circumstance around their preparations.
Developing content: Most people don’t see value in or enjoy sitting through a meeting, presentation, or talk where the same content they’ve seen many times before is regurgitated. Indeed, it requires an investment in time and energy to develop new content, but when done well, it shows. Audiences that get new content are generally far more happy and positive than those that do not. As you might have guessed, developing new, relevant, and interesting content for audiences requires work. On the other hand, merely talking about needing new content rarely produces the needed results.
People make time for the things that are important to them. If some or all of the above points are important to someone, they will make time for them and do them rather than spend their time talking about needing to do them. In my experience, the most productive security professionals don’t spend a lot of time telling people how busy they are or tooting their own horn. They simply get about doing what needs to be done.
It is true that in the short-term, some people may be lured and seduced by attractive distractions, big words, and extravagant promises. In the long-term, however, I’ve found that most people aren’t dumb – they get it – if they observe you repeatedly performing well over time and delivering on your promises, you will quickly become one of their favorites and earn their respect. The best career advice I can probably give you is to play the long game – resist the temptation to talk excessively about what needs doing and instead focus on simply doing what needs to be done.
Related: Spotting the Charlatans: Red Flags for Enterprise Security Teams
Related: Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing
Related: Should Cybersecurity Leadership Finally be Professionalized?
