Move Choices and Information Warfare with Duncan Sparrell (2/2)

Welcome to episode 249 of the Nerd Journey Podcast [@NerdJourney]! We’re John White (@vJourneyman) and Nick Korte (@NetworkNerd_) – two technology professionals with backgrounds in IT Operations and Sales Engineering on a mission to help others accelerate career progression and increase job satisfaction by bringing listeners the advice we wish we’d been given earlier in our careers. In today’s episode we share part 2 of an interview with Duncan Sparrell, detailing Duncan’s progression into management and back to life as an individual contributor, how he evaluated decisions to change jobs and companies, advice on technology hype cycles and where to place yourself in them, and the genesis of Duncan’s cybersecurity experience.

Original Recording Date: 10-02-203

Duncan Sparrell is Chief Cyber Curmudgeon at sFractal Consulting, a boutique consulting firm for software and cybersecurity that Duncan founded which helps with his personal mission to make the world a safer place. If you missed part 1 of our discussion with Duncan, check out Episode 248.

Topics – Progression to Leadership, Training and Gaining Influence, Player Coach and the Manager to Individual Contributor Move, Move Choices and Enjoying Your Work, Information Warfare, Technology Hype Cycles and Following the Money

3:19 – Progression to Leadership

  • Is climbing the ladder that Duncan mentioned going into people management or continuing to progress as an individual contributor?
    • The answer is both! He went back and forth between the two (individual contributor and manager). Duncan climbed the tech ladder as an individual contributor as well as doing it as a manager.
    • Duncan was promoted to lead engineer early in his career (more responsibility and more pay) and later into “actual management” which required performance reviews and real people management.
    • Duncan was able to learn to manage people in what he calls the ideal way and was in a role that was half an individual contributor and half a people manager (so some responsibilities for each or a foot in both worlds). In this case the group he was managing was small enough to allow him to do it. Duncan says being in this position allowed him to get involved in bigger and bigger projects.
      • We might refer to this type of role as a player coach type role based on conversations with other past guests.
    • Duncan mentions direct reports (people reporting through you) and indirect reports (those you lead through influence without authority).
      • In order to succeed you need the ability to influence without authority. This requires credibility, integrity, and trust with your co-workers (trust with both subordinates and trust with your management). It is a balancing act do it well, and one must be persistent.
      • A mistake or bad day (like being a jerk) can erase many “did greats” and may come back to bite you. In Duncan’s experience, jerks do not get rewarded.
      • “Being a jerk is just the wrong time to be a jerk.” – Duncan Sparrell
  • Did Duncan ask for the role as half individual contributor and half manager (player coach), or did someone encourage him to do it?
    • Duncan says people encouraged him to do it and went through the process of feeling him out for it. Once an opening came up, he was sort of pushed into it. Some of Duncan’s other career moves were somewhat similar to this.
    • “I do think if you want to progress you have to both look up and look down. Look up in that you have to recognize the objectives of your management and what they are trying to do and how can you help your boss do their job better. But you can’t do that at the expense of your co-workers or the people who work for you.” – Duncan Sparrell, on progressing your career
    • At some point in the middle of his career Duncan was told if he wanted to progress further he needed to spend more time “looking up.”
      • Duncan progressed all the way to being a 4th level manager at one point in his career and made a decision to not spend too much time looking up. Maybe he could have progressed further into upper management, but Duncan chose to focus on his people’s needs, wanting to keep them happy despite his job acting as “the middle point in the hourglass.”
    • “When something needs to get done, somebody’s got to do it, and it isn’t always you that’s doing it. So one thing you’ve got to learn is it’s not always you that’s doing it.” – Duncan Sparrell, on tasks that may be better for a manager to delegate
    • A manager should play to their strengths and get others to help where they aren’t as strong. It’s important to get others to help in areas where they are strong because they can (even if you, the manager are strong in that area).
      • Sometimes it’s important to give someone the chance to do something when they don’t know how. It’s you training them.
      • This is you acting as a force multiplier for others, which can lead to career progression. People will take notice if you are a force multiplier but even quicker if you are acting as the opposite of one.
    • “My sole objective was always to have fun and enjoy what I was doing, and I happened to get a very successful career from doing that.” – Duncan Sparrell
    • Duncan would encourage us to keep the big picture and the organization’s goals in mind.
    • “In management you can learn something from everybody. Some are behaviors to emulate. Some are things not to do. You need to look at that.” – Duncan Sparrell, on learning as a manager
    • Duncan speaks to performance reviews not happening as quickly as perhaps they could and mentions people think certain behaviors go unnoticed. Likely there is just a delay in getting the feedback to the individual, particularly bad news.
      • Duncan has had to lay people off and fire people, and it is NOT fun. It’s also very hard.
      • Duncan mentions surviving both ATT splits and having to decide which members of his team would go to a new organization with him and which would remain. Even then he did not have full control of what happened and was only able to make recommendations. It was near impossible to make everyone happy with the outcome of the moves.
      • “People don’t like doing things that aren’t fun to do….Bad performance feedback doesn’t get given as often as it should because it’s hard to do. I have not had fun doing it…but I have done it.” – Duncan Sparrell
    • Was there support in place like training for the hard things Duncan had to do like layoffs and poor performance feedback?
      • Nick posits the individual contributor who steps up to even player coach likely does not know how to do this well.
      • Duncan says you sort of have to emulate the behavior before they give you the new position. Often times the training does not come until after you have been given a position and you are in it for a while. It is a tough trade off.
      • “The problem is if you go to the training and you haven’t had the experience, it doesn’t sink in.” – Duncan Sparrell
      • Duncan gives the illustration of emergency room doctors being forced to stay up for 24 hours so they can learn to deal with the mistakes they make.
      • Bell Labs was really into training. Duncan got to take some excellent management courses after he had been a supervisor for about a year.
      • Duncan did a lot of reading in his early years as a manager and learns well from books. The Mythical Man-Month was a new book at one point during his career.
      • Duncan says pressures on management have only grown over the years but that management theory has come a long way.

