/ career

Spreading joy is your job

There are basically two parts to work — technical skills and "soft" skills. What matters may not be what you think.

Earlier today I had a bad experience with a dental hygienist, prompting me to reflect on "work" as a whole (and to complain but that's not why you're here).

I suppose this person did a fine job cleaning my teeth. However, everything around that — you might say "soft skills", "bedside manner" — soured the experience entirely.

Let's elaborate on my own job instead of that specific experience... I'll show you what I mean.

What do I do? My official title is something like "senior advisory consultant." Very vague. Readers know I work in cybersecurity, and might understand further that I specialize in software security. Securing web applications.

We go into a client and review an application, reporting security controls that could be better. We'll look at the code. We'll hack it live. We explain what we found, how we did it, why it's bad. We may help automate these things. That's it in a nutshell.

But still... that's not really it. Being a good consultant depends a lot on what I call "the perception of value." You need to internalize that concept, and what goes into "doing a good job" as a consultant. This is where soft skills come into play.

In fact, this is all more nuanced and important than the application security, I say. That is the technical part of the job. The work.

That's all wrapped in presentation, reporting, socialization. Those are what's seen from the outside as value is perceived.


Photo credit - Kira auf der Heide / Unsplash

Previously on here I wrote about teaching junior engineers to search. The message of this post is something I also try to instill, and is even more important.

If I ask a college hire — an assistant — to sum up what our job is at my place of business, they might look at me funny. The eventual answer may be something like "helping companies with application security" or "keeping clients from being hacked."

Okay sure. We can go more general than that, however. As consultants our job is to spread joy.

I didn't come up with that

Derek Sivers came up with this before me, as I recall, in his book Anything You Want. It gets high praise from me as a short, colorful book on entrepreneurship.

At some point in there he talks about trying to instill joy in all of his business interactions with other people. You think differently when you look through that lens.

"But, but, stopping hackers!"

If one of my clients' applications gets hacked after I've assessed it, then that's terrible. That is a nightmare scenario for me. Missing something that a bad guy finds. But still, just saying my job is to keep that specific thing from happening is wrong.

Making my clients feel safer brings them a bit of joy. Automating or otherwise completing tasks they're responsible for also yields a warm, fuzzy feeling. Giving an excellent presentation and helping them better grasp some security concept brings joy too.

Of course, they have to trust my application security work is competent. The technical stuff. And certainly I don't mean to ever compromise work quality for presentation or sales quality, in some scammy way. But I mean the soft skills wrap around the technical ones.

Hypothetical pen test walkthrough

You can do the most brilliant job while assessing an application. You pulled off some super elaborate hack, and it's a high or maybe even critical severity issue. Thank goodness you found it. The application is also written in a programming language and framework you're deeply familiar with. You are confident you found everything there is to find in this application. Fantastic job — on the technical stuff.

Except, when your handler at this client came into the lab to check on you each day, they found you couldn't hold eye contact with them. You also appeared — and smelled — less than professional. You had on ripped skinny jeans, and a wrinkled button-down shirt with some missing buttons.

From your explanations, they never got a good sense of what you'd found so far or overall how things were going. You also didn't keep in touch with the development team of your app, who is supporting you by answering questions, etc. At the end of the day, you did not send out a concise, clear, grammatically correct email about current testing status to the team and your handler.

Your readout call to go over the finished report also didn't go very smoothly. Your audio kept cutting in and out on the call. You were testy when the client mandated some minor edits to your report format.

Let's not even get into whether there are typos or other issues in the report itself. You know — the report that's the overall deliverable and work output from this assessment.

That's how all the "soft skill" wrapper stuff around the technical part of my job can ruin that. In the situation I just described, the client will almost certainly complain to your boss. "Is there anybody else besides Randy available to cover the next assessment?"

It's not as much fantasy as you think. This is a very common situation in my job, where you have extremely computer-savvy people working, but who shouldn't be consulting per se. It's a whole other can of worms.

Closing thoughts (dental hygiene)

With all that said, a dental hygienist's job is to spread joy as well. The technical part is cleaning your actual teeth. But once you've got that down, you must realize the patient's experience is influenced by you asking inappropriate questions, forcefully moving their head around, yelling at them... any number of things.

I probably don't know you personally or what your job is. But I've been known to bet, and would wager that "spreading joy" is a helpful lens to think of your own work through.

Consider that before your next professional interaction. If you've got the bandwidth, do check out Anything You Want too. It's a short read.