Re: Re: Re: Discovering yourself
September 22, 2018
I have recently had the opportunity to spend two weeks taking a breather, introspecting, starting a new therapy relationship, reading a fantastic book on leadership and writing my thoughts out of my head.
This is the end result of a lot of talk both in- and outside of my head - usually people are nicer than the internal critic.
Spoiler: I realized I want to take care of people, not focus on generating revenue.
If you want to follow along how I got to this revelation, read on, or skip straight to the supporting role I envision that would make the most out of my technical and interpersonal skills.
This post is divided into three sections:
You may skip to any section, but in order for this all to make sense to me, I need to first fill in some background information. So let's get back to my childhood!
What do you want to be when you grow up?
It's a classic question with so many different real and punny answers. As early as we can barely walk, society wants us to become something. A productive member of society, paying taxes and making the world slightly better.
I, like quite many of my peers, wanted to be either a policeman or a teacher when I was growing up. Authority. Respect it! I never wanted to be a musician or an animal or a superhero when asked this question.
As childhood turned into my teens, I got my first experiences with computers both at home and at friends' houses. Then and there I knew computers would be a big part of my future and I wanted in on the fun. I took up my first automated data processing classes, or ATK as it is called in Finnish back then, in 7th grade around when I was 14-15. I managed to write a program in TurboPascal that would convert Celsius into Fahrenheit and even print the ASCII sign for degrees (alt-248 °).
Also since my teen years, I have wanted to be an author of some sort. Writing a book, a collection of short stories or even poems, I didn't know nor care. I just wanted to express myself in writing. I guess this had to do with the sheer quantity of time I spent in libraries and reading books.
In my 20s I was introduced properly to programming - especially in the context of what is now known as full stack web development. My dreams about future careers started crystallizing towards that path: developer, then software architect, and then the grand esteem of Code Artisan. I had several of friends pursuing similar goals and we would try different languages, tools and frameworks just for the pure pleasure of learning new programming languages and paradigms.
Then after a decade of doing DevOps I looked up at my future and decided it wasn't for me.
I do not want to grow up to be a Grand Master Code Wizzard.
.oO( Woah! Did I just say that out loud?! )
That stopped me on my tracks quite heavily as it had been my identity and driving force at work for over a decade.
I simply did not find the joy in what I was doing. It wasn't cool innovation as much as it was software engineering. I liked the bit about hacking together a proof-of-concept, but as soon as it came to building large scale architectures it became more of a chore.
After a few years of soul searching in a non-dev role, I discovered my passion for IT security. This thing that had been lurking with me throughout my developer life. But now it had broken the fourth wall with computer malware actually causing real-world damage in the form of Stuxnet in Iran.
In my early to mid 30s I wanted to combat all the assholes out there wreaking computer-enabled havoc. I wanted to bust the crime syndicates behind APTs; I wanted to best the criminal masterminds behind advanced malware exploits; I wanted to find forensic evidence of financial crimes on computers. The childhood dream of becoming a policeman suddenly re-emerged to be united with the teen dream of "something something computers".
I haven't been able to get anyone arrested, nor crashed any crime syndicates; I have had interesting cases involving large amounts of real money which I have helped in my own way.
If you had asked me a month ago what I wanted to be, I still would have said something about making the world a more secure place through the act of aiding companies as a security professional.
But the past two weeks have been transformational, and that answer has now changed. Very recently. And it is getting clearer as I write out my thoughts in this post.
If I look back at my career, there have been shifts in focus before, and the the role of mentor and teacher has been present fairly significantly for the past 10 years.
Pivotal moments in my career
- First computers at home / friends
- 1995 - First programming class
- 1996 - First website (HTML 3.2!)
- 1999 - Co-founding a still-ongoing annual computer event with friends, Lamerfest
2000 - Sami Honkonen teaches me programming with PHP/MySQL
- Security is integral part of Sami's mentoring and I learn of: SQL injection, XSS, File traversal early on
2000 - Jari Aarniala helps me land my first IT job: junior web dev position at iobox
2003 - Jari also introduces me to the Pragmatic Programmer book.