13:30 – Training and Gaining Influence

  • John mentions the ATT System Center for Technical Education.
    • Duncan says the name has been changed over time, but it had massive training centers. There were a million employees working for ATT at one point. Now it’s more like over 300,000 employees (still very big).
    • When a company has this many resources, the best way to utilize them is to train people well. That’s looking at it from a business perspective.
    • Duncan mentions they had training budgets that they had to figure out how to spend. And he emphasizes our day jobs do not go away when we have to do training on top of it.
    • Some training we get by experience. Duncan is a big fan of influence without authority and people being able to do it
      • “It’s usually knowing what you are talking about and not being a jerk. And then people respect your opinion.” – Duncan Sparrell, on how to influence without authority
      • Duncan’s reputation in cybersecurity gave him influence without authority (inside ATT), but after retirement he needed a certification to prove his expertise ([CISSP]((https://www.isc2.org/certifications/cissp), CSSLP, and others).
      • “Doing what’s right will get you recognized and get you that influence.” – Duncan Sparrell, on gaining influence

16:01 – Player Coach and the Manager to Individual Contributor Move

  • If Duncan was designing an organization, would he ensure there were player coach type roles to try people out in a management role?
    • Duncan says if he could afford it he definitely would.
    • A piece of advice for listeners is to have a good life partner. Duncan was an electrical engineer and his wife a chemical engineer. They worked for different companies in different roles, but they did a lot of “bedroom benchmarking” and discussed how things were going at each of their companies. Duncan’s wife progressed along the management ladder up to senior executive at Exxon Mobile.
    • At Exxon, there was a player coach type role people were put in for 6 months as part of career pathing. Later on some people would get full time roles as managers while others would not.
      • Nick sees this as being like an internal internship.
      • Duncan saw this program as a way of acknowledging not everyone was going to work out in management and that there was a way back to individual contributor.
      • Duncan enjoyed going back to individual contributor and mentions he went higher up the technical ladder than he did on the management ladder. He tells us not all companies have equal ladders up to senior most positions because they may be limited by size.
      • When Duncan went back to being an individual contributor he had a lot of influence already and perhaps even additional influence because of his title. Part of his job description was to be broad across many areas, and that was something Duncan really enjoyed.
  • Nick asks about what questions are asked when someone goes back to IC from being a manager.
    • At Duncan’s company the management ladder went higher than the technical ladder. There are only so many senior level executive roles, for example.
    • Duncan says he went higher than he needed to go, and he was compensated better than he ever thought he would be for his work.
    • His goal was to enjoy is work and have fun, but he did not enjoy every job. Duncan would either stay in it until a job change arose or seek one out on his own. Being in a big company also helped, and he was able to find different jobs within ATT when needed.

20:25 – Move Choices and Enjoying Your Work

  • Duncan found different jobs inside ATT when his wife was transferred.
    • Duncan lightly mentions getting involved in the federal workspace and having a clearance to do so.
  • Be open when management comes to you with an ask to do something that they feel will help your career. If you say no, your manager will remember.
    • Duncan mentions a manager coming to him suggesting he needed a security clearance to work in a specific area. Duncan had come to Bell Labs because he did not want to get a security clearance.
    • Listen to the story of how Duncan’s manager presented the value of getting a security clearance by having him first focus on the reasons he did not want to get the clearance. After the discussion, Duncan thought about it and decided to get a clearance. Looking back, Duncan is glad he got the clearance, acknowledging that it helped his career.
  • Duncan’s wife was transferred to Virginia, and he used the clearance as a way to get a job inside a new organization. This was another boost to his career and was extremely rewarding.
