Maximum Compromise in your Offensive Security Career

The last few years have been quite a journey. I've moved from a level 2 Offensive Security Engineer (cue GoldenEye memes) to a Principal. The differences are so vast that I couldn't have fathomed how much I would change from when I started on this path. I did not achieve this level alone; mentorship from many individuals helped me see the way and become competent at the principles required to reach the Principal level. Being a Principal in Offensive Security is pretty specific, so I'd like to capture some information here that people will find helpful. If I'm successful, someone may even find themselves a newly minted Principal using some of this information. Let's get started so you can learn what helped me achieve Maximum Compromise in my Offensive Security career.

Previous posts in this series

Before reading this post, consider reading the following:

Leadership vs. Technical

Many will reach the Senior level through technical effort alone. Leadership skills will grow as you get closer to and move into the Senior title. To move to the next level, however, you may need either to become a leader and use your skills to grow teams, or to specialize in the planning and execution of technical work. I always considered myself an average Red Teamer, and if I had to score my skills, I would give myself a 70% or 75% if I'm being generous. I resisted the idea of leadership for years as if it was the worst fate I could imagine. Ultimately, I discovered that by using my leadership skills, I could add that extra 10-15% that made me much more valuable. Others will choose technical excellence as their path, choosing to be a constant source of 100% awesomeness regarding technical challenges. The role I'm currently in gives me a 70/30 balance of technical/leadership. I'm pleased with this, but each person must choose what balance works for them when considering how to reach the Principal level.

Mentorship

As a Principal, the techniques and strategies you built over years to be successful at your job are now the roadmaps for the success of others. Mentoring can be very fulfilling, and most companies expect you to mentor others as a Principal. Keeping to yourself and not growing team members may not be an option. Most companies recommend that you hold 1:1 meetings with individuals on your team who are looking to advance in their careers. When mentoring, make sure you respect your own time and the time of the person you're helping to improve. Set clear goals and estimate how many 1:1 sessions it will take to reach each goal. You should also consider being the person that new team members and interns check in with; how often this occurs is between you and that individual. If you're successful and mentees are taking your advice, you will start to see growth and an increased ability for them to make decisions without guidance.

Planning

Regardless of which side of the fence you're on as a Principal, you may need to make sense of unplanned work. Ambiguity may exist in understanding the direction, and you must decide how to reach team goals effectively. Your ability to estimate workloads, break them into chunks, and measure outcomes will become necessary. You may also be required to describe your planning, model your process, and collaborate with other teams to reach organization-wide goals. The outcome is work distributed in a way that staff at every level can understand.

Ownership of your career path is required to grow to Senior levels and above. I also want to mention personal planning, which means having a personal plan for the direction of your career. I keep mine in planning software and update it quarterly to track my progress. Planning this way can also help you evaluate whether your current role is helping you reach those goals. You should never let your job goals override your personal goals. If your job isn't helping you achieve your objectives, it may be time to speak up or find new opportunities. Through this constant evaluation, and making hard decisions when necessary, I reached this level.

Cost

Another planning factor is cost, or "what is the cost of the thing you're proposing?" Planning for the price of a project is a massive surprise to individuals who have only ever started working on items after they have been evaluated for cost and approved. As a Principal, leadership will look to you for a clear understanding of what you're doing and how much it will cost. Additionally, you may have to defend the cost of your proposed work, explaining your strategy and the outcomes you will reach by investing in your direction.

Data Driven

Yes, a buzzword, I know. Many buzzwords are entirely nonsense; Data Driven is not one of those. The Information Security and Offensive Security industries are overloaded with qualitative data, aka opinions. When dealing with higher-level staff and executives, they may look to poke holes in your plans and strategies. If they're successful, it can damage your credibility. Companies are relying on you to drive towards the best security decisions. Without the data and repeatability to prove that you're making the best decisions, it's just an opinion. Offensive Security isn't the first group to tell someone whose focus is on running the business that they know for sure what is a priority, and we won't be the last. Data or quantitative answers can give you strong backing for your decisions and prove that you have done your research. I use data to drive decisions, and I use it for reporting after engagements are complete. I'm challenged frequently at this level, and the data I've chosen to collect has been the best response.

Storytelling

Storytelling is a topic I had considerable resistance to for many years. Why must I tell anybody anything but the cold, hard facts? I learned that a massive jungle of confusion exists between your technical work, the teams making the changes, and the executives who invest in the changes you suggest. Take every opportunity to learn how to cut through that confusion and deliver your message. One technique to help you do this is Storytelling. Putting a story behind your work is a way to evoke the feelings necessary to make executives hear what you have to say. These individuals have meetings all day, and your requests add to their list of "you must care about X." From personal experience, Storytelling has supercharged my presentations. It has also provoked thoughts and questions from executives who used to attend engagement readouts with little interaction.

Optimization

There is no way I could have reached my goals without optimizing my workflow and personal life. There is always an opportunity to improve your day-to-day workflow. You learn through experience which of the things you're participating in are serving you and your team well and which are not. The same goes for your personal life. Sometimes you have to realize that, for example, Twitter isn't helping you reach your goals and causes you to feel bad more often than not. At those points, it may be time to optimize so you can take back that time and apply it to something that produces the desired outcomes. I minimally participate in social media, configure my phone to limit notifications, and maintain a non-negotiable work/life balance. These things have made a massive difference over the years, and I always look for more opportunities to optimize.