Social Skills For Information Security Professionals: A Handbook For Those Who Strive To Lead And Manage Effectively

Table of contents

On my motives for this book
  How and why - I believe - my story can make your life easier
  How and why - I believe - my story can make you avoid personal and professional suffering
  How to squeeze maximum value out of invested time in reading this book

Align strategy with business stakeholders first
  Who's actually responsible for investments in security?
  It all goes top to bottom, the culture and tone set by execs is a real thing
  Set common goals with management and executives
  Settle down on authority at the earliest

Build credibility and learn the language of business
  Stay away from spreading confusion and FUD
  "Make it till you make it" is a much better strategy than "Fake it till you make it"
  Everyone is a target these days, but are they truly aware of it?

Agile implementation of security into a corporate culture
  Start small
  Start early

Outline SDLC/NDLC improvements
  Security should be perceived as any other cost of running a business
  Hold them accountable to high standards, but keep your expectations low
  Build a Secure SDLC
  Show up, adapt and deliver results

Make security simple
  Simplify it for them
  Everything is just a tool and the mission is the only thing that matters on the macro level
  Encourage and teach instead of demanding and judging
  Extensively explain security requirements and identified issues
  No matter what your specialization is, we all share the same goal - improving the defense

Do the work behind the scenes and don't be a workflow bottleneck
  InfoSec as an enabler
  Listen and execute behind the scenes
  Embrace DevSecOps
  Become a member of each department
  Delegate instead of trying to fix everything yourself

Internal security training and awareness awards
  Conduct recurring security training
  Popularize internal Bug Bounties and awareness recognitions

Security Is An Art Of Tradeoffs So Learn How To Manage The Risks
  Be practical
  Allow cutting corners when necessary

Learn how to run productive security meetings
  Create a friendly atmosphere during your meetings and spend most time listening

Leave Your Ego At The Door And Study Empathetic Leadership
  Make it all about them by making it personal
  Never play the shame or blame game
  Don't forget about non-techies

Leadership values and Emotional Intelligence
  Be a leader you wished you had and remember that we're all just humans.
  The long-term efficiency requires you to do things the right way
  It's easy to destroy relationships and hard to rebuild them
  No place for ego in the effective management and when less is more
  Listening is a skill which requires constant training
  Memory exists so we don't repeat the same mistakes again, not so we romanticize the painful experiences and live in the past
  Appreciate feedback every single time you get some
  Make them safe and make them feel the comfort of that safety
  On toxic and productive criticism
  Watch your language and respect your peers
  Blaming, shaming, pointing fingers doesn't help anybody. Never, nowhere.

Growing thick skin in InfoSec
  Dealing with negativity and destruction is a part of nature
  On the truly negative
  Sometimes the best way to win is to quit
  Don't shy away from showing off your success

After all, it's all about protecting the money-making machine
  Make each action purposeful and data-driven
  Adapt, adjust and execute
  Securing the money-making machine is the prime objective
  Business context matters. A lot.

Effectiveness, High Productivity and Fulfillment in the InfoSec - The Game That Never Ends
  Don't make it hard for people to get involved
  Stay humble, no matter what
  Value their time over yours

Create a culture of appreciation
  Don't take good results for granted
  Avoid myopic decisions to save your reputation
  Don't let the stress and short-sightedness slow your company down
  Become a lifelong learner
  Go the extra mile
  The game that never ends
  Be selfish
  Now it's all up to you…

Dawid Bałut bio

To Damian Bałut, my closest friend who’s been there for me when I had my highs and lows.
A single human being thanks to whom I’ve survived through it all.
Love you Brother, you’re the best.

On my motives for this book

How and why - I believe - my story can make your life easier

It's been roughly 11 years since I started working commercially in IT, 7 of which were profoundly dedicated to InfoSec, a field in which I truly believe there is a lot yet to be done and that each individual can make a difference through their contributions. Similarly to the careers of so many of us, I've made plenty of mistakes that put my career at risk, significantly slowed down my growth, significantly lowered my income, and negatively impacted my health and personal life. Although making mistakes should be an expected part of any worthwhile career, I had certainly not expected that along the way I'd taste so many different flavors of life.
I've had my ups and downs, but I always tried to ensure that whoever was involved came out with something beneficial to them. Despite having good intentions in my heart, I was not always successful in demonstrating that well. To me, everything I've been doing was always about bringing value to others and being the most productive person in the room, long before I realized that I had been doing it all wrong and that my hunger for success was my biggest obstacle. But as the saying goes, "the obstacle is the way", which is why I'm grateful for all of it, and I really want to share my experiences with others, so they can save themselves some trouble and get smarter faster than I did. I wish I'd had a resource that would guide me through at least the basics of human interactions and effectiveness in the business world. So here it comes. A book that I wish someone else had given me 11 years ago.

I want to be really upfront and transparent with you. Although the companies I've worked for were very satisfied with the outcome of my work, to me it came at the cost of my professional and personal relationships. Without any doubt, I can say that because of my stubbornness and improperly directed hunger, I've wasted a ton of my potential as well as burnt some potential in others. And that feeling sucks. Realizing that while chasing greatness I had a negative impact on the quality of life of a few people around me, as well as looking at my own life and noticing how much health and energy I wasted - it just sucks. But it sucks in a different way than most things in life suck. It's not about discomfort this time, but about actual pain, because while I got compensated quite well for my around-the-clock grind, I forgot about the most important currency we have access to in our lives - time and health. If you've got good health and you've got time, you have all the resources necessary to make something great happen. Assuming, obviously, that you're resourceful and can actually understand the value of these two powerful things. That's what I want to be the leading point of this book, i.e. how to achieve your goals quickly, yet without compromising the quality of your life and others'. I respect your time, which is why I wanted to keep this book as concise as possible, cutting out the fluff each time I noticed any. If this book takes you 2 hours to read, and it saves you as little as 1 day of your life - I'm all set. My mission is accomplished and I'll feel good about it, because there is no bigger mission than saving lives. This is one of the reasons I'm publishing this book for free. I'm making a fair amount of money selling my time to corporations, and I want these lessons to reach as many people as possible and help them preserve their time and health. I can make money by other means, but the opportunity to help people improve their health and relationships is so rare, and so huge, that I couldn't let myself agree to commercial publishing. I've been sharing my knowledge for the past 5 years all over the Internet, at conferences and meetups; and those few voices generous enough to tell me that I've helped them improve their lives are the biggest reward one can get for their work. That's what I hope this book will do for you - help you achieve your goals at lower costs for all involved stakeholders in all facets of life. I don't want to monetize this book. I want you to learn from it, and then monetize the newly acquired knowledge by improving as a professional and getting compensated well for your effort.
You don't owe me anything and I don't expect anything from you. You've already given me more than I'm audacious enough to ask for - your time and attention. Thank you for that, and if you still want to do something for me, then please share your experience and knowledge with others. Help your peers, show them your perspective and help them grow by exposing them to various points of view. Pass your knowledge on to others, so they have it easier than you had. Help them avoid the mistakes you've made, so that they can save their time and use it to build something bigger or experience other things life has to offer. Standing on the shoulders of giants. That's what it all is.

I also must admit that this book most likely wouldn't have happened if it wasn't for a great infosec community I found in 2016. Over 2 years ago I found a website called Peerlyst, which turned out to be a startup with a mission to create the best collaboration and knowledge transfer platform for security professionals. I found it because one of the users posted there a link to an article on my blog, and I noticed many visits from one source. Curious to see what it was all about, I visited peerlyst.com and found overwhelmingly positive feedback about my content. Finally, I had found a place that felt like a sort of home I never really had. A place where even if people don't agree with you, they don't make you feel like a piece of crap but provide friendly insights which you can then use to learn and grow.
Fast forward a couple of months, Peerlyst created an initiative to write a crowdsourced book, "Essentials of Cybersecurity: How to get the basics right", where I volunteered to write a chapter about something I'm deeply passionate about, as it connects a few deep interests of mine, i.e. business, infosec, psychology, and sociology. My chapter, called "Building a corporate security culture", was such an exciting subject to me that I wrote over 10 pages despite being asked to provide only 2-3. I wasn't really surprised when I heard that most of my content didn't fit in, because there had to be room for the chapters of other great individuals. As I couldn't let something I strongly believed in go to waste, I decided to publish on Peerlyst the subchapters that didn't make it into the ebook. It turned out once again that the community appreciated my contribution, and my posts sparked a huge discussion on the soft side of our jobs and allowed me to learn a ton from the experience of other professionals coming from very diverse backgrounds. After so many great discussions, after seeing people open up about their personal lives, about the relationship issues they're facing because of stress at work, about the health issues generated by their anxiety, I felt obliged to create a resource which could help others at least a little bit. I know how it feels when life just ain't right and you start to lose hope. I got to know people who were in the same spot as me, and it would be cruel of me not to share the tips that have helped me regain my sanity and achieve some level of professional and personal success, i.e. happiness.
Happiness is a never-ending chase, but it's still something if you at least hate your life a little less. That's the reason why I spent the next 2 years writing this piece of art and assembling only the advice I truly believe to be universal, practical and helpful for the community.

Deep inside I believe that running into Peerlyst was one of the best things that happened to me. I haven't made any money out of it, I haven't sold anyone anything, and I never intend to monetize them, because I appreciate way too much what they have already given me in return. I earned an unbelievable feeling of connection with the community of people I've been searching for my entire life. Being a part of something bigger, learning from the greatest and having an opportunity to exchange feedback is something that can't be compensated with any money.

I'm simply grateful, because the mission to help others live better lives is something extraordinary that Peerlyst is allowing me to do.

How and why - I believe - my story can make you avoid personal and professional suffering

Infosec is a stressful job and, if not managed properly, leads to unhealthy situations which can surely end in long-lasting burnout. Burnout is one of the most painful experiences in the life of a professional, especially a good one who is self-aware enough to realize how much potential they had and how it just got destroyed. There are many critics saying that job-related stress in industries such as IT isn't worth discussing, but I call that a dangerous misconception. You couldn't be more wrong in thinking that we're not under high pressure. InfoSec is one of those industries where many things are totally out of our control, and you can't really sleep well - ever. Many of us got so engaged in the work we do that we started compromising other parts of our lives, introducing an unhealthy imbalance. Precisely such an imbalance led . So I can relate to all of us who have experienced tough times. That's one of the reasons I believe in this book so much. It's not that it contains any secret knowledge, or that I'm such an egocentric writer. Heck, I'm not even a native English speaker, so I realize my shortcomings, yet I am still ready to take the heat, because I believe in its value. I believe that this book can help - at least to some extent - my InfoSec friends who have struggled, struggle or will struggle with the challenges I've been struggling with for many years. I hope this book answers some of the questions we ask ourselves and will turn out helpful especially to those of us who have nobody to turn to for practical and non-judgmental advice. Writing the book has certainly helped me understand some concepts better and instill them deeper into my mind, so I have the answers handy whenever I need them. And I need them pretty much on a daily basis, so having this handbook on my computer allows me to stay in sync with reality and remain calm and humble.

The tough experiences have made me who I am today, and with many bad outcomes behind me, I'm getting more and more comfortable with helping others avoid my mistakes. Losing relationships, and not taking care of my health, which resulted in life-long illnesses and daily pain that decreases the quality of my life, have all contributed to the process of reinventing myself. The moments of truest joy were those where I learned that something can be done better. That I can do better and I can be better to other people. It's thanks to those moments, which I used to reinvent myself, that I've been able to achieve long-lasting fulfillment.

I know I'm starting to sound meta and all that corny stuff, but I decided to still leave it here, as I've met people who will feel hope again while relating to my story. I've got good news for you though. Only the foreword contains so little substance.
Please feel free to use this book whatever way you like. You can read it as a regular book in its entirety or use it as a reference handbook, with an easy-to-navigate index which allows you to jump to specific questions and answers.

Almost nothing worthwhile comes without pain or some sort of suffering, so I've come to the point where I accept my mistakes and allow myself to live without blaming myself too much for making them. I advise you to look at things in a similar way, because holding on to a past in which we weren't as smart and wise brings nothing good. Looking at the future as a blank page allows you to approach things differently and avoid repeating old mistakes.
In the book, I'll be guiding you through subjects that are very subjective and focus mostly on emotional intelligence and social skills, which can't be measured as accurately. So you might feel like I'm yet another bozo, but you need to open your mind to fully benefit from it. I promise you that everything in this book has been thoroughly tested, and each and every single chapter you find in this book describes lessons learned from mistakes I've made personally in my career. I'm never talking about others, about things I've only read or heard about. Everything has been battle-tested by yours truly and I believe most of it can be easily replicated in most working environments. It worked for me with minor contextual adjustments while working for companies from various countries on two continents, with organizations ranging from small services startups from Silicon Valley, through public institutions in Poland, to corporations worth hundreds of millions of dollars.

You need to sacrifice the present for a better future, but it doesn't mean you need to sacrifice as much as I had to. I've learned a ton and I want to use that knowledge to help you make your professional life easier. I want you to be more effective and productive than I used to be all those years before I started taking the human aspect more seriously.

Understanding these concepts can potentially enable you to see the bigger picture and gain a richer point of view. Please bear in mind that nothing is set in stone and that my experiences may differ from the things you've had a chance to experience in your career. So to limit the amount of anxiety and misunderstanding, let's create a healthy narrative for this journey of ours. I want this book to be an inspiration for you, showing you yet another perspective of someone who got his hands dirty, not a predefined set of rules one must follow. Use it as food for thought, content for consumption and a spark to initiate something bigger, adjusted to the culture of your organization and your personality. Your personality matters. Just because something worked for me and is indeed a sane way to do things doesn't mean you'll want to follow the same path. Things that come to me easily now may come hard to you, and that's all fine. We are different, so embrace what's best in you and use that to achieve what you want to.

How to squeeze maximum value out of invested time in reading this book

This book isn't an ideal picture of the world. It was never intended to be. It was meant to show ways in which we can be more practical and effective. To show you how we can abandon the fears, imposter syndrome, anxiety and stress - or at least reduce them significantly - through small tweaks in the way we operate on a daily basis. I want this book to be practical, so I recommend that you read it slowly and don't rush into the next chapters. Please read a chapter and give yourself some space to reflect on it. Try to recall a situation to which the chapter would apply and outline counterarguments to what I've written. Then find the right balance for you and the best way for you to navigate through life. I'm not right, and you're not wrong. We're both doing our best, and sometimes the best solution is in the middle of two perspectives, of two totally different individuals. You do you.
After all, we're expected to bring value to the business and help it make more money, so if you're still employed, then apparently you must be doing something right! However, regardless of how much we like or dislike our job currently, we can make ourselves like it more. We can make others like us more and we can reduce the anxiety of the whole system.
But for that to happen, we must improve our social skills, especially communication skills at scale.

I believe that security professionals can't achieve greatness at the workplace if they're not actively supported by all stakeholders across the entire organization and if other employees don't feel ownership of the organization's safety. Security simply must be one of the core values of a corporate culture. Each time I have joined an organization where security professionals wanted to do everything themselves, they failed miserably and painfully shortly after. Fighting a broken security culture without any support from the top leads to burnout for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization. No one wants that to happen, yet so often we end up in exactly such a situation.

Right, but what about Secure SDLC, you may ask? To me, Secure SDLC is more technology-centric, while DevSecOps is more human- and culture-centric. I may even write a book on Secure SDLC one day, but we have a lot of great content on that matter already, so it's not a priority by any means. To me, helping people understand the DevSecOps culture is a much more important task, although they are a very powerful couple, and I believe that in the long run one cannot exist without the other. I would even say that many companies have a magnificent SSDLC, but it could be so much better if the operators understood that each business is a human business first, and that you can boost whatever you're doing by involving more people and making them care about it.
I've met many people who understand how to implement SSDLC principles in their organizations, however not many know how to build the DevSecOps culture which can take their SSDLC, or whatever they're doing, to the next level.
I've spent over 5 years working on implementing a DevSecOps culture at the organizations I've worked at, because I believed that with such limited resources, doing things together is the only way to go. We all hit a point at which we can't scale anymore, which is why we must seek the help of others. And to get such help, it's good to provide it first. Be the leader people will happily look up to and many doors will open. By working all together we can do much more and do it much better.
SSDLC is a fabulous piece of art, and I wish more companies had adopted it since 2002, when Microsoft officially announced it. I really wish they had, because we'd be in completely different shape as a whole industry. But we haven't, so we must add something to it that will fill the gaps with work that doesn't cost every single one of us much. Collaboration and empathy are not that complicated or expensive if we only decide to take one step forward each and every single day.
With the right attitude, the culture is something that can be created in the background, while we use our technical competence to enhance our SSDLC workflows and incrementally improve the resilience of the organizations we work for.

I hope the lessons shared in this book will save you - and everyone around you - a lot of anxiety and trouble. I wish I'd had access to such a resource when I was starting out, which I believe could've helped me prevent the damage that happened otherwise. It's never too late to learn and improve, so I'm still extremely grateful for the opportunity to have experienced so many things and that now I can share them for the benefit of others. I hope this book helps you navigate social interactions with lower stress and more fruitful results, and although this book summarizes the most important lessons learned over the past decade, I'll still be happy if it saves you a single day of your life.

Let’s get started already! :)

Align strategy with business stakeholders first


Who’s actually responsible for investments in security?

Security issues don't pop up out of nowhere. The quality of code, products, infrastructure and business is always the responsibility of a human being. So why don't we treat it as such? Why do we always seem to obsess about technology rather than going after the root cause, which happens to be the people?

However, when talking about the "responsible person", I rarely think about the software engineer who writes the code, but about the company's management layer, because it's up to business leaders to decide on all investments, including how much time employees will be allowed to devote to security and quality in their day-to-day work. If software engineers are expected to produce inhuman amounts of code, they cannot afford to focus on security best practices. Managers who reward software engineers based only on the number of features produced are the ones truly responsible for insecure products.

Just ten years ago I used to religiously believe that the responsibility for insecure code is all on programmers. After many years of working with businesses all over the world, I've learned that my perception couldn't have been more wrong.
It rarely happens that engineers don't want to build high-quality products, but at the end of the day, what they want and what they are supposed to be doing can be two completely different things.
Most software engineers I've met were actually very interested in concepts related to application security, infrastructure security, and the whole hacking theater. It's fancy, it's all over the place, people want to be a part of it, but their fantastic attitude doesn't matter if we keep blocking them from joining the tribe.

The challenge is that, more often than not, middle management isn't held responsible enough for the safety of products. They're usually rewarded just for shipping a feature-rich and functional product on time, and the 'security thing' is somewhere at the bottom of the release checklist.

It's also up to the executives how much time and money they invest in employee education. If you expect your employees to learn about security in their personal time, that's called being delusional, not visionary. If a software engineer wants to spend time after hours learning something, they'll most likely be looking into some new programming library or framework, rather than stressing about complex concepts such as application security that they have had an unfriendly experience with at work.

It all goes top to bottom, the culture and tone set by execs is a real thing

There is a long and rough path ahead of us until secure software engineering is considered a part of basic quality assurance. It takes a lot of time and effort to make everyone conscious of the potential consequences of security negligence, which means the earlier you start educating them, the better.

If execs don't incentivize middle management to keep an eye on security, then middle management won't incentivize software engineers to write code securely. If you don't start from the top of the organization's hierarchy, you'll have a hard time succeeding with your security initiatives.

Engineers, like most other human beings, generally don't like to step out and do things their managers don't want them to spend time on. And that's for a good reason. In a healthy corporate culture, you want engineers who trust their leaders and focus on bringing value to the organization. You want people who don't revolt against policies set by business leaders unless they have good reasons to do so. Many, many people work in IT just to provide for their families, so being anxious that not all of them are questioning the status quo is just ludicrous. Let others live the lives they want to live, because it's not for any of us to judge anyone else. If you want something to change, then focus all your energy on driving that change yourself, rather than pressuring people to follow your lead. If you start something that's worthwhile and sensible, I promise you that there will be people willing to follow.

So if you notice someone stepping up to raise software engineering standards, you can't miss such a rare opportunity to convert it into a long-term partnership. Show your appreciation on the spot, because if someone is taking a risk for you, you'd better watch their back.

If you want to push people a bit so they leave their comfort zones, you must be very clear about your expectations and also provide them with some incentives. These don't need to be tangible; just make sure you express your appreciation for an employee going the extra mile and paying attention to code quality. If you want to create a tribe that follows your lead and steps up, then you need to decrease the discomfort as much as possible. Essentially, you must make people comfortable in the discomfort they're about to experience. You achieve that by making them (feel) safe under your leadership.

I'm telling you all this because I've seen a handful of my friends burn out. They had no support from the top, so they tried to take the lead alone and incompetently enforce their narrative on regular employees. This led to a toxic atmosphere, a very aggressive tone and broken relationships. So be careful, because no matter how big your mission is, office politics apply to every single one of us.

Set common goals with management and executives

Senior management must be advocates of a healthy security culture; otherwise, it's a Sisyphean task to do everything from the bottom up. Without healthy leadership from the executive team, it's very hard to achieve tangible security improvements without huge costs and without compromising the quality of your personal life.

So before you start bothering engineers with your requests, make sure you have official support from the executives, because engineers need clear and consistent guidance coming from the top. Don't add to the confusion they already face from their other duties.

A good way to make your security program effective is to learn as much as you can about the high-level business objectives of your company and what the points of focus are for people sitting in management roles. Understand their perspective and gain leverage.
It's hard and dangerous to give you generic recommendations, because each organization and each executive is different. It's in your hands to learn and feel how to approach them on an individual basis.

Settle down on authority at the earliest

Security is an executive-level issue, so it would be really useful to be in a position to influence
all stakeholders in the organization. You shouldn't be wasting your time on back-and-forth
discussions about why something must be done, or why it must be done this way or another. In a healthy
corporate culture, it would be enough to simply hold a security role, and everyone would follow your
lead from day one with a credit of trust. But such organizations don't really exist. Every single
organization is dysfunctional to some extent, and sometimes you'll face people whom you cannot
lead as a servant-leader, and you're forced to use your authority in order to execute.
I've seen it many times that a security professional had great intentions, attitude and leadership skills
but couldn't complete their tasks, because there is always that one person in a company whom
you must approach differently.

It's the CEO's job to create a culture where every employee trusts new coworkers and respects them with
a friendly attitude. Executives should make it clear to middle management that you are a serious
business stakeholder, no different from any one of them, and that they should respect your guidance.

If managers are only penalized and rewarded for shipping a working product on time, they won't want
to invest in security, which in most organizations slows down the software development process to
some extent. So execs must make it clear that product security is a part of quality and should be
treated as a regular, acceptable software development cost.

Thanks to that, you may not need to waste time arguing with people about why their teams need to invest in
security. You should be able to focus on effective execution rather than on discussions
caused by a dysfunctional corporate culture and a lack of proper communication. Being at the bottom of
the organization chart, you'll likely have a hard time working with non-security-savvy management
that has no interest in focusing on security. That's how business works: if there are no incentives, then
why would anyone want to listen to you, especially when you're a fresh hire?

Deciding on those bureaucratic matters at the earliest can save you a lot of anxiety and frustration. I
realize that plenty of us want to act like big boys and girls who can obviously handle everything
without anyone having their back, but that isn't smart. The cost of maintaining your ego really isn't worth
all those bad consequences that may come if you push too hard.
By consequences I mean not only a toxic corporate atmosphere but also your professional
burnout and the health issues that may arise when you're too stressed and anxious for long periods of
time.

With great power comes great responsibility, so always aim to be empathetic to your people and don't fall
into the trap of taking advantage of your authority just because you can. Use this leverage only in
exceptional situations, when you've tried everything else and it failed.
You want to be in power, but you should hope that you never face a situation where you need to
use it.

Build credibility and learn the language of business

Stay away from spreading confusion and FUD

Credibility is something you ought to start building from day one of your career and tend till the very
last day, when you say your final goodbye. What I'm trying to say here is that the way of doing things
really matters. We're often so goal-focused that we don't pay much attention to the byproducts of
our actions. Sometimes those byproducts bite back in the future.
Even if you achieved the expected outcome, you must consider whether you used the best tools for the job,
meaning: have you persuaded people to do something thanks to your leadership status, or have you
spread fear, uncertainty and doubt (FUD)? If the latter is the case, then you may expect it to haunt
you in the future.

Even if you're a renowned expert in your field, you must remain humble. You still need to build your
internal reputation from the ground up by working well with people in your organization. Your
coworkers expect you to comply with their code and aren't easily impressed by your status outside of
the company. So if you're a rockstar, that's perfect, and you should leverage it to make your life easier;
however, you should be aware of its shortcomings.
I've seen plenty of folks who ended up disappointed because they believed that everyone would know
their reputation and they'd be treated differently because of their prior achievements. And when we
think we're THE ONES, we tend to forget about the need to play nicely with others. No matter what
your perception of yourself is, I promise you that others have a completely different one.

Learning how to weigh your words, so that people understand your intentions well, will ease a lot of
interactions. The security field is very special, because we often tend to worry more than
managers and executives, who simply don't realize the true nature of security risks. However,
if you complain too often, people may start labeling you as a frustrated person who doesn't
understand that business is the art of trade-offs. They may become afraid that all you care about is
building a fortress and slowing down business growth.
We have our reasons, but our good motives don't matter much if others don't know about them. You
must work out relationships in which people understand that you're trying to help them do their work
safely, that you're the enabler and troubleshooter, not the troublemaker.

So you really want to be perceived by business people and other coworkers as someone who has it
all under control. When discussing severe security issues you've discovered, you must be careful
that your language and tone aren't unclear, negative or overwhelming. As an InfoSec pro myself, I
know why you're using certain jargon, but everyone outside of our little echo chamber has no
idea what's going on. Don't oversimplify your speech; just make it impossible to be misunderstood.

While it may sound counter-intuitive, sometimes it actually makes sense to slightly underrate the issue
you're reporting, so they accept it without anxiety and you can make progress. Small progress
always trumps no progress, and good now is better than ideal never.

Because of the negative tone we've set for all things security in the past few decades, people
overreact when you use even a slightly aggressive tone. Security folks who too passionately want to
secure the companies they work for often don't comply with the corporate communication code.
Overreaction may ultimately lead to them ignoring you, which is one of the biggest challenges to
overcome once the damage has been done.

The most practical advice I can give you is that we must learn how to adapt at a fast pace. Yes, it
does mean that you won't get as much technical work done at the beginning, but building credibility
and foundations really pays off in the long run. Once you've built credibility as a "smart
security leader who knows business, risk management and how to work with people", you can
progressively start expressing your thoughts in more depth.

So be careful about all that, and once you've figured it out for yourself, stick to it. Different things
work for different people and organizations, so keep doing what works for you. You do you; keep that
in mind through the whole book, and life actually. If being passionate and verbose works for you and
everything is good, then I'm happy for you! Keep doing what you're doing, but revisit it often so you
don't fall into the trap of being too romantic about your past approach. Effectiveness and practicality
trump attachment every single time, so stay alert and don't let your ego blindfold you.

"Make it till you make it" is a much better strategy than "Fake it till you make it"

If you feel that what you're doing is right, then you shouldn't let anyone who doesn't know you
influence your point of view. But bear in mind that when you act a certain way and don't listen to
suggestions from others, you have to take it all on your shoulders when things go sideways.
If you act so confident that it may be perceived as narcissistic cockiness, yet you
make too many mistakes, people will lose respect for you very quickly. Humility is a huge tool you
should use to give yourself space for making mistakes.

For example, if someone asks you for help but you aren't sure of the answer, be honest about it and
tell that person that you're going to figure it out for them, but you need to do your homework first to
make sure you provide quality advice.
Then do the homework diligently, and get back to that person with all the details they needed.
Never let your ego make things up, because people are smarter than you think. If you fake too
much, they'll figure you out and you may end up forever labeled as an incompetent impostor.

"Fake it till you make it" doesn't really work, and I much prefer the version "Make it till you make
it". Learn stuff, be humble, iterate till you're pretty good at the things you do. Competence inspires
confidence, so until you have a serious body of work to back up your words, just do stuff in silence and
don't try to overdo it.

Everyone is a target these days, but are they truly aware of it?

A vast majority of startups and SMBs, especially outside of the tech world, tend to have the dangerous
belief that they're too small to become a target for malicious hackers.
When you look at the statistics and reverse-engineer the hacker's mindset, you can figure out why it's
actually the other way around. Hackers, cyber thieves, script kiddies and other malicious actors
go after the easiest targets, not only because of the instant reward that stimulates their brains, but
because hacking these days is more of a business than a hobby.
Thieves seek quick wins because, like most business owners, they realize that time is their most
precious resource. So they're more likely to attack organizations with a weak security posture, because
in a week they can hack a dozen of them, rather than spend a month without any certainty that there
will be a return on investment.

That's not to say there aren't hacking groups that go for the big brands; it's just that there are far more
average-skilled hackers than there are sophisticated and well-funded hacking groups. And that leads to
a very important point. As the owner of a small business, consider your investments as something that
is supposed to stop those lone wolves, rather than spending a lot of money trying to protect
yourself against gangs or state-sponsored attackers.

Management needs to understand that while big organizations can often survive a security breach,
small ones can't afford it, often because of its impact on their public image. If a business providing
enterprise solutions has a stable position on the market and a great product, most customers will stay,
because it's expensive to transition a whole enterprise to another vendor. But if you're a small startup
that has been compromised, you'll have a hard time retaining your customers. Not only that: in this
era, breaches get overblown on social media, and PR/marketing-wise you're finished even in
terms of new, potential customers. This is a really important thing to mention here, because recently
I've seen many articles saying that "it's cheaper to get hacked than to secure an organization", which are
nonsense and do a lot of harm to those of us who work on executives' security awareness.
Basic security isn't that expensive, and articles like that do more harm than good, so ensure everyone
understands business risk management, including the dangers coming from social media scandals, and gets
a solid perspective on why security breaches bring different results to different organizations.

You can earn some love from your marketing and sales people if they learn that you're protecting the
business to make their job easier, so they won't need to explain to each prospect why you were hacked
and convince them that the company is in much better shape nowadays.
Be smart and unite people from various departments to help you achieve your goals.

Agile implementation of security into a corporate culture

Start small

I recommend taking baby steps with all of the security initiatives you want to start at your
company. By balancing workload and adaptability you can demonstrate to coworkers and executives
that security doesn't need to be tangled and complicated. If you show people that it takes just 5 clicks
to enable disk encryption and improve the safety of their PCs, it'll be easier to have discussions with
them in the future. After you've accumulated a few such small wins, their mindset will change: once
they believe there actually are hassle-free solutions to security, they'll be more eager to implement
more of them.
Focus on the small wins, do the things that have the biggest ROI (return on investment) and the
lowest cost of implementation, and then steadily increase the complexity of security requirements.
1% is always better than 0. A small win executed today is better than an ideal win executed never.

The common mistake I've seen is that we try to start out too big. We want to enforce all the security
rules as soon as possible and sometimes, even worse, all at once.
This approach may sound reasonable from a security pro's perspective, because time is all we've got
and each minute of security exposure is a minute an attacker can get a foot in the door.
However, it's a complete failure from a practical business POV, and I have never seen it succeed
in the long term when someone tried to execute too many and too complex things at once.

Human beings are wired in a way that makes them dislike leaving their comfort zones, because the
primitive part of our brain was programmed to keep us alive by avoiding risks. In order to fight that,
you must give people a tangible incentive to take a leap, because they must justify in their
own heads why this particular risk is worth taking. The bigger your demand is, the bigger the incentive
should be, because the potential gain must be big enough for people to fight back the alerts their
primitive brain is giving them. Yes, although nowadays we're rarely required to make decisions that
can kill us, that part of the brain still resists when challenged with something new, because it doesn't
understand that discomfort. All it knows is that it must protect us at all cost, and it's up to us, or
actually other parts of our brain, to make a brave decision regardless.
It's a good idea to start smaller, with things that don't push the comfort zone that much, to earn the
trust of your people. Most people are open-minded, but not so open-mindedly stupid as to leave their
safe spot on day 1, when they don't know how good a leader you are. And that's for a good reason;
they're not the ones to be blamed. People just want to be safe, and we should respect that.

An example is the common situation when you want to start implementing the Principle of Least
Privilege within your organization. You shouldn't just cut off coworkers' access to all of the
productivity tools they've been using on a daily basis for the past few years. Do it in many small
stages, one tool after another in reasonable time spans; otherwise, you may outrage people when they
lose access to things they were used to using freely. Not only may it cause them discomfort, but it can
negatively affect the business when people's morale is low and their productivity drops because
they don't have the tools they need to get the work done.

Building security is tough, not because it's that technically complicated, but because it takes a lot of
time, perseverance, patience and leadership skills. If you're joining an organization that's been on the
market for a couple of years and never had a security person or culture before, you must prepare yourself
for a slow rollout of all those great ideas that you have.
That's because people who were never trained to be security-savvy will have a hard time adopting new
requirements, even if you have a reasonable justification for them. People like what they know, what
they've tested and know to be working, and what feels right for them. Because of our recklessness and
the mistakes we've made in the past 4 decades, infosec has earned an unfriendly reputation. It
makes a lot of engineers think that security will make their work suck, so they do everything in their
power to stay away from it.

The best way to build credibility and have immediate results without irritating people is to start with
subtle changes, like showing the value of strong passwords, password managers, two-factor
authentication, antivirus and frequent software updates. It may sound like nothing, but all of it adopted
across the whole fleet results in a good security baseline that already puts your company in the
top few percent of safest companies. Even though those are the basics, and infosec folks like to go for
fancy and overhyped security measures, I can count on the fingers of one hand the companies that have
actually implemented the above-mentioned basics and done patch management right. That's just an
example though.

That's it, starting small is important. You won't get much love for 30-day password expiry, for enforcing
a security product with terrible UX, or for cutting off access to critical services just because you haven't
done good enough research to learn what it is that people need to get their work done.

Start early

I can think of at least two main reasons why it's reasonable to start with security at the project's
earliest. One is that if you create a security culture in your organization from its early days, you won't
give people a chance to learn the bad habit of ignoring security. The second is that it's more expensive to
change the architecture design and refactor a finished product. Changing habits, which essentially is
rewiring the brains of your employees, is a very expensive ride, so it's better to avoid such challenges
altogether and instill security from employee number 1. Everything that's happening in the
organization is the CEO's responsibility, and if she/he doesn't set a healthy tone from day 1, it'll be
hard to teach people to follow the practices when they know that even the CEO doesn't walk the talk.

I recommend that businesses of all sizes look for the help of a security consultant as soon as it becomes
affordable. I wish more companies realized that asking for a few hours of consultancy won't ruin their
budget, but can have tremendous ROI. It can create a baseline upon which they can build their stuff
securely from day one and avoid costly refactorings or breaches in the future. Chances are that if
you give it a thought, you'll realize that you personally know some security enthusiast
who'll be more than happy to support a startup free of charge in exchange for business
experience. She/he can help you ensure that products are well secured, so people in need should reach
out to their social circles and ask for help as soon as possible. It costs them nothing, and even if they
find a kid who's been studying appsec for barely 6 months and can only work part-time, it's
still better than doing nothing at all.

I'm writing this to demonstrate two important things we don't pay enough attention to. If you're a
security specialist and someone asks you for advice, you should emphasize the importance of
starting early, because if you eventually end up joining that company in the future, you don't want to
start from scratch and waste your energy on solving problems that could've been prevented from
happening in the first place.
The other one is that when you join a company, expose yourself as soon as possible. Don't lock
yourself in your office focusing solely on technical aspects such as deploying monitoring and
pentesting the infrastructure. Go out there and show people that you exist. Allow them to notice you,
and give them relevant resources as fast as you can. Provide them with books, articles, tools,
guidelines, checklists and procedures so they can start applying them in their day-to-day work.
Thanks to that, the improvement will be happening in the background while you get back into your
zone, focusing on other things.

Outline SDLC/NDLC improvements

Security should be perceived as any other cost of running a business

Security shouldn't be seen as an add-on to product development. It's a regular part of business
operations like anything else, especially when we're talking about companies that develop their own
software.
At software companies, ensuring security should be considered a part of Quality Assurance, not
only because the security triad mentions Confidentiality, Integrity and Availability, two of which are
heavily linked to the product's quality. Beyond that, nowadays customers demand products that are
safe for their personal and professional usage, because they don't want to buy a service
which may have a negative impact on their business operations. We're living in times where we're all
connected to each other like never before, and not a single company can exist on this planet without
affecting others in one way or another.

Although it may sound obvious to you, it's not you I'm concerned about, because we, security
professionals, can't do anything on our own, and the perception of all parties involved matters. You
must instill security into the organization's DNA in such a way that people truly understand what it is and
why it matters, because it doesn't really matter if you have a triple-firewalled PC with a personal guard
watching over your computer when you go to the toilet, if there are employees who think it's fine to
download pirated games on their corporate laptops.

Also, middle management is much more eager to spend resources on security when they perceive it
as a regular, necessary cost of software development. There will never be enough money and time to
invest in "additional" activities, so you must rewire their dictionary. Security is often called a no-ROI
time-waster which adds complexity and slows down the development process, so not only does security
itself cost a lot, but it also makes other things more expensive.
Unless you explain how and why security is important, you may have a hard time pushing
security-related changes into existing SDLC processes, and that's fair, because everyone has their own
work they ought to protect. That's something you really have to understand, because most often at the
workplace importance and urgency don't come from inner virtues and passions but from the actual
business impact. So you must comprehend that, shift your mindset, and help everyone
across the board understand what impact an insecure product may have on your business, because except
for us, no one is there to do security for the sake of doing security.

Hold them accountable to high standards, but keep your expectations low

Settle on how many resources can be dedicated to security improvements, bugfixes and alike.
Discuss how many hours in each development sprint can be dedicated to security and how much free
bandwidth engineering has for potential unexpected security patching. Write it all down in an
internal documentation system or some other place that gives you official proof that you
had those discussions, so that no one can claim that you're expecting them to do something they
hadn't agreed upon and twist out of the commitment. Each big goal is achieved by making many
small steps, and although it may look like some things should be done all at once, that's most often not the
case in real life. If you properly dissect your projects into smaller tasks, you'll realize the value of
small incremental changes, and that big projects not only suck for time management but also tend
to create a lot of friction with coworkers.
Focus on small but constant improvements, so you have the big goal in the back of your head but
don't expect people to deliver it all at once. Not only will it make executing your projects
on time more feasible, but it'll also reduce stress and boost the team's morale when they see 100%
execution of a small task rather than 0.1% progress on a huge project.

Let me make one remark here though, because you really need to be wise when creating your
expectations and demands. It's not reasonable to expect the business to stop all money-making activities
and focus entirely on security for a few days or weeks to fix identified vulnerabilities. Use risk
management to help business operations and ensure their longevity, instead of expecting the
impossible.

In my experience, it really makes a lot of sense to establish a fixed amount of resources that will be
spent on ensuring security in each product release/sprint.
Sacrificing 3% of engineering resources each day is less painful than telling the customer that you won't
deliver a mission-critical feature because you had to stop all your software engineering activities,
caused by your security department's unreasonable request to focus solely on security for
the next couple of weeks. Customers care about security, but not that much, to let you lag on service
delivery.

Build a Secure SDLC

Security is more cost-effective if you start working on it at the earliest phase of SDLC.

The old tried and true isn't true anymore. The common practice of building a product and throwing it at a
security team doesn't scale anymore. Given how much code we produce on a daily basis, it's
increasingly expensive to not instill security in the early phases of the SDLC. At the current pace, we
can't afford to wait till the last phase of the SDLC, because a potential refactor of two weeks of
code would come with dramatic costs.

Securing the whole workflow drives very tangible long-term improvements, because to me it's less
about catching issues earlier than it is about education, which ultimately is what we're looking for.
Developers who are constantly exposed to security work will memorize more and more of it, keeping
safety in the back of their heads and allowing them to fix issues even faster.
We don't want to see the same mistakes over and over again, and unfortunately that's something I
still see at most companies all over the globe. Although the software engineering world has moved
forward a lot, security practices are still holding it back, and we haven't globally addressed the
basic issues that are so trivial to remediate. It's all about mindset, about shifting the
responsibility to the left and then making sure everyone is capable of taking ownership of it.

While I get that the black box pentesting approach was somewhat practical in the past (been there,
done that), nowadays most innovative software is too complex for security teams to secure the
product in just a few days before it hits production. There must be a whole lot of things done around
it, which we'll discuss in the DevSecOps chapter later.

Surely there are small software houses with senior, security-savvy engineers where it's practical to
build a tiny product and then deliver it to security testers, because they cared about security while
writing their code. But during my whole career, having worked with thousands of engineers from
dozens of companies, I can name only a handful with that senior level of security-savviness, so hoping
that you have people who are somewhat competent in security isn't the smartest thing to do.
Actually, hope is rarely a good strategy for anything in life. It's good to have, but it'll only take you
this far.

However, if what you're doing works for you, your company and your customers, then keep doing it. I
want to emphasize once again that I'm sharing yet another perspective which you may want to try out
if you feel the need. So while I'm advocating an approach of injecting security into the whole
software development life cycle, I realize that it is not a silver bullet and it may be too expensive for
you at the moment. Still, I believe that 1% is much better than 0, so trying something is better than
sitting stale and missing the right moment when you were supposed to take action.
My recommendation is always to get involved in the product design phase and keep an eye on the
product throughout the whole development process.

It's all about the cloud and the dirt: about having the high-level vision and long-term roadmap as well as
doing what needs to be done to help your organization achieve its goals.

Show up, adapt and deliver results

Everyone needs to be made aware that security testing is a time-consuming activity, so it must be
included in release planning schedules.

It's generally a good idea to jump in with security tests when the QA team is given their time to do the
"regular" testing. While we'd love to receive stable and fully functional software after QA is done and
functional bugfixes are in place, it's not really practical in most fast-moving environments. Asking for
separate time after everyone else has completed their tasks would significantly slow software
delivery. Slowing anything down is something we should try to avoid at all cost, because, as I've
mentioned previously, we must strive to minimize the cost of running security operations.

It's great if your coworkers actually know about your existence and trust that they have a go-to person in
the company who's competent in security and eager to help them. We sometimes get ourselves off
the radar while doing our work, and people start feeling like there isn't anyone watching their backs
anymore. You can show your presence at the company by dropping suggestions here and there, by
asking people if they need your help, by plugging security automation into the Continuous Integration
process, and by doing anything that'll show people that you're there and that you care for them.

The CI/CD part is important because it's beneficial to have tools that give you a clearer view
of change management, which enables you to act accordingly, e.g. run your tests and respond in a
timely manner, demonstrating to people that you're on top of things, that you're keeping an eye on
everything, that you've got it all covered and that you do stuff on your own. Showing people that
you're a person who takes ownership and goes the extra mile really matters, so if you talk to someone
out of the blue about an issue you identified, even though they hadn't notified you about it, you may
change their perception of you for the better.
That's how you really build respect. You show up, you deliver results and you do stuff behind the
scenes to make people's life easier, and then you come out letting them know about the cool stuff
you've been working on lately.
If people see you hanging around all the time during design discussions, they'll organically learn that
you're needed and will let you know whenever there is something new coming up. Just be there for
them and make it easy to approach you and ask for help. Professionals do enjoy the companionship of
other professionals, so if you become one and build such an image of yourself, people will be happy to
collaborate with you.


Become a leader capable of stepping out and delivering, especially in moments when people least
expect it.

Make security simple

Simplify it for them

Security is often perceived as complex and cumbersome, which makes engineers unwilling to work on it. Such an attitude has its reasons, and I myself have experienced that security processes at most companies actually suck and create problems.

You can’t go wrong by making things simpler and carefully explaining your requirements. The easier and cheaper you make it to build secure products, the more likely it is to get included in the SDLC. You need to take ownership of the processes and simplify the frameworks, knowledge base and other resources so people can actually consume them and use them to add value to the business. Having a huge and valuable knowledge base doesn’t mean a thing unless you’ve got people actually using it. So make it simple and spread awareness about it, so your work doesn’t get lost in the noise of the daily grind.

Developers have their own stuff to learn and they don’t want to waste time digging through confusing documentation which doesn’t provide clear guidance on how to resolve problems. They’re looking for high-quality resources, so you are expected to provide a well-described set of practical action items. Remember that everything I’m talking about here involves making people leave their comfort zone. So you need to incentivize them to learn new things, and generally, the lower you set the entry bar, the better.

If you ask people out of the blue to use some security product like 2FA or SSO integration, ensure it provides a great user experience. No one wants to waste time learning an ugly UI just because security folks require them to use yet another tool.

If you don’t keep it simple and your requests become too irritating, you won’t be able to build a healthy long-term culture. You cannot allow situations which make people form a mental association where security equals discomfort, pain, anxiety and shame.


To me, security is all about the mindset and very little about the technical side, because we already have all the tools necessary to improve the safety of our businesses, but what we often don’t have is buy-in from stakeholders.

Everything is just a tool and the mission is the only thing that matters on the macro level

Technical actions are parts of your strategy, which is just a vehicle meant to help you achieve the goal. So if the goal is to secure your company, the usage of specific tools is a tactic meant to bring you closer to that goal. Don’t hang on to the existing strategy or tactics; tweak them as much as needed, because if something isn’t contributing to the bigger picture, it needs to be thrown away, no matter how appealing it may be. If something works, that’s awesome. If something doesn’t work, then tweak it. If it still doesn’t work and creates more confusion than protection, then throw it out the window and move on to something else.
Do not fall into the dangerous trap of romanticizing your strategy or tactics. Those are just tools, and practicality beats romance every single time on all possible layers and dimensions.

Encourage and teach instead of demanding and judging

It’s easy to assume that your peers should have a certain level of security awareness, but it’s as wrong as it gets. I’ve met successful senior software engineers and managers who, after two decades of work experience, had very limited knowledge of security engineering. Everyone comes from a different background and has worked on projects with different priorities, so the safest option is to assume that they haven’t had a chance to become security-savvy.

It’s on you to create a foundation on which you can build later on. It makes a lot of sense to create low-to-mid level security training to equalize the level of security awareness, both in general safety (e.g. phishing) and in technical security (e.g. secure coding). If you create such a baseline, you’ll be able to speed up discussions and save time in the future.
When you know that everyone is on the same page and you don’t need to repeat yourself on the basics, you can go right into the specifics and discuss the matters that matter.


It’s worth it and it made me much more productive, so I encourage you to follow suit, if only to save yourself from a burnout caused by the need to repeat the same things like a broken record.

Extensively explain security requirements and identified issues

Every time you file a bug report or request a product feature, pay attention to the communication vehicle. Elaborate as much as possible to make clear what your intent is and what the business profits or risks are.

While writing technical details, consider using the ELI5 (“explain like I’m five”) approach, so there is no confusion along the way and no surprises when the code is shipped. Describe what the problem is and provide a practical solution, i.e. pseudocode, a configuration excerpt or an actual piece of code that can be copy-pasted to fix the bug.
While taking such an approach, make sure that people understand you’re using ELI5, because some people may take it personally. It’s important not to hurt anybody’s feelings, and that can happen if someone thinks you’re using ELI5 to diminish their knowledge, even though your intention was to make everything clear so they don’t need to waste time on individual research.
Express that you want to share your knowledge so they can learn quickly, and to make it easy for the next generations and juniors to understand what the case was. It may seem like a small thing, but you don’t want to create a toxic atmosphere because of such a trivial misunderstanding.

No matter what your specialization is, we all share the same goal - improving the defense

Let me go a bit deeper on why I believe in overcommunication so much, because there are two
reasons for it.

If you don’t want to be disappointed and anxious, then overcommunicate. It’s simple, but in life we tend to blame the other person for not having understood us well, while it was us who hadn’t expressed our thoughts clearly enough. Always blame yourself first and reflect on whether you’ve done the best job possible to ensure that there is no chance of someone misunderstanding your requirements. Yes, people should ask more questions if something isn’t crystal clear instead of jumping right into implementation, but life is what it is, everyone has their own struggles, so you need to take this into consideration as well.

The other side is that engineers are often tired of cocky security rockstars who don’t bother putting in the work to help engineers address the issue beyond finding the bug and shouting loudly about how great they are. Don’t drop a fancy vulnerability name with a brief description of “Fix it, it’s simple, you can google it!”. We’ve had enough of it, everyone is tired of it, so I implore you not to add to this bucket anymore. Finding a bug means zero value for the business as long as the vulnerability hasn’t been addressed. Right, maybe you’ve made everyone aware of the risk so they can take it into consideration; however, that’s not the ultimate goal of a red teamer. The goal of every single one of us is to improve the defense, not to boost our egos by trying to show people how much better we’ve got it than them. If you act this way, you aren’t better than anyone, you suck. I don’t want to put you down, maybe you have huge potential and skill set, but it’s ego that’s playing you like a marionette. Been there, done that, and then evolved to bring actual value to the business, rather than just to myself. Intentions are fantastic and I get that you may have it all good, but actions speak louder than anything else, so even when you think you’ve done your job as an offensive security professional, ask yourself what the actual outcome of your day’s work is. Did you contribute to the bigger picture? If you haven’t, it doesn’t mean it’s your fault; maybe it’s the business’s or indeed someone else’s responsibility to take it further. That’s fair enough.

All I’m saying is that you should give yourself some time to think about it, accept that the result of your thinking may be uncomfortable, and then use it to improve. Don’t beat yourself up, just improve, move forward and don’t waste energy on looking back.
Once again, if you get the results you want to get and everyone is happy, keep doing what you’re doing. But even then, an ego check may be a good thing to do, to make sure you’re not getting out of sync with reality, because the further you drift, the harder it’ll be to get back on the right track.

Do the work behind the scenes and don’t be a workflow bottleneck

InfoSec as an enabler


If I were to choose only one thing to share with you, it would be that there is no place for a naysayer
in a security department.

It’s unbelievable how many of us kept doing the wrong things for so long. It’s tough, because the impact we’ve had on IT communities is something that’s chasing us to this day. I’ve had to spend a lot of energy working out healthy relationships with my peers by convincing them that not all security people are rude and negative. I don’t want to point fingers at anybody, because I’ve made those mistakes as well; however, we, as an industry, must acknowledge the elephant in the room and recognize how many cultural mistakes we’ve made in our careers. We must confront the fact that our strategy of whining about the insecurity of everything and desperately attempting to slow down innovation turned out to be impractical. We’ve tried hard to keep the comfortable status quo instead of learning the new technology and figuring out how to allow others to do their work more efficiently. We had good intentions; however, people couldn’t follow our incompetent lead and always found a way to bypass our restrictions.

I know it’s getting better and there are fewer infosec specialists who default to denial and rejection. Yet I feel it’s worth emphasizing that our ghosts of the past made it tough for social-savvy security pros to create healthy relationships with engineers and other employees.

Saying no is easy; being creative and looking for innovative solutions is challenging, and as hackers we should strive to solve challenging problems, as that’s part of our DNA. If you’re not creative enough, people will find creative ways to bypass your negligence and it’s all for nothing.

Your mission is to enable your coworkers’ workflows and demonstrate that you actually have honest intent and a willingness to help them address the challenges of their day-to-day struggle. Don’t romanticize the path you had to follow in order to be where you are today. Just because they haven’t been studying security for the last 10 years as you have and they aren’t aware of the risks involved with the technology they want to use, that doesn’t entitle you to have an attitude and razz them for it. You’re there to help them, that’s why you are a security specialist, and you ought to use your skillset to support them, no matter what.

If you want to be a rock star, then earn that status, because status is something that’s granted to us by society, not something we tell ourselves. We can make as many statements as we want, but if our actions don’t back them up, we’re just being delusional. We’re hired to build robust products other people can use, and we must use our greatness to solve the challenges. Even though it’s uncomfortable and it may be something you don’t want to do, it’s still the right thing to do.
So make sure you revisit your attitude, because even though your competence may be fantastic, your attitude must be in check as well to enable your and your team’s productivity.

Listen and execute behind the scenes

Those who aspire to be great leaders must master one skill before others, because this skill alone can
take them far and enable their growth in other areas. It’s listening and execution. Execution, especially
when no-one is watching and expecting it.

Delivering work no one asked you for, just to improve the lives of your co-workers, is something that people know how to appreciate. So whenever you feel like doing something for the community, just do it, and the satisfaction will come to you sooner or later. Going the extra mile is something that can help you build an image of yourself as an outgoing leader and problem solver. Our world needs people who identify problems and try to solve them on their own, without waiting for someone else to pick up the fight. People always seek someone to lead them. Someone who’ll inspire them and someone they’ll be able to secretly look up to. Be that person, or at least give it a shot, because there is nothing you can lose by doing the good work.

If you provide a lot of value upfront, people will feel emotionally obligated to give something back, because we can’t stand the feeling that someone gave us so much and we haven’t even attempted to return some of it. It doesn’t need to be tangible; the ROI can be their eagerness to work on security improvements for you. We’re all in the human business, and technology comes second, so if you have good relationships with people, they’ll do something for you, even if it’s something they won’t be acknowledged for by the business. It’s in their human nature, and that’s all it takes.
Obviously, like for everything I’ve shared with you so far, there will be exceptions and you’ll face totally ungrateful people, but just because of those few individuals, you shouldn’t abandon the whole community of great people who’d love to work with you side by side.


Sometimes we just need to step out and take things into our own hands. Even if you feel like there is no tangible incentive to do so, the feeling of doing something for a better future for your coworkers is wonderful and justifies the sweat equity.

You must ensure that you’re doing whatever possible to show people your determination, competence and passion, but be wary of taking too many little things, like code fixes, on your shoulders, because it may lead to cognitive and time overload. You can’t take so much on yourself that it becomes impossible to do the actually important tasks that only you can do because of your skillset.

If it happens that you need to fix some code or tweak configs, then that’s perfectly fine as long as it’s
an exception, not a rule. The key is the balance.

Embrace DevSecOps

The concepts of purple teaming and DevSecOps are things I fell in love with many years ago, when I was experimenting with a variety of ways to make myself more productive. Everything changed for the better when I started embracing a culture of collaboration, where attackers and defenders work together to find the best approach to securing the products.

Although it’s great to focus on your narrow specialization and be an expert, it’s not the actual reason we’re getting paid. We’re getting paid to improve the safety of our organization, not just to do the work for the sake of doing the work. To be truly productive, I really recommend at least trying to collaborate with all stakeholders across the organization.
Being a pwn-all-the-things rockstar will take you only so far. It’s overrated and, while fun in the short term, gives terrible results in the long term. I must remark, though, that there are great people out there who provide immense value to the industry by doing only the thing they love, but those are exceptions. It’s much easier to achieve success and long-term satisfaction if you learn how to work with others.

Become a member of each department


Having an independent security department is expensive and hard to scale. What worked for me was working side by side with the people who ship the products. This is a good thing to focus on, especially in small organizations where security culture isn’t yet established and people don’t realize they should inform you about certain matters. While it is obvious to you and you expect them to use you as a consultant, people often just don’t have it on their mind if they were never required to do it before.

As a third-party consultancy entity, you’ll often be late to the party, because people either forget, don’t have enough time for proper communication or are afraid that you’ll introduce an additional burden to their existing workflow.

Becoming a team member will make everyone more socially comfortable with your presence and role, which enables you to cover more things with your security expertise. Some of us painfully learned that the “us vs. developers” approach doesn’t really work if the goal is to create a healthy and friendly environment. If you introduce that competitiveness, it often creates a toxic atmosphere where people do their best to hide stuff from you instead of collaborating on convenient solutions.

Join one team for a few weeks and then jump into another to create a well-intentioned relationship
with your peers. Don’t just sit in your cubicle waiting for someone to call you for help, because that’s
not going to happen.

Delegate instead of trying to fix everything yourself

To maximize your impact, you should learn how to delegate some of your workload, because you don’t want to become a bottleneck for security improvements, which is completely contrary to your goal. Apart from time management and the fact that you can’t always be a one-man army, there is an important educational purpose to task delegation.

By handing work back to the person who wrote or deployed the code or service, you help them understand the mistakes they’ve made so they know how to do it better in the future. If you fix everything yourself behind the scenes, people will keep making the same mistakes over and over again. They may not even be aware that they did something wrong, as no one ever raised any concerns regarding their code quality.

Apply the same approach in all aspects of the business and educate people on how to improve the security of their day-to-day execution. You can, for example, teach internal QA teams how to do basic security testing, thanks to which you’ll have additional eyes looking at the products from a different perspective.

Use your exceptional skillset to focus on things that matter and leave the rest to others who are more capable or who are actually supposed to do that type of work.

If you’re a great web pentester and a good software engineer, you surely can fix the bug you’ve found, but is it the smartest thing to do? If you’re the only security expert while there are 50 software engineers in the company, you’re better off delegating the fix to others, so you can focus on execution within your domain of expertise.

Internal security training and awareness awards

Conduct recurring security training

Videos and online presentations are good, but nothing can really replace quality in-person meetups.
Show as many demos as possible and don’t stick to overwhelming PowerPoint presentations which
put people to sleep.

It’s fine to share raw technical details as recap materials, but when starting out you must make people excited about the subject, otherwise it’ll be just another corporate training they’ve attended only because it’s obligatory.


Don’t shy away from showing off your skills to non-techy people. It makes sense to show some real-life exploitation to impress them, build a great human relationship and gain their respect for your skills, even if they haven’t understood all of the things you’ve just shown them.

I personally like to show real-life testing, including the very first steps, from setting up Burp through vulnerability assessment and exploitation to data extraction. When you go step by step and show how you find a specific type of vulnerability, how you exploit it and how it can be fixed or prevented, people get the big-picture perspective, which is understanding the business risks. When they actually realize how code quality affects business longevity, they’ll pay much more attention to it.

There are plenty of open source resources that come in handy in such exercises, so squeeze the maximum out of them to create enjoyable and valuable security training.

Guiding them through the detailed flow is practical, because while you’re doing the hacking part, the participants have a chance to directly and comfortably ask you many (un)related questions. Interactive meetings are the greatest, as they’re remembered much better than a bland slide deck and they give you an opportunity to show the human part of yourself. Standing in front of people gives you an invaluable opportunity to cultivate the relationships I’ve mentioned earlier.

The same concepts apply to physical and personal security, and the key message is that training should be engaging, exciting and relevant. It should also be periodic, so people are constantly reminded about the importance of security.

Popularize internal Bug Bounties and awareness recognitions

Bug Bounty programs are great and I’ve been a solid advocate of them for the past decade, but before you jump into spending crazy amounts of money on an external BB, you should give it a try internally.

It’s smart to start with internal initiatives first and give your peers an opportunity to learn new skills and get some fancy rewards for their efforts. Consider hackathon-like events where engineers can work on complex security issues they consider interesting, or just do some internal bug hunting with you.

While the BB is mostly a vehicle to create a security culture, there is actually a real chance of finding
a few security issues because each person has a different perspective and a developer may find a bug
in a place you’ve never thought of.

Make it fun and offer rewards like a few additional PTO days or gift cards for individuals who’ve found security issues in the specified timeframe or who came up with a great security tool during the hackathon. Apart from the fact that everyone likes awards and rewards, people get excited when they’ve been publicly recognized as security aware. At most organizations, people remember being razzed for security rather than being appreciated, so you’ve got a chance to use that in your favor. Don’t forget to properly acknowledge the effort of all those who’ve also tried but weren’t as successful, because you want everyone to feel engaged and appreciated. You can use the Bug Bounty concept for non-technical people as well to show your appreciation, e.g. if they report a physical security incident to you. The key is that you need to cover the whole organization with awareness, because security is only as strong as its weakest link.

Initiatives like this help shape a culture where being security aware is appreciated and rewarded, and after a while it can become employees’ habit to take care of company safety. Besides all the security benefits, it’s simply a great team-building exercise, so you should run it on a regular basis.

“Tell me and I forget; teach me and I may remember; involve me and I will learn.”

Security Is An Art Of Tradeoffs So Learn How To Manage The Risks

Be practical

No one likes when their time is wasted. When creating a process, policy or procedure, you must really thoroughly consider whether it has any chance of being implemented. By pushing hard on something that sounds great in a lab environment but has low chances of success in real life, you’re not only wasting your time, but you may also create friction between you and your peers.

In order to be productive, you need to learn how to justify your decisions. If you express yourself in a
reasonable way, people will be happy to do stuff that makes sense.

While it may sound obvious to you, tunnel vision is a real thing, and we security professionals quite often fall into the trap of idealizing things and leave the practical path because we’ve told ourselves that a certain thing makes sense to us. The key is to analyze whether our requests make sense to others, because it’s one thing to establish a policy and a completely different story whether users are going to comply with it.

Being practical is being tech-savvy enough to know what’s the right thing to do from the risk management perspective. When you take into consideration how hackers operate, you’ll really understand why you should double your spending on securing the basics. It does make sense to first ensure your users have strong passwords and 2FA in place before you jump into buying a $1M firewall. Just because everyone is unwisely spending their budget, it doesn’t mean you should follow in their steps. The security market is flooded with low-quality yet ridiculously expensive tools, and you must learn how to recognize tools created by and for overfunded startups that can afford to recklessly burn VC money.

Being practical also means being social-savvy enough to understand that the speed of your improvements will vary depending on the predispositions of the specific organization. Sometimes you must take things slowly and enforce only 1 change per year, and at some organizations you can execute on 10 things per quarter. You really should get a feel for your people and understand their thresholds for becoming overwhelmed by the number of requests coming from you.

Allow cutting corners when necessary

Business is there to make money and must ship the product or service no matter what. Bringing value matters more than anything else, and occasionally quality must be compromised, so you should learn how to navigate such situations.


Just because it appears that you’ve lost the battle, don’t allow frustration and despair to take control over your sanity. Instead, spend time figuring out what else can be done to cover the gaps created by the operational tradeoffs. If the business team decided to ship the product regardless of potential security risks, revisit your risk management process to figure out why that happened and whether there is anything you could improve to prevent it from happening in the future, assuming it was a bad thing at all.

Cut your resentment short and work on second-layer protections which will provide security in case the holes in the shipped product are exploited and abused.

Learn how to mitigate risk and minimize the damage that can potentially be done. Spending time reading books about risk management has a bigger ROI than obsessing over how stupid your organization is and how insecure the products you ship are. Even though sometimes it’s indeed a painful truth that the company you work for is neglecting security, you must move forward regardless.

Your workday probably has ~8 hours in which you have an opportunity to make a difference and do something productive. Complaining and dramatizing takes away your chance to be creative and to solve mistakes made by others, because you can’t get that time back. Once it’s gone, it’s gone forever, and there is so much other work to be done. Learn how to prioritize the risks over the drama so that your company benefits from your skillset as much as possible.

Learn how to run productive security meetings

Lots of engineers I’ve met have had bad, or at least poor, experiences in the past with security folks who either shouted over them, blocked new initiatives or defaulted to NO each time someone asked a question. Sometimes they’re even scared to join a meeting with a security team, because they don’t want competitiveness and adversity, which is something you should learn to respect.

To build a culture, you need to show empathy and understanding of your co-workers’ intentions.
No one is really decreasing the security of their work on purpose. They simply have no time to play games with you, even though surely there are some who would love to do something just to annoy you. People have their own duties and responsibilities and are often forced to cut corners, and if you’re not making their life easier, they’ll find a way to go around you and get the work done regardless of your policies and procedures.

Create a friendly atmosphere during your meetings and spend most time listening

Listening is good, throwing silver bullets and expressing your genius not so much.

People you’re working with are really smart and eager to improve their code if you approach the
subject in a tactical way.

If you aren’t a savvy leader and speaker yet, it’s a good idea to join other non-security-related meetings and learn how they’re managed. Make notes, learn, observe people’s behavior so you can take the best out of all those meetings and then apply it to yours.
In general, meetings aren’t the most liked thing in engineering departments. If you make security meetings productive and friendly, your co-workers will be amazed to see someone who fixed boring corporate meetings and improved the bad experience they had in the past with other security teams.

The approach that works best for my meetings is spending most of the time listening. I listen to the team giving me a thorough product description while I just quietly sit in the room, sometimes asking questions but without throwing in any comments or advice that could force my narrative on them. Then I ask them what they think could be done better if they had more time or expertise in something. There is no better source of information than the person who wrote a given chunk of code, so I do that often, because I realize they have their priorities and, even though they’d like to do something better, the business demands that they just do okay.
Only then, in a neutral tone, do I provide my insights, to give them food for thought and avoid preaching. If needed, I ask them to analyze my POV with me and whether it makes sense to do something a bit differently, because I believe we could still improve the current state if we combine our knowledge and brainstorm our approaches. I try to be as calm and clear as possible, outlining why I believe it’s the right thing to do and how they, as a team, or the business can benefit from it.

After the meeting, I review all the notes I’ve made and the data they sent me, so I can come up
with guidelines and send them over to the team. I want them to take a first glance at it and become
comfortable with my requirements or some general thoughts. At the next meeting or an online
call (whatever feels more effective) we spend more time discussing the potential changes, and
now they’re the ones asking questions. I must respond nicely without embarrassing them or causing
any negative experience, even if their idea was really derpy. If someone steps out to ask a question,
they should be appreciated, not demotivated by my ego.

All that back and forth makes sense, because if you drop too much information on their heads during
the first meeting it may become overwhelming. Even if you see all the flaws and suggestions during
the initial meeting, try to stop yourself from bombarding them with all that, unless you really don’t
have the time to afford the polite game. Surely you can give them initial feedback, but keep in mind
that they can’t leave the meeting overwhelmed or feeling like you were aggressive and undermining
their expertise.

The first meeting is meant to create a good relationship with the team and the second one is where
things actually happen, but without the first one, results may be poor and against expectations.

During the second meeting, we decide if it’s all good or whether I need to adjust some of the
guidelines so the team feels better about it.

We’re there to serve others, not the other way around, so sometimes you’ll need to do a lot of back
and forth in tweaking your improvements to be actually practical. It’s still worth it, because at the
end of the day that’s exactly what matters. Improvement, no matter how small or big it is. Improvement
in the security posture of your organization and improvement in the relationships you have with people.

Learning how to run effective meetings and how to persuade people are essential components of making
a corporate security programme practical. If you master social skills, almost everything else becomes
bread and butter. Bear in mind that all the advice here must be considered high-level guidance
rather than a set of actual recipes you should put into practice the very next day. At some
organizations, face-to-face meetings don’t take place at all, and at some, it’s all about speed so you
can’t play games with anyone, so just pick the best advice, leave the rest and be practical.

Whatever you do, always think about how others feel about the way you communicate, regardless of the
communication medium.

Leave Your Ego At The Door And Study Empathetic Leadership

Make it all about them by making it personal

Professionals want to constantly expand their horizons and develop their careers. Luckily for us -
InfoSec folks - security is one of the things people want to learn, as it has become a pretty exciting
subject pumped from all directions, from corporate policies through social media to TV news.

If you frame the subject right and help people truly understand the value of security awareness you’ll
be surprised how many of them wanted to work on security, but couldn’t get themselves to do so.

Lots of coworkers I interacted with had a negative attitude towards security because of their past
experience with rigid corporate security policies and unfriendly InfoSec specialists. Fortunately, I
found it doable to convert most of them into security-savvy engineers by approaching them in a
friendly manner and expecting from them only what’s practical. Expecting people to do stuff just for
the sake of doing it may be a daunting task. But you can flip their attitude if you explain your
reasons in detail and demonstrate how the new knowledge and skills can benefit them personally.

While the benefits of security education are obvious to us, the key is to transfer the same awareness to
our peers, so they perceive security training as something that brings value and not something that just
steals their time like most of the other corporate bureaucracy.
You can get their attention if you, for example, explain that learning security will make them much
more attractive employees on the market. People may not really care about corporate security, but they
do care a lot about their careers; they just don’t know these two things overlap, which is something
you should use to your advantage. People often don’t know what’s good for them, and your help will
be appreciated in the long run.

Target something that’s relatable to all of us as a society. Things such as social engineering, smart
devices and the Internet of Things are concepts we’re all exposed to in our daily lives, so why don’t
you use those as anchors to get their attention? Go beyond corporate security and have a chat over
lunch about the insecurities of IoT devices, or how a recent incident at company X abused our online
privacy. People want to learn, but they want to learn about things that are either entertaining or
relevant, and you can make sure you hit both of those. Emphasize the fact that habits acquired at your
company may help them in their personal lives, by enabling them to be more alert to online scams such
as phishing attacks meant to steal money from their bank accounts.

Never play the shame or blame game

People rarely violate security policies with malicious intent. In my whole career, I’ve met only a few
employees who were obsessively doing stupid things just for the sake of doing it. They weren’t
internal threat actors, they were just kids who wanted to demonstrate to everyone around them how great
their ego is and how they won’t comply with anything that’s oppressing their freedom. But that’s an
exception which you must know how to handle; nonetheless, it’s all about minimizing the attack
surface, and it makes a lot of sense to focus on the controllable 95% of your workforce rather than
stressing about the 5% at the cost of the majority.

Mistakes usually happen because people are stressed, overloaded and tired, so blaming them is just
adding to the negativity bucket which is already filled to the brim. Try to approach each case
individually; don’t generalize, so you don’t hurt person A because you’ve just had a bad meeting with
person B. Study their behavior thoroughly, because sometimes it’s small things that make people act
the way they do, and focus on how you can prevent a recurrence of the same incident with others.
Consider each problem individually, but then generalize to make sure you apply the lessons learned to
the whole organization, because if something has already happened with one person it may happen
again with someone else.

Shaming someone for their lack of awareness is one of the best ways to kill their motivation to learn
and collaborate. Take at least partial responsibility for someone’s incompetence, because if someone
exposed the organization to severe risks, you may want to look at it as an indicator that your
security awareness program should be improved. Always look at yourself before you even think about
pointing fingers at others.

But remember the balance! Don’t beat yourself up too much, just make sure that when failure
happens, you know how to step up and be a leader capable of owning the improvement process.

Don’t forget about non-techies

Meet up with sales, marketing, support, and other non-techies to learn what tools they use and how
they use them on a daily basis, so you can figure out how to secure their workflows. Customer-facing
roles are especially endangered, as they are the ones who, in order to do their job, need to constantly
download unknown data from the Internet. Given the exposure, you must train them to understand the
risks associated with their day-to-day work activities, which include tools and processes as well as
external communication, because you don’t want your support agents to get tricked into exposing
access to another customer’s account.

Most of the peers I’ve met who were working in soft-skills-heavy roles are very friendly and get super
excited when you share with them the latest news from the security world, such as the recent massive
hack they’ve heard of on social media. Such discussions can be a great tool to get a foot in the door
and later include subjects like network security and corporate security culture to provide actual value
to the business. It’s all about incremental improvements, taking steps as small as necessary and
increasing the coverage by having “your” people in each department.

Leadership values and Emotional Intelligence

Social skills are hard for everyone, not just security professionals, and we struggle with them in our
daily lives.

In such a niche field as infosec we’ve got plenty of great specialists, researchers, analysts and people
who can hack almost anything, but how much attention do we pay to their social skills and
how much do we care if they can play nicely with others? How much do we praise leadership in our
field? It almost doesn’t exist in the media, and yes, we all know Mitnick to be extremely
“socially-enabled”, but can you name more Mitnick-alikes with the same ease you can enumerate
great security researchers? I’ve spent a ton of time researching influencers in our space to identify
those who are great at security management and leadership. Even though we have many great people,
those numbers aren’t even close to what they could’ve been if we had put more emphasis on
leadership and collaboration in our field. The number of great security leaders capable of creating
robust security programmes is far, far lower than the number of brilliant researchers working in
appsec. It may be the case that the former just don’t want to go public with their ideas, and that’s
fine. Everyone should do what makes them happy, but because we’re not setting the right tone, we’re
not being as effective as we could be as a whole community. We’ve got crazy amounts of fantastic
musicians, but we’re lacking conductors who could lead them and create a fabulous orchestra, which
at the end of the day is what we’re supposedly trying to achieve.

Or are we? Is it still about securing the planet, or more about working at fine jobs with a fine salary
and trying to secure the planet as a byproduct of the fun we have at work?

Technical work is exciting and tempting, technical skills are in great demand and people get
compensated very well for their technical acumen. Given that narrative, we shouldn’t be surprised that
so few people want to bother with social skills education. Why would they? If you’re good enough at
technical skills you’ll easily find joyful and lucrative employment.
I’m not saying it’s wrong - it’s fantastic that businesses around the globe finally started to realize
how important hackers are and that they should appreciate them by providing multiple incentives
(including solid $$), but it’s clear that we’re not paying much attention to the social side of the
house. It’s not a problem for hackers, who now have great jobs, but for businesses, because it takes
much more than a single technical rockstar to secure the whole organization.
You can be a great hacker and programming guru, but if you’re not interested in uniting people and
leading them to help you secure an organization, you’ll have a hard time making a difference. A
one-man army will only take you this far, and the true power comes from the synergy of competence
and attitude of all employees.

For over a decade of my IT career, I used to be a deeply technical person who avoided social
interactions at all costs. I wanted to be the most productive person ever and I got crippled by the mere
thought that I’d need to waste a single minute on redundant interactions with people. Redundant,
because I believed that it took away from me an opportunity to do something “truly important”.

What I’ve come to realize is that in order to be truly productive as someone who had been given an
opportunity to secure an organization, I needed to step out of my comfort zone and educate myself
more on human psychology, sociology, management, leadership, business execution, and related
disciplines. Leaving that safe spot was one of the best things that has ever happened in my whole
life, because making this change in my professional life made a positive impact on my private life as
well. What we used to consider a safe spot may actually not be safe at all, because in comfort we
tend to stagnate. To me, the definition of safety in the modern world is constantly putting myself out
there and doing uncomfortable things, thanks to which I can progress my life and career. Today’s safe
turned out to be what I had considered unsafe for many years of my career.

We all started somewhere and we followed this path or another, but I really wish I had had someone to
guide me through social interactions, because that knowledge would literally have saved years of my
life. That’s why I’m writing it down for you. I hope that my experience will save you at least some
trouble.

Sure, there are still days on which I’d prefer to stay at home, turn on airplane mode, pentest all
the things and refactor as much code as possible, but I appreciate the benefits of exposing myself too
much to let myself be myopic. When you take extreme ownership of your activities and emotions,
you enable yourself to go places that were completely out of sight before you took the leap. If you
need to take time off, take it by all means and recover, but at least give it a shot with a positive
attitude, because often social interactions end up miserably not because they were destined to end up
that way, but because from the very start we had a negative attitude which influenced our actions,
resulting in exactly what we were afraid of.

Many of us have trapped ourselves into believing that we were born one way or another and that
we can’t develop our emotional intelligence. While it seems to work just about right as an excuse, the
reality is that we can actually learn to be more empathetic. I realize that some people were indeed
born, or have chosen, to be very technical, which is absolutely fine. Do whatever makes you happy,
I really mean it.
I’m addressing this chapter to those who haven’t even tried to develop social skills, because in
childhood they labeled themselves as introverts not capable of dynamic social interactions
and they agreed to live their lives in compliance with that blanket statement.
Some of us have come to love productivity so much that we’ve decided to go all-in on working alone to
focus on deep work. We realize that mastery of our craft requires a ton of sweat equity put into
self-development while there are only 24 hours in each day, so at first glance it seems like being
alone and isolated from distractions is the right way to go about it. Although that’s great for the
development of our technical skills, if imbalanced it often makes us lose our social skills edge.

The deal is that without leadership skills you can’t really change the corporate culture, especially
when you’re joining an organization which has been on the market for many years, yet has never
been exposed to InfoSec practices. You need to have that leadership touch while working with people,
to instill security into their value system and keep them inspired so they want to put in the effort to
help you secure the organization. Whether it’s by securing the code they’ve written or by reporting
a potential physical security incident to you, everything comes from education, the right mindset, and
relationships.

Learn to feel your people. Understand what truly turns them on and then give them what they need.
Share your motives with them to allow them to understand you better and learn about your attitude.
For trust to exist, there must be honesty and communication from both sides, so not only learn about
your people, but also allow them to learn about you.
We have a tremendous number of fantastic people who are just waiting for a leader to show up and
guide them onto the path of a bigger mission and noble achievements.

Be a leader you wished you had and remember that we’re all just humans.

Sometimes, we obsess too much over wearing that mask of a professional, which instead of making
our lives easier, actually generates more anxiety and bitterness which we spread around unwillingly.
Not only can’t we contain our emotions, but we waste so much energy on creating a fake image of
ourselves that we leave very little energy for doing the actual work and for legitimate compassion
towards our coworkers. Just because you’re in such a serious role and your duty is to protect an
organization and know a lot, doesn’t mean you’re expected to know everything, and it certainly
doesn’t mean you’re required to act like you have answers to all the questions.

We are all alike and it pays off to be authentic. Everyone is trying hard to play someone different than
they are, and it’s killing us on an individual level as well as rotting the society. Don’t be afraid,
fight back against imposter syndrome, because you’re good enough and everyone is playing the same
game. When you understand that there is no point in faking, literally everything changes, because
once you bring down the walls of isolation and dread, you can see the real world around you.

We’re all imposters. Get over it and go do shit!

The long-term efficiency requires you to do things the right way

As security professionals, a solid part of our daily work involves finding and pointing out mistakes
made by other people. It’s what we are expected and supposed to be doing, and what we’re paid for.
However, the real trouble comes with how we communicate that information without causing too much
damage to the message recipients.

Many of us have fallen multiple times into the trap of naive cockiness, because while finding mistakes
in the work of others, we’re tempted to feel like we’re smarter than our non-security peers. We can’t
stand seeing the same bugs appearing over and over again. We’re all tired of OWASP Top 10 bugs
showing up in new code, because most of them have been known for well over a decade at this point.

The lack of proper education and attitude of our peers is the origin of many social problems and the
reason many of us have burned out and simply have no interest in playing nice any longer. So you
can either continue doing what you’re doing in your resentment, or you can revisit whether you’ve
been doing everything the right way. Often our resentment and social anxiety come from lacking
humility, when we’re the first ones to judge someone else while the right thing would be checking if
we had done everything in our power to change the disappointing status quo.
I do believe that if we had taken an approach of extreme ownership, we would realize that for a very
long time we weren’t practical enough and focused on myopic gains rather than on addressing the
bigger issue.

It takes a lot of passion and tenacity to stay on the path of effectiveness, i.e. the path of doing
things the right way and taking into consideration many constantly moving elements.
In my experience, it’s very hard to make security cost-effective if you’re not capable of playing nice
with coworkers to get stuff done at scale. Obviously, do whatever works for you; however, to me,
this was one of the biggest lessons learned.

It’s easy to destroy relationships and hard to rebuild them

We all make mistakes and that’s fine, as long as we don’t keep that tendency for too long. People are
capable of forgiving your mistakes if you change your attitude and possibly apologize, which we
know very well from our personal lives. However, to apologize to someone for something, you must
be made aware that your behavior caused harm to that person and that there is a need for change. The
challenge is that most people aren’t confident - or rude - enough to tell you explicitly what you’ve
done wrong or how you’ve put them in discomfort, so you’ve got to learn the art of detecting a toxic
atmosphere.
It’s about little things, watching how people’s attitude towards you has changed, and that’s rarely
about words but everything in between. If you’ve had a great relationship with a few coworkers and
now you can see them not as interested in being involved in conversations as they used to be, then
you generally have two choices:

a) assume they’re just having a bad day like every human being, and ignore it;

b) consider whether you may have done something that caused their day to be bad, and act on it.

I’m not saying you need to analyze every single behavior of each and every coworker, but when you
feel like something is off, look into yourself first. If there’s one person acting strange for a while,
then it may or may not be okay, because people have hard times and shit happens in our lives. But if
you’ve noticed a decrease in your productivity caused by coworkers’ unwillingness to collaborate with
you, then I strongly recommend you put your empathy to use and figure out what might have happened.

Self-control and self-reflection are important, because most of the time people will keep the tiny
negative experience to themselves, which is dangerous, as it grows bigger and a little spark of
inconvenience can evolve into a terribly toxic situation. You can’t allow that to happen, because
negativity is contagious, and while you may hear their thoughts only when emotions hit the roof, the
negative impact may be noticeable far earlier. People may get bitter about you and make others feel
the same, either by talking behind your back or by just being anxious all the time.
Even though most of the time we don’t recognize it as well as we should, we’re very sensitive to the
emotions of other people and we allow the emotions of others to influence our whole system. We’re
compassionate, we want to resonate with people, so often we unconsciously change our physiology
and put ourselves in a low energy state so we can better relate to someone else. I do it, you do it, and
your coworkers do it, so learn to recognize those moments and fix them before your whole team gets
trapped in the fast-growing bubble of resentment.

Given all that, it’s unbelievably important to do a gut check once in a while, because if you don’t
observe your behaviors to catch yourself in moments when your ego and attitude are way off,
someone else is going to spot that for you. If you’re lucky, that person may be generous and
courageous enough to give you honest feedback about your behavior.
Hoping that you’ll get lucky is far from a good strategy for career development, business
management, relationships or pretty much anything of value, so let’s leave that aside. If you care
about something, you should work for it to increase the odds of good things happening to you.

And you may think that it’s not that big of a deal, because if someone finally notices and lets you
know, then you’ll just apologize and fix it right away. Unfortunately, it isn’t always that simple. If
someone has criticized you, it means they had been thinking about it for a long time before
approaching you to discuss it. Which means that someone had spent their energy thinking about
your actions, likely got emotionally invested, and in the case of negative thoughts, business context
and logic often get lost along the way. With the mix of all these things, people may accept your
apologies, but it doesn’t really mean they care about it, have forgiven you and cleared the page. There
is no one to blame for it; it’s just a self-defense mechanism of human beings, and with good reason.
It’s not the goal of this book to discuss whether it’s right or wrong, though. People often act in a
way without realizing how their emotions and subconscious are playing them, so it’s not reasonable to
blame them for not owning it. It is the way it is, and you must keep in the back of your head that
people will judge you, will keep some stuff to themselves and you won’t always get a chance to
receive honest feedback.

This is why you’re on your own. You’re the right and only person who should take ownership of
monitoring your social interactions. Just work on yourself and take into consideration that people are
different and there are a ton of patterns that you must watch out for. Working as a security
professional, the last thing you want is to have coworkers dislike you because of something very silly
that could have been remediated within minutes, if only you had identified it before it started
consuming the energy of others.

Fixing relationships can be easily mapped to fixing bugs in the SDLC. The sooner you start working on
it, and the earlier you identify a defect, the cheaper it’ll be to fix the issue and move forward. With
relationships, I’d even triple down on the efforts on early diagnosis and constant monitoring, because
here we’re talking about humans and their emotions, which makes the risks and costs grow really,
really fast.

Trust and credibility are powerful tools that are indispensable if you want to achieve something great
with other people. So be careful, because if you lose your reputation it may be much harder to regain
it than it was to earn it in the first place.

No place for ego in effective management, and when less is more

The mantra of each and every organization should be that all employees share a common goal and are
expected to create something bigger together. To win in the sport of business, adversity and
competitiveness are needed, but people get confused. It shouldn’t be about aggressive competition
against each other, but against all the adversities slowing the organization down from reaching its
full potential. Fight everything external and cut internal arguments short. That’s a huge subject in
itself, and many great leaders have written entire books on subjects such as how to create healthy and
respectful corporate cultures, so I’ll just leave it as is, and what I’ve written in this paragraph
already should give you good enough context for what comes next.

While pointing out the mistakes of others makes us feel smart and is kind of fun, first and foremost
it makes others feel bad about themselves. You really can devastate the whole culture that
has been built by founders and all employees for years if you start acting like a jerk who is so
dominant that he makes others insecure and confused. Nothing justifies a situation where you feed off
people’s lack of knowledge to grow your ego and put yourself on a pedestal.
Even if a senior software engineer makes a mistake while doing something you consider to be the
basics, it’s still not a good enough reason to judge them based only on that.
If someone has been a great software engineer providing a ton of value to your organization every
other day, and they just made a mistake, who are you to judge them negatively? Everyone has days
where things aren’t the way they should be and all goes against expectations. Take into your threat
model that people can simply be tired, and focus your energy on finding a way to secure them
regardless and on supporting other people who may be in similar circumstances. You make mistakes
too, and it wasn’t just once that you missed a severe security issue or a threat indicator, or
misconfigured a tool because you weren’t at the top of your game that day. And it’s fine, you somewhat
justified it to yourself or maybe even your peers, so you looked good because you know that
99% of the time you deliver top quality work, and the underperforming 1% simply comes from
human nature. Treat others the same way you treat yourself and protect them the way you protect
yourself. Or at least allow them to protect themselves without nagging them with your egoistic
monologues on how disappointed you are. It’s humans who are, and for a long time will be, writing
code and running businesses. This fact entails all the good and the ugly, so to be practical, you simply
should incorporate all the human risks into your daily threat modeling. My point of view changed
immensely when I started considering risks such as employees (including myself) being tired, anxious,
negative, troubled or in any other emotion or mental state.

We also have a cognitive bias that makes us a terrible judge of what’s basic, what’s advanced and
what others should know. It happens in all disciplines in busy lives. I promise you that the person who
wrote an insecure piece of code could make you look as lost as a child in the jungle if they asked you
to do something that they do on a daily basis without any struggle, yet which you last did in high
school. Beware the cognitive bias, especially when the ego is in the equation.

Yes, our role is to identify weaknesses, and you should definitely keep doing that, but keep your
emotions in check, remembering that you’re supposed to be judging and assessing a particular
situation, not the person who caused an incident. This perspective, that we should be judging actions,
not the people performing the actions, has profoundly impacted my entire life. Transforming that part
of my daily life has not only helped me understand the whole system better, but it also made me less
anxious, which led to decreased friction I used to have occasionally with coworkers.
It’s the bug that sucks, not the software engineer who wrote a piece of code. Da Vinci created
plenty of ugly pieces, yet we don’t say “Da Vinci sucked badly”; instead we just say “oh, this piece of
art isn’t as great as his others”. If you need to at all, be a fair critic and treat your coworkers with the
same respect you’d like to be treated with. If we appreciated the work of our coworkers in the same
kind way we appreciate the work done by historic role models, our society would be much calmer
and healthier.

Take this advice with a grain of salt please, because we face a wild variety of people in our careers
and in some cases it may be indeed worthwhile to stop for a while and reflect upon a person as well.

But personally, I try to be optimistic about people and do the human analysis only if everything else
has proven not to work.

Making such a subtle change in the way we assess incidents can make a huge difference, because if
we let ourselves get lost in a mindset that permits blaming other people, it’s hard to escape it and
we can’t focus back on the actual mission. Being judgmental is so attractive and addictive that once
you start it, it presents itself as a mission beyond all others.

If I had to pick one thing that changed my life the most, it would be learning how to dance with the
dark side of my ego, mostly the one that’s responsible for all sorts of insecurities. You can’t really
kill it, and we know that while it’s an enemy of our happiness, it pushes us to chase fulfillment. So
it’s reasonable to learn how to control it, at least to some extent.

A controlled ego may become your friend, one which supports you, helps you mute out evil critics and
gives you permission to do your thing regardless of the opinion of others. Ego does not need to equal
vanity, so please use moderation while trying to battle it. In the media, we’re bombarded with
oversimplified information on how bad ego is, which eventually may make us forget that our ego is
also our shield and can be used for good.

Taking control over your ego also enables you to become more open to feedback from people around
you, which to me is the essential ingredient required to unlock one’s potential. If you accept the fact
that you’re not the smartest person in the room, and that you neither should be nor are required to be,
you enable your true growth. Permit yourself to risk it, and allow yourself to trust other people’s
expertise and intentions. If you trust others, you can then utilize their experiences and knowledge to
build upon, as opposed to figuring everything out on your own.

Whether it’s feedback about your work or about you as a person, you need to learn how to appreciate
all of it. One of the forms of true appreciation toward the person who has tried to help you is putting
freshly obtained knowledge into practice, so as not to repeat the same mistake again. Obviously, do that
only if you’ve assessed the feedback to be reasonable, positive and practical.

Listening is a skill which requires constant training

Although we think we’re listening when other people talk to us, most often we’re just hearing them
talk. That’s far from listening, really. Absorbing a new perspective and pulling value out of it isn’t
an easy task. Biologically, if we’re lucky, we have the capacity to hear, but listening is something that
requires training and experience. Nothing extraordinary, and it applies the same way to you and me.
It’s simply not something that’s being purposefully taught in any school that I’m aware of. Negligence
in teaching kids how to actively listen has a significant impact on the lives of all of us in adulthood.
We’re taught many things, but we’re not taught enough about how to understand each other
well.

To some extent, the art of listening to others is trained daily, since from our earliest days we’re being
taught to follow orders and to be generally obedient to social constructs. You can’t really go
through life without at least some receptive skills, unless you want to live a life where you’re causing
a lot of trouble to others by deciding to be a non-obedient outcast. You do you, obviously; it’s just that
some rules are in the system for a reason, and refusing to comply with them is not always such a great
idea. Obedience is a good thing, as long as it is consciously moderated and adjusted to the contextual
reality.
Regardless, obedience isn’t the most advanced form of listening. Listening to others with empathy and
understanding is something way beyond what we’re being taught by the system. That’s one of the
reasons why you can have fantastic technical experts in their field who fall short and disappoint
miserably when put in a leadership position.
Being capable of following the predefined route of mastering a field doesn’t equal being able to
competently show the direction for others to follow.

You know what requires even more effort? Muting everything and everyone out so you can hear and
listen to your inner voice.
You need it in a big way, because along the way you’ll meet many people, mostly with good intent,
telling you how you should do things, regardless of whether they’re at all competent to give such advice.
Although it’s great to surround yourself with supportive people who provide their perspective hoping
their suggestions will turn out helpful, you need to remember that at the end of the day you, not them,
will be the person who makes a decision and takes the recognition or the blame when things go sideways.
That’s why you must thoroughly assess every signal that’s entering your head, because often we
subconsciously make decisions based on external factors, not on our personal gut and expertise.
Everything is on your shoulders, and if you listen to others too much, you may end up in a situation
where you’ve done all the things they wanted you to do, but then you were left alone to deal with the
consequences that come as a result of your actions. When you take ownership, you at least know it
was your decision, and if it doesn’t work out, it’s fair and right to blame you. Also, if your action was
successful, you can recognize yourself for making a good call, which is harder in situations where you
know it wasn’t just you who made it happen.
If you take ownership, you do it also for the benefit of others, because if you know it’s all on you, you
avoid the possibility of resentment and angst towards another person. It’s much lighter to deal with “I
messed up but I can clean it up”, rather than playing the victim with “I shouldn’t have listened to them”.
When you’re left with the second option, you deprive yourself of control over your life and the given
situation, and that’s when things go even more sideways. We’re often not so eager to clean up the mess
if we feel like it’s someone else’s responsibility, because it was them who instructed us to behave one
way or another. Even that is just a dangerous denial syndrome, not an objective truth.
You made a decision to surround yourself with those people, you made a decision to listen to their
advice and you made a decision to implement their suggestions into your life. Given how many times
you’ve made a decision before making the decision of implementation, you are really the only person
to take the credit for the good and the ugly.

Sometimes, the inner voice may tell you things you don’t want to hear. It may tell you that you’ve
done things the wrong way and that you should conduct yourself much better in the future. It’s
dangerous to look inside, because if you haven’t looked inside before, you have no idea what to
expect. That’s why it’s important to give yourself some space regularly to check with yourself that you
haven’t lost yourself in the busy daily operations. It may even be painful at times when you reflect on
your actions and recognize that you’ve simply behaved badly. But the freedom and lessons that
come from the acknowledgment that you’re not perfect are worth the struggle.

Memory exists so we don’t repeat the same mistakes again, not so we romanticize the painful experiences and live in the past

Look back at yourself from 2 years ago and notice how much — hopefully — you’ve grown
since then. Each time I look into my past I can’t believe how naive and silly I was at times. And that’s
OKAY. A few years, months or even weeks can make a whole difference in how you operate, given
you’ve provided yourself with some space to audit your actions and improve.
Change and evolution, although scary, shouldn’t be the things you are afraid of experiencing. You
should be afraid of looking back and realizing that you haven’t evolved a bit in the past couple of
years. Time is the most precious asset we have, and not living up to one’s potential is such a waste. So
if you feel embarrassed about how much worse you were compared to today, then replace that feeling
with joy. Because you should be proud of yourself that you’ve changed. If you don’t feel sorry for
your past self, then it means you’re not pushing hard enough in the present.

Allow yourself to grow, acknowledge your mistakes and move forward. Don’t dwell in the past for
too long; learn from your mistakes and do better in the future, while you still have a chance.
As time passes by, some things become impossible to fix, and if that happens, then you’ll truly
understand what real regret tastes like. When someone who has an image of you as a bad person
leaves an organization, it’ll be much harder to fix that state, while now it may take just walking by
your coworker’s desk and having a small chat with them to show them the real and friendly version
of yourself. Such ghosts may chase you for a very long time, and that’s not a pleasurable experience.

If you want to build a healthy culture in your company or in your department, then you must cut your
resentment short. Negativity spreads like a virus and creates a toxicity that is very hard to eradicate. So
when someone tells you that you suck or that you’ve hurt them or someone else, then don’t fall for it
blindly. Listen to others, reflect on your actions, think about whether it’s really something you should
improve and make your decisions accordingly. Only the one who makes mistakes moves forward at the
right speed. If you’re not making mistakes, are you doing anything at all?
Sure, you can be cautious and find it to be your tempo, but please, do not let your ego kill your
passion and empathy just because someone criticized you or you revisited your past and noticed
your mistakes. Cool, if the mistakes have been brought to your attention, then you’re done with
your past; now take those lessons into the future. Your brain will help you if you guide it properly. It
just must know that you don’t want to stay in the past. Seriously. Get in there, extract as much data as
possible, get back to the present and burn your boats. No coming back, because now you should focus
on learning from your present mistakes: if you went into the past once and learned from it,
then you’re in a completely different context now, and from now on you should build your wisdom on
the mistakes you’ve made after the nth iteration, not at ground zero.

Appreciate feedback every single time you get some

What I’ve found in life to be an interesting phenomenon is that if someone is providing you any type
of feedback, then it usually means they’re expecting you to do something about it. If they hadn’t
wanted you to change, they wouldn’t have spent their time and mental energy on thinking about
you, let alone talking to you about that thing, which costs them even more.
Pay attention to the things happening around you, because what you might have been considering
noise may actually include some worthwhile signal. When someone starts a sentence with “you
know, I just had a thought, not a big deal, so just take it or leave it”, it doesn’t mean you should
treat it the way they’re naming it. You should treat them the way they want to be treated, and people
rarely say how they want to be treated. Instead, they show how they want to be treated and it’s up to
you to feel them and read between the lines. The case with such soft discussions is that someone
wants good for you; they don’t want to hurt your feelings and they don’t want to put themselves in an
uncomfortable situation, which is why they’re willing to do their best to keep the tone of the whole
discussion as pleasant as possible. Don’t let the tone set by your agreeable interlocutor mislead you,
however. You should be thankful for their compassionate tone, but regardless of that, you should treat
it seriously and read their intentions from the whole package, which includes the words used, the tone,
the personality of your colleague, the history of your relationship, and the context of the very specific
situation you’re in. It sounds like a lot, but it isn’t. Once you try it for a while, you’ll get used to it
and it’ll improve like any other skill that comes from the habits you’ve developed in other areas
of your life.

“Take it or leave it” advice rarely exists, and that’s especially the case in the corporate world, where
people don’t have a moment to spare on discussions that bring no value to the table.

Make them safe and make them feel the comfort of that safety

The biggest challenge, though, is getting people to feel so comfortable around you that they
allow themselves to be honest, to share their feedback (because everyone has some and you should
respect it, regardless of its quality) or to admit they don’t know something technical and need your help.

There are many things that hold people back from being honest. Corporate politics, insecurities and
imposter syndrome are very real. It’s not that people are insincere; they’re simply afraid. They’re
afraid that their goodwill can backfire and cost them their stability and life’s comfort.
That’s why I’m an advocate for helping people discreetly, not making a big deal out of their
requests and never letting them feel weak for talking to me. I want to get the job done, and that’s why I
must help people achieve their objectives in the setup most comfortable for them, not for myself. My
comfort doesn’t cause people to deliver greater results. My comfort allows me to deliver results, and if
I want others to deliver high-quality work, I must make them comfortable first.
Although it feels great when you earn people’s respect or admiration, these should be considered
byproducts of your care for the individuals you lead. Our job is to remove the obstacles from our
coworkers’ way so they can swiftly move forward.
To me, it means providing my colleagues with quality technical advice that empowers them to solve
their problem and ensuring that they leave the meeting inspired to actually do it. The last thing I want
is for people who’ve asked for help to feel like they’ve given some part of themselves away to
someone who couldn’t appreciate it.

Don’t let your perception of the world mislead you and put up a filter through which you expect others
to be like you. If talking and asking come easily to you, then all it means is that talking and asking come
easily to you. It has nothing to do with how others feel about asking and talking, so don’t fall into the
trap of thinking, and preaching to others, about how easy it is to say their thoughts out loud. You don’t
know them and you don’t know their thoughts, so you can’t really tell how tough or easy it is to share them.

If you explicitly ask someone to share their feedback with you, you had better keep your mouth shut and
your ego in check, because if you disrespect that person, it’ll be the last time you get honest
feedback from them. Especially if you’re justifying your request as if you wanted to hear suggestions
in order to improve yourself, you must take that conversation seriously. If your supporters don’t see
things changing despite their involvement, they likely won’t treat you as seriously the next time you
ask them for the same favor. And rightfully so, because none of us wants to invest our time in people
who waste it so easily. People are frustrated and tired of those who can’t keep their word, and at
some organizations, fake feedback requests are more the rule than the exception.
Anytime someone approaches you, you should make that person feel that you’re grateful for their
involvement. It’s really nothing new, but treat that person the same way you want to be treated when
opening up in front of someone else. So obvious, yet so hard to implement.

Creating feedback loops is invaluable, but maintaining them doesn’t come at a low cost. The cost is
that you must take some sort of action upon the recommendations you’ve received from your peers.
But that’s a good cost to have, isn’t it?

On toxic and productive criticism

Criticism is one of those forms of feedback that you can get really wrong. For example, if someone is
negatively criticizing you or your work, then instead of getting defensive, why don’t you dive deep
and try to understand their real agenda? You should analyze whether it’s really your problem or that
person’s, but if someone has gotten themselves so involved, it’s your problem to solve. It’s
frightening how often we’re blindfolded by our ego, which creates a strong narrative making us reject
the voice of others. We listen to others and let them put us down, yet at the same time, we get so
defensive that we miss opportunities. You need to break that pattern. Don’t let anyone put you down,
but listen to everybody, because they may be right about something that will benefit you. Focus on
learning from them, but while letting their voice penetrate your mind, make sure you don’t let it sit there
for too long, because the bottom line of some agendas is indeed malicious.

At this point, I can’t even remember how many times I’ve seen someone dropping bitter and confused
comments under my content, until I decided to ask that person what’s bothering them and give
them some compassion. I’m actively trying to understand people’s intent and the place they’re coming
from. When you put yourself in their shoes, it all may just click, and then you truly realize why they
act one way or another. And sometimes they’re just trying to bring attention to themselves so that you
can help them, because deep inside they want to understand. Some people don’t know how to ask for
help “properly” and they do it their way. It’s too bad they haven’t been taught how to communicate
nicely, but regardless of their upbringing you should show them some love and try to feel them. When
you do that, it becomes possible to convert an ignorant hater into a driven advocate of security or other
things that matter to both of you. If they’re pushing hard on negativity, then they already have some
sort of drive. You just need to target their energy in the right direction and make them positively
productive.

Toxic criticism can be productive, but only if you put in the work to understand why it’s toxic in the
first place. Some people are broken, some have problems with controlling their emotions and some
haven’t been taught how to give feedback in a more empathetic way. Regardless of that human nature,
all of them can teach you something valuable.

Watch your language and respect your peers

Using aggressive, AKA too passionate, language is dangerous. Watch your language especially in
email conversations, especially while talking to sensitive people, and truly especially while sending
email to sensitive people who haven’t yet had a chance to meet you and learn about your true, friendly
personality.

Email communication is a fantastic productivity tool. It brings benefits such as allowing you to keep
track of your work, preserving the discussion for the future, saving the time you’d need to spend walking
to someone else’s desk and then briefing others on the outcome of your discussion, and allowing you
to stay in the zone without getting distracted by personal interaction.
To some of us, emails are also a great form of escapism from real-life social interactions and
uncomfortable discussions filled with unexpected emotional reactions. The problem is that while
trying to use emails or instant messengers as a vehicle to escape anxiety and emotions, we’re actually
less thoughtful in terms of the words we use, and we often end up with an outcome completely
different from the one desired. We think that we’ve escaped the inconvenient discussion, while in
reality we’ve transferred our anxiety onto others and now made them uncomfortable. We hope that
choosing an email over face to face interaction won’t drain our energy as much, but we forget to
consider whether it will drain the energy of others.
In all types of interactions, regardless of their form, you must take the other people involved into
consideration. People have feelings while reading your emails too, so make sure you don’t fall into the
trap of shooting your messages at the speed of light, because while it gives you an immediate good
feeling that you’re getting your work done, you may be causing someone else’s work to get disrupted.

You can still save a ton of time by using email without being an ass. Using the right words and
format will take you just a few seconds more, and will save a lot of time down the road if you would
otherwise have offended someone. It’s not that hard. It’s not something you must actively think of while
writing an email, and you’re not expected to choose very polite words over practical ones. Just change
your mindset and the language that comes out of your fingers will follow.

Have you noticed it as well? That in email we’re much more eager to offend people by blaming
them than we’d ever be in a face to face conversation? Consciously or not, I’ve noticed this trend
in my own messages as well as in the communication coming in from others. Grab a coffee and
go through a few emails you’ve sent over the last week. But this time, read them as if you were
talking to a real person standing in front of you. Would you use precisely the same words while
talking to someone face to face? If not, then don’t use such language in written form either.
Don’t overthink this exercise. Just read your emails out loud, and when you feel uncomfortable
saying something, then you’ve got a hit.

Blaming, shaming, pointing fingers doesn’t help anybody. Never, nowhere.

While it may be a relief for your grief, it’s negatively contributing to your long-term success at your
organization and in your relationships - professional or not. You’ve got to find other means to let your
emotions go and if you haven’t found them - keep on searching, because if you don’t have any
conscious way of releasing your emotions, you’re likely to be releasing them unconsciously in the
most inappropriate moments.

Humility is one of the most critical qualities a leader must possess. It’s a major dependency for
building the trust that can be converted into long-lasting relationships, so don’t be too cocky just
because you’ve found someone else to be less educated than you are, which gives you an opportunity
to point out their mistakes and feed off of their insecurities. Make yourself feel good and boost your
ego by helping someone become more educated and resilient to other rude people, not by hurting their
feelings.

How would you feel if the roles had been reversed? Imagine that someone purposefully offends you
when you come asking for help. You can surely fight and play their game, but is it really what
collaboration is about? No, it’s totally not, so stop acting like you could endure everything and so
should others. Everyone thinks that way, until they get punched in the face and realize they’re exactly
as vulnerable as everyone else - as the famous quote of Mike Tyson goes.

The concept of workplaces went down that odd route and created very artificial and fake micro-societies,
but there are very few reasons for you to continue playing that game, and there are plenty of
arguments for acting in a workplace as you act among your friends, colleagues and other personal
acquaintances.

The winning corporations figured out a long time ago that it’s all about making people comfortable
with their self-awareness and hunger for growth. You must make sure that people understand and feel
that there is nothing wrong with not knowing something as long as they have a willingness and
interest in learning, improving and getting better in whatever field they’re paid to pursue.

If you want to surround yourself with great people and create a tribe in which you all feel at your best,
then you must create such a microclimate around you. There is one rule that seems to work amazingly
well, which is: overreact when someone does something good, and under-react when someone does
something bad. Managing this certainly isn’t easy, because you’ve got to find a balance between
feeling for others and taking things seriously when someone has really messed up. But it’s still easier
than spending 8 hours each day in a toxic culture no one cared enough to fix.

You do you, just stay in sync with reality and be thoughtful about how your actions may influence
people around you. Both short-term and long-term, that’s the ultimate game.

Growing thick skin in InfoSec

Dealing with negativity and destruction is a part of nature

There is one thing we can’t, and likely shouldn’t try to, escape, and that is working with other
people. Whether you’re remote or not, you’re still a part of a bigger organism, consisting of humans
with different personalities. Luckily, most of them are positive and generally cool, and it’s really a
tiny fraction of them who’ll cause you trouble. The 80/20 principle applies to human nature as well:
just a few people you’ll meet in your life will cause you a headache, while the vast majority will be so
nice that you want to have them around.

You must recognize that and focus always on individuals because one of the worst things you can do
to other human beings is to punish an innocent and excellent tribe for the mistakes done by one
specific individual.

Although we like to generalize, we must recognize that fact right away and take no shortcuts when it
comes to deciding on responsibilities within a tribe. Society and humanity aren’t all that evil and wrong
as we sometimes allow ourselves to think. It’s just a few permille who are responsible for making
the whole fuss, and because negativity is louder, it just appears as if the overwhelming majority of
people are negative. They’re not. It’s just that when something positive happens, people don’t talk
about it that much, but oh my, do we love to complain when something negative happens!

I choose to believe that people are good by default; it’s the environment which is either weakening
and breaking them, or supporting and making them better. Some people had no luck in their lives, and
while it’s not an excuse for their behavior and attitude in adult life, it’s just smart, practical and
empathetic to keep that in mind. Our technical work is hard enough, and every single tweak to the
mindset, meant to reduce anxiety by understanding human psychology, is a good tweak.

Life sometimes just happens to us. We need to learn how to recognize situations in which someone is
in just a temporarily weaker mental state, because it’s fatal to forget that people go through
hard times in their personal lives which have an impact on their professional life. You, me, and
everyone else have such days or weeks where things just go sideways. It doesn’t mean we
immediately change into evil creatures forever, right? It doesn’t, so make sure to remember it
while assessing the behavior of your coworkers, because they might as well be coping with something
you have no idea about. It happened many times to me that while talking to someone, they
overreacted a lot, but I tried to remain calm. And only after a couple of hours that person approached
me and explained that they understood their reaction was off and that it was because they’ve been under
personal stress lately. Sometimes, I was that person who went to apologize to someone for being
irrational during our discussions. It just happens.

If you keep that in mind, and you don’t escalate the conflict when someone is behaving oddly, there
are high chances it’ll solve itself within a few hours. Most people do have some self-reflection, and if
you remain calm when they’re anxious, they’ll eventually realize what has happened and they’ll either
control themselves better in the future or will apologize to you right away. But if you engage in an
aggressive discussion, their mind will be in the fog of the battlefield, leaving no space for clear vision
and empathetic understanding. Ego and human self-defense mechanisms are huge, so remain calm and
always assume the person you’re talking to knows something you have no idea about.

On the truly negative

It’s not to say that you won’t meet people whose dark side manifests itself publicly without any
moderation.

You’ll certainly encounter the kind of people who’re always unsatisfied, ungrateful, rude or just
deeply troubled, including some exceptional characters who won’t change their attitude no matter
how empathetically and diplomatically you approach them. But it doesn’t really matter, ‘cause we’re
not here to judge anybody. We just need to find a way to cope with them so they don’t intoxicate our
lives more than necessary. Some people are just the way they are, and although I believe we should
try to help as many people as possible to get back on the righteous track, sometimes the best thing you
can do is just accept that person for who they are and continue with your mission regardless. If you
can’t make someone your ally, at least don’t let them get under your skin so much that you allow
yourself to call them your enemy. Don’t let the negativity of a few get in the way of helping the
vast majority of good human beings.

While we’d all prefer to work only with nice and friendly people, we need to deal with various types
of personalities or sometimes with great personalities having a bad day.

You’re in control of your reactions to your emotions. Most of us aren’t, but we can become so if we
invest our energy in learning to do so. If you ask me, at any time of day or night I’ll tell you that
it’s worth the struggle. Because if you let the negative thoughts get to you and you don’t take
human nature into the equation, it can indeed be a painful feeling when you’re doing your best, yet
there is someone who purposefully, with malicious intent, is doing everything in their power to put
you down.

It’s as much about emotions and personal calmness as it is about your productivity. Most of the
negative people you’ll meet along the way will often turn out not to be worth your effort. Not that it’s
impossible to make them your ally, but because time is a very limited asset. No matter how strong
your will to help others is, you still have only 24 hours each day, meaning that if you spend an hour
trying to sell security to someone who’s unsellable, you’re losing an opportunity to work with
someone collaborative.

You really need to be smart about how you pick your battles. If you allow your vision to get too
narrow and focus on fighting someone to convince them to join the tribe, you might at the same
time be doing the biggest disservice to your organization. You could’ve been investing that time in
positive people who’re eager to help you and with whom you can achieve whatever it is that you
want to achieve. Sometimes, if you get enough positive people on your side, it’ll spread organically
and the negative ones will be left with no choice other than to comply with the standards set by the tribe,
or to leave the organization. In any case, you’ve won.

Always try to clarify the situation, but if you feel like you’ve had enough, don’t overstretch yourself. You
need to learn when enough is enough, because it’s really not your duty to sacrifice your health in order
to save the world for those who don’t want to be saved. Our mental state is vastly influenced by the
emotions of other human beings, and if you spend too much time among people too complicated for
you to handle, you can break yourself and become as bitter as they are.

Not a single job and not a single person on this planet is entitled to your physical or mental
health, so seek escape when things are really bad.


Sometimes the best way to win is to quit

Don’t let bad people get in your way and stop you from doing the things that matter. Sometimes
trying too hard will have the opposite effect from the one you expected, because you won’t be much of a help if
you lose your sanity after trying to fix someone who lost it a long time ago.
As cruel as it may appear, some people just need to be let go. Because you know what’s even crueler?
Allowing toxic people in your organization to make others miserable. You don’t want anyone to
spread negativity, destroy the corporate culture and get on the nerves of other employees, who may
eventually even leave your company in search of a safer place.

Firing is hard, but it’s necessary. If you’re on a mission to build something big, and you’ve been
doing it for decades and have involved hundreds of other people, then the idea of allowing someone to
destroy or poison the project of your life is just ridiculous. Do what needs to be done and move on,
because life’s too short to let anyone sabotage the quality of your life.

You can’t afford to neglect what’s good while striving to fix the bad, and it appears to me that this is
one of the most common mistakes we make in our lives. You should give more love to people
who care and who want to work with you, instead of investing your time in people who don’t care
enough to conduct themselves properly. If you invest too much time in negative people, you’re
simply being disrespectful to the people who care for you and who do their best at work, because they are
the ones who deserve your time and attention. Don’t fail them on this one, because lack of
appreciation is one of the quickest ways to make people lose their drive and dedication, so make sure
to spend your time and energy wisely.

By the same token, you may find yourself to be the person who’s doing their best while not
getting adequate support from your coworkers, managers or other people in the chain of command.
You may have joined an organization in which security is just an afterthought and people couldn’t
care less, but they needed “some more security” so they got you on board. But for you to be effective,
you need the support of most stakeholders in the organization; otherwise, you might be killing
yourself, yet still have very limited impact on the overall security posture of the organization.
And although you can try your best, if nothing changes for an extended period of time or if HR
doesn’t bother addressing your concerns about toxic coworkers, then the best thing you can do
for yourself and your family is to quit that organization and find a better-suited place for yourself.
If you run into an organization that requires you to push yourself way beyond your mental and
physical limits, and requires you to do plenty of politics to get anything done, then is it the right place for
you? Or to phrase it better: is it the best you can get? I promise you that you don’t
need to stick to a place that makes you miserable, because as an experienced security professional you
have so many job opportunities all over the globe that it’s at best unreasonable to stay for too long in
a place full of drama. The market is booming right now, and not taking advantage of the sheer volume
of opportunities is plain silliness, ‘cause there is nothing more important in life than your and your
family’s happiness, fulfillment, and sanity.

Yet, so many of us fall for it. I guess that’s actually one of the character traits that make people choose
security as their passion/mission in life: the hunger for changing the world for the better. But what gets
us going can just as well be our kryptonite, so we must pay attention to how far we allow ourselves to go
with it.

Don’t shy away from showing off your success

If you’re like me, then you prefer to do most of the work in silence and move forward without wasting
time on showing off, because I joined the infosec field to do infosec, not to be a marketer. Many of
us are simply tired of seeing social media flooded with content which has little value, yet is wrapped
in a nice box which sells well. We don’t want to become what we despise, so our reflections on social
media set a negative tone to the concept of self-promotion.

The challenge is that we all need to learn how to make our work noticeable and generally more
visible to stakeholders at our organizations, because it helps more than it hurts. Obviously, it may hurt
our egos a bit, because how can they not notice the sheer volume of work you’ve put in and the
great results you’ve achieved, right? Well, for people not working in infosec it’s really hard to tell
which work is important and how much effort was required to get something infosec-related done.

The little narcissist comes out of all of us sometimes, making us fail at getting recognized among our
superiors and other colleagues. The reality is that other people often don’t know, or don’t care to know,
how much value you bring to the organization, and it’s on you to help them understand that.

More often than not, we’re led by our noble virtues which make us forget about the self-promotion
because we feel like our job is to help secure the organization by doing more and more “actual” work.


If you care about long-term results, the much better strategy is the one in which you promote your
work, because it can be treated as a tool for shaping a culture of consciousness and appreciation,
which will benefit everyone: you, your team members, the people who’ll come there after you and,
ultimately, the organization you work for.

It’s silly to think that every second put into promoting your work is a second taken away from
doing the work that could bring value to the world. But to understand that, you must take a look at the
bigger picture, which means doing all those “unnecessary” things to achieve a bigger goal, that being
creating a healthy corporate culture in which everyone at the organization begins to understand what
it is that you do, which then gives them an opportunity to help you or to at least not get in your way.

But it’s not always that shallow, and it really doesn’t mean you’re doing it to buy into someone’s evil
agenda. If you clearly express how much you were able to achieve and how it positively affects
the business, people will be more eager to offer you support in the future.

If you’ve proven yourself to be successful, if you’ve made people aware of your success story, then
they’ll feel like you apparently know what you’re doing, so you deserve their trust. I spent most of my
career trapped in a belief that I shouldn’t be promoting my work, which did nothing but stagnate my
career development and didn’t allow me to go after things that I knew were good for me and the
companies I’ve worked for. No matter how much executives at your company preach about giving
trust, failing fast and going after it, the reality is that 9 out of 10 times you won’t be given a chance to
have a meaningful impact if you haven’t proven yourself to be worthy of the trust. And that’s fair,
because at the end of the day it’s those executives who’re held responsible for business longevity and
its financial situation.

You shouldn’t ever feel bad while promoting your work. If you believe in your work, if you’ve done
something of value, then you’ve earned the audacity to share it with other people. Especially if you’re
on a mission to secure that organization, you should feel good about doing whatever it takes to make it
happen, including allowing yourself to promote your work, especially at times when you don’t really
feel like it.

Communicate, communicate, and when you think you’ve already done enough of it, communicate a
little more, to put yourself in the best position to succeed.


After all, it’s all about protecting the money-making machine
Make each action purposeful and data-driven

Generally, in life, deep trust isn’t easy to earn and is unbelievably hard to regain once lost. Every
step you take in any new relationship should be carefully planned and executed according to a
thoroughly designed plan. Minor tweaks to the plan are allowed, because to be practical it’s necessary
to change a thing or two, but the roadmap should present itself as a professional piece of work.

If you’re joining a new company, then for the first couple of months — in reality for as long as it
takes you to prove yourself — you must pay extra attention not only to the things you do, but to how
you go about doing them. While we all make mistakes, not all of us have the courage to own our
failures and handle the blame. You really don’t want to create any negativity around your persona
right after you’ve joined the company, because people are quick to label others, and negative labels
wear off slowly and painfully. If within the first couple of months you earn a negative label for
yourself, you’ll have a hard time getting rid of it.
If you want to get to play the big game, then the last thing you want to happen is to have someone
consider your initiatives to be reckless or myopic.

Take special care with security initiatives that can have an impact on the productivity of your coworkers.
People are sensitive about their time, because life is short, and because they’re being pressed by their
managers to deliver the work on time. If you steal their time without giving anything back that would
either make them feel good or make their managers feel good, then you put them in a state of
discomfort which they’ll eventually need to release somehow. You can steal pretty much anything,
and people won’t get as upset as when you take their time away.

Do not fail your new coworkers, even at the cost of your own productivity. By rolling out the big guns
without learning the corporate context first, you’re setting yourself up for big drama. The more mistakes
you make over time, the less interested people will be in your future initiatives, because they’ll be afraid
of you screwing up their work again.


Yes, walking on eggshells will eat up a significant amount of your time and make you less productive
over a couple of weeks or so, but it’ll create solid foundations for future long-term and riskier
endeavors. Saving time by cutting corners on creating relationships is the last thing that should come
to your mind, because there is a huge number of things that eat up your time on a daily basis, yet
provide little to no results.

And if something bad happens, not all is lost. People know how to forgive people who deserve to be
forgiven and who have a track record of being a good citizen.

Adapt, adjust and execute

Every single one of us made plenty of mistakes in the early days of our careers. That’s completely fine
as long as you recognize your mistakes and aim to improve. No one is different, no one is exceptional
and no one is out there with a blank page. I’ve been in the industry for over a decade and it
occasionally happens that I make some basic mistake, even though it would be crystal clear to
someone who’s been in the industry for as little as 6 months. People let me live, despite my periodic
incompetence and cluelessness. And that’s okay, because we’re just humans, and other people
recognize that you’re just a human as well, and making mistakes is a part of human nature.

What really matters is to recognize when you’re not making progress and to be constantly open to
feedback from people who are affected by your actions. Do not put yourself down because you’ve
made a bad judgment. Keep evolving, adapt to events happening in the industry and adjust your
activities to the context of your organization’s, your team’s or even a particular person’s needs.
There is no shame in acknowledging your mistake. It’s actually a great leadership quality which
shows that you’re strong enough to admit that you’re not a know-it-all person. You have no idea how
few people actually have the courage to admit they’ve made a mistake and how hard it is for them to
break the toxic pattern.

Lead people, take ownership when you or they make a mistake, and be empathetic enough to understand the
motives of every single person. Being such a virtuous being will, more than anything else, inspire them
to care about security and help you perform at your peak.


Securing the money-making machine is the prime objective

If you’ve found a job at a healthy organization, and you feel calm and joyful to work there, there are
high chances you’d actually work just for the sake of working, because for many of us, security - all
flavors of it - is a burning passion which we’ve been grinding on long before anyone paid us to be
doing it. For some of us, hacking & defending is almost like oxygen. If taken away, we’d quickly and
surely die!

In the corporate world, being driven by your passion may be your biggest strength, allowing you to
take your career to levels unavailable to others, but it can just as much be your kryptonite. You must
remember that work is work, and although there are plenty of great things you could be doing at the
moment, you need to target your passion at very specific tasks, allowing you to focus on protecting the
critical infrastructure generating the revenue. If you keep the money-making machine safe and keep
your company alive, you’ll be able to play with security longer than if you had focused only on the
playful side of our jobs.

If you love the work you do, if doing the work makes you love yourself and it’s truly your obsession,
then remember that there are always ~16 awake hours in a 24-hour-long day, and there certainly is
time to have fun and enjoy yourself doing the great things with technology you want to do. There is
life outside of work, even if you still decide to work after work. For your own sanity, make a clear
distinction between what you’re required to be doing and what you want to be doing, and I promise
you that in 16 hours you can find plenty of time to do both, without disappointing others by chasing
your dreams rather than tasks important to the business.

At places where people rely on you to be a PRO, you must put first things first. It sounds obvious, but
we all get ourselves into those obvious situations. We don’t realize how often we go sideways instead of
focusing on things that matter, only to learn about it when someone calls us out on it. By then, it’s
often too late, and instead of stopping the damage from happening, we can only contain the damage at
that point.

We are humans and we fall short when the next flashy thing stimulates our brain. We all love to do
fancy stuff, but the thing is that most business owners don’t care how much fun you’re having as long
as their money-making machine is holding up well, with a low risk of that state changing for the worse.
Smart entrepreneurs know that employees perform at their peak when they’re not stressed out, feel
safe at the workplace, feel like the work they do is meaningful and when they can develop their
careers on the employer’s time, leaving personal time for leisure and private life projects. So there is that,
but you must reverse engineer the process and ensure you’re pulling the right strings, because not all
employers will know how to appreciate your vision and passion, and you can get yourself into
unnecessary trouble if you stretch their open-mindedness too much. Don’t get me wrong. Keep that
passion burning and demonstrate it courageously, because your drive matters the most and there are
executives fascinated by technology and excited about you delivering more than expected.

What I mean by all this is that you must accept that often you’ll be required to do mundane tasks, and
those mundane tasks will often be the most important pieces of the puzzle for your success. It’s far more important
to investigate why Joe from HR so often fails phishing tests than it is to deploy yet another security
tool released yesterday by Netflix. Focus more on the people who actually make the money for the
business. If you hear that your salesperson has problems accessing their account because of a
dysfunctional 2FA mechanism, it is a critical issue you should address at the earliest, because those
people are the ones who keep the machine going, and are the ones who, in a rush, may fall victim to
phishing attacks, possibly leading to sensitive data leakage.

To be truly effective you must understand and recognize the difference between the important and
the urgent. Some things are both urgent and important, so don’t allow yourself to ignore urgent
requests because you believe that working on an “important strategic project” is where you should be
spending your time at the given moment. It’s all about the balance coming from your common sense,
because you can’t be too hard on either side.

If you delay your coding for a few hours, likely not much is going to change. But if you delay helping
a salesperson, your company may have just lost thousands of dollars on a deal that could’ve been
secured if you had enabled the salesperson to do their work. Give yourself a moment and let it sink in,
because I’m pretty sure you’ve experienced this phenomenon as well: you focused on the things you
believed mattered the most, only to realize no one cared and you were supposed to do something else.
We’re blindfolded by our ego and drive, so keep on learning how to control your highs and lows.

Business context matters. A lot.



You can’t effectively manage the risks if you don’t understand the business you’re in. InfoSec is all
about managing the risks and enabling the business to meet its financial objectives. If you don’t know
what the most important assets at your organization are, what the actual sources of revenue are and
what the position of your company on the market is, you’re not even close to the effectiveness you
could’ve achieved if you had learned all those things about the company you work for.
There absolutely is a plethora of things that are the same or very similar across most companies, but at
a certain level of professional maturity, you need to level up your understanding of the business. If
you’re going to request a heavyweight budget from your CFO, you better know what they care about and
how you can help them understand the ROI of that investment.
If something isn’t directly or indirectly helping the business make or retain money, then it doesn’t
matter.

Speaking in technical terms, we all know how important it is to thoroughly understand the
business logic of the application we’re securing, right? Remind yourself of the feeling of irritation when
you received a pentest report which was nothing more than the output of an automated vulnerability
scanner such as Nessus, and which included highly rated findings that turned out to be an
expected feature of your application. I can’t even comprehend how many times I have received a bug
bounty report from someone reporting a ‘CVSS 10.0 arbitrary file upload vulnerability’ in an
application which was a file sharing application whose primary objective and business model was to
allow users to upload files.

And that exact feeling you had at the moment of reading a dumb security report, is the feeling your
CFO gets when you ask them for something that doesn’t contribute to the bigger picture.

Many of us remember the days when we were so naive that we got all excited seeing a Nessus-like
scanner print out a high severity issue. In the same way, many of us remember the days when we were
so clueless that we ignored a low severity issue printed by a Nessus-like scanner, which then turned
out to be a huge attack surface that could’ve been used in an exploit chain to cause real damage to our
company.

What came next was a harsh realization that all those numbers are as blunt as it gets, and without
the human touch, they provide very little value to the end user.


An issue rated 10 out of 10 on an unpatched server doesn’t necessarily mean you need to drop
everything you’ve been doing so far and fix the server immediately. The server can be in the darkest
corner of your internal network, in a DMZ without inbound or outbound traffic allowed to other
hosts, without any external exposure and hosting no valuable data whatsoever.
If framed this way, it changes the perspective, right? Well, although some purists may say, and rightfully
so, that it’s still a risk and the server can be used as a lateral pivot to create collateral damage,
the answer is always: a day on planet Earth has only 24 hours, and aren’t there really any other
things that are more worthy of your time?
Now we’re talking about the real perspective.

Priorities are the thing, and you must learn how to differentiate between things that are important and
things that appear to be urgent. Why would you spend time and change priorities because of
unrealistic ratings like that? Differentiating between important and urgent is an incredibly
undervalued skill. But make no mistake, because I don’t want you to underestimate your tools or to
blur your judgment. I’ve seen scanners reporting bugs rated 1/10 which, when chained with a few
other low severity bugs, could put a company out of business. So analyze all data thoroughly and
always keep in the back of your head that context matters. Data is king, but context is a god.
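The two situations above, the 10/10 on an isolated host that can wait and the handful of 1/10 findings on a revenue-critical host that cannot, can be turned into a repeatable triage rule. The following Python is an added example written for this handbook and is not the author’s tool or any vendor’s scoring method: the asset inventory, the findings, the exposure weights and the thresholds are all constructed for illustration, and the `intended_feature` flag models the file sharing app whose “arbitrary upload” is the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Business context the scanner knows nothing about."""
    name: str
    exposure: str            # "internet", "internal" or "isolated"
    data_sensitivity: int    # 0 (public data) .. 3 (crown jewels)
    revenue_critical: bool   # does the money-making machine depend on it?


@dataclass(frozen=True)
class Finding:
    """One line of a scanner or pentest report."""
    asset: str
    title: str
    scanner_score: float     # 0.0 .. 10.0 exactly as the tool printed it
    intended_feature: bool = False   # True when the "bug" is the product's business logic


# Hypothetical weights chosen for illustration; tune them to your own environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.25}


def contextual_score(finding: Finding, asset: Asset) -> float:
    """Scale the raw scanner number by reachability and by what the asset is worth."""
    if finding.intended_feature:          # the file-sharing "arbitrary upload" case
        return 0.0
    reachability = EXPOSURE_WEIGHT[asset.exposure]
    value = 1.0 + 0.25 * asset.data_sensitivity + (0.5 if asset.revenue_critical else 0.0)
    return min(10.0, finding.scanner_score * reachability * value)


def asset_risk(findings: List[Finding], asset: Asset) -> float:
    """Worst finding plus half of the rest: several lows on one host form a chain, not noise."""
    scores = sorted((contextual_score(f, asset) for f in findings), reverse=True)
    scores = [s for s in scores if s > 0.0]
    if not scores:
        return 0.0
    return min(10.0, scores[0] + 0.5 * sum(scores[1:]))


def bucket(risk: float) -> str:
    """Map a contextual risk to an action, so the queue reflects business impact."""
    if risk >= 7.0:
        return "fix now"
    if risk >= 4.0:
        return "schedule"
    return "track"


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[str, float, str]]:
    """Rank assets, not individual report lines, by contextual risk (highest first)."""
    by_asset: Dict[str, List[Finding]] = {}
    for f in findings:
        by_asset.setdefault(f.asset, []).append(f)
    ranked = []
    for name, fs in by_asset.items():
        risk = asset_risk(fs, assets[name])
        ranked.append((name, risk, bucket(risk)))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample inventory and report (not real hosts or findings).
ASSETS = {
    "dmz-legacy-01": Asset("dmz-legacy-01", "isolated", 0, False),
    "billing-api":   Asset("billing-api", "internet", 3, True),
    "crm-web":       Asset("crm-web", "internet", 3, True),
    "fileshare-web": Asset("fileshare-web", "internet", 2, True),
}

FINDINGS = [
    Finding("dmz-legacy-01", "Unpatched OS, remote code execution", 10.0),
    Finding("billing-api",   "Unpatched OS, remote code execution", 10.0),
    Finding("crm-web",       "Open redirect", 1.5),
    Finding("crm-web",       "Session cookie without Secure flag", 1.5),
    Finding("crm-web",       "Verbose stack trace on error page", 2.0),
    Finding("fileshare-web", "Arbitrary file upload", 10.0, intended_feature=True),
    Finding("fileshare-web", "Server version disclosed in headers", 1.0),
]

if __name__ == "__main__":
    for name, risk, action in prioritize(FINDINGS, ASSETS):
        print(f"{name:15} contextual risk {risk:5.2f}  -> {action}")
```

The same scanner number gives two different answers: the isolated DMZ host lands in “track”, the internet-facing billing host in “fix now”. The three lows on the CRM host, each harmless on its own, add up to a “fix now” because they sit on the same revenue-critical asset, while the file sharing “vulnerability” scores zero once the business logic is known. The weights are the opinionated part; the point is that they are written down and applied consistently instead of being re-argued for every report.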

We all fall into the trap of thinking that it’s so obvious that it’s needless to say. However, I can’t even
count all the times I’ve allowed myself to let things slip through, because in the rush of daily work I’d
forgotten the value of the big-picture perspective. I don’t really beat myself up for it, because I realize
everyone will point it out anyway, so I’d rather focus on improving and being more careful next time.
That’s what cyber resilience is really all about: minimizing the number of mistakes we make and
incrementally decreasing the vulnerability of our organizations to malicious actors. It’s not about
being 100% right or turning a human into a machine, but about learning from mistakes and being
more careful in the future. As long as you learn, and as long as you fight your ego so as not to let it
blindfold you, you’ll be good.

Tailoring a security program to the context of your organization is not only recommended, but truly
necessary. To bring the culture to the next level, you need to be thoughtful about whether your actions
map to the environment you’re currently in. Many times I’ve seen people going crazy about things
that mattered in their past workplace but had little to no importance in the new environment. Don’t let
your past experience confuse you. Humans’ ability to memorize things exists so you can learn from
past experiences to be smarter in the future, not so you can repeat your actions from the past.

Every little thing separately has the potential to make a difference, and all of them connected will create a
clear vision of corporate security culture. Your actions compound the same way knowledge does, so
don’t get crippled by the fact that there are so many things that require changing. Tweaking one piece
at a time is good enough and has the potential to put other cogs into motion. Focus on the value
the small things can bring to you and your business, and don’t let the sheer volume of work required put
you down or make you feel like nothing makes sense at the scale you’re capable of working.

Once you truly realize that all big achievements are nothing but the result of many small steps taken,
you’ll enable yourself for a more successful and less stressful career. Try it, it’s worth it, and if you
don’t like it, you can always go back to the previous, often overwhelming way of looking at things.

Effectiveness, High Productivity and Fulfillment in the InfoSec — The Game That Never Ends

Don’t make it hard for people to get involved

You need everyone’s perspective. To build a robust security program which actually addresses the
challenges at your organization, you need the questions, concerns, insights, and criticism of people
outside the security department. But not only that, because the best way to understand ourselves and
put order to the chaos in our minds is to talk to someone who’ll listen and maybe even question our
way of looking at things.

Sometimes we’re not even aware that employees use a specific tool, so we have no way of
protecting them. You need to talk to people, you need to encourage a culture of communication, so
people know how important it is to keep you in the loop on new tools and processes. You also need
data from their systems, you need to be able to tweak configurations, which you can’t do if you don’t
even know those exist.


It’s a Sisyphean task to try to manage the safety of the whole organization on your own. Why would
you even want to do that, if you have people around you eager to lend you a helping hand, if you just
ask for it? Funnily enough, sometimes you don’t even need to ask for it; it’d be enough if you
stopped actively discouraging people from helping you.

Stay humble, no matter what

Everyone needs help now and then. If you don’t respect the problems of others and you don’t apply a
dose of humility in all interactions, how do you expect others to support you? Most of the time, you
get what you give, and that’s for a good reason.

You must first give something of yourself, and only then can you ask for something in return. Each
time you catch yourself acting cocky, think how you would feel if you were in the shoes of the other
person. Would you like to collaborate with a person who acts the way you act?

I’ve seen it countless times: people behave like complete jerks to more junior
people, but when it happens that “THE PRO” doesn’t know something, it’s all good and everyone
should drop everything and jump in to help.

The world doesn’t work that way. Be humble, be grateful and always give more than you wish to
receive in return.

Value their time over yours

Put in the work before you ask others to do so — that’s how leaders inspire people to action. They
set an example by putting in the work, not by throwing the requests around and abusing their position
of authority.

Debug the stuff yourself whenever you can. It’ll show your coworkers that you care, and you don’t
drop work on their head in a rush so that you can get away with doing less.

Before you delegate, rethink whether it should indeed be delegated, because you want to delegate as much as
possible, but not more than necessary. Also, don’t let delegation come at the cost of the company’s
growth. Which means that if something is time-pressing and you know you can deliver it
much faster, then do yourself and others a favor, and do it on your own.


You need to master the art of delegation, starting with a reflection on how often you could actually
do something yourself without bothering others.

Create a culture of appreciation

You really want to have people believe and feel that they matter. Everyone wants to feel safe and
empowered at the workplace, so don’t shy away from providing feedback to people. It’s not only
about positive feedback, you need to work out a way to talk with people about the ugly stuff as well.

Most conflicts after discussions aren’t born of the negative feedback itself, but of the way that
feedback is given. Conflicts arise because of improper and incompetent communication, so always
over-communicate and don’t let other people misunderstand you. Don’t be simple in your speech, just
be impossible to misunderstand.

Trust comes from care, and care comes from the honest relationship you should have been building with
another person since the day you met them. Actions speak louder than words, and no one is going to
expose their vulnerabilities in front of you just because you’ve told them “hey, trust me, be open
and honest”. It doesn’t work that way, so don’t even bother, because such wishful thinking will only
put people in an uncomfortable situation. Discomfort is an enemy of deep trust, and if you
demonstrate that you don’t know this, you’re not building trust in your leadership competence
and goodwill.

Don’t take good results for granted

If you appreciate speed as much as I do, you likely make the same mistake I’ve been making for a long
time, which is taking the goodwill of others for granted. When you move fast and want to make a
difference, you create a narrative for yourself and keep telling yourself stories about how the
world is and how it should be. People are different, and you should keep reminding yourself that not
all people share your passion — let alone the mission of securing the organization.

Very often, it’s not in the business of coworkers to spend extra time at work or invest their personal
time to learn and do security. We should always appreciate it when someone goes the extra mile and
does something great, especially when they were not expected to do it. This varies between corporate
cultures, but you must accept that some people are at the workplace to do their 9–5, staying in line
with the job description they had read while applying for the job, and that’s totally fine. Your
approach to work-life harmony shouldn’t dictate how you see the work-life balance chosen by other
people. Everyone has to find their own way of living happily with respect to their personal standards.

One thing we all have in common, though, is that we love to be praised and recognized for our
achievements, so whenever you get a chance to do that, do it without hesitation. It truly can work
miracles. You can use it to shape a culture in which people go the extra mile just for that bit of
appreciation from you.
So just do it. Be a good citizen and spread positivity around you, because it costs you very little
and can have a huge ROI. Being an empath always wins.

Avoid myopic decisions to save your reputation

People will understand when you make a mistake, they really will. We all make mistakes, and that's
really not something that should bother you. Your coworkers' anxiety kicks in when your ego
doesn't let you admit you've messed up. Be humble enough to acknowledge what happened, do a solid Root
Cause Analysis to learn from the failure, and move on.

Don't be so stubborn about keeping the poker face, because nothing frustrates people more than a
know-it-all who takes "fake it till you make it" to the extreme. There is no need to let your
ego play you like a puppet, because people are smart and, sooner or later, will figure you out.
Your credibility decreases with each lie you try to sell to your team, and credibility is all we've got as
leaders. When you fake it too hard, not only will others eventually see through your insecurities,
but you may also lose respect for yourself and start down the spiral of low-vibration
energy.

People love it when you stay consistent and back up the decisions you made in the past. We all make
mistakes, and it's not worth spending much time worrying about them. We will always be smarter
when looking back at the decisions we made. There is no point in kicking yourself over your
failures. Just spend a bit of time reflecting on what could have been done differently and move forward; this applies
to all aspects of your life.

However, we must realize that integrity puts you in a position of authority, because people secretly love
to look up to individuals with high integrity. If you need to change the direction of your action
plan, clearly explain your reasons, so people understand your "why". You must take extreme
ownership and show that you indeed have the knowledge and grit necessary to lead them, and that the
failure you happened to experience was a calculated risk.
In general, don't jump from one idea to another; build a solid security roadmap for the next 2–4
years and stick to it, adjusting only minor items along the way. If you do that, if you take
ownership of your guidance and create a strategy that makes people feel safe under your leadership,
you'll be fine.

Don’t let the stress and short-sightedness slow your company down

If you push people to get stuff done for the sake of getting it done, you're not setting your
organization on a path to long-term success.

Review your emails from the past few weeks, and if you notice too many messages along the lines of "Fix
this now, it's important!", stop for a while and give it a second thought. Whether everything or
anything is important is decided by the context of a given situation. Something important for you may
not be important for others, and when you send too many messages emphasizing what's
important and what's not, you're messing with people's priorities. If you rewire their personal
definitions, you not only leave their work schedule skewed but also create confusion in your
organization, because now people cannot differentiate between urgent and important. You don't
know what they're doing, you don't know the situation they're in at the moment, so forcing your
narrative on them brings no good to anyone. You're missing the Big Picture, and the Big Picture
perspective is all that matters when managing the problems in our lives.

I encourage you to try moving to an approach of "Let's come up with a solution to fix this now and
prevent us from making the same mistake in the future".


It's also not wise to simply expect urgency from people and then be surprised that the important work isn't
getting completed. Create a sense of urgency around the important items, so you don't keep coming back to
exactly the same issues over and over again.

Think about security culture as if it were a car that must stay fully functional for the next 5 years after your kid
inherits it from you. You care about your child's health and good experience, so you think long term
when using your car. You don't do anything crazy, and you avoid collisions that could weaken the car's
parts and thus endanger your child, who'll be driving it after you.

The same concepts apply to security culture, because there will be people inheriting it from you (other
security pros) and there are people who trust that they can have a safe trip with you (coworkers).

Make sure you don't discourage people by taking them on crazy initiatives. A short-term improvement
in security posture at the risk of exposing people to a negative experience really isn't worth
it. Even if you're not planning to stick with an organization for long, don't make life harder for
the InfoSec fellow who'll be hired after you. Be empathetic not only to your coworkers, but to any
person who may interact with your work in the future. You know how it feels when you need to
refactor spaghetti code or infrastructure, right? Now multiply the effort by 10, and you'll get a feeling for
how hard it is to recover an organization that had a negative or indifferent security pro.

Become a lifelong learner

I would be nothing if it wasn't for the great people who invested their time in writing books
describing their life stories. I can't even reasonably measure how much I've transformed my life and
career by learning from the experience of the greatest.

Consuming books, articles and other materials on leadership, people management and general HR is
essential for the success of security initiatives, or of any initiatives that touch people, for that matter.

If you want to spread security culture across all of the company's departments, you must possess a wide range
of qualities and skills. You need to be a great generalist who knows how to find flaws in various
systems and processes, but also how to manage small talk with your coworkers.


We tend to underrate the value of chit-chat, and we don't put enough effort into converting a random
small talk into something of actual value. It's those small things that together create what we later
call a culture. It's not about dull policies, processes and extravagant speeches made by the CEO. It's about the
work we put in every single day that contributes to the bigger picture.

Most of us have an internal urge to kick ass thanks to our technical knowledge, but when it comes to
managing security across the entire organization, social skills are at the top of the pyramid. Every
single one of us, even those who work in highly technical roles, should enhance our social
abilities, because if you really look at it, you'll see how bad we are at it and how little we care
about developing it. You really should pick up some good reads on leadership, because every single one
of us participates in something greater, and you can't delegate all social interactions to your manager.
And I truly believe it's worth the temporary pain to become a better communicator, because it's
something that will benefit your personal life even more than your career.

Go the extra mile

Extraordinary results are born when people do more than is expected of them. It doesn't mean you
should stay late and work until you're completely exhausted. It means that when you're
already working, pay attention to what you do and put some heart into it. Be nice to other people, and
think about how to deliver great work.

If you're working anyway, why not work on something meaningful, in a way that makes you proud of
yourself?

The game that never ends

A great security culture takes years of hard work to establish and a lot of work to maintain
in good shape.

Working with every single employee, which may seem like scaling the unscalable, can have great
results if done right. Simply put, you're making everyone a guardian of your organization's
safety. You won't ever be able to hire enough security engineers to keep watching what
employees do, but you can make employees themselves more alert to potential dangers. When people
are smart about security, they make fewer mistakes, which allows you to decrease the number of
required InfoSec employees.

I know it costs a lot of time, but perceiving this as an investment in your personal satisfaction really
makes a difference. You're building yourself a tribe of people who'll support you going forward, and
having people behind your back is great motivation to do even better work. You, like every one of
us, will face tough times once in a while, and legitimate motivation and positive feedback from
your mates will be essential to get through them.

By being a friendly and practical security professional you can make a lot of valuable and great
connections, because the people you worked with will remember you during their future ventures. And
everyone these days is looking to hire great InfoSec professionals, so make sure you're
constantly creating meaningful and long-lasting relationships.

Be selfish

Because if you're not happy, you'll have a hard time making others happy.
You can't save a drowning man if you can't swim yourself. You can't take care of others if you yourself
require help. I came to the point where I feel obliged to take care of myself, because I know that if I don't,
I can become a burden to others.

Put yourself first, always and everywhere, and then inspire others to action by showing how great life
can be. Life is long if you know how to use your time wisely. If you don't take care of your health,
your church, your gym, your meditation, etc., you'll cut yourself off from the great things that you
could have experienced if you had been paying attention to the things that give us an opportunity to
learn more about ourselves.

Now it’s all up to you…

I hope that the suggestions you've just read will help you make the process easier and enable you to be a
bit more effective. I wish this for you with all my heart, I really do.


We need you to lead your organization and inspire other professionals to deliver great results. The people
you work with will at some point leave for other organizations and spread the goodness and
knowledge you instilled in them. That's how you change the world for the better: you influence your
local social circle, who influence their local circles, and it spreads like a good virus. An antidote to chaos,
let's call it. We are the average of the few closest people around us. So be a good person, to increase the
chances of someone else evolving into a greater human being by having you by their side in life.

All the best, and I'll be keeping my fingers crossed for you. Hit me up anytime you feel like I could be
of help to you, because helping others has been the biggest driving force in my life.

Dawid Bałut
a man who's failed a lot so you don't need to.

Dawid Bałut bio

Dawid is an optimization freak who happens to be obsessed with InfoSec. He's putting all of his
brainpower into being one of the people who change the industry for the better, because he firmly
believes we need to be the change we want to see in the world, for our families and future
generations.

In the past, he worked with over a hundred high-profile companies such as eBay, PayPal, Amazon,
Adobe and Facebook in their vulnerability research programs.
His inner sociologist wanted to know more about the business world and find the root cause of
vulnerabilities across so many great companies, so he joined a startup from Silicon Valley to
secure them from the inside, which ended up being an over-5-year-long journey as a security
architect and executive advisor for multiple other companies.

An entrepreneur at heart, he wanted to share his experience with the world and build
security at scale, which is why he is now hustling in the role of CEO & Chief Security
Strategist at CyberForces, a cybersecurity company he co-founded to assemble a team of
professionals who sincerely love cybersecurity and want to change the world for the better.

He believes he'd be nothing if it wasn't for other great professionals generous enough to
share their knowledge, so he spends most of his spare time writing articles and recording
podcasts where he shares the most important lessons from his professional and personal
life. His work has been published by magazines such as Forbes, Quora, Peerlyst, Apple
News, 2600 Security Magazine, Australian Cyber Security Magazine, Egnyte News and
dozens of other magazines, blogs, and podcasts where he appeared as a guest contributor.

You are more than welcome to contact me on any subject, and I'll be glad to get to know you.
Some of the useful platforms with contact info:

LinkedIn: https://www.linkedin.com/in/thedawidbalut/
Twitter: https://twitter.com/thedawidbalut
Peerlyst: https://www.peerlyst.com/users/dawid-balut/info
My blog: https://dawidbalut.com/contact/