    • Duncan got to run a business unit for a while.
      • Duncan had to handle contracts, operated his own profit and loss statement (or PNL), and even got to brief the ATT chairman of the board once per year on the program.
      • Duncan made his own luck in that he went and found this particular role working in an organization he was already supporting through previous work inside ATT (supporting through being a consultant to this group on a part-time basis). Working with this specific group in the first place is what got Duncan the security clearance mentioned earlier.
  • In the early to mid-1990s, a friend of Duncan’s from earlier in his time at Bell Labs made the move to a small company called Microsoft located in Seattle. When he suggested Duncan consider making the move as well, Duncan declined, saying he was having too much fun where he was.
  • If Duncan had known Microsoft was going to take off like it did, would he have made a different decision?
    • Duncan does not think he would have, feeling the work he was doing back then was really making the world a safer place and also something he enjoyed.
  • John makes the observation that it’s important what we say yes and no to throughout a career. Likely something such as working for a tech startup may have always been an option, and the Microsoft suggestion was likely not the first time someone suggested Duncan do something different. Each choice set him on a specific path.
    • Duncan says there were job move choices for both him and his wife over time which they would look at together and make a decision. Based on specific reasons for Duncan or his wife, they were both ok with saying something wasn’t for them.
    • "If our objective was to make the most money we could ever make we would have probably made some of those differently, but we’re very happy with the ones we made. I’d much rather be happy at a well paying job than unhappy at a super rich job. " – Duncan Sparrell, on making job move choices jointly with his wife
    • John mentions therapy from working a high stress job / a job you hate can be quite expensive and have an impact on your overall health (mental, physical, etc.).
    • Duncan says there will likely be periods of our careers in which we will have a certain amount of angst and not be happy. But these periods should be brief, and we should see some sort of end to them in the future. Otherwise it might be time to make a change.
    • John mentions there may be difficult times during a career we need to endure because it will be best over the long term.
    • “Don’t confuse working hard with being unhappy.” – Duncan Sparrell
      • Duncan tells us he put in so many hours over the course of his career usually because he liked what he was doing most of the time. Even in retirement Duncan is still working on the things he likes to do.
      • Before retirement Duncan was working much more than 40 hours each week. Now that he is retired he’s cut back to 40 hours each week with a few paid hours via his consulting business and the rest for volunteering.
      • “It’s not like you can coast. You gotta provide the value, however you provide the value. Some people can provide the value in a very short amount of time. Some people have to really slug at it to provide the value. Most people are…it’s a combination of both.” – Duncan Sparrell
      • “It can be exhausting, it can be draining, and you can still love every minute of it. And you could be in a situation where you’re not actually working that hard and also hating every minute of it.” – John White
      • Maybe we should not equate required or requested effort with good or bad. You can enjoy or not enjoy your work separate and apart from how hard you’re being asked / required to work.
    • Duncan says enjoyment can come in different ways – liking something we are doing or liking the end result of what we’re doing.
      • Duncan is very proud of the work he did for the government and feels what he did has helped make the world a safer place. Not every hour of it was fun. But the result was rewarding.
      • There was an on-call aspect to the work which sometimes made it rough.
      • “It was literally saving lives at times…that you just walked away feeling very good from, that it was worth it after the fact.” – Duncan Sparrell
      • John says this goes back to process and outcomes. Sometimes the process can be enjoyable, and other times it is the outcome that brings the enjoyment. Both can be ok.
      • “In the ideal world it would be both. The case you want to avoid is the neither.” – Duncan Sparrell, on enjoyment of process and outcomes

