September 19, 2019 By Katherine Rowan 5 min read

When asked recently how my role as a graduate security architect within cloud security services was going, my response was, “Really good! Working on a new bid. Wish I could tell you who the client is, but…” — pretending to be the successful big-shot businesswoman that I’m not quite yet. Self-deprecating jokes aside, I love my role, and it makes me feel important. I’m working for a real client. I’m one of the team.

So, what does that mean? My role requires me to have a strong understanding of cybersecurity and all its competencies, and to take a technical deep dive in one specialized area. I was recently asked to assist the security team in solving a bid for a client, and I learned more than I could have ever expected to.

Graduates and Interns Are Disruptive by Nature

At the start of the bid, I had all these ideas and thoughts, but they all seemed so obvious — I had nothing new or original to say. I decided to sit tight, listen for a bit and, once I understood it all, chip in my two cents. That’s OK because I’m learning, I thought. That’s what the graduate scheme is all about.

Then, one day, my manager said, “Katie, I want you to voice your opinion. Speak up more.” I knew then that I had to start adding value.

Bid work is challenging. It involves a significant amount of research to truly understand client requirements. You need to be thorough, meticulous and hardworking. The graduate scheme is not about sitting back and learning — it’s about being essential, just like everyone else.

But here’s my biggest challenge: I want to challenge! I’m eager to suggest improvements, to say I don’t agree, to change the status quo. But I’m just a graduate, and this is my first bid. What on Earth do I know?

At my induction, I learned that graduates and interns are expected to be innovators to keep IBM at the top of its game. We are agile, outside-the-box thinkers. We’re disruptive by nature, but what if our calls for disruption aren’t well-received? How can we challenge outputs that people are paid to achieve, solutions on which clients spend millions, and projects that IBM spends months and hundreds of thousands of dollars preparing for? How can I challenge my twice-senior manager and the bid leads, sales expert and technical architects who have been working in this area for the past 25 years? How could my mere eight months’ experience and the odd university group presentation possibly stack up?

The truth is, IBM empowers all its employees at every level to make their voices heard. The challenge is to take the right approach.

Why Budding Cybersecurity Professionals Need to Speak Up

After my manager prompted me to speak up, my confidence began to grow as I forced myself, as a rule, to interject at least twice in every meeting, no matter how minor my points were. I suggested simple improvements, such as creating decks and diagrams, breaking down challenges to solve smaller problems, developing new layouts for documentation and even some project management improvements. To my surprise, actions were taken. It was a great start and a solid confidence boost, but it’s one thing to define the structure of a spreadsheet and another to come up with a multimillion-pound solution.

However, suggesting and ultimately implementing these minor adjustments helped me build trust with my colleagues, grow my understanding and prove that I was willing to question the status quo. After all, if I couldn’t pitch in on minor changes such as these, how could I be trusted with a big decision?

When it came to making more crucial decisions and facing opposing views, I was out of my comfort zone again. This tended to happen more toward the end of the bid, when time was tight and critical decisions were being made with input from senior leadership. When there was a conflict among the senior leaders regarding the presentation style and which artifacts would be most beneficial to present, I was asked to share my opinion. To what extent should I challenge? How much should I push?

In this situation, my opinion differed to what was being proposed, even after taking the time to understand the thought process. Having enhanced my level of input throughout the bid, I felt my opinion was taken seriously and therefore I could say what I truly thought.

“The reason I think we should present the artifact is because its different,” I explained. “It’s not what the client is going to expect, and it highlights just how much time and effort we put into the bid, proving to the client how seriously we have taken their challenges. I worry that if we remove it, the presentation might not be engaging enough.”

Lessons From My First Bid as a Graduate Security Architect

Looking back, I can identify two errors I made in the team room.

When I said, “I worry it might not be engaging enough,” it sounded as though I doubted the others’ ability to engage with the client through the presentation. This was a point I had made before.

Following this debate, the group ultimately decided to remove the artifact from the presentation, and I respected that decision. But it wasn’t a total loss: During the presentation, the client asked questions to which the artifact modeled the perfect answer, so my manager decided to show it. It was a great feeling of validation, and it showcased my managers’ belief in my work — and the belief I should have in my work.

Returning to my second learning point, we must be aware of when we’ve said enough. There were times when I made a point that got lost in conversation. I made the point again, and still no acknowledgment. I’ve since learned that this is where I should leave it. By that point, the team had heard my opinion; if the other team members had agreed, it would have been put into action.

It’s also a matter of observing and assessing the seniority and the reception to your previous injections. Your comments won’t always be taken positively, but look at all the others in the room and watch how they are challenged. I can guarantee it’s a lot more than you think.

Back Your Ideas, But Know When to Back Off

Take being challenged as an opportunity — it’s a chance to prove your point and a test of your commitment and confidence in your views. Being challenged is not the same as being shut down. Learn to back your ideas, but know when to back off.

So, how did my first bid go? Here are my top takeaways: Start with the small injections and build trust. Read the room. When someone challenges you, take that as a sign they’re interested to learn more and a chance to strengthen your viewpoint, but also know when to pump the brakes.

We are the disruptive generation, but we need to remember that we’re still inexperienced. We will grow with time, and this experience was one of the first, most crucial steps toward finding my professional voice in cybersecurity.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today