
Hi everyone, this is Level Up Your Career, it's a panel on staff-plus engineering. Uh, for those that somehow ended up in this room and don't know, staff engineering is a role that happens beyond this sort of terminal senior engineer role that happens in tech companies. And specifically, an interesting thing about the staff engineer title, the staff-plus engineer role, is that it's often seen as a completely different set of responsibilities and skills, and not just, uh, sort of a logical continuation of senior. And as a result folks find it hard to break into staff, they find it hard to switch roles once they're at the staff level, managers find it hard to work with staff-plus engineers or hire
them. And so we all had the opportunity to work together, and with Clint Gibler of tl;dr sec, to collect about a dozen stories of staff-plus engineers and advice on the role in the security industry, and thankfully, uh, these folks were kind enough to panel today. Um, I'm Rami, I'm an infrastructure and cloud security engineer at Figma and infrequent contributor to tl;dr sec. With me today we have Lee, who is a principal security engineer at Microsoft and mostly has worked at companies that start with A, you can check out LinkedIn for more information. She's also organizing a bunch of security conferences, including BSides Seattle and the Diana Initiative, which are coming up soon if you like security
conferences. Uh, we also have Hasnain, who is currently a software engineer at Databricks, and we're excited to talk to him about the sort of role of software engineering in security, um, and previously he was doing a lot of work in fuzzing and dynamic analysis at Meta. And finally, Kurt is our final panelist, and Kurt is a security researcher at the staff level at Semgrep, uh, who make a static analysis tool, and his fun fact is that he likes carnivorous plants, um, so, you know, find him in the hallway afterwards and ask him about that.

Uh, without further ado, um, I want to do a little bit of audience participation. I can't see you, so this is
mostly you participating with yourselves, enjoy. Uh, just gonna do a quick show of hands on a few things to sort of get a poll of the room and help you all look around and see who you're here with. So first off, can I get a show of hands, and I'm going to include the panelists here: who here has spoken at a conference before? Wow, that's a lot of hands. One of the best parts about BSides, right, is we have a lot of participants. Um, similarly, who's published a blog post of any kind? Uh, who's released or maintained an open source project? Awesome, fewer hands there, takes a lot of work. Uh, who here's been a manager?
Fair amount of managers in the room, great to see. And then, uh, who has a degree, a college degree of any sort? Who has a CS degree specifically, or maybe security? Right. And who has graduate degrees? So this is really great for me especially, because part of this panel is all about having really different profiles and experiences of security. You know, Lee is a principal security engineer, Hasnain is software engineering and security, and Kurt does research, so we're really excited to show all the ways you can get into security, all the things you can do inside and outside work to be successful and grow your career, and really just, uh, talk a lot about this
role and hopefully get some questions from you and follow up after. Um, you know, we're all very happy to take questions outside this talk as well, if you're stuck in your career, looking to get unblocked, looking to figure out how to succeed as a staff engineer, or really just sort of bond with other folks going through those challenges.

I guess for the first question I just want to, like, say, I, in the preamble I said staff engineer is a different role than just, you know, a step beyond senior, with different responsibilities, and I'd love to just, like, starting with Kurt, could I get just a little bit from each of you on what you think about the staff
engineer role and, like, what makes it different?

Uh, sure, I can start. Can folks hear me okay? Yes? Cool, awesome. Uh, so kind of what I see about staff engineers being sort of a specialist problem solver is kind of where I have kind of made my bed, and it's like, I, I focus on the things that only I can do, either via combinations of experience or localized equities or things of that nature, and then aggressively delegating down things that don't require my attention to people who can also do it and may benefit themselves from doing that task. And that is a skill that takes a while to kind of generate and perfect, and that last
bit's mentorship, which I'm sure we'll be touching on a lot here.

Hasnain?

Sure. Uh, can everyone hear me fine? Cool. Um, so I think for me staff engineering is really about ownership at the end of the day. Um, I'm here to solve business problems and move the company forward, and part of the role of staff engineering is, like, you're not allowed to take any excuses. You're signed up to help the org do something, you have to get it done, um, whether that's getting your hands dirty, leading a team, doing a lot of collaboration, project management, it doesn't matter. That's the ownership that we need to take to help move things forward.

Okay, I have a slightly different take.
Um, so I think of it as this weird role that's sort of a combination of engineering and technical program management. I think you have to be able to, like, lead really large complex problems and solve them, and possibly on your own, and possibly, like, show, to Hasnain's point, like, business impact before you can get more folks involved. So I think it's kind of an interesting sweet spot, but if you have both of those skill sets.

Awesome, thank you all. And so we've, right, mentioned that this is a role, but it's also, importantly, to a lot of people, a title. And one thing I like to think about, because I'm sure we have people in
this room who might be doing this kind of work without the title that goes along with it, and, you know, maybe there are folks who have the title and don't yet feel like they're doing the work, and I'm curious, like, um, maybe Hasnain, to start with you, do you think the title matters? Like, do you think there's impact to getting that staff engineer title, or is it more about the work you do, or some mix?

