Surviving and thriving as a “non-technical” professional in cybersecurity
Musings about what it means to be “non-technical”, career paths in cybersecurity that require less technical knowledge, and living with imposter syndrome.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
Why I no longer call myself “non-technical”
When I started in product management, I often referred to myself as a “non-technical” PM. It began as a desire to explain that I do not have a background in computer science or software engineering which, at the time, dominated the profession.
As time went by, things changed. A decade later, after working with front and back-end engineers, data scientists, data engineers, site reliability engineers, platform engineers, and QA, to name a few, I have absorbed a lot about technology. I would read about tech in my free time, listen to demos of cutting-edge products and follow the emergence of new fields. Most importantly, I learned to speak the languages of people from a variety of backgrounds and to become a translator between many of them.
Thanks for reading Venture in Security! Subscribe for free to receive new posts and support my work.
I no longer refer to myself as “non-technical”, not because I became an engineer (I didn’t) or because I can understand every single term engineers around me are using (I cannot). Instead, I have developed the level of technological fluency required for me to be successful at what I do as a product leader.
In other words, I have started seeing the scope of what it means to be technical differently — in the context of what I need to be successful.
Technological fluency is a continuum
In 2022, technology has become ubiquitous — it’s powering everything from finance and architecture to farming and teaching. This proliferation of technology has led to the shift in the way we operate, and what is needed for people to succeed in their roles.
It is no longer about being technical or non-technical, it is about how technical one needs to be. Whether we are talking about a salesperson, a designer, or a journalist — nobody can now pride themselves in being “bad with technology” — technology is now an enabler for every field without any exceptions. Technological fluency is a continuum: if you are a salesperson using the software, you can be less technical than the customer support person answering questions about the software, who in turn can be less technical than a product manager who works to decide what to build, and who is generally less technical than the engineer who builds it.
I think people entering cybersecurity must develop the level of technological fluency required for them to be successful in their role. What that level is, will highly depend on the role itself. In any case, it’s a spectrum where on one side we have security engineers and on the other side — less technical roles of policymakers, compliance professionals, and others.
Where exactly a specific professional falls will depend on the particular organization, product, target customer, and other factors. For example, as LimaCharlie is a security infrastructure as a service provider, many of our users are security architects and security/detection engineers. Because of that, a person playing a customer support role will need to be more technical than someone who supports a GRC product used by compliance managers.
“Less technical” roles available in cybersecurity
Cybersecurity is made up of several disciplines and thankfully we are seeing more human-centered roles emerge in the field. Additionally, as security vendors and service providers evolve, they are starting to offer more and more career paths for people with various levels of technical fluency.
Here is a list of the roles available to folks with less technical backgrounds. The list is not exhaustive and is meant as a starting point for further exploration.
The goal of a product manager is to decide what the company needs to build and for whom to achieve its business objectives which most commonly include revenue growth and market leadership. With a large number of security vendors and security products, there is a strong need for product managers with and without a background in cybersecurity. I have previously written an article about Why security teams should start recruiting product managers.
Policy Writers are responsible for writing cybersecurity processes, policies, and procedures that guide organizations and various stakeholder groups (employees, partners, suppliers, and customers) in protecting the organization’s data.
Marketing Managers and marketing professionals work to increase brand awareness and company market share. They achieve it by planning and executing promotional marketing campaigns and establishing outreach and content strategies, to name a few.
Sales teams are in charge of growing the revenue by meeting customer needs through recommending products and solutions. They guide people and organizations through the buying journey and focus on finalizing the purchase.
Customer Support professionals are there to build and maintain customer relationships, grow product adoption and enable companies to leverage solutions effectively. They often provide training, respond to questions, and help customers remove any blockers that prevent them from solving their problems.
Brand Managers work to ensure success of brands and products. They build strategies, plan and execute marketing efforts that increase brand value.
Content Writers create various types of content (articles, graphics, infographics, reports, white papers, etc.) that educate people about the company’s mission and product offerings, and drive user growth, sales enablement, and marketing.
These are just some of the possibilities. You can also become a Technical Writer, Sales Engineer, Community Manager, Compliance Manager, Lawyer, Business Development & Partnerships Manager, or Business Analyst, to name a few.
As you can see, there is a wide variety of career paths in cybersecurity for people with less technical backgrounds.
My experience being a generalist in cybersecurity
I am a generalist. I have worked in product across a number of different industries — e-commerce, retail, wholesale, fintech, and now — cybersecurity. While as a PM, my focus has always been on ensuring product success (as Gibson Biddle likes to say — “delighting customers, in hard to copy, margin-enhancing ways”), the way I would go about accomplishing it would vary from one company to another. What was fairly consistent is the idea that I should understand the space I work in inside out.
This need to be an expert on customer problems would always push me to become customer-obsessed, regardless of what company or industry vertical I would work at. For example, when I joined a startup that built tools for mortgage brokers, in less than three months I became a licensed mortgage broker (not to practice but to immerse myself in their day-to-day).
Everything changed when I moved into cybersecurity. After less than a week, I realized that I will not be able to add value as a domain expert — the industry is incredibly complex, and my time is better spent focusing on understanding customers, industry players, market forces, trends in the industry, go-to-market strategies that worked and ones that didn’t, and many other things. It is not feasible for me to direct my time and effort on the technical side of cybersecurity as that’s not where I add the most value. The side effect of this realization was learning to live with imposter syndrome.
