The Best Laid Career Plans of Mice And Pentesters

If you want a copy of the slides from my workshop get them here. Please read the full post so the slides make more sense.

At the inaugural 44CON Cybersecurity I conducted a workshop on career planning. Career planning is something people tend to do at school, college or university but rarely as adults. Many people experience career planning through a disinterested and irrelevant prism, so it’s not surprising they find it dull.

When I was at school trying to work out what I wanted to do with my life, the careers advice function at school took me through a coma-inducing process, often producing unrelated gems like the suggestion that I should be a Formula 1 driver or a truck driver, just because I like the idea of driving.

Just like a financial plan, a career plan done properly can be a really useful tool. It might seem silly, but having and executing a career plan is the difference between being in control of your career and being controlled by it. But first, I want to write about how Will Smith became a career planner.

The Pentester and The Hollywood Movie Star

In the 1980s, Will Smith was one of the most famous rappers ever to come out of Philadelphia. Working under the handle “The Fresh Prince” with DJ Jazzy Jeff, Will had a string of hits and made an absolute fortune. As a teenager, he also learned how to spend it. A couple of tax inspectors, up to no good, started investigating in his neighbourhood. He got in a legal fight and his mom got scared, and that’s how he ended up in a show set in Bel-Air.

Smith’s hits had made him money, but he just ended up spending it and underpaid his taxes. The IRS assessed a $2.8 million tax debt against him, money he didn’t have. He wouldn’t have been able to make the money back from music royalties, so Smith and his manager teamed up with Quincy Jones and pitched the idea of a sitcom to NBC about a West Philly kid who moves out to LA to live with his well-to-do auntie and uncle. NBC recognised the opportunity to make money, and Will paid his taxes.

Up until that point, everything that happened was a reaction to what had happened to him previously. Will Smith had achieved great success in his career as a rapper. Because he reacted instead of planning, ultimately he ended up in hot water and only got out of it through sheer luck. When the show took off, Will took his income a little more seriously than before, and sat down with his manager in order to plan his career.

While his time with Jazzy Jeff had been promising, Smith realised that if he wanted to make sure he was never in the same situation again he needed to plan his own career. Smith decided that he wanted to be the world’s biggest movie star. He studied movies, their grosses and leading roles, mapped out the traits of roles commonly associated with the movie stars of old, and sought out a career making movies.

Towards the end of his time on The Fresh Prince of Bel-Air, Will teamed up with comedian Martin Lawrence (who’d also been working on a popular NBC sitcom, Martin) and new director Michael Bay. Like Smith, Bay had studied movies from a profitability perspective and between the three of them created the summer smash hit movie Bad Boys.

Will went on to hit major grosses in roles in Independence Day, Men in Black, Enemy of the State and Wild Wild West. Over his 22-film career, Smith has had 4 commercial flops. Only two featured him in a leading role. First was his acclaimed performance in Ali, in which Smith played against type. The second was The Legend of Bagger Vance, about which the less said the better. Smith turned down leading roles in The Matrix and Django Unchained. The former he turned down because of commitments to Wild Wild West, and the latter because he couldn’t kill the bad guy. Not being able to kill the bad guy went against the way he portrays himself, and against his plans.

I’m not suggesting that you turn yourself into Will Smith, but having, executing and updating a career plan can go a long way, even if it’s just a broad idea of what you want to do.

Building a Career Plan

In the workshop I talked about the research I did for Breaking In. Because we’re looking specifically at a pentesting career, or a career in which there will be some pentesting, we can take all the usual padding that goes along with career plans and distill it into something more focused. In this case, let’s look at four stages of building a manageable, attainable career plan:

  1. Self Exploration/Assessment
  2. Career Exploration/Assessment
  3. Developing an Action Plan
  4. Executing and Updating the Action Plan

If this sounds a little management-consultancy/self-help booky to you, then that’s because much of what I’ve read has come from professional development programmes and self-help books. I’ve stripped out the irrelevant stuff so you don’t have to bother with it.

Self Exploration/Assessment is basically a way of documenting your personality. The goal of this exercise is to determine possible careers that match your personality. In theory, this means that a successful Self Assessment should result in you being able to measurably qualify career paths against your personality. In practice, you should know yourself better than anyone else does. Writing about yourself may or may not help. Specific to penetration testing, there are several personality elements to consider, such as whether you prefer dealing with people or machines, whether you like travel or prefer to stay in one place, how self-motivated you are in terms of your professional development and, most importantly, what qualifies as success to you. You need to understand in your own terms how you measure success, which might be any combination of money, influence, respect or freedom. Unfortunately you can’t have all four, but you can find out what works for you.

Career Exploration/Assessment is the process of looking at possible jobs that map to the personality traits identified in the Self Exploration/Assessment process. As you’re reading a pentesting career blog post, I’m going to assume that you want a career related to penetration testing. Having said that, there are many types of pentesting career, and you need to understand whether you want to be an all-rounder or a specialist, both in terms of technologies and in terms of the softer parts of the job such as governance, regulation and management.

In the workshop I asked attendees to answer questions about themselves, about job qualities and talk to each other. The best way to research possible jobs is to find someone who has or at least had the role you’re interested in. Conferences are great for these, and I asked the attendees to talk to people, offer to buy them beer/coffee in exchange for them answering questions about their jobs. This may sound socially difficult for introverts, but in the worst case scenario, someone you ask doesn’t want to talk to you, so you move on to the next person. In the best case scenario you make a new friend who has the job role you want, which can be incredibly helpful, both for you and for them.

Once you know what job type(s) you want to go for, you can start to research the key things about those jobs by searching online job sites and making a note of how often key words appear. Ideally you want to start with all jobs, including ones that have been filled, going back 6 months to a year (more than a year and older terms may become less relevant to your current job search). From this you can identify what you need to develop over the next 6-12 months in order to achieve your goals. This forms the basis of the action part of your action plan. I took people through an example walkthrough in the workshop, and then we started to look at how we can structure that action plan. I cover the action plan format and layout in the workshop slides.

The actual document should be more or less a fairly simple bullet-pointed list and fit on one side of paper. Ideally you want to put this plan somewhere visible, such as on your door so you see it every day. It’s too easy to ignore calendar alerts and email reminders, so print it out and physically put it somewhere you can’t ignore. Then as you work on your action items, put a tick next to them when you achieve something towards your goal and put a line through them when you finish. Every 6 months, see where you are, update the plan document, print out a fresh copy and stick it up somewhere visible. As I said at the start of this post, it might seem silly, but having and executing a career plan can be the difference between being in control of your career and being controlled by it.


Steve is a full-time penetration tester and founder at Mandalorian and co-founded UK Information Security Conference 44CON in 2011. He is also the author of upcoming penetration testing guide Breaking In.