Um, I think for me it's mostly about the work I do, but it varies a lot based on company. Um, at my previous employer, Meta, titles are private, so it was definitely easier because you could show it and get, like,
recognition based on the work that you've done. But from what I've heard from peers, like, you know, if you work at a company where titles are important, then, like, people do want to see you have that title before they sort of let you push forward in that role. So I think it is context dependent.

Yeah, and anyone else have a thought there?

I have a potentially lukewarm to spicy take on this. Okay, titles absolutely matter, and the people who tell you titles don't matter have nice titles and nice positioning within the industry. This is, like, almost universally true, uh, especially for underrepresented folks in the industry. If you are anything beyond what is considered, like, the industry
like default human, you absolutely need that title to be taken seriously in a lot of rooms. So absolutely, title is important.

Awesome.

Yeah, I guess I would say that the title lets you in the room. It's not like you're doing any different, but you don't have to fight for that place, um, so that's why I think it matters. So, but I agree with you, it's, it totally matters.

Yeah, and, and being in the room is something I feel like we all talk about a lot, and, uh, with that comes meeting burden, so, um, maybe we'll touch on that in a bit. Uh, okay, so you talked about mentorship, Kurt, but as the reverse, like, I know you've
talked and thought a lot about how sponsorship and mentorship helped you in your journey to staff. Like, could you share a little bit about how managers might be able to help someone, or peers or mentors, get to this level?

Sure. So I made it to a staff title in what is arguably, like, record time. I feel like for the average is, you know, what, seven to ten years usually. I think I did it in seven flat, might have been six. Uh, and this is largely because I made all of my, uh, career choices based on, uh, mentorship opportunities. My very first career job, uh, was, uh, a large e-signature company, pre-IPO. I was offered two positions: one was a
general engineering role, and the other one was with the hiring manager who did my phone screen, and I was like, I don't care about the job, I want to work for this person. And that got me connected with my next mentor, who is still a mentor to me today, and that got my, my next job after that, where I built an appsec program from scratch, and that connected me with Clint, who got me my current researcher job. So I basically, like, mentorship has built my career in its entirety, so picking, like, good mentors is super, super important. And unfortunately I don't really have any concrete advice for you on how to find those people, it's kind of a you know it
when you see it type deal. And come to BSides, go to hallway con, talk to people. I think that's all, that's all I can give you there.

Yeah. Anyone else have experiences of mentorship that maybe unlocked something for you in your career, or no? Solo successes? Yeah, no, and it's interesting, because, like, that's what this is all about, which is, I think mentorship can unlock career opportunities, and also you can make opportunities for yourself and, and be successful. Um, can you, maybe starting with Lee, talk about how you see your roles as a staff engineer now the other direction, giving mentorship and giving sponsorship, and what that might look like?

Yeah, so, I mean, I totally agree that mentorship and
sponsorship can open doors, and any chance you get to, to help someone, you should. Um, I do a lot of mentoring, I probably do too much, um, honestly. Like, I will always sign up if someone reaches out, even people I don't know, I'm happy to, like, do those conversations. I just think it's so critical to people's success, and I wish I had had mentors and sponsors and I didn't, so for me it's really important to give back, to open the door for someone else.

Um, so I, I got a bit of both of these points. I think for me mentorship was critical in getting where I am, um, but at the same time, so I try to give
back like we suggested. I think one of the key areas I found is, like, you want to find people that are hungry for mentorship and will, like, respect your time but also put in the work. Um, there's, um, a lot you can do then. You can see those people honestly outstripping you and doing way better than you could ever do in your own time, and that feeling is just something, like, you can't beat. And, like, there's a lot of, like, really amazing people out there in the field and getting into the field, and we have a lot to do, um, as a senior folk in the industry, to help them grow.

Kurt, anything on the other direction?
Uh, just to add to the previous two responses, if you have someone like that that you are mentoring, and they are hungry and they are putting in the work, you absolutely do owe it to them to, like, go to the mat for them. And, uh, I have a current mentee, who may or may not be in the audience here, who I have done this for this week, around, like, you know, or stuff and promotions and through that. And you have to, like, I am, due to my experience, I have the political pull and, you know, title and all that stuff to be able to get into those rooms to have those conversations. I owe it to this person to do that.
Yeah. Um, and so some of the things we're talking about here are mostly non-technical, actually, which I would make a note of. Um, and so some of the questions come up, which is, like, is this a non-technical role, how much is sponsorship and mentorship, and then what makes it different than being a manager? And actually, like, Hasnain, you've managed folks and you've come back the other way. Um, can you talk about, maybe, you know, the differences you found in those roles, or what you find compelling about right now working maybe outside of management with some of these responsibilities?