- I decide I want to be a Generalist rather than a Specialist
- The idea of becoming an Artisan Developer of Elegant Solutions is now my main goal
2004 - Learn Ruby, get on board with Rails at 0.16.x.tar.gz (again thanks Jari)
2005 - Restart of IT career after a 4 year gap. Role includes Dev and Ops.
2007 - Entrusted with a CTO role. Leader and mentor to small team.
2009 - Learn Clojure and functional programming. Still focusing on Artisan Elegant Solutions.
- 2011 - Work primarily as tool/framework builder enabling others. Mentor for juniors.
- 2012 - Paradigm shift: No longer want to be a developer!
- 2013 - Restart BSc studies. Focus on pure security.
- 2014 - Finish BSc. Security job offer to Saudi Arabia.
- 2016 - Path to OSCP. Major learning opportunity; overwhelming good feedback.
- 2017 - Re-enter Finnish job market in the security field.
- 2018 - Paradigm shift: Realize I want to take care of people, not focus on generating revenue.
That is the big revelation I had.
So the first paradigm shift happened 12 years after I started on that journey.
The second one 6 years later.
I thought about censoring this next bit. You know. To seem less like someone in the middle of a midlife crisis and more like someone fully in control of their lives. But then I thought back to one of the most important lessons I have learned in the past 5 years: let yourself be vulnerable.
When I went through the PWK course and I decided to start vlogging through it, I knew I would not show up as a glorious hero in white, but more like a ragged hobo barely making it past the finish line. But at least it was easier to do the vlogs as I could be as brutally honest about my feelings and thoughts as possible. And to my very great surprise, this resonated very well with people. Next to the two or three negative nellies I have had overwhelmingly positive feedback from hundreds of people.
So here goes.
Worries about shifting focus
Last year I was focused 100% on delivering security consulting in the form of security auditing projects of varying lengths. I wished a shift in focus to red teaming and incident response and that wish was granted.
Am I being too unstable in my wants?
After I stopped being a developer, I was doing tool building, enabling others in their work and doing interesting investigations. Even though it was never meant to be a permanent resting place, as I was trying to rediscover the goal for my life, it still felt like a fairly short stint. After only two years of that, I dove head first into pure security consultancy. Now after four years of security consultancy I am again reinventing myself.
How often can one reinvent oneself?
I don't see or hear others - my friends, colleagues, etc. - going for constantly changing landscape of wants. I see people taking small incremental steps towards fairly stable goals. At least this is what it seems like in my eye.
Am I being a needy baby wanting the dream job?
I cannot tell valid self-criticism and overpowering inner critic apart right now, so I need external help on that topic.
Another thing I also learned during the past few years is that when you feel resistance and fear, you should double down and head there. Away from your comfort zone. Because that's where real growth can happen.
Introspection on my strengths
Lately I have done a lot of introspection on my wants, needs, strengths and potential. I don't, in general, deem myself particularly special, but I cannot argue with the facts that I do have a solid amount of years under my belt.
So first up in strengths I would say that I have a heavy-duty technical consultancy background. With the exception of my time at RELEX, the past 13 years I have spent in jobs which sell my time on an hourly or daily rate in exchange for services rendered in either software solutions or security expertise. I know that aspect of generating revenue quite well. I estimated that during my IT career I have probably generated my employers revenue in the ballpark of a few million euros. That's a pretty penny considering how small the majority of the companies have been.
Secondly I would say I am very experienced with handling customers and clients of different shapes, types and personalities. Since 2003 I have spent all of my working time in a role which had daily or weekly interaction with clients using different languages and methods of communicating. I have a good knack for talking to clients in a non-technical manner about technical issues when needed.
Thirdly I am very empathetic and good with people. One day I was talking to our talent acquisition bad-ass Johanna, one of the fellows I enjoy working with the most, and I was referring to one particular technical candidate and said "well at least they were talking sensibly and I got along well with them"; she laughed warmly and with a smile said:
"JW, you get along with everyone, I would be surprised if you didn't get along with them."
