I've been wondering where to go with my career for some time. My background is in Windows server configuration and support, yet my passion is increasingly information security / cyber security related. Equally I enjoy development work, and really like the time I spend working on eVitabu. I could go in any number of directions, with equally any number of employers. In this post I discuss my thought process, largely to help me think things through.
While attending (ISC)² Security Congress 2021 I had the opportunity to take some careers advice sessions with Suzanne Ricci. There's quite a lot of difference between the USA and UK job markets (and employment law, boy is that different?!) but the sessions were helpful. We considered how much I'd want to travel or if remote working was preferable, plus if I wanted to chase a job title or a particular salary. These were really useful questions, and I don't completely have the answers to those. I'll discuss those questions a bit further below.
Suzanne has also authored a book, Luck is not a strategy. It's a workbook to make you think about your career and where you want to go. I'm working through that and that's helping too. Perhaps I'll blog a review at some point.
What led me here?
Currently I work in the public sector, in local government. If you live in the UK you've probably heard it said that "restructures are part of public sector life" but I challenge that. It doesn't have to be part of public sector life, but the sector is poorly funded and restructures allegedly bring savings. Depending on who you work for you'll probably also be aware that running the organisation properly, and not wasting money or having to pay staff off when mistakes happen, saves more money still.
Anyway, I digress. In my current role I'm a deputy senior information security officer. I focus largely on vulnerability management, governance and incident response, with the odd bit of hands on work. In terms of career progression, at my current employer, there's one post above me. In addition to my current role I'm also trained in penetration testing (ethical hacking) and digital forensics, and cyber security is a broad subject. I could focus on any number of areas and I've not entirely decided which avenue to go down.
In October 2021 a review of the ICT service was announced, which will impact me one way or another. I'd already been considering where my career should go next, and finding out there was another "review", which to my mind will likely result in a restructure (my fourth, at least, in five years) got me thinking my time at my current employer was up. Instead it was time to think more seriously about where I go next.
What do I already do?
I've covered some of this already, but in addition to my day job I also do the odd bit of software support or infrastructure work as part of work with other teams. There's development work on eVitabu. I've done public speaking, lecturing, and security workshop running too. Recently I also picked up a private client that I'm doing some cyber security work for. My challenge is working out what to focus on from that list, or I could go off completely in another direction - I joke about running a tea room sometimes.
I'm going to assume, for now, that I'm staying in security in roughly the same sort of role I do now. Equally I wouldn't mind doing more work with Azure or AWS for a bit, implementing systems securely, but I don't think that's for me permanently long term.
Working for someone else
Being an employee has a key advantage - you're guaranteed a monthly salary, and probably sick pay. You get paid time off and you've got a team to fall back on, socialise with, and bounce ideas off of. As someone with a mortgage, and a family, the idea is certainly appealing. Naturally it has to be a good employer (I've had plenty of bad ones), with good peers, to work well, but it is an attractive option.
All of my working life I've worked for someone else. It's the safe option. If I moved into the private sector there may be additional benefits (healthcare, better salary etc.) too which is something else to consider.
On the other hand, working for someone else can have its drawbacks. I could be constrained to working on projects or tasks that don't interest me (parsing logs with my eyes...more on that later), or stuck working for someone that I don't respect or trust. Some of this you can work around - a decent manager will look to resolve issues the employee brings up - but if the workplace culture is bad pretty much the only solution is to leave. Having suffered badly at the hands of a former manager, the idea of moving on to work for someone else comes with an element of fear.
Going it alone
An exciting option, albeit scary. I've been running my own consultancy side line, all above board, since around 2019. A lot of my work as that consultancy has been on eVitabu, so with a charity. I couldn't do that full time without seriously impacting the charity's finances (plus HMRC's IR35 rules would deem me a hidden employee) but that doesn't mean I'd have to give up that work.
Working for myself would mean I could pick what I do. I could work on eVitabu a day or two a week, then fill other days with work for other firms doing either development or, probably, cyber security or infrastructure jobs. If I found a workplace culture was toxic, or the people there untrustworthy, I'd only have to be there for a short time, complete the work, invoice them, and move on. I wouldn't be obliged to go back to a bad place.
I'd have the flexibility to work when and where I wanted, at least in some cases. I've done eVitabu development from home, a café, my eVitabu boss' house (even sat on his sofa, in front of the fire, designing features on paper to get a break from the screen) and there's no reason I couldn't do similar for other clients. Some of my work I do at the weekends, early morning, or in the evenings. Unless there's a meeting with a client they may not require 9 - 5 presence. There's tremendous benefit to working flexibly.