Sure. Um, so I, I will caveat by saying I was a TLM, or technical manager, which is a bit
of mix of both, when I was a manager.

Do you mind just explaining that to folks who haven't worked at a company with that role?

Sure. So I would say my responsibilities were as a tech lead of the team, driving projects and stuff, but also having reports and doing the people management aspect, so bounded to a small team. Um, I would say the main differences for me, like, as a manager my focus was much more on the people, on supporting their career growth, on helping them find the right projects and excelling as a team, but as a staff engineer it's a little bit more on the technical side. So sort of, I still work very closely with my
manager to ensure the people on the team are getting the right feedback, that they're growing appropriately, but providing more technical input into the direction of the team. Like, I'd say the main difference is, like, as a manager, if I'm doing the technical decisions, I'm doing it wrong, but as an engineer, if I'm not doing any of the technical decisions, I'm doing it wrong.

Awesome. Kurt, Lee, have you considered management? Like, what, what keeps you working as an individual contributor?

So I've done management, um, and I do agree that a lot of the time is spent, you know, coaching others. Uh, the interesting thing to me is, as a principal security engineer, I spend a lot of time coaching others, so I, I
think the main difference is I don't have to write the performance review, which is thrilling to me personally. Um, but I think it's, honestly, I do just as much coaching and, uh, helping people figure out their career paths as I did as a manager. Um, why didn't I want to be a manager? I don't like doing perform, like, really it comes down to that for me, I just don't like it. I'd rather just drive strategy and direction as an IC.

I will plus one much of what Lee just said. I tried managing, I was a terrible manager. Uh, so, like, some people are good at the paperwork part, and, like, you know, you have to be a person with, like, super high
conscientiousness and, like, attention to detail and stuff like that, and my brain doesn't work, like, the reason I'm a researcher is because I go chase butterflies down through, like, RFCs and specifications and stuff like that. Like, that's why I have the job I have. That makes me a really bad manager, because it makes me super inconsistent. Um, I am happy to offer, like, career direction and some of that, like, you know, squishy political advice to mentees, but, like, can I help you do the, like, how to climb the ladder at your current work? No, not really. Like, I can give you broad strokes, but, like, I'm just bad at it, so.

Okay, so maybe next
question, not for Kurt, uh, Hasnain, Lee, like, one of the big things that happens is folks find themselves stuck at senior. I think I was just having a conversation last night with someone, a manager, um, who was talking about how their report couldn't get that staff level promotion, right, was doing the work and wasn't getting the promotion. And I'm curious, like, as folks already in that role, what would your advice be, or maybe how do you help folks navigate that sort of, um, blockage in their career progression?

Yeah, so, um, oddly, I was right there not that long ago, like, just stuck at senior, being like, so I've been doing principal work, can I, can I have my promo, thanks.
Um, so, like, my suggestion is, if you are stuck, own your own destiny, right? Like, there are other people hiring. If you're doing the work and you have the body of work and you can speak to it, somebody else is going to give you that role. So that's, that was my approach, it worked out perfectly for me.

Um, I think relatedly, to add to that, um, if you, uh, like, for me, I was also stuck for a while, and it was, okay, am I doing staff level work? Um, is there something missing, where I think I'm doing staff level work but my management chain or other folks don't? Um, that was one thing, like, just go and
ask for feedback, like, say, okay, hey, what am I missing? Um, once those expectations are clear, um, try to, like, work towards them, but then also keep getting feedback and holding yourself accountable. Like, it is not enough to just, you know, do the work and ship a project, but it's more about the intangibles: how do you get everyone together, how do you set a longer term vision than just doing the work you're assigned? Because at the end of the day, as a staff engineer, you're supposed to drive bigger things forward than just being given work to do.

Yeah, and so, um, let's say there are folks out there who are stuck at senior level. Um, you know, they're trying to take
ownership of their destiny, they're doing the work. Uh, do you think that there's a time at which you will be more successful getting that promotion by leaving your job, or do you think that you're more successful sticking with a job for that promotion? Because I know I talk to all sorts of senior engineers who are really torn between investing in the company they've worked at and built this reputation, and understanding that maybe there isn't a path or a role for them there.

I think it depends on how patient you are. I'll admit I'm really impatient, like, I'm wildly impatient, like, it's a huge weakness for me. Um, and I wasn't willing to wait, like, I
just, I finally said, this is, I'm not going to stick around. Like, I made that very clear to my management: it's what I wanted, it's what I expected, and when it didn't come to fruition I was like, I'm out. And that is a very honest conversation, so that's the other thing, I would be very honest with somebody about what you want and how you want to grow. You've got to let that person know, because otherwise they may not even realize it's what you're looking for.
Okay, um, so something that's come up already a little bit, and I always am interested in talking about, is, we talk about this staff engineering role often in terms of scope, I think especially among staff engineers, right? Uh, if you're a senior engineer, maybe you're responsible for work you do, what team does. As a staff engineer it's normally an area of the business, right? We're all at very different sized companies, and a team, an area of the business, a product, a department is vastly different. And I don't know if, uh, maybe starting with Lee, who I think works at our largest employer represented, like, do you think there's a difference in the role at big
companies? Is it a difference in sort of, really, seniority? Like, as a staff engineer at a tiny startup, doing the same job in the same way, what's the comparative?