Honestly I had not truly considered the fact before. Intro- and retrospection has since shown this to be true also of my time before my current job. She was the second person to make a note about my people skills, first one was Tee, our practice lead, who had noticed that I have good touch with people and that he found it to be rare enough to warrant further focus from myself. Due to my imposter syndrome, I have subconsciously stuffed that piece of advice out of sight, out of mind. Until now.
Being very empathetic can also be a hinderance since if things are going badly, I feel the aggregate of my coworkers' angst, stress and uncertainty. It is not always to bear the brunt of so much negativity even if it is not directed at me, I feel it.
So that brings me to today.
I still don't want to go into the details of this new role before venturing on one last tangent.
One day this week, I stumbled upon a book in a second hand book store. It's a Finnish book called 'Syväjohtaminen' by Vesa Nissinen. A literal translation is 'Deep leadership' or 'Leading in depth'.
Normally I would have not picked it up, but my line manager, Lari, had implanted the idea in my head during the yearly development talks: don't discount the possibility of a managerial position in your future. I had skeptically agreed to keep an open mind. But here I was, the book clearly was calling my name. I guess my future had come calling before I was expecting it.
I bought the book and went to my favorite café to have a drink and a quick browse through the books I had bought from the second hand store. I started flipping through the first book, jotted down some bullet points in my notebook, switched to the next book to do the same.
And when I got to Nissinen's book I forgot about making notes, because I was so engrossed in it. It grabbed me. Instead of notes in my notebook, I kept making small lines in the margins of the pages to act as highlights.
I wanted to scream and whoop with excitement as well as hug the author with glee. I wish there had been someone to share the rush I felt while reading it. It highlighted some of the voids I felt in our current environment. It also painted a picture of a leader whose qualities I truly admired. Those same qualities I could see in some quantities in myself as well.
A few selected passages quoted and freely translated from the book:
Employees have an acknowledged right to expect good leadership. The more valuable the person's expertise is, the more critical they are of the leadership culture they face.
Being a good leader of people requires you to allocate time for your employees, let alone time for learning and improving your leadership skills.
In all cases, it is important for people that they are not seen as just resources or parts of the production machinery but also as fellow human beings. The value of a person to their leader must be significantly more than just the financial result of their labor.
There are several other excerpts I could put here, but in the name of brevity, fair use etc. I shall recommend you to read the book yourself.
The four pillars of this methodology are:
- Building trust
- Motivation by inspiration
- Intellectual stimulation
- Interacting with individuals, not just the group
The book goes more in depth on those pillars, how to quantify your progress in becoming a better leader, how to train other bosses and managers to become deep leaders.
I devoured the 200+ pages of the book in two sittings. I had several Eureka moments and began seriously thinking about my role, what really motivates me right now and where is my personality drawing me towards.
The new role
This is finally the description of the role I have now drawn as the perfect fit for my needs now.
Whether or not this is a feasible role in my current team or not, remains to be seen; dreams are meant to be big and things to strive for even if with small steps.
First and foremost I see myself as a guardian of my peers, shielding them from frustration, overload of information, and navigating through the murky woods of uncertainty.
Secondly I see myself as a mentor, training partner, facilitator, enabler. I don't see myself focusing on maximizing billable hours, but rather by helping my fellows be more productive by being more trusting of themselves, having the right tools to help them, and feeling more secure as I have their back.
According to the book I quoted above, there is significant empirical evidence that this 'deep leadership' - which is based on a previous idea of transformative leadership - will actually increase productivity in teams whose leaders employ the tactics described in the book. So that should be a fairly good argument also for the business benefits of this role.
I would hope that this role would allow me to also impact the overall quality of work we are producing as a team, as more people get more sure of themselves and have the courage to commit to trying even wilder ideas outside their comfort zone.
My personal focus would be on the mass of younger but very potent talent we have in our team. I have already claimed the onboarding process as my own, because I wanted to make sure all of our hard-to-come-by talent felt appreciated and welcomed from day 1. So far I have received good feedback on the ever evolving sessions I have had.
In my view, we - not just our team or our company, but the industry as a whole - are missing a crucial role.
We have recruiters, we have talent acquisition specialists and so forth.
My vision for that missing piece is:
Talent Retention Champion
Talent retention champion is there to make sure talent stays in. It is yin to the talent acquisition's yang.
