The stories are out there: the smart co-workers who get in their own way instead of getting ahead.CISOs know them, too. One remembers a brilliant employee who liked to remind others how smart she was and how she deserved way more money than she was making. Another recalls a talented staffer who did exactly what was required, but nothing more. Neither made it very far, as their bosses finally had enough of their drag on morale and decided to let them go.Those are just two of the many ways to kill your career, say CISOs, career coaches and executive consultants. Some actions, such as illegally accessing computer systems, are obviously fireable offenses, while numerous others will simply halt any upward mobility.Skipping over the outright unethical and illegal behaviors (which professionals should already know not to do), here are 12 common traits that security leaders say will keep you from advancing your cybersecurity career \u2013 and how you can avoid such a fate:Believing security is the end goal\u201cThe biggest problem I\u2019ve seen is security people who think security is the be-all and end-all. They go in with that attitude, and they don\u2019t see how they have to enable the business,\u201d says James Carder, CSO of the security tech company LogRhythm. He says they instead need to collaborate with their business-unit colleagues to understand their objectives and then be an enabler, not a hinderance.Others agree. \u201cSecurity is a profession that has plenty of standards and regulations and frameworks, but too many times we try to implement them in a blind way, from the perspective of the standards instead of trying to implement them in the context of the business,\u201d adds Russ Kirby, CISO of software company ForgeRock.Getting stuckSimilarly, Kirby has seen security pros become so focused on their own objectives that they alienate other departments that may otherwise want to work together to find a solution. He points to one scenario, where security staffers wanted to change an application\u2019s minimum password length from 8 characters to upwards of 20. The IT application team pushed back, explaining that they could go to 12 characters but anything more would take significant time and money to change. The security folks dug in, refusing to back down from their demand and generating bad karma and a reputation for being unreasonable in the process.\u201cIf the security people had had a better relationship or were better at listening, they could have understood the problem, come to a middle ground and understood the roadmap for the app would have allowed for passwords to be any length within a year,\u201d Kirby says. \u201cBut the immovable, draconian attitude they took meant that [the security workers] were to be avoided, and they missed out on opportunities that otherwise would have been presented to them in their roles.\u201dActing like the smartest one in the roomThere\u2019s no question that the security fields attracts many brilliant minds. But no one should believe they\u2019re the only ones who are smart\u2014 and they certainly shouldn\u2019t act that way. Yet Lis\u00eb Stewart, principal-in-charge of the Center for Individual and Organizational Performance at the professional services firm EisnerAmper, says it\u2019s a common problem. She coached one young employee who executives believed had potential but whose arrogance held him back. \u201cHe\u2019d do a big heavy sigh when people didn\u2019t understand what he was talking about. He was very quick to criticize, and he always had a negative word to say about others, so even though his technical skills were good, he came across as someone who couldn\u2019t be trusted,\u201d Stewart says, adding that people requested to work with others who \u201cdidn\u2019t make them feel stupid.\u201dStewart notes that smarts\u2014even true brilliance\u2014only gets you so far. \u201cMany people believe it\u2019s their technical skills that will take them places. That\u2019s simply not true. That only happens in a few cases. Steve Jobs might have gotten away with it, but he was the exception.\u201dBeing too timidOn the other hand, Katie Cassarly, associate director of career services at Carnegie Mellon University\u2019s Heinz College, says she sees some security workers\u2014particularly new ones\u2014lack the confidence they need to move up the ranks. \u201cThey think that they\u2019re not good enough, that they\u2019re not talented enough,\u201d she says, adding that workers in this class might not volunteer for high-profile projects or apply for promotions as a result of their self-doubt.\u201cThey might not know how to speak up or disagree with a boss or colleague, even though they could shed light that could solve a problem or mitigate risk,\u201d she says. Time and experience can help them gain confidence, but some might do better by seeking out a mentor or coach who can guide and encourage.Losing your coolMost work environments these days come with a lot of pressure, with security teams often under the added stress that comes from being a constant target of cybersecurity threats. Everyone feels it, Stewart says. But no one\u2019s helped by the colleague who goes off the deep end from frustration. \u201cSomeone who yells and screams and exacerbates the problem by doing so tends to damage their own reputation and their own career,\u201d she says, adding that co-workers will recognize it for the emotional immaturity it is.Moreover, she says, colleagues will want to avoid team members with such alienating behavior, leaving them out of the loop on key projects that could help them get ahead. \u201cYou really need to have the ability to control your emotions,\u201d she adds. \u201cA higher level of emotion is absolutely acceptable when you\u2019re celebrating, but it\u2019s unacceptable when you\u2019re dealing with problems.