Dave Hartley, Group Technical Director
15 mins read
If you’re the sort of person who thinks about long-term life goals and how you’ll achieve them, then you want a career with F-Secure Consulting (and we want you!). If this resonates with you, do please read on to learn about how we have built an environment that encourages and enables people like you to progress.
We want our people to have a long and successful career with us. Therefore, we aim to offer an environment where they can thrive and excel; one where the pursuit of excellence is encouraged, nurtured and rewarded. To help us realize this, we have designed a unique framework to support progression at F-Secure. We don’t know any other cyber security specialists that approach it the way we do. It’s cleverly titled the “Progression Framework” – and it does exactly what it says on the tin. It helps us recognize and reward achievements as our people traverse their chosen career paths. It’s designed to be agile and scalable so that it can bend, flex, twist, turn and grow as F-Secure and our people do. Things move fast in this industry; things change quickly and we need to adapt to that change. Our people change too; their interests, their ambitions, the things that excite them the most and, most importantly, what they want out of their work. We designed a framework that allows us to react to that change, rapidly.
Very importantly the framework does not force anyone down a given career path and no one is dissuaded from changing paths or forging new ones. Its focus is about enabling our people to do great things and making sure they are recognized and rewarded for doing them. Some of the team get their kicks from solving puzzles and challenges, or figuring something out by dismantling it and digging in to it. Others enjoy the thrill of building something and coming up with ways of solving interesting problems that they’ve faced. It’s a framework that is made up of several different parts, the sum of which makes it work. However, it does take some explaining for those that have not experienced it. The rest of this section will hopefully help you to understand its nuances.
The framework consists of four core elements:
These collectively come together to:
Underpinning this are some principal facilitating roles – Mentor and Sensei. A Mentor is a wise, experienced and trusted adviser, who helps to guide a less experienced or less knowledgeable person; a source of wise counsel in an otherwise complex environment. Every consultant at F-Secure is paired with a Mentor who will work with them through their career at F-Secure, supporting them to achieve great things.
A Sensei is someone who helps others to develop, learn new skills, find personal success, achieve aims and accomplish personal challenges. Consultants work with one or more Sensei who can help them progress along their chosen “Pathway” and obtain the “Badges” that they covet. They will work with many different Sensei over the years. All of our Mentors and Sensei receive support, guidance and training for their roles.
Pathways are designed to illustrate routes that, if a consultant chooses, they can traverse. They show possible stepping stones that will help them get where they are going, but also give the freedom to get where they are going any way they like.
What inspires the team at F-Secure is not job titles or arbitrary incrementing integers. Traditionally in the cyber security field, advancement has been recognized by way of a job title and grading. But that’s not very exciting is it? At F-Secure, we get excited about learning new things, doing great things and seeing the value we bring to our clients.
Not all career paths lie in consulting. Some in the team have more technically focused ambitions. Some have no interest in becoming a senior consultant and instead are motivated by advancing their hardware hacking skills, their mobile hacking skills or being able to rob banks. As a business, we consider each of these ambitions to be as valuable as each other; we aim to support, recognize and reward all of our people's personal endeavors.
Pathways have been designed to illustrate how a consultant with a particular skill set or consulting level can progress along defined career paths. For example, a consultant who has an interest in becoming a leader or manager, can clearly see a way to achieve that within an “Operations” pathway. A consultant who is more motivated by gaining lots of technical experience delivering a variety of services for our clients, may choose the “Delivery” pathway. A consultant who wishes to purely focus on finding 0days and breaking things may choose a more “Technical – Research” pathway etc. Some consultants will simply invent their own, if none of the ones on offer quite resonate, and most consultants will have changed their pathway at least once in their career. There is nothing to stop this happening and it is actively encouraged.
Pathways are designed to illustrate possible ways to progress into roles that we as a business have recognized as being essential to our current situation and future ambitions. But if we’re missing a trick, and things change (as they always do), then we will create new ones. None of the Paths are linear, they provide logical milestones for a personal journey. But our people can take any route they like. Their achievements are recognized no matter how they choose to traverse their path!
To progress along a given pathway, certain skills, experiences and proven capabilities must be acquired. To enable this and to recognize such achievements, pathways are supported by “Teams” and “Badges”.
