The Transition From a Technical Position to a Management Role

After several years of “on call” weekends, study time for technical certifications and endless troubleshooting nights, all your effort is recognized by the company and your boss brings you the good news: a promotion to a management role! At first you are delighted with this new step in your career, since you are now part of the select group called Management. A salary rise, possibly a company car and meetings at fancy restaurants, all the stuff you only heard of and longed for will become routine for you. Isn’t that great? … Until you realize that becoming a manager has its price. That’s what we’ll talk about in this article.

The main source of inspiration for me to write this article was an interview for a technical position I attended some time ago, which ran something like this:

(Interviewer) Please tell me why adopting ISO 27001 standard is important for a company.

(Me) Adopting ISO 27001 aids the company to set its ISMS in a structured and controlled way, protecting its assets and bla bla bla…

(Interviewer) How would you audit a company against PCI-DSS?

(Me) Well, I would first plan the audit, defining its scope and bla bla bla…

(Me, thinking) So far so good…

(Interviewer) Can you describe how the SMTP protocol works if you watch the packets flowing through a protocol analyzer?

(Me) Err…. Hmmm… Give me a second…

(Me, thinking again) Damn!

Let me share a bit about my background: 14+ years of experience in the field (2 as a network admin, 3 as a pentester, 4 as a Technical Security Expert); however, for the past 5 years I acted as a Global Information Security Manager, and the most technical hands-on experience I had at work was being part of the patch management pilot group…

No other word could describe my feeling better than disappointment. The knowledge is there, I simply didn’t have it at the top of my mind. But then I realized a fact that made me happy to be a manager again: If I were asked this very same question (SMTP) a couple of years ago, the answer would flow smoothly. But I would likely fail when answering the “bigger picture” questions.

Now that the ground is set for your reading, let’s see what can be learned from the transition from a technical security position to a managerial role.

While a technical security career can be very fulfilling, it can also turn out to be a dead end depending on your career aspirations. When you are in a technical position, there is a tendency for the organization to pigeon-hole you into a particular area or specific type of technology, which might make it difficult for you later to qualify for other information security jobs if you ever get downsized by your company or opt to move on. There is also the infamous glass ceiling we reach at a certain stage of our career where no obvious direction can be taken after holding the title of “Senior Security Engineer”. The only person above you is the Security Manager, or “the guy that spends the day preparing PowerPoint presentations”. After pondering your choices, the scenario looks like this: there is very little room for advancement if you keep holding technical positions; on the other hand, as a manager it is possible for you to move up and eventually become head of your department.

[Image: Technical versus Management - glass ceiling]

One of the difficulties I faced when transitioning from a technical security career to a managerial one is that the skill sets involved are VERY different, especially if you are to become an Information Security professional (as opposed to IT Security). Let me further explain my point here: As a Security Specialist, my field of view was restricted to making the tools (Firewalls, Antivirus, Content Filtering, you name it) do their job and keep the environment up and running. After a while, I became the company’s IT Security Manager and my responsibilities became less about “what signature the antivirus was distributing” or “if anti-spoof was configured in the firewall’s interface”, and more about designing high-level architectures and influencing people to do what was needed to accomplish the goal.

Comments (16)

  1. Ramboo says:

    Very nice article Adriano, it’s everyone’s feeling during the transition. We cannot be technical lifelong, because of the new technology changes most frequently.

    Moving to management makes us lose our hard-earned technical knowledge and hands-on experience.

    I am in the confusion phase, either to move to management from technical or not.

    Also have a plan to move to management where a team works on my technical skills.

    Please suggest.

  2. Mahendra says:


    A very nice article! Very well explained and written. It helped me validate my thoughts about switching to a management profile. Thank you!

    I am sure you make an excellent manager.



  3. Mugu says:

    I am not interested in reading that much.. but your topic and the way you have connected things are really good and made me sit down and read the complete article.

    Good article 🙂

  4. Adriano, interesting post and, yes, some vocations have a definite food pyramid structure with very few fat cats at the top. One way to get into management: start your own company!

  5. Miguel Mena says:

    Good stuff. Thanks!!!

  6. Sir Thinkalot says:

    Hello Prague Knight, I’m very pleased that this thing is going very well.
    I remember how it started about a few years ago, and now a huge success, well done 🙂

  7. harvesting boy says:

    This is one of the best articles on this site – thank you for sharing with us. I check every month to watch and you never let us down; you do a fantastic service for the community. Thumbs up, keep it up.

  8. Mauricio Zuccolotto says:

    Great article!

    IMHO, an experienced manager from another field (such as Administrative) could be a good ITSEC Manager, but the one who had a techie field exp that improved the administrative/people skills during time could be a great one!
    The one who will not be fooled by techies or suppliers as well as be seen as a point of reference of knowledge.

    Congrats Adriano.

  9. […] preparation for an interview (regardless whether you are a senior professional going for your first managerial role or just starting your Infosec career), and my plan is to update it on a regular basis with further […]

  10. One thing I’ve seen stand in the way of many technical people is their belief that the technology exists for its own sake; they don’t see the business that they work for and they don’t understand the business needs that dictated the expenditures on the technology. If you don’t see the business needs for the technology then you are not going to see the business needs for the right level of security and you’ll never show the company that you are management material.

    The best management material I’ve seen are the people that understand the depth of the ISO 27000 series standard and how much more it is than just technology. Sure, probably about 60% of the material is related to the technology, but that isn’t because it is the most important, only that it is the most complicated! Look at the standard and understand how people, facilities, services, and environmental aspects fit into the total security package. Know how to handle risk management (not just risk assessment) and how to handle risk through acceptance, transference, transformation, and avoidance as well as mitigation … unfortunately the “too technical” folks only think about mitigation!

  11. shobha says:

    Thanks for the good article. I am in the transition phase now and looking forward to showcasing the required soft skills to climb the ladder.

  12. […] the original post: The Transition From a Technical Position to a Management Role — My … Share and […]

  13. Chris says:


    This was a well written article that mirrors my own experience with moving through engineering to management. I think the point that MD was trying to make is that many organizations require management to be part of the technical team as well, being a senior engineer as well as having to take on the responsibilities of dealing with Human Resources, career development / mentoring, etc.

    Good read, thanks!

  14. MD says:


    Hands-down to your point about the higher you get in the ladder the less technical your functions become (for the most part). In addition to that, someone ends up spending more hours dealing w/ more pressure and crucial responsibilities. Thus, I am getting to a phase where it makes more sense to have my own business (as you mentioned); at least whatever effort/energy you dedicate, it’ll impact your business directly rather than someone else’s.
    Keep up the good work w/ posting security articles and btw I am a big Brazil soccer fan and will definitely cheer for Brazil in 2010 WC 🙂

  15. MD says:


    Very good article which contains some useful tips (thanks for sharing). One point I would like to make is that there are a few security fields and jobs that combine both technical and managerial responsibilities (of course that also depends on the organization you work for). In my case (for example) I have been working in the IPTV/VOIP field for a few years and not only is it a great field to get into, it approaches security from both technical and managerial perspectives, which makes it always alive and full of new challenges.

    • Hey MD, thank you so much for your comment and for reading the article!
      Indeed, there are cases where you can wear both hats, but as I mentioned in the article, the higher you climb into new levels, the lower your contact with the bits and bytes. That’s kind of natural and should be enjoyed, not avoided.

      As for the job you currently hold, that’s the best of two worlds. Hopefully someday I’ll open my own company and give myself 50% time in either side! 🙂