Lessons in Mentorship

From what I heard in my college classes, the standard advice for moving into security goes something like this: get certifications, keep studying in college, network at conferences, then start applying.

It’s good advice for sure, but it’s not everything, at least in my experience.

I’m an Information Security Engineer in a position to lead. The path that took me to this role wasn’t direct. It was a five year apprenticeship to a senior engineer who made time for me when I had nothing to offer in return aside from curiosity and a drive to learn.

I want to share how everything happened, what I learned, and why I think it’s the best career advice nobody gives.

The Start

I was a systems admin intern on the IT systems team when I first met my mentor. He was just hired in as an information security engineer and I had just joined the team as an intern. As a student intern, I made it a habit to meet everyone on the floor so I sought him out, not the other way around. I asked if I could sit in on his work, ask questions about it, and fortunately for me, he said yes with no hesitation.

People hear that and assume I got lucky. I really didn’t. Sure, he was a new employee with every reason to keep his head down, prove himself and not ‘waste’ any time by letting a student tech shadow him, but he said yes anyway. The only luck was that he turned out to be someone who does that. The responsibility for going above and beyond was on me, and it didn’t cost me anything aside from stepping outside of my comfort zone.

If you are early in your career and want to learn from someone, the first piece of advice I have is simple: get out there, ask questions, and be painfully curious. Most senior engineers will not seek you out. They’re busy, especially now in the current cybersecurity landscape, but many of them will make time for someone who shows up driven, interested, and prepared to listen. Even if you get a ‘no,’ never stop until you get a ‘yes’ because I assure you, someone will take a chance on someone with a passion to learn.

The cost of asking is small. The upside is the rest of your career.

What mentorship actually looked like

It wasn’t a formal program, at all. There was no curriculum, no syllabus, and no defined endpoint. It was him doing his job and me being in the room while he did it.

I sat in on meetings, I asked questions about security best practices and how platforms we used fit into the big picture. I watched how he approached problems and asked questions about why he made the decisions he made. Over time, his reasoning began to shape my reasoning. You don’t notice the moment it happens. You notice, much later, that you have started to think like an engineer. The approach to problem-solving is almost more important than the process in which you actually solve the problem. I began to understand that there was more to the job than just technical skill.

The technical skills were the easy part (maybe not so easy but perhaps, less important). They came on their own over time and with experience. I watched what good work looked like up close and from then on, anything less felt off.

The teaching I carry with me in mentorship

As an intern and a learner, I was told to ask anything at any time. Curiosity was not a tax on anyone’s time. It was the point. If something did not make sense, I was supposed to stop and ask. If I had an idea, I needed to say it out loud so it could be corrected. This was the main way I learned.

However, when I became a full-time employee, things shifted. I had to be mindful of other people’s time, but I want it to be clear, the license to be curious didn’t expire but rather, was changed. Internally as a team, the rule stayed the same, but I understood that I needed to be more professional outside of our group on how I communicated. It was a natural step I needed to take to become a true engineer level professional.

At the time, this felt like two different rules. One for interns, one for full-time employees. Looking back, I see it was a single rule with two phases. The obligations of a learner are not the same as the obligations of a peer. As a learner, your job is to absorb as fast as you can, and the fastest path is to ask about everything. As a peer, your job is to deliver without overtaxing the people around you, because they are now relying on you the way you were once relying on them while never stopping the curiosity that led you to that point. This is the time to begin to step up and lead by example while having the humility to admit wrongs or faults in your work.

New hires either ask too little (mainly out of fear of looking foolish) or they ask too much, never noticing the moment they should have started figuring things out themselves and exhausting the goodwill of their peers.

Teaching these two “phases” explicitly, and trusting the learner to know when the transition happens, is one of the best things a good mentor can do.

What infrastructure gave me that a pure security track wouldn’t have

While I was being mentored on the security side, I was also doing infrastructure work as an intern and soon enough, as a full-time employee. I started my full-time career on the service desk, then I moved to systems administration where I ran physical and virtual infrastructure for many years before I ever worked in the information security department.

For a long time, I thought of those years as a delay. I was not yet doing what I wanted to do and I was frustrated. The security work was happening around the edges, in spare hours and cross-functional work assignments.

I was wrong about that. My time working in IT infrastructure gave me something the “only security” path cannot give you: I know what a compliance requirement costs the team that has to implement it, I know what it feels like to be working at twelve in the morning patching critical servers, and I know what a typical day looks like for the infrastructure engineers who will eventually be on the receiving end of my vulnerability findings.

When I sit down with server engineers to talk about remediation, I’m not just a security person handing them a ticket. I’m someone who used to do their job. That’s a real asset, and it’s one that people who jumped straight into security from school don’t have.

If you’re new to the field, don’t be afraid to start at the bottom. If you’re in infrastructure now and considering security, I encourage you to not think of your time working on infrastructure as a wasted opportunity. Think of that time as a time to learn. How can you expect to be able to protect IT infrastuctrure when you don’t understand it deeply? Having the background knowledge of how the environment operates makes securing it much easier.

The handoff

A year ago, my mentor moved on to another opportunity and I took over his work.

The relationship had quietly changed shape from teacher and student to two engineers comparing notes, and then, I was the one left with the notes.

When he left, the role he had built was what I stepped into and I’m still doing it. The work is harder than I thought it would be, in the specific way that taking over from someone you respect is always harder than starting from scratch. There is a standard to meet for yourself and it’s not easy. However, I knew what the job looked like when it was done right because I had a front row seat to it for years and I’m extremely thankful for that.

What I would tell someone at the start

There are few things I wish I had heard earlier:

First, the certifications, home labs, and conferences all matter. Do them! They build real experience. However, for me, what really mattered was being around people who had already figured it out or people who were on that learning journey with me. Being in close proximity to people who have the knowledge you seek or the curiousity to learn more can lead to your own personal growth.

Second, don’t be afraid to be rejected. The thing I did that mattered most was asking a senior engineer if I could learn from him. An opportunity like that can be declined. Some aren’t. All you have to do is ask and keep looking for opportunities even if you’re rejected at first.

Third, when you are learning, don’t cut corners. Don’t pass up learning opportunities or pretend to know things you don’t. Curiosity has a window, and that window is widest when you’re new. Use it as much as possible.

Fourth, when you stop being new, the rules change. Pay attention to that shift because most people miss the moment they should start figuring things out themselves and keep asking the way they did as interns.

All in all, I am very grateful for the opportunities I was given, the people who helped me along the way, and the path that I took to be the professional I am today.

Excellence is the standard.

-Dan

Have a correction, question, or war story of your own? Email [email protected].