September 19, 2019 By Katherine Rowan 5 min read

When asked recently how my role as a graduate security architect within cloud security services was going, my response was, “Really good! Working on a new bid. Wish I could tell you who the client is, but…” — pretending to be the successful big-shot businesswoman that I’m not quite yet. Self-deprecating jokes aside, I love my role, and it makes me feel important. I’m working for a real client. I’m one of the team.

So, what does that mean? My role requires me to have a strong understanding of cybersecurity and all its competencies, and to take a technical deep dive in one specialized area. I was recently asked to assist the security team in solving a bid for a client, and I learned more than I could have ever expected to.

Graduates and Interns Are Disruptive by Nature

At the start of the bid, I had all these ideas and thoughts, but they all seemed so obvious — I had nothing new or original to say. I decided to sit tight, listen for a bit and, once I understood it all, chip in my two cents. That’s OK because I’m learning, I thought. That’s what the graduate scheme is all about.

Then, one day, my manager said, “Katie, I want you to voice your opinion. Speak up more.” I knew then that I had to start adding value.

Bid work is challenging. It involves a significant amount of research to truly understand client requirements. You need to be thorough, meticulous and hardworking. The graduate scheme is not about sitting back and learning — it’s about being essential, just like everyone else.

But here’s my biggest challenge: I want to challenge! I’m eager to suggest improvements, to say I don’t agree, to change the status quo. But I’m just a graduate, and this is my first bid. What on Earth do I know?

At my induction, I learned that graduates and interns are expected to be innovators to keep IBM at the top of its game. We are agile, outside-the-box thinkers. We’re disruptive by nature, but what if our calls for disruption aren’t well-received? How can we challenge outputs that people are paid to achieve, solutions on which clients spend millions, and projects that IBM spends months and hundreds of thousands of dollars preparing for? How can I challenge my twice-senior manager and the bid leads, sales expert and technical architects who have been working in this area for the past 25 years? How could my mere eight months’ experience and the odd university group presentation possibly stack up?

The truth is, IBM empowers all its employees at every level to make their voices heard. The challenge is to take the right approach.

Why Budding Cybersecurity Professionals Need to Speak Up

After my manager prompted me to speak up, my confidence began to grow as I forced myself, as a rule, to interject at least twice in every meeting, no matter how minor my points were. I suggested simple improvements, such as creating decks and diagrams, breaking down challenges to solve smaller problems, developing new layouts for documentation and even some project management improvements. To my surprise, actions were taken. It was a great start and a solid confidence boost, but it’s one thing to define the structure of a spreadsheet and another to come up with a multimillion-pound solution.

However, suggesting and ultimately implementing these minor adjustments helped me build trust with my colleagues, grow my understanding and prove that I was willing to question the status quo. After all, if I couldn’t pitch in on minor changes such as these, how could I be trusted with a big decision?

When it came to making more crucial decisions and facing opposing views, I was out of my comfort zone again. This tended to happen more toward the end of the bid, when time was tight and critical decisions were being made with input from senior leadership. When there was a conflict among the senior leaders regarding the presentation style and which artifacts would be most beneficial to present, I was asked to share my opinion. To what extent should I challenge? How much should I push?

In this situation, my opinion differed to what was being proposed, even after taking the time to understand the thought process. Having enhanced my level of input throughout the bid, I felt my opinion was taken seriously and therefore I could say what I truly thought.

“The reason I think we should present the artifact is because its different,” I explained. “It’s not what the client is going to expect, and it highlights just how much time and effort we put into the bid, proving to the client how seriously we have taken their challenges. I worry that if we remove it, the presentation might not be engaging enough.”

Lessons From My First Bid as a Graduate Security Architect

Looking back, I can identify two errors I made in the team room.

When I said, “I worry it might not be engaging enough,” it sounded as though I doubted the others’ ability to engage with the client through the presentation. This was a point I had made before.

Following this debate, the group ultimately decided to remove the artifact from the presentation, and I respected that decision. But it wasn’t a total loss: During the presentation, the client asked questions to which the artifact modeled the perfect answer, so my manager decided to show it. It was a great feeling of validation, and it showcased my managers’ belief in my work — and the belief I should have in my work.

Returning to my second learning point, we must be aware of when we’ve said enough. There were times when I made a point that got lost in conversation. I made the point again, and still no acknowledgment. I’ve since learned that this is where I should leave it. By that point, the team had heard my opinion; if the other team members had agreed, it would have been put into action.

It’s also a matter of observing and assessing the seniority and the reception to your previous injections. Your comments won’t always be taken positively, but look at all the others in the room and watch how they are challenged. I can guarantee it’s a lot more than you think.

Back Your Ideas, But Know When to Back Off

Take being challenged as an opportunity — it’s a chance to prove your point and a test of your commitment and confidence in your views. Being challenged is not the same as being shut down. Learn to back your ideas, but know when to back off.

So, how did my first bid go? Here are my top takeaways: Start with the small injections and build trust. Read the room. When someone challenges you, take that as a sign they’re interested to learn more and a chance to strengthen your viewpoint, but also know when to pump the brakes.

We are the disruptive generation, but we need to remember that we’re still inexperienced. We will grow with time, and this experience was one of the first, most crucial steps toward finding my professional voice in cybersecurity.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today