Well, I mean, I think it's, like, the same comparison you have to a small company versus a large company, right? Like, they're, they're different beasts and there's different problems. Part of the reason that I work at very large companies is I love the complexity of the problems, like, they're really hard. Um, I love, like, getting to scale, like, every time you're asking, how do I scale, how do I scale, how do I scale? And it's just, for me, a very different, um, like, atmosphere and an environment. I, but
fundamentally I think it's just a, you know, they're just different companies. I don't think one is better than the other. I don't think the role, like, I think each staff engineer role is actually kind of unique and is at a certain place at the company that they, they need that person, right? And so it's really, I think it's really hard to compare, personally. I don't know if you guys have, I mean, you've worked at both large and small companies, so.

Yeah, I'm happy to take a second pass. I just switched from a very large company to a reasonably large company, like, mid-size, yeah. Um, so I think there's parts of the role that stay the same, and, like, you know, as
a staff engineer you're on the hook for business impact. Um, and I think the, it's just the ways that you need to get those done are different. Like, at my previous role it was, you know, um, leading a team of engineers to build software, set the vision, and then work closely with our partners, both within our org and across different orgs, to, like, meet their needs. Um, and my current role, our team is much smaller, um, and we have a lot more things to do, so it's a lot more about building relationships with teams where we need to get them to do things on our behalf, understanding their roadmaps, understanding where we can contribute, and then building a lot more stuff on my
own. Um, but at the end of the day, the north star of, like, you know, here's what the company needs and I'm helping drive that forward, is what's important.

Yeah, and, I mean, Kurt, you're in research, like, you're almost a solver archetype, which is an archetype that sort of goes deep on a single problem. Uh, does this resonate for you, or is this just divorced from your experience?

My experience is complicated. So my first couple jobs were mid-sized company, like, pre-IPO mid-size company, post-IPO mid-size company, and then, uh, when I was hired at Semgrep it was still under 50 people, and I had known most of the team since it was, like, 15
people. So I went from, you know, mid-sized, mid-sized, to itty bitty teeny tiny company. So the research part is, like, we're in a space that has a bunch of, like, big industry-sized problems that don't have great solutions. Like, I, I work on the supply chain part of our product, and, like, based on the plethora of other companies in the space trying to talk about, no one has, like, a silver bullet yet. Like, there's a reason there's 50 companies, because there's, like, 50 different strategies and no one is a clear winner yet, really. So it's kind of different. Um, and the other thing is, based on, um, even the two mid-sized companies I was at had wildly different problems
that needed to be solved, and wildly different scaling problems, just based on, like, who their customers were, what their infrastructure was like, how old their code bases were relatively, like, their, like, speed of shipping, and there's just so many variables that, like, staff engineer positions really are, like, super, super unique. So I guess, like, a lot of this, like, resonates, like, a little bit, but again, I'm off in the weeds looking for, like, solutions to problems we don't, like, have solutions for, so I don't know. I will stop there.

Yeah, so Kurt, you mentioned doing the supply chain product is sort of a big research problem, and Lee, you mentioned that there are, like,
this concept of big problems. Can I get, like, Hasnain, Lee, an example of what a big problem is in your sort of staff engineering role, whether currently, historically, in, uh, whatever way you can share it in this context?

Sorry, I can take a stab. So in my previous role, um, I was basically working on fuzzing, um, but the problem that we were trying to solve was that we had, like, memory corruption bugs in native code, and that's sort of what we took ownership of. There was people attacking that from different angles, but we said, hey, we do dynamic analysis, so fuzzing is a natural fit for this. Um, but at the end of the day our focus
was just on, are we solving the end goal of, like, reducing the, like, attack surface in native by finding these bugs and preventing them up front?

Yeah, and so was that mostly technical solutions, was that mostly about getting other teams to use your platform, like, what's the shape of that?

Um, I would say, um, technical innovation, so that we could actually find it on, like, find those types of bugs in our code bases, and then finding the people that could most benefit from our steps. It was on us to, like, see, okay, which teams would most benefit from this, which code bases were most at risk, and so on.

