I've made several career plans for myself before, but I don't think I've ever done it in a formal manner. I've never said to myself "I should make a career plan" until I was sitting in Martin Fisher's "How to Hack the Career Development Life Cycle" at B-Sides Atlanta. It had always been more of a "I want to do this, so first I need to learn this technology" kind of mentality. However, Martin's talk really made me think. In some ways, it was sort of unsettling, but I think it can be unsettling anytime you start to really think about the direction your life is going. I had a sort of "life passing me by" feeling by the end of the presentation (through no fault of his -- it was a great presentation, with some great takeaways.) I'm hoping making myself this transparent doesn't come back to bite me later, but I'm also hoping that this transparency might get me some feedback from my more experienced readers. (Insert "what readers?" joke here.)
Where I am now
Currently, I'm doing Devops for a small group at a university. There are many good things about this: I'm fortunate to have a lot of autonomy and good management; I've received 2 title bumps in as many years, so I believe my efforts are being recognized and appreciated; and I've had a chance to work with a variety of things and expand my skillset and horizons quite a bit. There are also some downsides: being in a small group, I end up doing more direct end-user support than I'd like; I don't feel that many of my coworkers and I are on the same page; and I feel like some areas of my worklife have become stagnant. I do really enjoy doing most of the Devops tasks, but unfortunately, I'm doing more "routine Drupal" than I'd like. I also have to admit that, given the size of the group I'm in and the title I have, I have to wonder what opportunities will come for me.
My Career Goals
The first problem I have in laying out a career plan is that I have a hard time articulating my career goals. I have a number of interests, and I'd like to incorporate them all into what I do. I like Devops-style System Administration (there's a lot of satisfaction in getting things running and keeping them running just right), I like writing code (interesting code, not the boring business-rules or data-shuffling kind of code that too many code monkeys are forced to write), and I really like Information Security. Even in InfoSec, there's a lot that piques my interest. Pentesting is quite a rush, but so is forensics/incident response. Both of those areas are the sort of puzzle that leads to me working until 3 in the morning because I just can't bring myself to stop. The only single title that I've seen that comes remotely close to describing my interests is "Security Operations," but that's such a vague and all-encompassing term that it doesn't narrow things down much.
What I don't want to do
So, I have certain standards that I'd like to stick to. First off, I don't want to do things that cause me any (more) concern over my financial situation. Secondly, I'm a FOSS guy at heart -- a Linux geek through and through. Any job where I can't put those skills to good use would be a waste for both me and my employer. Thirdly, I'm not a policy or management guy. I'm happy to give input on policy, but pushing papers all day is not my forte.
So how do I get there?
This is the most important part of the career plan -- I can sit and wish and dream all day long, but if I don't do something about it, I'm not going anywhere.
- I'm currently pursuing an M.S. in Computer Science. I'm hoping to do a thesis project that's security-oriented to get the most out of my program.
- I'd like to obtain either a CEH or OSCP. While I may not necessarily put a lot of weight in certifications, I believe that either of these would be of benefit. I've heard OSCP is an interesting one in particular. (Unfortunately, they're fairly pricey on a higher ed salary.)
- I need to find a security-oriented FOSS project to really get involved with. This will help me learn, contribute back to the community, and help me focus my interests.
- I should find more security events to attend, and do more networking.
What have I learned?
I'm okay with not wanting to be a manager. I'm okay with not wanting to be a CSO. People look at me like I have two heads when I say I want to "stay technical," that I don't want to "move up." Of course I want to "move up," but I want to do so by being the best technical guy out there. Managing people, managing budgets, managing policy -- there are others that are good at that, so let them do it. I'm glad I went to Martin's presentation -- I'd actually begun to wonder if I was the only person who wanted to keep getting his "hands dirty" for his entire career.
Have I done something risky by posting all of this out there? I don't think so, but it wouldn't be the first mistake I've ever made. I have no immediate plans to leave my current job, but it's important to think about what's at the end of the tunnel. I think it's a good thing to be perfectly clear with both present and future employers -- I've seen what happens when people aren't clear with each other, and it's not pretty.