
Security Career Problem 7: Perspective Stuck in a Box

Apr 25, 2010
Careers | IT Leadership

Try this experiment: Go to and begin a job search with “security professional” in the skills/keywords box. If you search nationwide and leave the job title blank, you will see thousands of available jobs. Click on a job title that intrigues you (regardless of the work location) and read the job description. You’ll probably see headings that include a list of responsibilities, skills required, experience necessary, education and/or certifications needed, and perhaps additional information, such as percentage of travel.

Appealing? Tempted to click on that “Apply Here” button? Or maybe you don’t qualify. You need a degree, certification or more experience to even have a remote chance at that exciting role. Just for a moment, ponder the question: what if that were my job?

We’ve come to the final topic in this series addressing why security professionals fail. But problem seven isn’t about job searches or dreaming about living somewhere else on the planet. If you are at all like me, you have invested a tremendous amount of time and energy getting to your current position. It’s a difficult task to gain the skills and experience required for any professional role. 

When you started your current job, you were likely given a position description (PD) along with several objectives, metrics and/or stretch goals to achieve. Think of these duties as your “inside the box” PD activities or what is expected of you to succeed at the office.

Here are some basic elements that apply to most professional security positions:

1)      For the first six to eighteen months, it takes most of your energy, dedication and plenty of training to master your basic duties. You must demonstrate essential competencies to your management to be successful “inside the box.”

2)      Others, including customers, office co-workers, your boss and even student assistants, are watching to see if you will “make the cut.”

3)      If you succeed, you will no longer be treated as a rookie and may be given more challenging work.

At this point you reach the next step in your career. Perhaps you move up one, two or even three levels at your company or move to another company that pays better. You follow the given career track to become a respected security pro. But eventually you reach a dead end. You hit that seemingly inevitable barrier that most professionals reach at some point and only a few “special people” seem to move beyond.

If this introduction describes your situation, you probably feel stuck in your career. Being the best at what you do (inside your box) can even become a liability if everyone else in your business thinks of you only in those terms. Perhaps you’re a top forensics person or the best at administering some security appliance or firewall configuration. But if management can’t picture you making the leap to the next level with more responsibility as a supervisor or team lead, you become trapped. You could be struggling with:

Problem 7 for Security Professionals: Too Much “Inside the Box” Thinking

There are many reasons to focus on our basic job duties. As I mentioned earlier, that’s all you should be doing in the first six months or more of a new job. But over time you need to be thinking broader.

We all need to learn the power of the Pareto principle – which states that 80% of the effect of our work comes from 20% of the causes. In John C. Maxwell’s book, entitled Leadership 101, he describes the power of the Pareto principle at work. Here are a few examples:

–          20 percent of your time produces 80 percent of your results.

–          20 percent of the people take up 80 percent of your time.

–          20 percent of your work gives 80 percent of your job satisfaction.

–          20 percent of the people will make 80 percent of the decisions.

–          20 percent of the presentation produces 80 percent of the impact.

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many have given up trying to improve at work. They have decided that they will continue “going through the motions” for the next decade or more until they retire. They can do their job fairly well, but they either can’t or won’t put forth the effort to move to the next level as a security leader. They have occasional good days, but their job has long ago lost any real sense of purpose or excitement. They come to work just for the paycheck.

Skeptics might respond by asking: what’s wrong with a good day’s work for a decent salary? Not everyone wants to go the extra mile or move up (or branch out). No doubt, some staff want to do “just enough.”

But “inside the box thinking” will limit your personal and organizational effectiveness – whatever your role. Mediocrity (or worse) can spread and undermine the entire security team and business. When new paradigms or industry changes occur, you will be left behind as others forge ahead.

So how can we avoid this career dead end? What is “outside the box” thinking in a security context? Most important, how can all of us gain a wider perspective to help our careers and our business clients?

Solution 7: Be a Leader by Moving Beyond Your Position Description

Here are ten pragmatic strategies to help:

1)      First and foremost, understand that “the box” placed around your position is a good thing which must be respected. Always complete your stated duties and objectives and be sure to meet or exceed these basic expectations. This is your first priority. [Note: Staff not completing their basic tasks are often seen as lazy and not respected.]

2)      Volunteer for key committees or important ad hoc teams. This may be a “Tiger Team” for some essential executive sponsored project. On the other hand, you may just become the organizer for the office Christmas party. Strive to lead, deliver and exceed expectations in these roles.

3)      Generate good ideas. Look for organizational needs that aren’t being met. Think ahead to upcoming challenges and technologies. Discuss these problems and potential low cost solutions with your management. Don’t be a complainer, but ask to be put in charge of implementing the fix.

