5 Essential Cybersecurity Leadership Tips for Technologists
TL;DR
In this Q&A, NetSPI Managing Director Sam Horvath, shares his career journey from penetration tester to cybersecurity strategist, offering five actionable tips for technologists who aspire to hold leadership roles:
- Embrace challenges and seek new opportunities to expand your skill set and advance your career.
- Be adaptable and open to reshaping your role to align with your aspirations.
- Seek mentorship from both internal and external sources.
- Focus on both hard and soft skills development, including technical expertise and strategic vision.
- Be proactive and show up with solutions.
Introduction
Career paths are rarely linear when working in security, and few stories show this better than NetSPI’s Managing Director, Sam Horvath. Sam’s journey into cybersecurity was fueled by a long-standing curiosity about the field. His entry into pentesting was a pivotal step, setting the stage for a transition from a technical role to a strategist position down the road.
Today, Sam is at the forefront of guiding some of the world’s largest technology companies and financial institutions toward robust security strategies. Discover how he navigated his career transition and gain insights from his experiences as he shares tips along the journey.
How did you get started in penetration testing, and how has your career evolved over time?
I was in a non-security role and really looking for what to do next but had no idea what to do. I always had a peripheral interest in security, but never had the chance to actively pursue specialization in the field.
That all changed one day when I got a text from a former classmate who asked me if I wanted a chance to learn more about security, and a new job to go along with it. A few phone calls and interviews later, and I was thrilled to join NetSPI University’s first formal class in 2018. I spent six months learning about the basics of information security and penetration testing, and then passed our internal assessments to work on real-world customers.
After a few years, I was able to expand my skill sets, both in web application penetration testing and social engineering, and really enjoyed the work. I found that I got a lot of satisfaction out of technical leadership for our large financial and technology clients, and really enjoyed interacting with our customers.
“A few phone calls and interviews later, and I was thrilled to join NetSPI University’s first formal class, back in 2018. I spent six months learning about the basics of information security and penetration testing, and then passed our internal assessments to work on real-world clients.”
Tip #1: Embrace challenges and seek new opportunities to expand your skill set and advance your career.
When I hit a point during the pandemic where I felt like I needed a fresh challenge, I was able to do something that I think really represents the core ethos of NetSPI — I approached our company leadership to express an interest in doing something different. At many companies, this would not be met with a warm response. At NetSPI, the response was: “Okay great – let’s figure something out.”
I transitioned to the Managing Director team and was very lucky to spend a year learning from a few of our most knowledgeable team members. Eventually, I was given my own customers to handle, and things took off from there! Fast forward to today, and I spend most of my time working with some of the largest technology and insurance companies in the world.
Tip #2: Be adaptable and open to reshaping your role to align with your aspirations.
What responsibilities do you have in your role as a Managing Director?
As a Managing Director at NetSPI, I leverage my past experience as a penetration tester and my more recent experience as a strategic advisor to ensure that NetSPI is constantly executing its work at the highest standard possible.
This can include anything from creating metrics with the customer that help measure the success of their penetration testing program to addressing concerns around testing focus areas and methodology. The major theme around my work is helping security leaders shift their viewpoint and operations from dealing with the next challenge six inches in front of their face, one after the other, to executing long-term planning and a proactive security strategy around what they want their penetration testing program to accomplish.
“The major theme around my work is helping security leaders shift their viewpoint and operations from dealing with the next challenge six inches in front of their face, one after the other, to executing long-term planning and strategy around what they want their penetration testing program to accomplish.”
What steps did you take to prepare yourself professionally for the transition from technologist to strategist?
The single most important step that I took professionally in this new role was to seek out and embrace mentorship.
Tip #3: Seek mentorship from both internal and external sources to develop your professional skills and navigate your career path.
I engaged with multiple folks both internal and external to NetSPI to help guide me through specific areas of skill development:
- Professional hard skills development, such as how to run a penetration testing program, policy creation, vulnerability measurements, and creating and running a business review.
- Soft skills development, including conflict resolution, leading from the middle, and managing up.
- Career mapping, as in how to point oneself and what they’re learning and developing in a specific direction.
By actively seeking mentorship and leveraging the experiences of the people around me, I built skills for leadership roles and navigating cybersecurity planning more effectively.
