• Phil Venables

Career Advice and Professional Development

I often get asked for advice about careers and professional development. Unfortunately I don't have the time to do this in person, except of course in my own organization. As a result I refer people to this blog for the various posts that talk about team and organization development, but I realized there isn’t one that codifies what I actually say in response to requests for such advise, so here it is.


First, let’s get something out of the way. Being sought after for such advice is usually because we are perceived to have achieved some degree of success. This always troubles me a bit because it somehow implies that any success was solely down to me. It’s no false humility to say success never is and never will be solely down to any one of us. So, the advice in this post is based on experience and what I’ve learnt that worked from trial and error, rather this being what I innately knew to do and then applied. Hopefully this will give you some short cuts. Also, I would say any success I’ve had is really down to this split:


  • 30% : ability, seeing around corners, connecting the dots, synthesizing ideas and a massive dose of planning and fortune in finding some awesome people to work with in my teams, adjacent teams, in partner organizations or the industry as whole. Another part of this is choosing who to work for in the various echelons of executive or Board leadership one inevitably reports up to.

  • 30% : flat out luck, being in the right place at the right time and having things go your way. Yes, you could say you make your own luck, and that is embedded in the other 2 categories here, this category is really just simple good fortune.

  • 40% : showing up and working hard.


Before going any further let’s explore “showing up and working hard”. By this I don’t mean some insane work ethic that you have to forgo all things in the name of success or results. Although there are times when you do episodically have to put in some unusual effort. Showing up and working hard doesn’t always mean long hours, rather, it means paying attention to what needs to be done and putting in the effort to do that irrespective of your job role, without necessarily worrying that more likely than not someone else should be doing this work.


Here’s an example of that. This was a number of years ago when faced with a specific new piece of regulation that was going to impact a security program I was running at the time. There was no experience of implementation, it was highly ambiguous and there was no significant help available to navigate through this, and our otherwise good Compliance team were also a bit stumped. Many peer organizations in the company when faced with this essentially ground to a halt, threw up their arms and complained vociferously to management. I remember thinking about this and realized that approach wasn’t going to change the situation so I went out and bought the full set of regulatory manuals and literally sat in my office for 2 days and read it all, postulated the best path forward, realized I could commission some external help on some specific parts and make enough progress. A week later our COO called me wondering why we were the only team not to be stalled and complaining - there was no magic answer, it was just that we were doing the work that needed to be done.


Showing up is also about how do you choose what extra projects, outside activities, or professional networking to focus on that could progress your career. The answer is, all of them. But do it with optionality ("soft yes and fast quit" vs. "hell yes or no"). You often never know before you join in what is going to be worth it. Sometimes some of these things are labors of love that ultimately pay-off in unexpected ways. I talk about this more here.


When contemplating the success of others and thinking how they got to do that work, be part of that group or get that accolade, it can be tempting to think this is somehow random or status driven. However, in my experience it is generally more to do with a lot of behind the scenes work that people did for many years that led to such appointments. For example, I do quite a bit of public service associated with some quite well regarded government advisory councils, boards and committees. I’m happy to do these, it’s good to contribute and you get a lot of learning and other opportunities in return. Some people think these types of things are just magically bestowed on relatively well known professionals. They can be, but a lot of the time it’s the result of a whole bunch of less well known contributions over decades. I worked on a lot of useful things for a long time in relative obscurity that led to later, more visible, appointments. In other words, you have to put the work in.


Anyway, here’s a summary of advice based on my experience (mostly stumbled into but sometimes learnt the very hard way):


  • Be persistent. Not getting approved to do something, getting push back on an idea, or lack of people or financial resources to get things done are rarely permanent. Most things I’ve done are a result of pushing multiple times before it ultimately got traction. Some problems might not be ready to solve, but it doesn’t mean that will always be the case.

  • Actually take feedback. When people give you feedback accept it and deal with it - it will make you better. Some people either get defensive or take the feedback and do nothing with it. Go out of your way to seek feedback, particularly at career punctuating moments such as when you get promoted or don’t get promoted, there’s rich feedback you can use from that process. Some of the best feedback I ever got was from promotion processes - even when you’re successfully promoted there’s often developmental feedback collected that is useful for the future. Sometimes it's even very prescriptive e.g. "on balance we think they should be promoted but we need to watch out for their ability to do X in their new role." This means you should go and get coaching on X because they just told you that you're being watched for this attribute. Yes, this is kind of obvious, but I rarely see people actually do it and many times managers don't actually communicate this in the otherwise celebratory moments of promotion. So you need to ask.

  • Place your bets on some “big moves”. Most of the stuff I’ve done and helped with over the years came down to a small number of big ideas each pushed over a few years. I talk about some of this here.