29:45 – Information Warfare

  • Duncan got the security clearance we mentioned previously as a result of his knowledge of digital processing. He and his wife moved to Washington, D.C. This turned out to be a career move for Duncan’s wife and a career move for him. Duncan got involved with an organization inside ATT focused on special projects.
    • Before this, Duncan’s experience was at Bell Labs. The focus was research and development, and they had high quality individuals as employees (i.e. many who were at the top of their class at a university). These people were all well versed in technology.
      • When Duncan went into the special projects organization, many of the people had worked their way up from being phone technicians in the field after getting a high school diploma (very different from Duncan’s career path). Some of these people were at the same level as Duncan or higher.
      • This presented Duncan with an opportunity to grow and gain a broadened perspective from working with this new group of co-workers. He’s made many friends from that time period and from every stage of his career.
      • Certain career choices expand our breath as humans and help people become better managers, and this was Duncan’s experience working in the special projects organization (i.e. it made him better).
      • Duncan’s wife had a similar experience. On her path to becoming a senior executive (previously a chemical engineer with a R&D background) she was a leader of people who drove tanker trucks and those who piloted tanker ships. Having different types of people work for you or with you can teach you a lot (and it did for Duncan’s wife too).
  • The security clearance was for work on special government projects.
    • This entailed working with the White House Communications Agency, working with communications of the FBI or NSA, and other projects that cannot be shared.
    • Duncan had the clearances and the technical knowledge. He says he was a hacker without realizing it, and people noticed.
    • Duncan tells the story of having someone work for him, and he was not allowed to know the location where this person worked. He had the clearance level to know but not a need to know.
    • ATT was not allowed to make computers back then, so early computers they had were called processors.
      • These ran the PBX or telephone switching system, and the systems needed some work.
      • This was a highly classified, covert operation. The leadership wanted to bring in a technician without a clearance to repair the computer. Duncan had the clearance and happened to know the operating system of the PBX was Linux-based (something he was familiar with).
      • Duncan asked for an hour to report back anything he could find and was granted access to the test system that had the same configuration as the live production system. Duncan figured out the program and did the work on the live system. They did not allow the uncleared technician access to come help.
      • “It turns out that was my first experience being a hacker without realizing I was being a hacker. But it got noticed.” – Duncan Sparrell
    • Not long after Duncan fixed the system mentioned previously, the first Gulf War broke out Desert Shield. And in 1990, because Duncan had the clearance and had a depth of knowledge they sent him to a place that would eventually be known as the Air Force Information Warfare Center.
      • “I had literally never heard those words information and warfare in the same sentence before….This is not the internet as you know it. This was way before all that.” – Duncan Sparrell
        • At this time we had 4.8 Kbps modems, and Duncan had been involved in making standards to upgrade them to 9.6 Kbps speeds.
      • The Air Force had hackers who would break into systems. Duncan was part of an attack team tasked with attacking enemy air systems so US bombers would not be shot down. They could only do reconnaissance once planes were in the air.
      • Duncan says they were not great at it and would practice on dead systems (which the team got really skilled at doing).
    • Once Duncan returned to ATT he shared what he had learned from his time with the Air Force and explained the same things could be and needed to be done for ATT’s network.
      • The word cybersecurity had yet to be invented at this time.
      • Duncan got in on the ground floor of creating the Chief Security Office at ATT, and one of his proteges became the first Chief Security Officer of ATT and only the second ever Chief Security Officer (CSO) at a company.
      • Duncan was ATT’s Chief Architect, and the organization eventually grew to 2000 people.
      • All this happened because Duncan had the right clearance, the right skills, and was sent to the right place at the right time.
      • At this time in history any vulnerability known in a government computer system was classified information (classification level of secret). It would be the equivalent of a CVE today on a Microsoft system and not being able to say you had a Microsoft system with that CVE present.
      • Duncan became skilled at thinking evilly, and because of that he was able to help stop people from doing bad / malicious things.
        • “I saw all sorts of ways to do bad things, and then we stopped people from doing them.” – Duncan Sparrell, on his cybersecurity work at ATT
      • In the 1990s about 10% of the world’s internet traffic traveled through ATT’s network as they transitioned from voice only to an internet provider also. Duncan and others started running into things never seen before. For example, one of Duncan’s patents is on how to detect DDoS attacks because that is one of the things he and his peers started to see as they were setting up and working on ATT’s systems.
      • “Some of that’s just luck because it was a new field and I was there. But you know what? There’s going to be other new fields created in the next decade.” – Duncan Sparrell, on getting into cybersecurity at its infancy