What kind of challenges did you encounter and how did you move past them?
The early challenges I encountered were around being in a role that was undefined at the time. When you’re still shaping your role, it can be easy to get caught in the same trap that security executives do – just putting out the next fire or responding to what people need from you. It signifies an admirable intent to help everyone around you, but six months later you can look back and realize you haven’t made the lasting impact you wanted to.
Tip #4: Focus on both hard and soft skills development, including technical expertise and strategic vision.
“When you’re still shaping your role, it can be easy to get caught in the same trap that security executives do – just putting out the next fire or responding to what people need from you. It signifies an admirable intent to help everyone around you, but six months later you can look back and realize you haven’t made the lasting impact you wanted to.”
The other early challenge I encountered was my skill set. I was very familiar with being a penetration tester and had led and participated in highly complex technical programs for some of the world’s leading tech companies. But that didn’t begin to cover what I needed to know to be successful in my new role.
I had to look to the direction of a handful of folks senior to me at NetSPI to learn how to earn trust and become a strategic advisor to a customer, negotiate difficult situations both internally and externally, understand security program strategy and maturity, and many other items. And I had to learn it all as fast as possible.
How does your day-to-day as a managing director compare to your day in the life of a penetration tester?
My current role is very different than my time as a practitioner. First, work isn’t assigned to me, and there’s no one else who I can look to as responsible to drive an effort forward. If we don’t succeed for our customers, the buck stops with me.
I miss being technical, but I love that I can be more strategic. In my current role, I often get to have “big idea” strategy discussions – how we attune our larger movements and goals for the year ahead, and I then work with our teams to translate that into tactical actions and initiatives.
An important piece of these discussions is the preparation and use of vulnerability data to illustrate the overall state of a customer’s program, and that’s something I love doing as a Managing Director, that I did not get to do at all as a consultant. I often spend hours and hours working with vulnerability data to discover trends and recommend initiatives to our customers. This is one of a few key areas at NetSPI where true impact to the security program becomes a reality.
Can you share any advice for technologists looking to evolve their role into cybersecurity leadership?
To move into bigger shoes, you first have to show you’ve got big feet. Take responsibility for an initiative or ask to ride along with someone on it. Find something you’re passionate about within the company and become the expert!
Be ready to screw up – you’re going to make a lot of mistakes as you learn to play a bigger role, and that’s okay. Having a good mentor will help you learn from those mistakes, and so will being self-aware.
Become borderline maniacal about feedback. Ask for it from everyone you can. As human beings, we tend to have an opinion on most things we see in the workplace, and life in general. Most people won’t proactively share their opinions with you at work regarding your own performance, so make sure you go ask whoever you can for feedback on your working style and skill set. You’ll be surprised at how valuable that process is.
“Be ready to screw up – you’re going to make a lot of mistakes as you learn to play a bigger role, and that’s okay. Having a good mentor will help you learn from those mistakes, and so will being self-aware.”
Tip #5: Be proactive and show up with solutions.
Finally, and most importantly – act on the feedback you get. Everyone has things they can get better at – if you do 1% better every day, you will be 37 times better at that thing in a year.
Conclusion
Sam’s journey from pentester to Managing Director shows the dynamic nature of career paths in cyber. His insights are a valuable guide for technologists aspiring to step into leadership roles. By embracing challenges, seeking mentorship, and actively developing both hard and soft skills, professionals can position themselves for growth and influence in their fields.
Whether you’re getting started in cybersecurity or contemplating a shift into leadership, the tips Sam shared provide a roadmap to navigate the complexities of this critical transition. Explore NetSPI’s open positions and help secure the most trusted brands on Earth.
Authors:
Explore more blog posts
Part 1: Ready for Red Teaming? Intelligence-Driven Planning for Effective Scenarios
Take time for dedicated planning and evaluation ahead of red team testing to prepare your organisation for effective red team exercises.
The Strategic Value of Platformization for Proactive Security
Read about NetSPI’s latest Platform milestone, enabling continuous threat exposure management (CTEM) with consolidated proactive security solutions.
Backdooring Azure Automation Account Packages and Runtime Environments
Azure Automation Accounts can allow an attacker to persist in the associated packages that support runbooks. Learn how attackers can maintain access to an Automation Account.