Skip to content

Career Growth & Public Learning

Security work should be part of regular job responsibilities, not "extra." Build career paths and knowledge-sharing systems.

Tactic 1: Time Allocation & Career Growth

Security Without Time Is Theater

If security isn't in sprint planning and capacity allocation, it doesn't happen. Time allocation must be explicit, tracked, and protected. 5h/week for security champions is non-negotiable.

Security work requires dedicated time and a clear career progression path.

Implementation Steps

  1. Allocate time explicitly:
  2. Security champions: 5h/week (20% of time)
  3. All engineers: 1-2h/week for security PRs, reviews, training

  4. Include in sprint planning and capacity planning

  5. Create career progression path:

Individual Contributor → Security Lead → Principal Engineer (Security)

IC Level:
- Writes secure code
- Contributes to security reviews

Security Lead Level:
- Leads security initiatives for team
- Mentors junior engineers
- Works on tooling/automation

Principal Level:
- Sets org-wide security strategy
- Advises C-suite on risk
- Builds security culture
  1. Include in performance evaluation:
## Performance Evaluation - Security Component

**Secure Coding Practices** (20% weight)
- Code reviews: Identifies security issues
- Implements security fixes without prompting
- Champions secure patterns in team

**Security Ownership** (15% weight)
- Proactively identifies and remediates risks
- Participates in security initiatives
- Mentors peers on security practices
  1. Offer specialized training budget:
  2. Security certifications: $500-1000/year per engineer
  3. Security conferences: Attend 1 per year

  4. Online courses: SANS, Linux Academy, Coursera

  5. Create internal mentorship pairs:

  6. Senior security-focused engineer pairs with junior engineer
  7. 1 hour/week pairing on security topics
  8. Formal mentee feedback and impact tracking

Metrics to Track

  • Training Participation: % of engineers completing security training (target: >80%)
  • Certification Rate: # of engineers holding security certs (target: grow by 10/quarter)
  • Career Progression: # of engineers promoted to security-related roles
  • Engagement: Survey on perceived career growth opportunity in security

Common Pitfalls

  • No Budget: "Do training on your own time" equals low participation. Fund it.
  • No Career Path: Security seen as dead-end. Create clear progression.
  • Evaluation Disconnect: Security not in performance reviews. Make it explicit.
  • One-Off Training: Single course with no follow-up. Build continuous learning.

Success Criteria

  • 80% of engineers receive ≥8 hours security training per year

  • 50% of engineers hold or pursuing security cert

  • Clear career path for security-interested engineers
  • Engineers cite security growth as career benefit

Tactic 2: Public Learning Content

Document Lessons Learned, Not Best Practices

Teams remember stories, not bullet points. Write about what broke, what you learned, and what you changed. Real failures teach better than theoretical perfection.

Champions and security-focused engineers should share their knowledge publicly.

Implementation Steps

  1. Internal blog posts:
  2. Champions write about lessons learned
  3. Security incidents turn into educational content

  4. Feature on internal wiki and newsletters

  5. "Security Deep Dive" video series:

  6. Record 15-minute sessions on specific topics
  7. Make available on internal learning platform

  8. Track views and engagement

  9. Lunch-and-learn sessions:

  10. Monthly 1-hour sessions on security topics
  11. Rotate presenters across teams

  12. Record for async viewing

  13. External content (with permission):

  14. LinkedIn articles on general security patterns
  15. Conference talks at regional DevOps meetups
  16. Open-source contributions to security tools

Metrics to Track

  • Content Production: Blog posts, videos, presentations per quarter
  • Engagement: Views, comments, shares on internal content
  • Knowledge Retention: Survey on what topics teams remember from sessions
  • External Visibility: Mentions, citations, community engagement

Common Pitfalls

  • No Time to Create: Content creation requires dedicated time. Budget it.
  • Generic Topics: "How to be secure" doesn't stick. Focus on specific, actionable patterns.
  • One-Way Communication: Presentations without discussion kill engagement. Make it interactive.

Success Criteria

  • 2-3 pieces of educational content produced per month

  • 60% of team engages with at least one piece per quarter

  • Champions report confidence in teaching security topics
  • External content drives recruiting and brand recognition

Integration: Building Continuous Learning

Security training works when:

  1. Champions are empowered - Not just trained, but resourced and recognized
  2. Career paths are clear - Security expertise leads to growth, not dead ends
  3. Time is protected - Training isn't "extra," it's budgeted and expected
  4. Knowledge is shared - Learning spreads through mentorship and content

The goal: Turn security training into operational capability that compounds over time.

Comments