Three things you need to get promoted in cybersecurity

You worked hard, you got all the certs, you know your stuff. Surely, you will be the next in line for promotion in your cybersecurity job, right?

To a point, that is true. Technical credibility matters and nobody is going to promote someone who doesn’t know what they are doing (in theory… 😉 ).

But sometimes that is not enough. I see many competent people stay in the same place, where it is convenient (to others!) that they stay. Basically, you become so good at your job that it’s best for everyone that you keep doing that and only that.

So what is actually going on?

Before we get into that I want to reflect on the meaning of “getting promoted” in cyber.

In many organisations the only visible path upward is into management. Team lead, head of, director. And so people pursue it, not necessarily because they want to lead people but because it seems like the only way to be recognised, to earn more or to feel like they are moving forward.

The problem is that managing people is a completely different job. It takes you away from the technical and operational work that many cyber professionals genuinely love. And not everyone wants that trade-off, or should have to make it.

So before thinking about how to get promoted it is worth sitting with a few questions:

  • When you imagine your ideal working day five years from now, what does that look like?
  • Do you get energy from developing others or from developing your own expertise?
  • Is the promotion you are chasing something you actually want or something you want to want because it feels like the logical next step?
  • And if management isn’t the right fit, what else could progression look like for you? (More scope, more autonomy, more specialist recognition, a seat at the table without the people management responsibility…)

There is no wrong answer. But knowing your answer changes everything about how you approach your next move.

With that said, for those who do want to move up whether into leadership or into a more senior individual contributor role, here is what I consistently see making the difference.

The jump from being a strong individual contributor to someone who gets promoted is not a technical jump. It is a perception jump.

It is the difference between being the person who solves the problem and being the person others turn to before the problem even arrives. That second person is what most organisations call a trusted advisor and trusted advisors get promoted.

A trusted advisor is not just competent but fully aware of the bigger picture and its complexity. They are someone whose judgement people rely on, someone who makes others feel more confident and less alone with their decisions because they empower others to make them. Someone who communicates in a way that lands equally well with a CIO and a developer.

Becoming a trusted advisor has some elements of being political to it, but at its essence it is about being useful at a different level.

Another helpful factor for your promotion is visibility.

If the right people don’t know what you are contributing you are essentially invisible, and invisible people don’t get promoted regardless of how good they are. This doesn’t mean shouting about yourself or turning every team meeting into a personal monologue on your greatness. It means being strategic about where you show up and what you say when you do. Writing things down so your thinking is on record. Not shying away from those conversations that are above your pay grade, offering your view and experience.

Relationships are the third helpful factor.

Building genuine professional relationships with people across the business (the legal team, finance, the board if you can get there…) will help people experience you as someone they can approach and trust, and it will pay dividends once that promotion is a done deal.

In cybersecurity we spend a lot of time communicating risk, and the people who get promoted are usually the ones who have figured out how to do that in a way that builds confidence rather than anxiety. That is a relationship skill, not a technical one.

One more thing and it is probably the most uncomfortable one:

If you don’t ask, you don’t get.

You have to make it known that you want to progress. So many people I work with assume their manager can see their ambition, or feel that asking is pushy or somehow wrong. In reality most managers are busy and they are not mind readers. If you have not had an explicit conversation about where you want to go and what you are doing to get there, that conversation is overdue.

It doesn’t have to be awkward. Something as simple as “I’d like to talk about what progression looks like from here and what you would need to see from me” opens more doors than another certification ever will.


Technical and operational skills got you where you are today and they will keep you credible. But being trusted, being visible and being genuinely useful beyond your job description is what actually moves you to the next level.

(Also, once you get there you will find that nobody teaches you how to be a leader, but that’s a story for another day 😀 )
