Sunday, March 4, 2018

Life After Law Enforcement: Life In The Fast Lane

The first part of our Life After Law Enforcement series talked about the decision to leave. In this installment, I’ll compare and contrast life in the consulting world versus the corporate world. Before I do that, however, it’s important to discuss a couple concepts that drive the differences between life in the public sector and the private sector.

One of the biggest differences is there is virtually no unionization in the private digital forensics world. At least here in the United States, most law enforcement jobs are going to be unionized civil service positions.  This means that the relationship between the government entity and the employee is doing to be defined by a collective bargaining agreement. Even if an officer isn’t covered under a collective bargaining agreement, they’re almost certainly going to be under some sort of civil service type protection.

This means that there is much more job security compared to the private world in that you can be thoroughly mediocre, but unless you are really screwing up in a well-documented way, you get to keep your job. It also means that your compensation is largely just a function of how long you’ve managed to stick around rather than how much value you add to the organization.

Not so much in the private sector, where your job security and compensation will be primarily a function of the value that you provide your employer rather than how long you’ve managed to go without egregiously screwing up.  You’ll certainly see your fair share of mediocre people in the private sector, but they tend to have stagnant career paths and they’re the first people out the door when a re-organization comes or revenues are down. Since collective bargaining and civil service generally aren’t in play in the private digital forensics world, your relationship with your employer is going to be individual rather than collective and revolves around the value you provide. 

This is very good news for people who are motivated and want to excel. One of the reasons I left law enforcement early in my career is that I recognized that no matter how good I was at my job, my career path and compensation would largely be a function of time rather than talent.  This is very bad news for someone who just wants to do the minimum and punch a clock.

Another important difference is that many private sector digital forensics jobs will put you in the position where you are a necessary evil to the organization rather than someone driving the primary mission of the organization.  Law enforcement agencies are put upon this earth to put bad people behind bars.  Whether it’s a police officer in patrol car arresting baddies or a digital forensics detective putting some evil wretch in prison until shortly after mammals are extinct because of something they did to some child, police officers are primary people advancing the goal of that agency. 

In the private sector, unless you are in a consulting type position, digital forensics people are a necessary evil to an organization and are the dreaded indirect spend. Direct spend is spending that is aligned with delivering a product or service to a customer. Indirect spend is everything else.  Spending money to create and staff a manufacturing line to build cars that are then sold to customers is direct spend. Spending money on information security people to keep that manufacturing line from getting hacked and stopped is indirect spend.  Indirect spend is important to an organization, but it’s a big fat juicy target for cutting costs and increasing profits. The closer you are to impacting the profit and loss of an organization, the more important you are. The more important you are to an organization, the more you will be paid, the better your promotion chances, and the better your job security.

There are some similarities in that large bureaucracies whether they are public or private tend to follow the late Jerry Pournelle’s Iron Law of Bureaucracy more often than anyone would like to admit. I’ll just quote directly from the Jerry Pournelle website when it comes to explaining this:  

Pournelle's Iron Law of Bureaucracy states that in any bureaucratic organization there will be two kinds of people":

 First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.

Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.

The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization.

The good news is that this isn’t as universal as the name Iron Law would imply.  I’ve worked for organizations where the first group of people ran the show and the health, effectiveness, and morale of the organization reflected that. The organization I work for right now is one where the Iron Law doesn’t even remotely apply, but I’ve gotten to know the Iron Law of Bureaucracy all too well during various periods of my career.

Let’s add another common element in private sector life into all of this and that’s organizational change.  I’ve long since lost track of how many reorganizations I’ve lived through in the private sector, but it’s a constant part of life in large private organizations.  About the time you get comfortable with an organizational structure, someone will come along and blow it up.  Change is such a constant in the private sector that top business schools like can demand wheelbarrows of cash offering training in organizational change management.

One of the primary drivers of organizational change are changing business conditions.  Markets are dynamic so organizations have to adjust their products, services, and how they operate to adjust to changing market conditions.  As organizations change, the security portion of the organizations have to change to continue to securely enable business operations.  Security leaders who can’t manage change and keep up with the business leaders don’t last very long.  And when they get whacked you can expect another reorganization.