38:08 – Technology Hype Cycles and Following the Money

  • It’s easier to innovate in brand new fields. Duncan would encourage us to take time to learn about the newest fields if we can spare the time.

    • Newer fields according to Duncan will be automation in cybersecurity, things in the AI (artificial intelligence) realm, quantum computing, and something else that we don’t even know about yet which could be next year’s hot topic.
    • John mentions we have seen the pattern of educating ourselves on technology waves, picking one we enjoy, and trying to “ride it.”
    • There is a timing element here too according to Duncan.
    • “Things are going to follow the hype curve. You want to be NOT following the hype curve. You want to be ahead of it on its way up, and you also want to be ahead of it on its way down.” – Duncan Sparrell, on the hype cycle of technology waves
    • In the early days of cloud, people were against it from a security stand point. Duncan knew it would save money and allow some funds to be put into security. But he remained ahead of the point where cloud became overhyped.
  • Duncan says we should recognize the hype cycle for a technology wave will be a curve, and it will not happen for all technologies at the same time.

    • AI (Artificial Intelligence) is finally making it Duncan thinks even though he has been hearing about it for 20 years now it seems. IoT (internet of things) is another trend that could make the world a different place in 10 years. Quantum computing seems further out (i.e. not a reality as of yet).
    • We need to do our research on a topic to determine when a technology’s popularity will really go up and down. Duncan suggests reading up on the technology, the problems it tries to solve, and what it means to you.
    • “If you really like the stuff you’ll get into it enough to figure all that out, and if you don’t like it you probably should find a different one. There’s going to be enough of them.” – Duncan Sparrell, on selecting a technology wave to pursue
    • John emphasizes that market timing is also important for different technologies.
  • One of the sayings Duncan likes to use is “follow the money.” But we need to be careful and diligent when it comes to following the hype curve.