Yeah, so, um, I work on breach preparedness, which
sounds simple until you realize that you're working with service teams who... Doesn't sound simple? I don't know if anyone else just panicked, but, um, in my head it sounded simple when I took the job, maybe that, maybe I should reframe that. Um, so a lot of mine is looking at tooling that will help, understanding, like, problems we have in our current tools that create issues, and then process. So it's, it's a, it's a weird space to be in, I'll be honest, and I think a lot of people are used to, you know, blue teams practicing response, and I'm really much more interested in, how does a service team practice response? So that's how I spend my time.
And I think we're maybe have the Slido stuff, maybe? Yeah? Yeah, cool, awesome. Um, we have more questions prepared, but, like, feel free to get some questions in the Slido, or if you can't figure that out and I can see you, in your, in the first four rows, you can, like, throw up a hand and yell at me. Um, that being said, I think the first question that came in, uh, maybe, I don't know what order these are in, is trying to push us on a point that we sort of, uh, skipped right over, which is, really, no, how do you find mentors? Um, you know, you're driven, you're interested in growing your career. I
guess the way I would sort of add color to this is, do you think that you should be looking for mentors inside your company or outside? Do you think you should be looking for mentors with your specific role? Like, is there a profile you should look for? Do you DM them on Twitter, do you walk up to them at the conference, do you send them a cold email? Like, what advice can we actually give people to help them get access to this resource that exists in the community?

I have a very long story time answer for this, if no one else wants.

Do you have a short story time answer for this?

I can attempt to abridge this, abridge this
story time is all right, I'll put you on the clock.

All right, tl;dr, I have done all of these things, uh, and with reasonable success. Like, uh, I met, uh, Alejandro Munoz and, why can't I remember his name, we don't do mentorship for the fame, people, yeah, any, um, the ysoserial developer whose name I'm forgetting. Anyway, I met him and, uh, Munoz and Alexander Marosh at DEF CON 27, just, like, and, like, talked deserialization with for 45 minutes because I ran into them at DEF CON. Uh, I have messaged people on Twitter, I have, um, but the best advice I actually got from my dad, which, when I started my, like, big kid corporate job, because he was
like, go identify the people who are not in leadership positions now but will be in leadership positions in two to three years, because those people are still accessible and they will have much more power and influence when you need them to. So what I did is, when I started, uh, I met the director of appsec and I just had coffee with him literally every Monday, and we would just talk security. I was not in security at the time, but, like, you know, we talk about auth bypass Monday, and because, anyway, uh, different stories. Uh, but that, like, that is where I got one of my, like, super rock solid mentorships I still have to this day, and that was, like, an
in-company thing. So if you're in a large enough organization to find these sorts of people, absolutely do go find the people who are, like, one to two rungs ahead of you on the, like, career ladder, because you can still have informal conversations with them, and those, and they will end up big decision makers, yeah, like, and when you're in mid-career, when you really need this kind of mentorship.

So Kurt, you mentioned, like, 45 minutes of talking, getting coffee regularly. If you're inside the company, also, we're all in roles where I think people put one-on-ones on our calendar. Um, if you are not putting one-on-ones on people's calendar you want to have a bigger relationship with, uh, you should
just do that. Other people will. Um, you're falling behind if you're not putting yourself out there. But I think what often gets people tripped up is they have that first meeting and they don't know how to turn that into a relationship, and I'm wondering if Hasnain or Lee, you know, like, what is the next step, right? You've met someone you think is really interesting or really helpful or insightful, what do you do about it?

Um, I'll make a first pass at this one. Um, I found it useful, like, say, okay, I am meeting this person because I want to learn X or grow my connections in private why, and I just talk about it. Um, I just, like, open up and say, hey, I'm
looking for advice in this area, I want to grow, I am being respectful of your time, so what are things I can do for you that'll help me learn more about this field or that can help me grow? And I found that to be a good in, especially when I was, like, really junior. Like, people would love to delegate and get brownie points for that and get their stuff done, right? Um, so it's a win-win situation. And then over time you can just, like, you know, be like, hey, I wanted your advice on X, as a quick question. It doesn't always have to be a one-on-one or a long meeting, it can just be an email after a certain amount
of time, and then that builds that relationship for when you really need it.

Anything, Lee? Or, like, I guess, you know, I think about the relationships I have with folks who are mentoring, and one of the things that we tend to do, at least in the first meeting, is we don't actually talk about anything besides just, like, what's going on, what are your interests, what do you do, like, very much break the ice, because that gives you the in to then have the follow-up conversation.

Um, I have, the only thing I would say about the inside or outside the company, I just wanted to kind of touch on that. If you're at a large company, I would say
it's absolutely essential to have somebody who can go to bat for you, so it's the person who was terrible at it for a long time, but I do think it's actually wise. Um, I also think it's really helpful to have somebody outside the company to give you a perspective, because it's too easy to have blinders on and just get very sucked into your corporate culture, uh, which is, you know, beneficial for growing, but you do need that other perspective to grow even further. So I just wanted to do a plug for that.