This brings up another potential driver of organizational change and that’s the Ides of March.  Politics are part of any organization whether they are public or private, but in the private sector, the stakes can be very high because of the amount of money involved especially if an organization is highly profitable.  There is quite a bit of careerism in the private world.  I define a careerist as someone who puts their own career goals ahead of the needs of the organization or their people. They’re an odious fact of life in the private sector.  They exist in the public sector, but union rules and civil service protections blunt the impact that they can have on individuals in an organization.

Executive political life can be pretty…staby in the private sector, but the rewards can be great especially when you factor in that successful security executives in large organizations can make over a million dollars a year in compensation. In many cases, you will have reorganizations that have no real functional purpose, but have everything to do with palace intrigue and who got knifed on some senate steps.

So why am I telling you this? Because with change comes both peril and opportunity. If you play your cards right in knowing how to obtain and retain power in organizations, there could be new opportunities during a reorganization to advance your career as new teams are created, new positions are created, or even more money floating around for things like training or tuition assistance.  In security organizations, one of the best times for funding can be after a major breach when the senior executives (and they may be the new ones that just replaced the now fired ones) are scared straight and start throwing immense amounts of money at the security organization.

Power in organizations translates not only to career progression and increased rewards, but also to survival. While you certainly can gain power by moving up the organizational ladder and increasing your influence and responsibilities, you can also gain power by the value you add to an organization through your individual abilities.  Some of the most powerful people in a security organization are the individual contributors who have skills that are mission critical and hard to replace. 

The more value you add to an organization, the more power you have to influence things around you, the greater your rewards, and the less you have to worry about job security. The less valuable you are to an organization, the less power that you have which harms your ability to change things around you, your compensation, and your job security.  The less value you add to an organization, the greater your risk during one of the inevitable reorganizations or if your organization hits hard economic times.  It’s not the highly skilled individual contributors who are going to be marked for termination when costs have to be cut in an organization or the inevitable next reorganization comes along.

Let’s talk about two broad categories of private sector jobs.  The first I’ll talk about is the consulting world and then I’ll address corporate life.  I’m not going to directly talk about non-profit type organizations like where I work now because depending on how they are structured they can essentially act as a government organization or they can feel more like consulting or corporate. It depends on how their mission, funding, and management.

Let’s start with consulting.  Consulting can be an immensely rewarding experience that can greatly increases your knowledge, job satisfaction, and value or be a joyless dystopian hellscape where the living envy the dead not.  I’ve seen a couple golden eras of consulting during my time in the industry.  The first was the eDiscovery golden age that started roughly near the year 2000 and ended, the best I can tell, about the time of the financial crisis.  During this time, eDiscovery consulting organizations where shaking down corporations and law firms for confiscatory prices for providing eDiscovery services.  There were countless eDiscovery consulting firms spread across the land and they were desperate for consultants who they could put into the field and their labs so that they could crank out as many billable hours as they could get away with.  Life as a consultant during this time involved burning an immense number of hours traveling and collecting mountains of data.  The data was then brought back to some lab somewhere and either the same consultants or different consultants then processed and hosted the data for attorney review.   Since the primary billing model was consultant hours, consultants were basically just another commodity to be used up.  I saw a lot of burn out during this era and more than a few very unhappy police officers enter this space thinking they were going to be doing interesting digital forensics analytical work and catching bad guys when all they were doing was just endless grunt work slinging data around from one place to another.  If you were an eDisco manager during this era, your life was constant pressure to make sales goals, making sure your faceless commodities consultants were being fully utilized for billing purposes, and plenty of stuff that had nothing to do with chasing bad guys and solving digital forensics mysteries.

The golden age of eDiscovery went bust because the industry overplayed its hand and their customers starting to bring those services inside of their organizations. The result was quite a few of these consulting firms going out of business or being purchased by larger consulting firms that were better diversified and positioned to survive the bust. I also think the legal system generally just responded negatively to the high costs and how things were being done. Cost containment started to be a big deal in the legal world since even in an adversarial legal system everyone could see that the consultants were saddling up their customers and taking them for a very expensive ride. 