I said this option was scary, and the fear comes down to not necessarily knowing where the next pay-cheque is coming from. As a friend of mine said to me, "in consulting, it's not the first job that's the problem - it's the second". I need to build up a client base in order to succeed, and that takes time. At the moment I have two clients, one development, one cyber security. Is that because I'm only working as and when, or because they're the only clients out there?
I sincerely doubt there's only two clients out there that would contract me, but I still don't know that. Hopefully word of mouth and networking would help me find clients, but that's not easy to do until I "take the plunge". It'd be really bad if I had to turn potential clients down because I only work for myself on an ad-hoc basis at the moment. A conundrum.
What work benefits do I want?
Building a wish list could be dangerous, and I might never find a job that offers all of these things, but I don't think these are outrageous.
Most importantly, and the biggest things: I want to be fairly paid and work for a trustworthy employer. I'm not completely driven by money (otherwise I'd work in London and easily double my current salary), but money is needed to exist where I live. One of the things that annoys me most is knowing I'm doing some great quality work but being paid below market value. Sadly that's been the case for a lot of my career - the problem of the public sector (and of some small employers). A trustworthy employer seems to be hard to find. One employer tried to involve me in tax fraud. Another has me documenting everything to cover my behind. Why have I stayed at those places? Geographical convenience mostly, but the world is transitioning to remote work now...
Flexitime is the biggest perk of my current job. Essentially it means I can take time off in the working day for appointments, coffee meetups , longer lunches. If I take time out I just have to make it back up, which works fine. On the flip side, it means if I end up working late all of that time is counted as flexitime balance - some employers I've had would just say "tough". I can't put a value on flexitime but it's a very nice plus.
Due to the pandemic I've learned that working from home is something I can cope with. I suppose remote working is a work benefit, so I'll include this here. More about that below.
For most of my working life I've funded my own professional development. In honesty I don't mind that to a point as ultimately I gain from those activities. Ideally though it should be the employer that pays for appropriate training, and provides time off. I've been a Pluralsight subscriber for years (due to not having training provided initially) and I'm likely to continue with that, so a middle ground of being given the time off to use that would be acceptable to me.
Good colleagues is another work benefit, and one I wouldn't have if I worked for myself. Not initially anyway.
Physically where do I want to work?
If you'd have asked me this question three or four years ago I'd almost certainly have said "in an office, with my colleagues". Obviously the pandemic had other ideas, and as I reflect on in my blog post "over a year of working from home" , I'm fairly suited to home working now. My working environment is pretty good, with a CD player (an old car radio), comfortable seating for if I'm just reading an article, standing desk, decent equipment. It would be hard to replicate that set up in someone else's (an employer's) office.
Then there's the time saved by not commuting. I spent five months commuting to a job I didn't enjoy (one of my first jobs was to parse logs, with my eyes, for days - that's what we have computers for...) and I lost time. On a good day the journey took forty five minutes one way. On the worst day it took two hours one way. While driving, alone, I couldn't do anything else. It was wasted time, and I wasn't compensated for it.
So, I think my conclusion on workplace is that I want to work from home most of the time. My biggest concern was losing touch with people, and I still miss personal contact, but I have regular video calls with colleagues in my current role that offsets that. It's not perfect, but it's not bad. I don't mind going in to the office occasionally though.
Chasing the money or the title
I've chased money before, leaving an employer for one that paid a lot more and, in theory, offered better benefits. It didn't work out. As I've mentioned already, my goal is to be fairly paid.
Job titles can be very confusing. For example, I used to be the network manager for a secondary school - what does that mean I did? The answer was that I did everything ICT related, but based on the title you might think I only managed the network infrastructure. Nonetheless, there's prestige that comes with some titles, at least in my head. Senior developer or Chief Information Security Officer sound interesting and important, although it's more the interesting part that I want. I won't lie though, being important can be a draw too.
I think the answer to "do you want to chase money or a title?" comes down to the result of the other things I've discussed.
I still don't know exactly what I want to, or what's next, but I suspect I'll be working for someone else as my next move. Until my mortgage is paid off I'd be concerned to be in a situation without "guaranteed" income. That said, if I lose my job I'd likely switch to working for myself first to see if I could make it work.
Time will tell...
If you're in this position yourself, I hope this post has helped you. If you've been in a similar position before, I'd love to know what route you took. Ping me a message on Twitter (@joncojonathan) or drop me an email ([email protected]).
Banner image: Modified version of Road Crossing Turn Right by MaSc on Openclipart.
 Hot chocolate in my case, although my hot chocolate buddy's moved away. We still get to meet online for hot chocolate though🙂.
 I don't object to working for charities at below market rate, if it's for a cause / project that I care about and am interested in. See fairly paid!