4)      If you are thinking, “I tried that (#3) once, but no one listened,” try again. Repackage your ideas with a different approach. Perhaps it was the wrong time for your solution.

5)      Find out how you can help make your boss’s boss become successful. What are his/her priorities? Discuss opportunities to work those projects with your supervisor.

6)      Think beyond your own organization. What industry-wide opportunities can help? Can your government or company partner with others to provide a better service at a lower cost? Talk to others that you respect if you are unsure about an idea.

7)      What external industry groups will add value? Get involved or even lead these groups. Build cross-boundary partnerships. Think medium or long-term about possibilities, but stay pragmatic and look for tangible results.

8)      What security skills or functions will be needed in the future in your office? What is lacking now? Obtain those skills or offer to provide training and mentor others if you already have those skills.

9)      Be known as the “go to” person in the office for specific answers. Start a blog or wiki. Don’t hoard knowledge, but freely give it away. This will build trust and respect all around.

10)  Start a brown-bag lunch series to share knowledge if work time for new ideas and approaches is limited.

When I discuss these approaches with others, I am often asked for practical examples that I can share from my career. So here are three examples to illustrate “outside the box thinking,” taken from my years as Michigan’s CISO.

In each case I took a calculated risk at work which, by the grace of God, turned out to provide many more benefits than I initially expected. None of these duties were initially listed in my job description. However, these activities became vital to our security team’s success. It is also true that I was blessed to work for CIOs who saw the potential benefits and supported my ideas. 

Emergency Management (EM) Coordinator – I became Michigan’s first state-wide CISO in May 2002. I was also the Director over enterprise security within the newly created Michigan Department of Information Technology (MDIT). After seeing the need for a department emergency management coordinator, I volunteered for this role and became the technology department’s liaison with Michigan State Police for all state declared emergency situations.

During the Blackout of 2003, I led coordination for our department’s response to this major incident. Our department’s successful planning improved our reputation and led to numerous new relationships and activities. We also improved emergency cyber response procedures and participated in the DHS Cyber Storm I and II exercises. We obtained millions of dollars in Homeland Security grants for cyber security. Later, we built lasting technology and process improvements into other emergency situations such as pandemic response.

Michigan InfraGard Executive Board Member – In 2004, I was invited to join Michigan InfraGard. Initially, I was “too busy” and reluctant to get involved. However, after attending a meeting, I saw potential benefits. Calls came from Washington DC for more public/private partnerships on Homeland Security matters. Over time, I came to see that this group could help Michigan companies and overall emergency response in important ways, including critical infrastructure protection (CIP) measures. Most critical infrastructure elements are owned and operated by the private sector.

I joined the group, and over a six year span I became Vice President, President, and Chairman of the Board for Michigan InfraGard. We helped organize a Great Lakes CIP conference which was the first of its kind in the nation with representatives from the auto makers, chemical sector, energy sector, and many other businesses in Michigan. Michigan InfraGard now sponsors many cyber and other events which directly correlate with the Michigan CISO’s wider role.

These relationships between state and local government and the private sector have become vital to our success in achieving daily cyber-response functions. Through InfraGard, I became personal friends with many FBI experts, and Michigan has developed detailed procedures on cyber incidents with the criminal justice community. In one case, information provided by our security team led to an arrest in Europe in a cyber case.

Our InfraGard relationships now help before, during and after incidents occur. Trent Carpenter, our current CISO, has continued as a Michigan InfraGard Executive Board member and is also our department’s EM coordinator.

NASCIO Coordinator to Department of Homeland Security (DHS) IT Government Coordinating Council (IT-GCC)

The National Association of State CIOs (NASCIO) coordinates technology actions amongst the 50 states and with many parts of the federal government. NASCIO has several sub-committees, such as one on security and privacy. As CISO, I participated in a variety of committees, and I volunteered to represent NASCIO to the US Department of Homeland Security (DHS) when they established the first Information Technology Government Coordinating Council (IT-GCC). Not only was I able to comment on the draft National Infrastructure Protection Plan (NIPP), I also helped to write and coordinate implementation of the NIPP’s IT Sector-Specific Plan on behalf of NASCIO.

There are tremendous benefits provided by building national-level relationships as a CISO, CTO, CIO or other technology or security leader (at any level). This time invested enabled new processes, new programs, improved cyber defenses and more. Our organization’s involvement was a WIN/WIN/WIN for my personal career as well as for Michigan, NASCIO and the federal government agencies involved.

In conclusion, each of us has opportunities to think “outside the box” every day at home and work. One of my favorite John C. Maxwell quotes is this: “To reach the highest level of effectiveness, you have to raise the lid of leadership ability.”

And to lead, we need to think differently. Wherever you are today, I challenge you to move beyond the box placed around your role.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.