Yeah, someone actually asked a related question, which is, um, I think we're talking about mentorship right now, but we've also mentioned sponsorship, and inside your company, like,
is sponsorship something you should seek, is sponsorship something you should expect from your manager, like, what's the role of sponsorship in your growth in your career?

Um, it's something you should expect from a manager, but realistically you're not likely to get it and you should not, like, wait for it to come around. So it is something you actively need to seek and say, okay, hey, I need someone to back me up in this area, or someone to, like, give me kudos in the room where it matters, where stuff I'm shipping, um, and you want to set clear expectations for that.

Awesome.

Can I add something to that real quick?

Yeah, of course.

This is absolutely
one of those you-know-it-when-you-see-it indicators. Like, someone who is willing to sponsor you and go to bat for you is an indicator of an excellent manager and mentor.

Awesome. And I think we, um, like, you mentioned asking good questions, sort of following up, um, and allowing your manager to, like, or your mentor to delegate down. Um, but we had a related question, right, a lot about mentorship here. Uh, like, you all have a lot of people probably seeking your mentorship, or at least, like, Lee, I know you and I have talked about sort of a lot of mentees, and what, what is a, like, good mentee's engagement look like, what's a good mentee's sort of
contribution that relationship look like?

Um, that's an interesting question. I think just come with, like, an openness to learn and an engagement from, like, what you want from that person. This is probably why I'm actually bad the opposite direction, is I, I actually didn't know what I wanted from the people that were helping me, um, like to do everything on my own. I seriously don't recommend that. But, like, just tell them what you're, like, be really direct, like, I would like help, you know, growing my technical skills, I would like help growing my, you know, leadership skills. Like, the folks at our level can help you with both, but we don't really know what you need unless you tell us,
like, we cannot read your mind.

And, um, something I think Hasnain mentioned, I always think about, is, like, situations and cases. Have you guys found that, um, mentorship gets easier if someone's bringing you, like, a specific problem or situation or skill? I know I found that, like, a lot of times you get these inbound emails that are like, hey, please teach me security, and just, like, yes, read tl;dr sec and, like, come back to me with a specific topic or question and I'm happy to help. But I'm wondering, like, have you seen that sort of realm of interaction?

