Skyrocket your career: Choose your right next role

by Jeevan Singh

The new year is around the corner, which means there are a lot of folks thinking about their new year goals. In the past few weeks, I have chatted with a number of folks and many of them have a goal to switch companies in 2025.

Switching companies is a big deal, and each time you switch organizations you should aim to make a giant leap forward in your career. Which way is forward? Only you can answer that question, but there are several thought experiments that you can do to guide you on your journey.

In this post, I will cover

  • How to decide on the right next company
  • What I optimized for when switching roles
  • Questions to ask during interviews
  • General thoughts about applying

How to decide on the right next company

The criteria below are what I use to help decide which is the right next organization. Coleen Coolidge shared this framework with me, and she learned it from Tido Carriero. Thank you Coleen and Tido 🙏

In your next role, you have three requirements:

  • Does my puzzle piece fit?
  • Inverted T-Shape
  • Is the role an evolutionary step forward?

Does my puzzle piece fit?

Imagine that you have applied to a role and you have finished the Hiring Manager round in the interview process. At this point, you will have a good idea of the person that they are looking for to fill that role. Does your puzzle piece fit into their puzzle?

The company that you are looking to work at should have a role that fits your skillset perfectly; it should be a strong match.

Why is this important?

  • Leveraging your strengths – a perfect fit ensures that you maximize your impact at the organization. At my current organization, I have been able to fully utilize my strengths: I built out the vision for the Product Security team, I sold the business on the way forward and I focused the team’s efforts on reducing risk.
  • Reduced imposter syndrome – having the perfect skillset match for the role will give you the confidence to deliver at your organization. This is something that I have struggled with a lot in my career; knowing the problems that I need to solve beforehand, and knowing that I have already solved them at other organizations, greatly reduces my imposter syndrome.
  • Reduced likelihood of turnover – since your piece fits, you will be satisfied with the role, and that creates a roadmap for long-term success.
  • Growth opportunities – the better the fit with your organization, the more trust the business will have in you and the more growth opportunities will be available.

Upside down T (⊥)

This particular recommendation applies more to manager and leadership roles, but it is applicable to individual contributor roles as well.

Use the symbol ⊥ to picture the parts of the organizational structure that you want to chat with before joining the organization. If you are applying for a leadership or a manager role, you want to talk to all of your peer managers and to as many people in your reporting chain as possible (your future manager, your future skip level, etc.).

You want to understand who these folks are at a deeper level, because these are individuals that you cannot fire and that you will have to work with for the next several years. You need to make sure that you will not have obvious challenges working with them. It is possible that you will spend more time with these individuals than with your own family 😅

You don’t have to worry nearly as much about chatting with your future direct reports, because if you are the manager, you will have the ability to adjust how your future direct reports work and behave.

Make sure that you chat with as many peers and managers in your reporting structure as possible.

Role is an evolutionary step up

Ensure that every role that you take is an evolutionary step up from your current role. What counts as an evolutionary step up is defined by you, and it can be defined in many different ways:

  • Responsibilities – taking on a management role vs being an individual contributor
  • Skillset growth – learning emergent technologies like building out AI capabilities
  • Team – working on a team that is world renowned, having learning opportunities to build a world class security program
  • Salary – getting a life changing amount of money

It doesn’t matter how you define the evolutionary step up; ideally it should be a massive step in the direction that you want to go. You shouldn’t be running away from your current role; rather, you should be running towards your next role.

What I optimized for when switching roles

My goals have been very different throughout my career when I thought about switching roles.

First job

I graduated in the middle of a recession (great timing), so my goal for my first job was to get a job, any job. I specialized in hardware design, and my dream job would have been to work at companies like Intel, AMD, Motorola or Sony, but they were laying people off.

I applied for many different roles and eventually, through a referral, I was able to land a job at a SaaS organization.

For my first role I optimized for anything; I didn’t care about the industry, the role, etc. I just wanted to work.

Early in Career

After my first role, I really enjoyed software development and working within the SaaS space. I started to work at companies that would help me grow my software development skillset. Both of the organizations that I worked at early in my career were small, and I had a lot of responsibilities. I learned a lot in a very short period of time, and that is a primary reason why I enjoy working in the startup space. I had the opportunity to work in a number of different roles and on a lot of different projects that required skills I didn’t have yet (maximum growth).

I optimized for skills growth: I knew that I enjoyed software development, so I joined organizations where I would be able to write code and grow.