  • Dealing well with career set-backs actually defines your career. I nearly left a long-tenured prior role twice for some moments of disgruntlement, as opposed to ultimately leaving for reasons of opportunity. The first was when I missed out on a promotion one year, for what I considered unfair reasons, but I made it the following year. Then at another point much later I nearly left when I didn’t agree with the direction that some things were headed and in the management approaches being taken. In both cases I stuck around and in the first instance realized that the long term benefit was worth the short term disappointment of doing better in the next promotion cycle, and in the latter case I thought I’d be more valuable to navigate through it and make the best of the situation for my team and others. In both cases, the learning and character building experience of doing this had life not just career benefits.

  • Constantly look for and apply the 80/20 rule. Some of you have heard me talk about this incessantly – because it is so foundational. You should research and think about this relentlessly, and also – the related topic – of looking for “leverage points” in systems and processes.

  • Don’t buy into the trite advice that you should “do what you love”. If I was going to do what I naturally love doing I wouldn’t have had nearly as much fun as doing the work I’ve actually done. Instead, focus on loving what you do, by finding a way to love it. Most jobs I’ve had I’ve been able to add and remove things such that I’ve at least liked, and in many cases ended up loving the jobs. You’d be surprised how much you can do this irrespective of your seniority or perceived span of control. Some of the things I least wanted to do ended up being major opportunities for transformational approaches (in some cases industry-wide) simply because the old way was boring (and wrong) and I wanted to do it a new way that was better but was also a lot more interesting.

  • Notice the best part. Our roles give us tremendous opportunity for learning, to see what’s happening in the world, to deal with really interesting situations. Sometimes you should just stop, lift your head up and notice the good things, the interesting things, and the platform the world is giving you. It’s also worth as part of this remembering to look back at what you’ve achieved, what your team has done even when there’s more work ahead of you than behind. Also, remember to ask your 8 or 18 year old self what they think about what you're now doing. For example, tomorrow I'm getting on a plane to go to RSA 2022 and spend a week of meetings, talks and other events. I could think, ugh, airport, away from family, back to back meetings schlepping around San Francisco and so on. Or, I could think, wow, I'm at an airport, I'm going on a 777 jet, I can spend some time on the flight reading and thinking. I get to catch up with colleagues and others in the industry, I get to talk to some amazing people about some great ideas. I get to promote and help out on some diversity events and some industry development ideas. Wow, I get to do all of that. That's amazing. I prefer to think of the latter approach - notice the best part.

  • You always underestimate your impact (positive and negative) on others. I’ve been constantly shocked at how much the small things (in my mind) I’ve done for people that have had the most impact, that people remember and carry with them. Focus on how you can be helpful, pleasant, collaborative with and interested in others. These small things compound over time to be a pretty big store of “influence capital” that you will need to draw upon regularly. It’s also, perhaps more importantly, the right thing to do.

  • A-grades vs. Pass/Fail. Look out for the difference between work that needs an "A-grade" versus something that just needs a"Pass". This is not about doing sloppy work, a Pass still needs to be relatively good work. But to try and do awesome A-grade work on everything inevitably means you'll fail at some of that or perhaps just get a Pass on the thing that needed the A-grade while getting an A-grade grade on something that no-one noticed or cared that much about. It's hard to give advice on how to do this as it is so context specific for your situation but I've found the mentality of simply being primed to look for this helps you prioritize better.

  • You get way more air cover and management support than you will ever know or believe. There’s always someone somewhere behind the scenes being your champion, sometimes you might even find out who they are. But, they’re always there.

  • Be ambitious for the team - but stay humble individually. When you think you’re somehow being successful then remember you really can’t actually honestly say that you alone did any of it. As you think about every success, every one of those has some genesis beyond just you. Whether it was a team meeting, a hallway conversation, a byproduct of some other discussion, looking at some other innovation and thinking how could we do similar or better, and so on. So much so, I bet a big part of any of our “most proud of” list of achievements is probably squarely on someone else’s list as well. That's not a bad thing.

Bottom line: the ultimate definition of success and what you strive for is being unable to say you solely or uniquely did anything. That you got things done as an extended team is the ultimately mark of where you need to be.

7,075 views0 comments

Recent Posts

See All

Since I first wrote this back in 2021 (titled "CISO: Archeologist, Historian or Explorer?") it seems ever more true that complex and pernicious dependencies are at the heart of most security risks. Th

In this, fourth and final post in the series of Crucial Questions I’m going to focus on those from governments and regulators. This builds on the topics covered before: Crucial Questions from CISOs an

In this, third in a series of Crucial Questions posts I’m going to focus on the questions from CISOs and security teams. This builds on many related topics covered in the two prior posts on crucial qu