My current mentee brings a bolded list to all of our one-on-ones, and that is incredibly helpful
because I'm yeah like I am here as a resource but like I need you to guide me with what you need from me because I can Rabbit Hole down like let's talk about the URL specification for an hour so you need to ask me for what you what you need I would also say like you have to be comfortable with the like I tend to do this to people like you can say I want to learn X and then I'm going to pick up that a bit like why do you want to learn X tell me like I'm gonna ask you just as many questions as you're gonna ask me I'm probably actually gonna ask you more
um so that's what I mean by come prepared because it's a conversation it's back and forth I'm not just going to give you a path and say go because I just I don't think that works well personally yeah awesome um we talked about like unblocking path to staff advocating for yourself but concrete Liz there anything you have seen really work for someone who's a year or two out that they should focus on I think there are probably some folks in the room who are you know don't feel like they're trying to fight for the promotion but maybe they're fighting for the packet um and like what that might look like sure I think trying to identify that
North Star early and say hey um this is the direction I want to go in this the strategy I want to develop and build like put yourselves in the shoe of your manager two years from now who's saying okay I am promoting X because they have done ABC and demonstrated that they're at that level um and you want to start writing that and like if you can't write it as for feedback like see what am I missing what is like an example of a staff appropriate project or deliverable and work towards that once you have a clear idea then you could go about executing on it I mean I've seen people hyper focus on deep technical skills and completely
ignore what does the business need so I think you know like go after those deep technical skills but remember at this level like if you don't have the leadership skills it's going to be very hard for your manager to make the case yeah so the next sort of highly rated question here is about the fact that staff Engineers are often involved in planning and Road mapping and and you know maybe not Greenfield work but Greenfield determination of what the work should be uh what do you do to sort of identify the next big problem you or your team or your sphere of influence should tackle and is this a process that is you know internal only
is it benchmarking is it uh based on some framework I think Kurt you're in a bit of a different role in this like deep solver mode what's your process for finding big problems in research so my employer is a static analysis security tool our customers are appsec people basically I was an abstract person I built a program basically from scratch for a billion dollar company so I am deeply familiar with the problems that like are sort of like ideal customer profiles trying to solve and so I use that as my North Star for like okay because again as we've mentioned several times now technical skills are table Stakes what's really the differentiator for staff is
being able to connect that to business outcomes because the people who are deciding whether or not you are a staff engineer are people who are deeply deeply concerned with business outcomes so you can do technical Wizardry all day long and if the business doesn't care it doesn't matter so what that's kind of what I use to define research is like okay what are the problems that like my peers because I still have a bunch of peers from my career that are all appsec people and so I technically like hey what do you hate right now and you know if I get four of the same response I go that's interesting let's go look at that
so that's that's kind of I'm gonna stop there but that's kind of yeah that's interesting so that's alluding to the idea of like a peer Network becoming really important at this level um especially if you're in maybe a smaller company where there aren't 15 staff Engineers to I lean on Clint a lot and I lean on a flint a lot too and I I don't even uh share an employer uh that's namely anything to sort of talk about how you go about identifying like work to be done Road mapping what big problems there are to tackle um I'd say basically the same thing but I've done it in an internal company context it's like you want to talk to
the teams that you're working with and just understand what their roadmaps are what their biggest concerns are and then drive like what you want to do based on that um especially in security we're here to start the business so you want to understand what the product teams are building why they're building it what the broader context of it is and understand how to secure that and go from there um and you should be meeting these people regularly anyway even when it's not planning paint so that when planning time comes you already have a good idea of what you're gonna do I would say like well this is how I do it I look at data I look for gaps like
those are my two go-to models like I look at the data I see what it's telling me and then I try to suss out is there a Gap somewhere in our business strategy that I can go after and build something to have impact it's it's that sounds really simple it's not but that that's been my go-to I recommend it awesome on a uh on a road mapping planning note we've talked about business impact being important but to get to staff level to succeed um how do you quantify or qualify the impact of a security project right like you're looking at the data what data are you looking at for research how would you ever sort of
compare against things you aren't exploring right opportunity cost anyone anyone have a silver bullet for security metrics nope nope um what what do you do to paper over that Gap though like the security industry knows there's a gap in quantification maybe you're at Netflix where they're actually doing fair or risk quantification but most shops aren't doing that um like how do you sell security then or security impact um we try to come up with at least project appropriate level metrics I'm in the bug detection space so we look at how many you know PRS are we checking how many bugs are we actually finding how many actually do we let through um and then try to work backwards from
there and we say okay you know we're going to reduce this thing by 30 this quarter um that's one way of approaching it and that's roughly what I try to look at there's always some Metric you can't say there's nothing really any big company wisdom for us I mean a lot of the companies are going to use okrs I am a big fan of write and objective statements I do X so that y happens right and then what are the metrics that will tell me the why right like and it could be Trend analysis it could be raw data I mean it just really depends on the problem but I always have found it much easier if I State the
objective which is you know basically the goal in a lot of ways but really break it down and then just look for what metrics will help me determine whether I'm moving the needle or not yeah like two second question what's better a bad metric or no metric I pick no metric yeah that's the same no matter yeah I I actually think a bad metric because then you can go down the wrong path and I've seen that happen a lot so there will be no follow-up here we're gonna we're gonna take this off um awesome so we have one one question that sort of floated to the top here and just so folks know I am paying attention
to thumbs up so if you are interested in influencing what we talk about here um go for it uh there's a question from Brandon thank you Brandon about anti-patterns in trying to reach staff positions or things you've seen sort of people either hurt their own case or hurt their own progression do you have any examples or or like what not to do people make I have a knee-jerk response brilliant jerks don't be a brilliant jerk no one wants to work with a brilliant jerk and part of staff is working with a whole bunch of other people if other people don't want to work with you you will never make it there um I would say doing a bunch of the work
that you're already doing and better uh like doing that better that doesn't matter if you're doing continuing to do senior level work at senior level impact you'll do great you'll get great ratings but you will not get promoted to staff because you're not changing the way you work I think I mentioned this earlier the people that I've seen really get stuck are the folks who they they just keep developing their tech skills and again that's table stakes as we mentioned earlier and I keep being like so you need those leadership skills like listen to the person who tells you hey you have this gap here go chase it down um and I'd also say like