We enable development in many ways, including the provisioning of various training courses. Each Pathway is mapped to a training profile that combines educational opportunities, which is managed by a bespoke learning management system called Akademy. The Akademy itself contains a library of pre-defined training courses, some of which are delivered in a classroom, some are self-study and some are secondment or placement-based. It provides a way of standardizing the training that F-Secure offers while allowing everyone to benefit from the material there and contribute to it; yet still offering individual focus during secondments or placements. Pathway profiles consist of combinations of F-Secure developed training, internal training materials and workshops, and the offerings of trusted external providers such as MDSEC, Alex Ionescu, and Saumil Shah, to list a few examples. Where appropriate these also include training that prepares for desired certifications, including but not limited to those such as CREST, SANS, Offensive Security etc.
The success of a lot of the technical training we do relies on the use of sophisticated labs that replicate numerous technologies and setups that we find in the real world. In order to facilitate access to all our training labs globally, we developed Playground. Playground is F-Secure’s cloud hosted training platform. It allows each consultant to spin up their own dedicated instance of a selected training lab, so that they can learn and play in a safe environment. Playground is very versatile. Consultants use it when they want to practice new skills or create labs to teach and share interesting things that they have learnt with the rest of the company. We also use it to facilitate “Capture The Flag” style events and, in general, to deliver on-demand training infrastructure to our clients.
For example, let’s imagine you wanted to learn about ways to compromise a Windows estate. You can go to Playground and spin up one of our labs, “BazaareCorp”. This is an entire Windows corporate network, complete with fake bot users that can receive and open emails. The lab comes with a guide, divided into different modules, that walks you through executing a phishing attack, handling C2 connections, pivoting through the compromised workstation and eventually compromising the whole Windows domain through a variety of techniques that we commonly use in our engagements. The guides on Playground offer enough direction so that a person new to the topic will be able to learn and accomplish the objective without being spoon-fed all the steps; at the same time the versatility of the lab infrastructure also allows consultants the chance to experiment with different tools and techniques beyond what is required/included in the lab documentation.
Sensei also offer various 1-1 learning sessions, where various skills are taught and acquired in more personal and tailored development dojos. Not all training and educational profiles are technically focused. We also support the development of leadership, performance and soft skills using the services of partners such as https://www.theglobaledge.com and http://www.bobdowd.com. Many of our leaders receive regular 1-1 personal performance coaching sessions to support their professional development.
Consultants are also free (and encouraged) to attend conferences, industry events, fill their book shelves and/or identify other training opportunities that align with their ambitions. Basically, we want all our people to seize every learning opportunity possible. We don’t put a cap on such things and we don’t want to make it difficult for anyone looking to better themselves. The introduction of the new apprenticeships, most notably the roles of Cyber Security Technologist and the Cyber Intrusion Analyst, has provided an ideal opportunity to map our profiles and learning opportunities to these standards so that anyone attending the F-Secure Akademy can obtain national recognition for their achievements.
The training and personal development on offer at F-Secure is not a one-off gimmick; it is something that is deeply embedded in our culture. Everyone loves learning and developing and takes immense pride in it; the environment is designed to promote and reward that. We invest hugely in this to ensure that consultants are not missing out on development opportunities. Some modules last several days, others a few hours, and consultants are given dedicated time for this.
We don’t believe in rigid hierarchical management structures at F-Secure, instead we like to be a little more creative and trusting of the talented people we have working here. We’ve found that small autonomous groups of smart like-minded folk achieve great things when they work together. We do our utmost to create an environment that fosters this approach.
Each team has a charter. This is basically a list of Objectives and Key Results. OKRs are a simple tool we use to create alignment and engagement around measurable goals. Each team has a small list of objectives, and the realization of those objectives is evidenced by the results it produces. Once a team has met their OKRs, the team’s focus may change by producing new OKRs.
Teams structures consist of a ‘Team Lead’, ‘2nd in Command’ and a number of ‘Team Members’. To remain agile and productive, teams should ideally have no more than six consultants within them. Their purpose is to bring together a group of consultants to better themselves, deliver strategic projects, enhance existing services, or build new ones. However, we don’t want anyone to be dissuaded from forming teams that do not fit into these buckets. Consultants are encouraged to come together and form new teams for whatever exciting reason they have. This is about nurturing innovation and creativity, not stifling it by with excessive restrictions.
