Failing Upwards (or not) (Pt1)

One of the phrases my early boss in pentesting taught me and adopted was failing upwards in a career. He used this phrase often to describe himself and others in managerial positions, getting to the point where you eventually have to pick your tools. This leads to hard decisions between hanging up part of your subject matter expertise and focusing on managing and leading teams or do you continue down the route of honing your skills.

The cliche phrasing around a good manager vs. a good leader has never stuck with me, but the sentiment of looking at leading and helping your team excel in every way you can is something I have learned from having good bosses and managers in the past. Like many, I have had a handful of bad bosses who took it upon themselves to make my life uncomfortable or my day-to-day worse, this stems I think, from a control issue in themselves and a lack of trust in their direct reports, which led to micromanagement, bullying, and other toxic behaviours. Being able to tell the difference and learn from both to better yourself is equally important.

For context to you, the reader, I have been working in penetration testing professionally since around 2011. I started working in offensive security as an intern focused on learning the ropes in penetration testing; I then moved to a junior penetration tester position with a short stint in-between in technology and information risk at a bank, the stark contrast between working in a bank vs. consultancy was apparent in my first few interactions within pentesting.

Storytime

I have told this story many times about how I got started; if you have watched my talks or spoken to me in person, I will probably tell you this. I began pen-testing on my first day working for SecureWorks; I was given two laptops, a Nessus license, a burp license, and the task of building me a 'go to war' laptop, which SecureWorks called their pentester laptops.  

Luckily, before this job, I had spent years working at a computer shop building and breaking systems, so I had extensive experience building laptops and installing stuff, configuring things in a manner that was usable and expandable; it was, however, the first time I had given the independence to go build my own laptop for a work setting.

Once my laptop was built, I was in the office the next day and got a call from my colleague asking what I knew about VPNs. If I'd ever done a VPN assessment(oh, and if I could get on a plane the next week and go to Norway to do one!), the answer to all those questions was I didn't know much about them. Still, I would go away and learn; I'd never done one, nor had I been to Norway, so it was a fun experience and pretty representative of winging it. It was my first month in the job, and I was off to a client site in a different country.  

I learned from my second week on the job that thinking on your feet, learning new technologies, and solving problems was where I wanted to be in that moment. I learned many things from that particular engagement and client many years on. The skills we learn from difficult situations shape a lot of what we end up doing day to day. The art of thinking and solving simultaneously is a crucial skill I have built up over many years.  

Fast forward a year, and the pentest team at SWX were all set to leave and join another company; we all left and joined the same firm. I followed a manager whom I learned a lot from and saw as a leader. He taught me a lot about getting the job done and how to help others pay it forward. From the initial team at SWX, we built a team in Scotland; what started as just him and I quickly grew into a ten-strong team.  

Teaching Left and Right to avoid a kick in the face

Outside of security, while I was learning the basics and building upon them, I was honing other crafts; martial arts are very prevalent among security professionals as an escape to exercise creativity and physical excursion.

Teaching karate to kids aged 6-11 was an interesting experience, particularly in developing effective teaching methods and learning the importance of leading by example. A significant part of this teaching role involved helping these young learners distinguish their left from right. This might seem trivial, but in martial arts, it's crucial for safety – ensuring they put the correct leg forward can be the difference between a successful move and an accidental kick, something I've experienced firsthand! This experience has enhanced my teaching skills and provided valuable insights into leadership and communication.

So, what has this got to do with security?

Don't Try to Sprint Before You Can Crawl.

Taking my early boss as a great example here, he taught me many great things, including not trying to speedrun into management. Back in 2016, there was an opportunity to take over a team and build it out even further; his words to me back then were you are going to do great things, but this is not what you want right now, do not hang your tools up, go forth and hone that creativity.

I am glad I took his advice, continued honing my craft, and building my expertise on several subject matters. As I learned a lot of different paths in pentesting with a primary focus on web apps, I moved into learning infrastructure and leveraging both skill sets, which you will see in my historical blog posts.  

I built out a personal brand and learnt about the go giver, so I focused my efforts on passing on as much as possible; my learning style is to teach so you can learn better, which has helped me a ton.  

You can lead a horse to water but can't force it to drink; sometimes, you just need to waterboard that horse to make it understand. I'm suggesting that aggressively pursuing leadership or management roles, especially against advice, can lead to a 'trial by fire' situation. This means facing unexpected challenges and intense pressure without adequate preparation or experience.

To Be Continued.

Originally, I wrote this as one post, but as I have lots to say, I have split it into two parts on my experience, lessons learnt and insights into building leadership and management traits.

• Part 1 (This post)
• Part 2

If you're interested in more of my pics they're available on https://zephrsnaps.picfair.com/ and https://photos.zsec.uk