\u201dTalking techJames Stanger, chief technology evangelist at CompTIA, a training and certification trade association, remembers spilling into technical talk during one of his first presentations to a board of directors and then seeing their eyes glaze over. It\u2019s a typical rookie mistake, and one he quickly recovered from by switching back to more relatable business language. Many, however, don\u2019t know or try to make that switch from tech talk to business speak, Stanger says, which keeps them out of board rooms, the C-suite, and even management.\u201cPeople will ignore what you say when you\u2019re only speaking technical. Your career doesn\u2019t advance and then you have to deal with the downstream issues that you\u2019re causing because no one is listening to you,\u201d Stanger says.Sticking to yourselfProfessionals in every discipline advance in part by helping others do their jobs, becoming trusted partners to their colleagues, and building relationships throughout their organizations. Some people find networking easy, while some roles require the kind of collaborating that helps forge those workplace bonds. However, the security function at many organizations doesn\u2019t frequently fall into either of those categories even though building relationships is no less important for both successful security programs and individual career advancement, says Kimberly Roush, founder of All-Star Executive Coaching.As a result, security workers must create more of their own opportunities. She suggests you let colleagues know you\u2019re interested in connecting: Reach out and ask questions, acknowledge others\u2019 successes, set up meetings to learn from others. \u201cYou should absolutely be doing those things if you want to have influence beyond your own [department],\u201d Roush says.Failing to build other skillsSecurity pros value their technical skills and certifications, and rightly so, but they need to understand how those fit into their organization\u2019s overall tech stack, its objectives, its understanding of security threats, and its tolerance for risk. Moreover, security professionals need to lean on that understanding as they progress up the ranks in order to succeed at that higher level. However, many fail to develop that broader portfolio of business, management, and leadership skills.\u201cSecurity professionals too often fall into the trap of focusing too much on technical skills and not enough on soft skills such as writing and presenting. Cybersecurity is about communicating solutions to problems, communicating threats and risks, and mitigations to those threats and risks. What good are technical feats if you cannot communicate their results or value to the right stakeholders whether they are clients or leadership?\u201d says Will Mendez, managing director of operations at the consulting firm CyZen.Staying stillCarder sometimes comes across security workers who have been in the same position for lengthy stretches. Tenure isn\u2019t necessarily bad, but Carder says it does raise questions on whether they\u2019ve hit a ceiling. \u201cI look at their career growth, and I know if they\u2019ve stayed at a certain level for a long time, there may be a reason. It\u2019s a red flag,\u201d he says. Carder says he looks to promote workers who take on new assignments, learn new skills and broaden their knowledge. \u201cI look for security professionals who see that there\u2019s room to grow,\u201d he adds.Staying in securityJenai Marinkovic, a virtual CTO and CISO with Tiro Security and cybersecurity expert with the ISACA, a professional association focused on IT governance, once got a blunt message from a mentor: She told her she couldn\u2019t understand the business perspective so she couldn\u2019t effectively communicate and collaborate with the business-side teams. The mentor suggested that Marinkovic get some experience outside of security to help her expand her horizons. So Marinkovic took a series of CTO jobs with startups, where she learned to be a more effective business leader; she ultimately spent three years in roles outside of security. \u201cI wouldn\u2019t be where I am today had I not done it,\u201d she says.Mistaking vulnerabilities for risksMany security professionals consider their team\u2019s priorities and objectives in terms of cybersecurity threats, identifying vulnerabilities that must be addressed instead of viewing them with a more nuanced, business-driven lens focused on risk, says Lisa Core, senior director, security, for enablement and compliance at the software company Zendesk. She speaks from experience, having once faulted business-side colleagues who were approving changes via emails instead of through a preferred ticketing solution. She was set straight by her boss, who reminded her that the real risk was not getting approval versus the process through which it happens.\u201cA lot of security professionals tend to be very black and white: Here\u2019s the vulnerability, here\u2019s how someone can exploit this, here\u2019s why we need to fix it now. They\u2019re not able to see past the back and white. They can\u2019t see whether the vulnerability is also a risk. So they need to think about vulnerabilities more broadly. They need to learn to live with risk, to understand that it\u2019s not all or nothing,\u201d Core adds.Being tactical, but not strategicMarinkovic says most security people she knows are more likely to be tactical thinkers, working through linear plans to address issues and needs. \u201cWe put together tactical plans that we call strategic plans,\u201d she says, explaining that that approach can fail both the long-term needs of the organization as well as stymie professional career growth. CEOs and boards want security leaders who can work with them to devise a future vision as well as understand how security enables that vision, where it can actually help shape it, and where it could even become a differentiator. Security professionals who can think along those lines instead of presenting a 12-month schedule of security plans are the ones who get promoted.