Another thing that really hurt the eDiscovery industry was the rise of the golden age of cyber security consulting that continues to this day.  The eDisco consulting industry faced increasing pressure from the cyber security consulting world for talent and customer money.  This golden area of cyber security consulting has been partially a response to the near impossibility of defending networks from persistent skilled attackers.  There have been legions of high-profile breaches and the rise of public disclosure laws has meant that many of these incidents end up in headlines that result in great financial loss, embarrassment, and senior executive careers coming to an end.  This has provided powerful incentive for organizations to greatly increase their cyber security capabilities which lead to an immense amount of money being thrown at cyber security consulting firms.

This golden age is meat on the table of enterprising and skilled law enforcement officers who are looking for their second career.  There are countless consulting firms who are looking for talented people to come help them serve their customers both by offering proactive services such as penetration testing and threat intelligence and reactive services such as helping them detect, respond, and remediate incidents.  Some of these firms are going to be nightmares to work for where your life will be similar to what I described above, but many others have learned that retaining critical talent requires providing a reasonable work-life balance, rewarding work, and a career path. 

This gets back into the point I made earlier about the more power you have in an organization, the more you can influence you have about the world around you.  One of the things I learned as a police officer is that trauma comes from lack of control. A great way to have a traumatic consulting experience is to have minimal technical skills and to land in a job where you’re traveling nearly constantly doing low-skilled grunt work.  The best way to have a rewarding consulting experience is to have in-demand job skills (and a security clearance is worth crazy bonus points in this space) where you are being used for high-end work that your employer can charge near-confiscatory prices to customers.

Which gets us to life in the corporate world.  In the consulting world, you’re generally going to be direct spend which means the money an organization puts into you is directly involved with the service that is being provided to a customer.  In the corporate world, you’re indirect spend.  You’re a necessary evil when the money that is spent on you doesn’t involve making or selling a product or service to a customer.  That’s the bad news.  The good news is that because we’re in this golden age of cyber security, corporations are just fine (for now) with this sort of indirect spending. I spent most of my career building and leading high-performance digital forensics and incident response teams for a couple Fortune 100 enterprises.  Landing on one of these teams can be a very rewarding experience as long as you do your homework and find a team and organization that is a good fit for your skills and temperament. 

Corporate digital forensics jobs can take several different forms but the primary tasks that you’ll see in the corporate world are also the same that are being offered up in the consulting world such as eDiscovery, threat intelligence, incident response, security operations, digital forensics, malware analysis, and the like.  That which is necessary in the cyber security world is either going to be brought in internally (which creates corporate positions) or purchased externally (which creates consulting positions) or a combination of both. 

Life in the corporate world will be more predictable that in the consulting world since corporate jobs tend to be more of a normal business offer hour situation with nights and weekends as necessary when things get busy.  There are some exceptions such as corporations that have 24/7 security operations centers that require shift work.  I don’t see too many people from the law enforcement world doing security operations shiftwork, but that isn’t to say that it can’t happen and those security operations roles can be very rewarding and educational.  I’ve seen many people start in security operation centers and used that time to build a skillset that led to very rewarding career paths.

I think one of the biggest shocks for law enforcement people going into the private sector is the concept that you are now a salaried employee and there is rarely such a thing as overtime or compensation time.  You’re expected to get your work done and that frequently involves working over 40 hours a week to do that.  You are also now competing with other people in your organization.  Remember what I said earlier about gaining power in an organization.  Having a reputation as someone who just does the minimum is a great way to undermine your corporate career even if you are a highly skilled person.  A good attitude and a strong work ethic will go a long way in the private world.

There is also another aspect of the private sector which is going out on your own and starting up your own business.  Frankly, this is one of the areas where I have the least amount of experience with and I think the best way to handle this will be for me to just pester someone to do an interview here on the blog.  If you have any suggestions on who you might want to see interviewed, let me know.

I’m at about 3,000 words on this blog post and I think I’ve covered a decent overview of life on the private side. I’ll still continue to address some specifics as the series progresses especially in the next blog post where I talk about what you should be doing as a law enforcement officer to prepare for life on the private side.