We have a large professional services team, filled with consultants who are skilled in a number of different disciplines. Some consultants choose to align themselves with several of our existing service offerings and as such, they choose to join multiple teams to allow them to get involved with a variety of projects. Others choose to specialize in a particular field and focus their time and efforts on a single team with the ambition of leading or being the 2nd for that team. We also have a number of services and areas that some consultants aspire to specialize in. Such consultants look to join teams that will bring them closer to that goal. We also have some really talented folk who want to forge new paths, shake up the industry and push things forward. These consultants are free to spin up new teams and take us to new and interesting places. Teams are there to support all of our people in whatever it is they want to do – because we recognize that given this freedom – whatever they do will be awesome.
Badges allow us to recognize, reward and promote consultants’ achievements as and when consultants pick up a new skill, do something cool or demonstrate impressive levels of awesomeness. We don’t do this on a calendar-dictated schedule – such as at biannual appraisals or reviews. They are an integral part of our progression framework.
We use badges to tokenize the acquisition of skills and capabilities but they can also serve to symbolize valuable contributions to the company or team. They can also be leveraged to illustrate a clear path of progression. For example, a number of badges may be incrementally combined in a stepping stone fashion so that they illuminate possible pathways for consultants to achieve their individual career ambitions (these may or may not align with pre-existing paths). Progress along a chosen path can be illustrated by the badges that have been obtained.
There are hundreds of badges that have been created by the consultants within the professional services team; these badges are awarded to consultants by their peers. It means a lot when the people that you work with and respect take the time to recognize your achievements. To facilitate this, we use a peer feedback process.
Some badges carry really desirable rewards. These range from gift tokens to experiences (sniper shooting, acting classes, track days) as well as cool toys; the latest gadgets that produce feelings of envy in small children, geeky friends and colleagues!
- Shock Troop: awarded for acquiring the skills required to take and pass OffSec OSCP and/or CREST CRT examination.
- All Your Base: awarded for obtaining domain / enterprise admin on multiple penetration tests.
- Appsolute Boss: awarded to those who are masters of all things AppSec.
- Hunter: awarded to those who show distinct prowess in Blue/Purple Team activities. Those that have evidentially improved clients' detection and response capabilities.
- Labs Advisor: awarded to a consultant when their work is published on the esteemed F-Secure Labs site.
- Radiographer: a badge of significant honor for the most impressive of reverse engineers.
- Voight Kampff: signifies the holder possesses superior skills in relation to the Android operating system and mobile devices.
- Advanced Persistent Threat: awarded to the Red Teamer that never fails to get in and out undetected.
The above is a small sample of the available badges that our consultants covet. Each team has on average 10 badges that illustrate a progression path within a discipline or field. But consultants are free to work towards achieving any that they are enticed towards, regardless of seniority or team memberships that they’ve opted to self-identify with.
Achievements are recognized and communicated to wider audiences through the feedback system. This is where badges are also awarded to tokenize accomplishments. This can be done via a web app, or even a slack bot. The idea is to make it simple and easy to give feedback. Feedback is given and received by peers, mentor, sensei as well as managers. The system is designed to capture constructive feedback from all the sources that matter. You’ll never wonder how you are doing, how you are progressing, how you are thought of – you will know. The team will know (and your mum will be so proud – we promise, show her your ¬laptop sticker of a storm trooper or the one that says “Media Whore”).
You can choose from a number of pre-defined career paths at F-Secure. Your mentor will work with you to help you along your chosen path. Sensei will work with you to teach you the skills that you wish to acquire, so that you may take on new roles or do new and exciting things. You can take any direction you want, you can get involved in any service or field you want. You will not be restricted in any way. You will know how you are doing, because those that you work with, your colleagues, peers, sensei and mentor, will provide frequent feedback, on you. There is a whole training and education framework which has been designed from scratch to support you, educate you and bring out the best in you, where the content is maintained by those who are doing the job that you want to be doing.
As and when you pick up new skills or accomplish great things, your achievements will be tokenized and rewarded. Your awesomeness will be known to all – as you acquire many, many, many different badges that you can wear with gushing pride. The reality is that this job is not for everyone. It is sometimes intense; it will push you, challenge you and give you both technical and life skills that will change you as a person. It doesn’t really matter what you currently have; we’ll bring out the best in you if you let us. And if it is for you, there’s no better job in the world.