Mid Career

At this point in my career, I had switched to security engineering and I started to focus my attention on the size and scale of companies. Unfortunately, I didn’t feel that Canadian-based organizations had as many interesting problems as SF-based companies. I started applying to SF-based companies because they have more interesting problems and a scale that I wouldn’t find elsewhere.

I optimized for problems to solve: I wanted to be challenged and I wanted to solve really difficult problems, ideally problems that hadn’t been solved before.

Later in Career

I now have over 20 years of experience, and I focus on many items when I look for new roles. I still care about growing my skills and having interesting problems to solve, but now I spend a lot more time thinking about the people that I want to work with. At this point in my career, I still need to be challenged, but I also want to be fairly compensated for the time and effort that I put in; money is important.

I now optimize for 1) skills growth, 2) problems to solve, 3) people that I want to work with and 4) total compensation. I still don’t know if I am doing it right, but I have really enjoyed my time doing it over the past several years. I have been able to work with great people that have challenged me, and it has forced me to continually think about doing AppSec differently.

Questions to ask during interviews

At this point in my career, I ask a LOT of questions during the interview process. I want to make sure that I am the right puzzle piece for the company and that I am making an evolutionary step forward in my career. Here are some questions that I will ask and the reasons that I ask these questions.

Who does the Security team report into? I have found that I do my best work when the security team reports into the Engineering organization. We are more tightly coupled, we have more shared responsibilities, and I can work with the Engineering leadership team to align on goals for the organization. When I report into other parts of the org (CFO, etc.), Security is often thought of as a cost centre for the business, and the org invests as little as it can into security.

How is the security team organized? I want to get a better understanding of how many people are on the Security team and how the team is divided. This question helps me understand a lot more about the CISO and how they think about security. I have chatted with organizations where the majority of security employees were in the GRC function even though the company was not heavily regulated. From that I assumed that the CISO cared more about folks following rules than about building guardrails. Understanding the Security team’s structure will give you a lot more insight into how leadership thinks security should be implemented.

How many people are in Engineering? I specifically ask this question to better understand where the company is likely to be in its security lifecycle. If the engineering organization is small (<100), I know that I would be helping build out the beginnings of their security roadmap. If the engineering organization is medium sized (<2000), I know that they likely have a security program, but they may be looking to scale the program.

What does the engineering to security engineering ratio look like? This question doesn’t paint the entire picture, but it is a good question to ask and dive deeper on. On average, I have seen SF-based companies have a 1:45(ish) ratio; world-class Security orgs have a much better ratio. Depending on the industry you are in, ratios can go all the way up to 1:15. Understanding the ratio will let you know how important security is to the organization. The ratio is just a baseline and just the beginning of the questions. I worked at an organization that had an Engineering team dedicated to reducing security issues, which did not count in the ratio conversation.

How does the executive team show that they care about security? There are a couple of ways to build security culture: top-down and bottom-up. A bottom-up approach is great for making security fun for engineers so that they are excited to talk about security. A top-down approach is great for ensuring that security is prioritized within the organization. If a company cares about security, there should be several good stories that the hiring manager can share about the e-team pushing security initiatives.

How do you think about security maturity? I don’t necessarily need a good answer to this question; I ask it to better understand where they are in their security lifecycle. If they have no thoughts, they are early on in the security lifecycle. If they are using a framework (BSIMM, OpenSAMM), I know that they have some maturity, but I would dive deeper to see if there has been any benefit from using frameworks to drive roadmaps, controls, etc. Some companies may not have a framework but do have philosophies around maturity; it is fun to have conversations with them.

Overall thoughts

When chatting with folks that want to move on, I typically ask questions around motivations. Why are you looking for a change? What do you hope to gain at your next company? What is your end goal, what do you hope to achieve?

Don’t choose companies, choose leaders

This may be obvious, but too many individuals don’t spend enough time researching leaders in our industry and figuring out which leaders they want to work for and which leaders they want to avoid. Way too many people focus their efforts on joining brand name companies.

Spend time on LinkedIn and find the leaders whose voice resonates with your ideals. There are great leaders in our industry, but there are even more poor leaders out there. Great leaders will build their organization to allow everyone to flourish and your career will move much faster when you work for them.

