Phil Venables

Simple Rules of (InfoSec) Career Success - Updated

Over the years I've noted the behaviors I’ve seen from consistently successful people. In this context I define success as a balance of getting worthwhile results for their customers, increasing their span of influence for the wider good and being highly regarded as coaches for improving the lives of their teams. Naturally, all of these behaviors are markers of success in any role, and this could be a much longer list - but, in my experience, these are the ones I’ve observed make the most difference consistently.


  1. Take Action. Get stuff done whether it’s your job or not - take ownership. Make a difference in some way every single day - while audacious goals and actions are great, much success comes from persistent small steps, sometimes adapted from others. Copy fast and improve.

  2. Focus on the Customer. Obsess over them (internal or external). View the world from their perspective and recognize their problems - but know that some problems are not ready to be solved, so need to be regularly revisited when the time or context is right - without prompting.

  3. Have a Mission. Be clear on your goals; if you aren’t, then work to create such clarity. Keep focus on the essential. Align missions among teams, yours and others. Look for cross-pollination. Measure results vs. mission.

  4. Aim to Solve Wider Problems. Look for the problem beyond the problem and try to solve for that. Even if you are ultimately not wildly successful in doing this you will have likely stepped onto a different track and moved beyond what you reasonably might have been expected to achieve.

  5. Be Who You Are*. At a personal and team level. Find a role that plays to your strengths or adjust the role to match your strengths. Be great at your core role, aim to grow/increase scope, but never neglect the core. [*be who you are - except if you behave like an a-hole.]

  6. Believe in Your Team. If you equip people and get out of their way then they will astound you. Face contention and disagreement as sources of action - don’t merely seek to improve relationships - mine the root cause of this; there are seams of gold there.

  7. Collaborate. Build internal and external relationships with peers, other teams, leadership, partners, vendors, customers and so on. Build these relationships in advance of you needing them by being useful to them, so when you do need them they are already there for you.

  8. Improve Other Things. Don’t just solve the security issue, aim to also provide some adjacent benefits like improved customer service, performance, efficiency and effectiveness. Even if you can't, the fact that you even tried raises your credibility significantly.

  9. Work on Yourself. Learn something new every day. Zen - take satisfaction in the process - doing the best you can - progress not perfection. Be curious and be ok with saying “I don’t know”, usually followed with, “But I will find out”.

  10. Honor Your Sponsors. Be loyal but not meek. Confound people’s expectations and amaze people with how commercial and helpful you are - especially in places where the status quo is far from this.

  11. It is Always Your Fault. The golden rule for InfoSec: people not “getting” security is always our fault. We could have made a better solution, persuaded better, and so on. Think this even when something really wasn’t our fault - a better outcome will come from that too.


Bottom line: I’ve seen these attributes/behaviors work for many people, including me. The list is, of course, incomplete, but when I look at all the other good things successful people do, you can often see they are a result of these core behaviors. You don't need an innate ability to do these; like most behaviors, with some effort you can just do them.


© 2020 Philip Venables.