to a point if you get too technically deep in one area that can be a problem because I do think especially at large companies they're looking for people with breadth not necessarily depth like you you have actually you have actually decent depth but it's more about understanding the entire of the security domain not just one specific thing so like I worked in appsec I've worked in cloud sec I've done infrasec like I've I've tried to do many different domains because that's what's expected yeah and I guess I would just add one thing I've seen is that if you're reaching for staff level without your manager's buy-in like we've talked about this um you're gonna have a really hard time
and so you should really think about communicating to your manager the things you're doing that you think demonstrates staff level impact and making sure they're aligned and I've seen some folks really thrash by um you know talking to their peers about how they're doing staff level work uh and realizing that that work is deeply misaligned with what the business needs or what their manager expects from them and you know unfortunately it's not just the work that matters it's it's talking about it getting it recognized and eventually getting promoted and sort of having that pay off for you I have one other piece of fatherly wisdom to pass on that I found very helpful please give
me fatherly with the wisdom my dad was a Boeing engineer for like 35 years uh if you flew here on a triple seven he built the wings for that um he his biggest piece of advice is the unhappiest people and the least successful people he saw in the corporate world had this like did 20 or 30 years of the same year every year have a different year every year and figure out what that means to you and use that as your North Star you will be successful I did that look where I am now awesome yeah so I think um maybe time for a couple more questions one uh let's let's go through this quickly uh I will say I think it's
covered in the stories everyone's shared in depth so if you want to know more there's a link and uh all three of these people have written like narratives of their career and how they got to staff um but like give us an example of a project or achievement that unlocked staff for you like what was what was the thing you'd point to and say really you know went in the packet and and got you the buy-in you needed
um I'll go first uh I think for me it was really making fuzzing a reality like when I started working on this problem uh my previous employer we had nothing for it um but then over the course of a couple years I built a team around it and we started being a meaningful part of the way my company did security and I think just being able to point to that and say okay we came from nothing and now we have this thing and this exists and it was broad enough that it was affecting things org or company-wide was the main factor I would say yeah Kurt I built an appsec program from scratch by myself
um at a company with a thousand plus employees and 500 engineers so a lot of the zero to functional I think is going to be kind of a common thread for staff like building something new that's like adopted and effective is a big staff feather if you can do it does that carry to big companies like because I think there's probably also a lot of staff engineers who are making things work better which at scale has huge impact right yeah but I do think like it's it's sort of that cross-organizational uh work that really stands out you know when I think about when I was trying to sell myself after leaving one large company to go to another large company I
really talked about these massive programs that I ran across the entire company and I could talk specifically to the impact that we had by running those so I think I think it's the cro I do think cross org if you're at a really large company plays a huge role awesome yeah and I guess uh a last question that we saw float up here um like what do you think about roles beyond staff is there another role that's a step function like this or like for you personally what do you see your next step where does your career go um you know as an IC are you headed into management now right every everything ends in management or no
um so I'm lucky I work at a large company there's a lot of ladder ahead of me um if I were to leave I've actually given this a lot of thought someone one of my uh mentees was like so like are you happy with where you're at and I was like wait but I'm a principal do I have to actually think about like that literally went through my head I was like do I have to think about this still and so it forced me to so I love mentoring for that reason because it forces you to to think about things right and I think for me like if I were to leave my company which I'm not saying I
have any plans to I want to be very clear about that um please do not take note yeah I I would really like to be a technical advisor to a CISO at some point I think that's a really nice role for me um it's you know looking across the business strategically you're on the leadership team but again I don't have to do performance reviews so I love that sweet spot um added to that yeah I think similarly there's a lot of career growth ahead just doing um larger projects more company-wide impact and potentially getting slightly more technically deep in some of the technical stuff that I'm looking at um but also for me personally like the
management uh like I swung the pendulum once I might go back again it really depends on what type of roles exist um where I'm at now there is one ladder beyond where I'm at there is a principal ladder ahead of where I'm at um I'm probably shooting for something like research architect in terms of like title like that title uh it will be uh make your own title so it's I I really like this sort of like systems you know stuff like I every now and then I'll be like watching a trashy TV show from the early 2000s and like you know hands-on keyboard stuff but like I really do like that sort of like
understanding and like systems view of things and a lot of research doesn't it it's very like specialist and like I know you know this language backwards forwards and upside down I know DNS really well I know cryptography really well there isn't really a like shape of everything kind of like where should we send research because uh if you're not familiar with Semgrep we have a fairly large research team for the size of company we are so we have a lot of these really smart really talented researchers and we need to send them places and we don't have a great map for that and I don't know sorry you're saying we should focus on the
business impact of our work yes tldr focus on the business impact of your work yeah and um yeah and so we're all different types of staff engineer the last question that was asked and for folks who we didn't answer a lot of these questions are actually really important and and might be even more important to you like find any of us ask us talk to us and talk to all the other really experienced ICs you'll meet this weekend um last question is sort of what do you do to make your role legible or understandable or comprehensible like if you were to switch jobs um do you just like throw in a staff engineer application like do I apply for
Kurt's job or is it giving talks at conferences like what's the one thing to do um I frame it in terms of like the business impact again I'm like I help make the company more secure and like I focus on these two flavors of things yeah yeah all plus one business impact like I haven't applied for a job my like last two or three because I was like they're all in network like hey like we need someone who does X and I know through the grapevine or personal experience that you are very good at X like I actually got punted into my current job by my mentor who was my boss at my last job he's like you are an idiot if you
don't take this job so yeah have have friends and mentors have friends and mentors and that that will solve itself kind of I guess I would just say be able to sell the story right like so much of this is is selling which I really hate to admit to because I actually think I'm a terrible salesman um but I think you know know your narrative be able to speak to it and if someone pushes you back on you just just keep pushing and keep selling because I I that's the value you can add awesome thank you all uh always be selling no um thanks folks for your questions again please feel free to hallway con us we're always happy to talk
more about this and if anyone's a staff plus engineer and wants to share their story um reach out to me I'm very easy to find a fairly unique name and happy to promote your story as well so other people can learn from it thank you thank you thank you please keep your eyes on the plus [Applause]