Imposter syndrome in cybersecurity
Imposter syndrome is the self-doubt that fuels the inner voice screaming “you are not good enough”, “you shouldn’t be here”, and “you are not qualified to do this job”. People suffering from imposter syndrome generally dismiss any counterarguments and evidence of achievements as luck or something else and do not feel like they are worthy of attention.
Many careers in cybersecurity make people vulnerable to experiencing imposter syndrome; product management and other less technical roles are not exceptions. I think two factors contribute to this the most: the absence of a clear career path, and the absence of clear measures of success.
Most career parts mentioned above such as product management, sales engineering, community management, and cyber policy writing, are not learned in school. Nobody gets a degree in digital community management. Because most of these roles are new, people are expected to learn as they go, and since the nature of every company is different, some variations can make you fail at one place and be insanely successful at another. Definitions of success are blurry as well. With no pedigree or clear success criteria, it’s no wonder many people in cybersecurity feel like an imposter.
It’s important to call out that imposter syndrome does not only affect less technical professionals in the field; it plagues the whole industry, from analysts to CISOs. Both technical professionals and security leaders doubt their skills and abilities:
Do I really know what I am doing or am I a fraud who somehow convinced others to trust me?
Am I really a cybersecurity expert?
Am I really capable of protecting an entire organization?
Should I be here if I don’t know X?
People without deeply technical backgrounds are faced with an additional reason to feel like they are fraud — their technical skills (or lack thereof):
Should I be here if I am not technical?
Am I qualified to do this highly technical job?
Do people around me think I am a fraud because I don’t understand the technical intricacies of security?
Ways to thrive with imposter syndrome for people with less technical backgrounds
After joining LimaCharlie as a head of product, I have definitely suffered from imposter syndrome. Here is a brief pitch about what we do.
LimaCharlie is a Security infrastructure as a Service (SiaaS) provider. SiaaS is a different approach to security, one that enables security professionals to access security tools & capabilities they need, for however long they need them and pay only for what they use, similar to how AWS or other major cloud providers deliver the components of IT infrastructure. Whether you are looking for an EDR, log collection, security data storage optimization, automation, CI/CD, building your own products, or anything else — LimaCharlie’s approach enables a broad range of use cases and possibilities.
Leading a technical product in a company that promotes an engineering approach to security and not being a security engineer is not always easy. Product managers don’t have to be domain exports: asking powerful questions, active listening, and the ability to zoom in and zoom out are much more critical to our success. And yet, at least once a week the imposter syndrome creeps in: “Should I be here if I am not technical?”.
I have learned that fighting this feeling is a waste of time. Tech is changing rapidly and no one is ever going to know everything there is to know, whether you are a generalist or a domain expert. Coming from a different background gives me the ability to see problems from a different angle, which, when combined with the domain knowledge of security professionals, ultimately leads to better decisions.
Here are a few tips for embracing the imposter syndrome for less technical people in the industry:
Acknowledge and embrace the fact that you can’t know everything. Don’t be afraid to say “I don’t know” or “I am not sure I fully understand this” and ask questions to learn as much as you can. The fact that you don’t know something is not a reason to be ashamed nor the reason to be proud; be curious and you will succeed.
Don’t be afraid to be vulnerable and to admit you don’t understand something. Being vulnerable is a sign that you have humility — a quality that helps you build more genuine relationships with people around you.
Remember that most (if not all) complex concepts can be explained in simple words or with the use of analogies/metaphors. Find people who can do it, and build relationships with them.
Try to learn from the fundamentals (first principles), focus on understanding the problems, use cases, forces at play, and how different components affect one another. Cybersecurity is full of jargon and confusing abbreviations, so understanding the concept of, say, asset management is much more important than being able to list five vendors in the space.
Don’t equate your knowledge of a specific thing (domain, technology, market segment) with your worth or value you bring. Be adaptable and willing to learn.
Embrace collaboration: two heads are better than one. Work with people who have complementary experiences and different perspectives; diversity of perspectives improves decision-making. Getting people to collaborate will also increase their buy-in into final decisions.
Remember there are two ways you can act when you are not an expert in something: double down on the experiences you have and the value you bring (play on your strengths), or try to become #1 in a new field (compensate for your weaknesses). While you should always strive to understand the basics, doing the latter at the expense of the former rarely leads to great results.
Network with people in your field coming from the same backgrounds. If you are a sales engineer — join the community of sales engineers; if you are a marketer or a salesperson — join the community of peers as well. Don’t be afraid to acknowledge what you are struggling with and ask for advice; you will be surprised how many people will relate to your experience.
Talk to people from different backgrounds. Try to understand their perspective, their view of the world, and the mental models they operate under.
Cybersecurity is a multifaceted field with a wide variety of roles and opportunities available to people coming from virtually any background. Something you studied or did ten years ago should not define what you are capable of decades later, and the unique perspectives you bring to the table are an asset, not a liability. However “technical” you are, cybersecurity will most certainly provide a space for you to do what you are great at.
Imposter syndrome is an issue that can stifle personal and professional growth and lead to psychological disorders. What worked for me and many people I know are embracing the imposter syndrome, and learning how to live with it. Keep learning, be open about your challenges, and ask questions — all pretty basic stuff that will get you where you want to be.