I have worked with many great leaders in my career, and they helped me flourish. I do want to call out two great security leaders, Coleen Coolidge and Eric Ellett. I worked for Coleen and Eric at Segment and Twilio, and I grew tremendously in those organizations. At Segment, I was an individual contributor and I learned that you can do the impossible if you have the support of your leadership team. At Twilio, I owned the Product Security program and I was given the autonomy to build the program in my vision. In both of these scenarios my leadership team gave me the type of support I needed to be effective in my role. Both of those roles were vastly different and the support they provided was different, but they knew exactly what I needed to flourish.

The more you invest in understanding who the great leaders are within our security community, the more dividends it will pay when you are able to work for them.

Small aside, great leaders put out great content:

  • Coleen Coolidge – I knew that I would work at Segment after I watched Coleen’s talk at BSides SF: BSidesSF 2017 – How to Build a Security Team and Program (Coleen Coolidge)
  • Eric Ellett – Talked about his amazing vulnerability management program at Segment, coincidentally also at BSides SF: BSidesSF 2022 – Embracing Risk Responsibly: Moving beyond inflexible SLAs and… (Eric Ellett)

Don’t be afraid to leave orgs quickly

One question that comes up often is about leaving an org before one or two years of tenure, and whether that raises red flags for hiring managers. Every hiring manager is different and every org is different, so results may vary.

Managers are trying to protect the team and their time. They are worried that a candidate will leave before the investment in the candidate pays off; it may take six months for a candidate to become fully productive, and they want the candidate to maximize their time at the organization in a productive state.

Life is short, and if you are not happy with your current situation, don’t be afraid to jump ship. When I review resumes, having one short stint wouldn’t raise any flags, but having several short stints would be a yellow flag, and I would dive deeper with the candidate to learn more. I have had short stints in my career, and I can empathize with a candidate if they felt that it wasn’t worth it to stay longer at an organization.

It is ok to stay at a single company for a longer period of time

I get asked the flip side as well: what is considered too long at one organization, and does it raise any red flags?

I worked at a company called Vision Critical for 11 years. I had four different roles during my tenure, and I felt that I was growing with every new opportunity there. When I felt that I couldn’t learn any more at the pace I like to grow, it was finally time for me to move on.

Typically, a long stay at a company doesn’t raise any flags, especially if you can see that the candidate has grown in their career and their responsibilities, but if the candidate has had a single title for the last eight years, I would dive deeper to understand why there wasn’t any growth.

Questions that may run through my mind:

  • Why were they not promoted?
  • Is there any other evidence that there has been growth in the role?
  • Is there a lack of drive or initiative?
  • Have they worked at other companies or is it just one company?
  • Is the candidate at a terminal level (Staff, Senior Staff, Principal, Lead, etc.)? That is not a red flag.

There are a lot of different (good) reasons why this can happen, so I would dive deeper with the candidate and understand why they had that single role.

Do your research

The most important thing that you can do is research. Dive deep and research the organization and the security leaders, understand how the organization is set up, read the employee Glassdoor reviews, read Blind, and ask friends working at the company lots of questions.

You can’t do this for all of the companies that you have applied to, but if you are targeting specific companies, or if you have been scheduled for onsite interviews, you should dive really deep and not be afraid to ask hard questions.

As a hiring manager, I love those sorts of questions; they show me that the candidate is really invested in the organization. I have worked for companies that had poor Glassdoor reviews, and I have had a lot of questions from candidates about it. I want candidates to know what they can expect from the company and why there are poor reviews. The worst thing that I can do as a hiring manager is not paint a real picture for the candidate or new employee.

Practice Interviewing

I know that I will get a lot of flak from my recruiter friends about this, but interviewing is a skill, and some skills need practice.

I recommend that before you apply to your dream job, you apply to a number of other companies. Also, whenever recruiters reach out, take that opportunity to interview. A candidate that is more articulate and relaxed will be able to get further into the interview process.

There are a lot of benefits to interviewing:

  • As mentioned, interviewing is a skill and it needs to be practiced
  • The Security Engineering interview process changes over time; it is always good to know what is happening in the industry
  • You better understand the compensation bands and whether you are being fairly compensated by your current employer
  • You get to meet a lot of new people, and hopefully you meet leaders that you want to work with

Do not burn bridges when interviewing; our community is small and people have long memories.

5 Next Role Takeaways

Here are some questions that you should be able to answer before you accept your next role:

  • What is my objective for the next role?
  • Will the leaders in this company push me to the next level?
  • Does my puzzle piece fit into their puzzle?
  • Is the role an evolutionary step forward (or am I running away from my current job)?
  • Have I done enough research to feel comfortable with my decision?

Best of luck to all of you job seekers in 2025.