This post was inspired by a LinkedIn question that I began to get really detailed on... then hit the character limit.
So this post is intended to fully flesh this thought out.
For context, I started my career in security consulting which lasted around 5-6 years in total. I moved from consulting into my first role where I was hired to build and lead a security program at Nuna, a big part of which was for work on a new Medicaid data warehouse. I've since moved on from Nuna, but this journey has been an incredibly positive and rewarding one for me.
What I enjoyed
- A whole new set of challenges, like having to work through internal politics, consider end-to-end ownership, and think about security in the context of the endless trade-offs that exist in the reality of running a business.
- Being in a seat of actual power and influence over security was really exciting to me. Consulting has a very ivory-tower sort of feel, and I thought it was even worse as a security vendor, where your problem always appears to be the most important one in the room.
- I feel that this experience coupled with consulting has given me an amazing perspective over the field. All of this rolled together has given me the confidence to believe that I can step into just about any situation where security is relevant and succeed.
What I didn't enjoy
- You lose the ability to jump around to a bunch of different projects, tech stacks, industries, etc. when you are locked in at one firm. This is either a positive or a negative, but that was one aspect of consulting that I thoroughly enjoyed, and I heavily attribute to it my being able to learn as much as I did in as short a time period as I was in those roles. It's like total immersion for security professionals.
- I personally didn't love the "worship at the feet of tech entrepreneurs" mindset that seemed to exist in many tech companies. At least in my experience it's felt like this thinking led to a sense of being misguided about technology solving all problems in the world and not taking into consideration many of the non-technical elements of a problem.
- I really missed the people I worked with while consulting. That experience won't fit everyone's experience by any means, but I left an incredible group of people at Cigital (now Synopsys), and I continue to keep in touch with many of them today because they are that awesome.
- Coming from the idealistic and somewhat abrasive security world shaped my thinking coming into these roles in a way that I had to constantly fight against. In security, we get to recommend absolute security or at least as close to it as possible, which is almost never a reality of budgets, time, priorities, etc. So finding it in myself to constantly strive for 80/20 wins and iterative improvement was a challenge.
- I struggled initially with coming up to speed with all of the management skills I needed to be successful. Learning this required a lot of trial and error, reading, and self-development. It's been incredibly rewarding and I don't regret any of it, but this is not something that my experience in consulting set me up for very well (outside of project management).
- Trying to figure out what the most important thing to do really was could be a challenge at times. My consulting experience created a bias around A being more important than B, but leading a program where you need to consider everything from legal agreements, to endpoint security, to appsec, to incident response is a constant hustle.