Advice on getting ahead in cyber security - for leaders and their team members

By Nick Moore

David Jorm heads up a team of 11 working on product security for a Big Four bank. AISA asked him for his best advice on career planning and development … for information-security leaders and their team members.

We began by asking why a manager should care about their team’s career advancement.

High on the list is amplification, he says. “From a purely selfish perspective the amount that you can influence and accomplish is mitigated by the extent to which you’ve developed your team,” said Jorm, who helps protect customer-facing assets at the bank such as the stock-trading, internet, business and mobile platforms.

To succeed at leading people you should be intrinsically motivated by the success of your people, he said.

“If, as a people leader, it's all about you and you are just using your team to achieve your objectives you are probably unlikely to be a particularly good people leader. There are narcissists out there who get away with it but for the most part you are going to be most successful if you are actually intrinsically motivated. You want to see that success.”

His top pieces of advice for managers to develop their teams are:

  • Set SMART goals
  • Stay true to your style
  • Foster diversity in all aspects

For team members looking to advance, he recommends:

  • Engage with the infosec community
  • Expand your skill set
  • Develop a speciality


SMART goals

Jorm recommends Specific, Measurable, Assignable, Realistic, Time-related (SMART) goals for team members. “That will enable you to align your team’s career development with the organisational objectives.”

He gives the example of a team member who asks to develop their hardware penetration-testing skills. Meanwhile, the bank is developing a new point-of-sale device, which includes hardware.

“For this person - your goal this year is to be the lead tester of the new point-of-sale embedded device, and to support that in your development plan we are going to send you on this training course for a week that's related to that, and then we are going to put that into your KPIs, that at the end of the year you have successfully delivered that test, you've got good findings, the stakeholders are happy and you have passed the exam for certification for the training we put you on.

“So then you've aligned the organisational objectives with the person's objectives and everybody wins.”

Stay true to your style

Jorm describes his leadership style as hands-off - “set a high-level vision, enable people to achieve and let them go and do it”. He contrasts this to Apple co-founder Steve Jobs, who was a “hardcore micro-manager”.

Jobs’s approach worked very well for him but “If I tried to adopt his style or he tried to adopt my style, neither of us would likely be successful so you need to just own that. That’s who you are, that's how you lead, and be true to that style”.

Foster diversity

This means diversity in gender, orientation, ethnicity and so on, but also neurological diversity, to harness people who have “different ways of doing things”.

“Because if you had a team entirely of people like me it would all be pie-in-the-sky sketches on a white board and big dreams and visions and you'd never quite get the thing through QA and into production.

“If you had a team full of people who were focused on the minute details rather than the big picture you get lost in the quagmire of detail.”

So the mix is important and so is how you set them up to excel. With an extrovert, for example, allocate them a role with a lot of interaction. Whereas “if there's somebody who just wants to be left alone, heads down, put them in a role where they just pull all their work from a Jira queue and minimise the need for interaction.

“Set people up for success in their own diversity.”

Team members

Engage with the infosec community

“Particularly for people who are new to the industry this is really important because you need to build that network,” Jorm says.

“It’s so true that it's not what you know, it's who you know, particularly earlier on in your career, so do everything you can to engage with the community.”

In the restricted COVID environment, he suggests virtual conferences (such as AISA’s Risk and Cyber Week) and online Capture the Flag events.

Expand your skill set

For example, if you work in risk and governance in a highly regulated industry “try to get some more technical skills, do a pen test course, do a CTF, it will really help to expand your own understanding of things”.

“It will also expand your horizons because no matter what role you are in there will always be stretch goals and opportunities where something will come up and if you have some of those skills you will be able to put your hand up.”

Develop a speciality

It is crucial to augment your skills whilst drilling down deeply into one specific area of expertise, Jorm says.

“If you don’t have a particular deep specialisation it will limit the value that you can add to an organisation.

“The people who I see who have the greatest career opportunities, because the industry is always moving, are the ones who have both a highly focused technical skill where they are one of the best in the field for it, but they also have a breadth of skills where they can be applied into different things and that breadth of skills is what’s going to allow you to pivot because what’s hot today is not going to be hot in 10 years’ time.”

Additional advice

Soft skills

For most of us, it’s worthwhile honing our people, communication, social and other soft skills, Jorm says.

“If you are just the best in the world at some particular technical speciality you can probably get away with not having very many soft skills.

“But let’s be a little bit humble and say we’re all not the absolutely best in the world at something and therefore having those soft skills, communication skills, is going to enable us to be successful.

“There can only be so many of those people who are really really good at something but don’t have the soft skills. There’s a finite cap on how many we can sustain before there needs to be people who do have those soft skills.”

Code literacy

In some areas of cyber - such as product security and offensive security - it pays to know your way around code, which Jorm terms “code literacy”.

“Without that literacy you will have a cap on what you are able to do.

“Obviously people will get away with it but it will put a hard limit on things you are able to do if you cannot read and write code effectively.

“You need to have those fundamentals otherwise you are always going to be dependent on people around you.”

Final thought

“As a people leader, who you hire is by far the most important thing you do in a role. It's the most important decision that you make and it has such lasting consequences.”

LEARN MORE: David Jorm will be presenting at AISA's Risk and Cyber Week virtual conference, which runs from November 9-13. His topic is "Managing technical security teams: desperation, deadlines, and desk flips”.