(At first I thought about calling it 'Talent Retention Specialist' but I like how Champion feels even more of a person who you can trust to have your back.)
This is usually a role that is not any one individual but the responsibility is spread over different people: manager, most senior co-workers, and HR.
But what happens in a distributed role, when one part is overworked and thus lagging in keeping sure employees are not unhappy? The natural recourse is to trust and assume the other participants of the distribution are taking up your slack.
I've seen in several companies what happens when multiple parties of this distribution are so busy that talented people slip through the cracks as their well-being is not sufficiently being taken care of on different levels of the Maslow's hierarchy of needs.
In addition to losing people to attrition of spirit, the entire IT field is in constant need of skilled people and almost everyone I know is bombarded with headhunters' siren calls to greener pastures. I want to combat this by making sure people feel wanted and welcome even after day 1.
So my want is simply put:
I want to take care of my people.
I want to help my fellows develop on all levels:
- feeling secure,
- feeling cared for and belonging together,
- building their self-esteem and esteem in the group with coaching,
- and finally helping them actualize their potential and goals.
What I envision this role to actually include in the day to day grind:
Priority one task is being a mental leader, not necessarily with executive power, but at least being in the trenches with my fellows and being able to be their voice upwards, sideways or widdershins.
As my team's champion I would be mentoring and coaching whoever needs or wants it, regardless of what project or client they are working for. Giving feedback on their ideas, results and findings. This includes being a sparring partner for when they are stuck in a project, or are trying to find ways to express the business impact of their work.
As I recognize that, at first, I would not have my hands full of coaching for a full week's worth of hours, there are also some auxiliary tasks that would aid the main tasks.
Tooling, documentation and sharing tips
Almost every project I have worked with in the past four years has required some custom tooling. From simple one-liner scripts to more complex automation, there is always need for development work. These quite often end up being an individual consultant's special tricks and only by working with that individual will you be able to accidentally learn of those tricks.
So as champion I would be closely working with fellows in different projects during the week. As I see and learn the different tips and tricks people use, I can catalog and document them in a way that serves the good of the team and of the company. Seeing people re-re-repeat things over and over, I will have an excellent front row seat into what should be the focus of any joint tool development as the individual team members are simply going from one project to another, like bees in a sunflower field.
Quality assurance and trends across all projects
In addition to the accidental discovery of trends in tools, problems etc. I think that going over all of the reports we generate and trying to find trends hidden within: trends in findings, how are those reported, what things are missing, what could be improved with shared templating.
As time goes on, the level of information available for digestion is rapidly moving further and further away from human limits. A consultancy firm's main objective in crude terms is to keep its consultants as busy as possible, thus generating maximal revenue and profits. There are obviously variations between firms on what definition of "as possible" is used in regards to the well-being of consultants and the sustainability of those limits. This combination usually means that consultants I've worked with prioritize billable work over time spent reading, listening or viewing informational content from internal or external sources.
As champion I would have time and the technical expertise to summarize the most important bits of information to help my fellows in keeping up-to-date with the news from in- and outside our team/company/industry. This alone would potentially save a full week's hours if I am able to summarize an hour-long presentation into a brief email memo to my fellows.
These summaries, decisions, tips and tricks could then be archived in a manner that is easily referenced in the future, when doing 1-to-1 coaching for example. This archive could also have some links to reports that contain certain themes that are common throughout our projects.
Authoring articles for internal or external publishing
Last but not least, I would also personally like to incorporate the role of author in this list. As a lot of the archiving and summarizing already includes dense writing, it would be natural to also use my natural propensity for writing to also help in PR efforts. While ingesting external feeds of industry relevant topics for my fellow consultants, it would probably easily also translate to a weekly or monthly newsletter that could give a few more eyes on our company.
As I mentioned I don't see having executive decision making power as being a requirement for this role, but I would see this fit in as a role with heavy ties with line managers and with HR. Those should be strong enough partners to sort through or at least escalate nearly all problems.
Does your organization have a talent retention champion role?
Does their role differ from what I described above?
JW, Helsinki 2018-09-22