Tips for an Information Security Analyst/Pentester Career - Ep. 92: 5 Unexpected Tips for A Successful Career Growth
I've been a security consultant for almost 5 years, so I collected my share of war stories.
For this reason, I thought I could share with you some experience-driven tips I believe to be critical for achieving success in this industry, and that helped me a lot along the way.
I think some of them will blow your mind, but it's a needed shock to be successful in this industry, and the sooner you go through it the better.
Well, here we go:
- Always be professional: Most people think penetration testing is all about technical skills, but nothing could be further from the truth. Especially if you work for a consulting firm, projecting a professional image at all times is paramount. The client expects you to be a subject matter expert and to be able to explain in layman's terms what problems you found, what their impact is and especially how to remediate them. Even when you're not 100% sure about something, you can't let the client know. They pay for a subject matter expert and expect no less than that. If you don't have the answer to a question, act confident and inform the client you'll get back to it later; stay calm and don't freak out. You'll figure out the answer, either googling or with the help of your team, but don't let your insecurity be too apparent. This means you need to be professional at all times. As far as the client is concerned, you are your company, so you want to look your best. Even when clients are mean and rude, you can never get down to their level; you're expected to keep your cool and continue delivering. This can sometimes be very hard. I've experienced specific situations where I really struggled to keep my cool, as I had to deal with very rude and combative clients, yet I did because I knew I'd be the only one looking bad otherwise. At the end of the day, penetration testing is all about a business mindset and professional communication. Yes, you heard it right, sorry to break it to you. Even the most amazing tester from a technical standpoint becomes worthless if they can't explain their findings to the clients in terms the clients would understand, and if they don't know how to communicate with clients in a professional and personable way. So make sure you get your "your", "you're" and so on right. And forget about CTFs and frat house attitudes. Corporate security is much more a tie-and-suit affair than one might think.
The most challenging part of being a consultant is to avoid an adversarial attitude and convince the client you're on their team, you're on their side and you're not the enemy. I believe each one of us can do better from this point of view.
- Be a team player: Security companies are often organized in teams and sometimes, for more complex tests, you may find yourself having to collaborate with other consultants involved with different portions of the engagement. Be fair to your team members, offer them help and don't take things personally. Even when some team members mess up, don't quickly throw them under the bus; communicate with them, as maybe they're having issues with something you don't know about. On the other hand, don't be a rug; demand respect. As for project managers, tell them what your priorities are and what you need from them and from the client. They might not be as technically sound as you are, so advise them when a deeper technical perspective is demanded. If you have issues slowing down your work or hindering your testing, let PMs know as soon as possible.
- Don't be afraid to get out of your comfort zone: Since I started out with Optiv, I clearly stated I was interested in any training they could give me. As a result, I conducted spear phishing and vishing engagements, and will have further chances to branch out with other types of engagements in the future. If you're afraid of taking chances, you'll never grow as a hacker and as a consultant. Plus, you're not gonna get what you want if you're not willing to take on stuff other people don't want to do.
- Deliver, deliver, deliver. Be an asset, not an issue: I don't talk a lot about what I do, I let facts do that for me. If people in your company just have to talk about you, make sure it'll be about what a good job you do and not because you messed up and created problems with clients. You'd rather not stand out at all than stand out for the wrong reasons.
- Self-promotion without showing off, give credit and take credit (you don't wanna be invisible): This point might seem to contradict the previous one, but it's strictly connected to it. Even if you do outstanding work, this is pretty much useless if no one (and especially your boss) knows about it. Especially when you work remotely (as I do), keeping in touch with your team can be hard, but you need to make sure you let them know when you do good work. The challenge you might face is to keep a balance between self-promotion and being a show-off. One "trick" is to purposefully, but seemingly randomly, let slip a hint about something I've done right every now and then in a conversation, without public announcements to the whole team. I mean, nothing wrong if you get a shoutout, but it must come from someone other than yourself. Every time I chat with my boss and I have updates on my projects, I take advantage of the conversation to keep him posted on what I'm doing. I'm quite sure he keeps tabs on what I do, but reinforcing and reminding remains a good marketing technique. Within a remote workforce situation like today's, the last thing you want is to be invisible. However, carefully avoid being a show-off, too. Give credit to coworkers when they help you with a problem or do a good job along with you on a project. Don't take other people's credit and set the record straight when someone wrongly gives you sole credit for a good outcome. Celebrate team members' successes and don't be envious. The better they do, the better you do. If you didn't quite learn this lesson, you're gonna have to learn it the hard way pretty soon.
Wrap Up
Being a consultant is not for everyone and surely not for the faint of heart.
The good outcome of a project depends on a series of factors but ultimately on the consultant's relationship with the client.
If a consultant can be professional but at the same time personable and can deliver on promises, he/she will be on the customer's good side and will earn respect.
When you promise to get back to the client about something by a certain deadline, make sure you do so. If you encounter unexpected problems that delay you, inform the client about them in advance and tell them you're going to update them ASAP when such problems are solved. Don't let clients feel abandoned to their own devices, wondering where you ended up. The last thing a consultant should want is to upset clients.
Issues and inconveniences happen, but I personally always own them and do my best to smooth them over before they become a bigger deal than they should.
Own them, tell the client you're gonna look into that and will get back to them as soon as it's solved, and don't forget to provide an ETA for it.
Sometimes a quick Zoom or Teams call solves issues much faster and avoids dangerous miscommunications and misunderstandings.
Though a successful career as a consultant depends on multiple factors, I do believe the above concepts are paramount for faster and smoother professional growth.
I hope they can help.