    • Pouring money into venture capital endeavors may not be the right money to follow. Money gets poured in here because many of these will fail (i.e. on the upslope of the hype curve) – and this applies to companies and the technologies.
    • But in general following the money is a wise thing to do. Duncan says most anything can be turned into money, even cybersecurity risk for example.
    • Duncan references a book by Hubbard and Seiersen called How to Measure Anything in Cybersecurity Risk that is helpful in understanding how to turn things into monetary risk.
    • If we can speak in terms of monetary risk we’re leading people in the right direction in our organization and will be successful. These are the things on which business decisions should be based. And this is all a byproduct of following the money.
    • John reiterates how much people generally hate buying insurance.
      • Duncan has hopes for the insurance industry in cybersecurity. His father was a safety engineer for an insurance company and is co-author of a paper about why we have seatbelts.
      • Duncan shares the story of the invention of the Survival Car 2 made from popular car models at the time. The team of people working on it added safety features like seatbelts, anti-lock brakes, and many other items to it. They proved with statistics that people would be safer in our country having those features in cars and convinced regulators it was the right thing to do. No single car manufacturer would have included these features on their own because it drove up manufacturing costs, but when the government said they had to do it to decrease traffic deaths, it was a different story.
      • Duncan is hopeful the same model will end up taking place in cybersecurity. It took a long time for this to happen in the auto industry. We’ll see what happens in cybersecurity. Duncan says we have to get smarter in that area.
    • Nick says follow the money and know how to create the business case to get what you want. But in order to follow the money you need to be able to speak the language of money. The business case demonstrates that you can speak it.
  • Duncan also says “the cobbler’s children should not go barefoot.” This is in reference to some of the worst security things getting overlooked in the security discipline.

    • Duncan learned in the first Gulf War that the first thing taken out is enemy radar (even before taking out the guns). Ideally the radar works perfectly and just doesn’t show he planes coming.
    • “The first thing a cyber attacker should go after…the cybersecurity stuff.” – Duncan Sparrell
  • To follow up with Duncan on this discussion, you can find him…

  • Mentioned in the outro

    • Special shout out to our listeners in Poland – thank you for putting Nerd Journey in the top 250 on Apple Podcasts in the business and careers category! If you’re out there and think we need to be on the charts in other countries, please share an episode that you found helpful with a friend, rate the show 5 stars, and leave a review.
    • Sometimes gaining influence means you need to build expertise, and the perception of your expertise will be differently inside and outside your company. Maybe you pursue a certification like Duncan did or perhaps it is a blog, video, a talk you gave, etc. Put all these things that are public proof of work on your LinkedIn profile!
    • We hope you have someone (even if not a spouse, perhaps a friend or family member) to go to about career decisions and job changes just as Duncan and his wife did in their “bedroom benchmarking.”
    • Dr. Sirisha Kuchimanchi shared in Episode 246 that if someone recommends you for a new role it is a compliment to you and evidence they understand your reputation.
      • We can be open to maanger suggestions of things we should pursue. Be careful if you decide to say no, and make sure it is for the right reasons.
    • There’s another great example of relatable experience in this episode in the way Duncan took his experience from the Airforce Information Warfare Center to ATT to help provide value. Are we seeking to apply learnings from other areas to what we do?
    • Nick mentions getting the chance to work with an innovation team inside VMware earlier this year for two straight weeks and getting an energy high from it the entire time. If you want more detail about that experience you can read about it in this blog article.
      • We should pay attention to the energy we get or don’t get from the work we do. We have to be mindful of this and really pay attention to energy levels over time to really understand the elements draining us or energizing us. Maybe it’s not everything and only some things. Consider taking on a new task or project.
      • Listen to Episode 173 with guest Evan Oldford for discussions on energy.
    • We’ve talked to at least 4 people (including Duncan) with some measure of cybersecurity experience now, and each of their paths was slightly different.
    • Donovan Farrow now owns a cybersecurity consulting firm.
      • Episode 133 – Forensics and the Boredom of Peacetime with Donovan Farrow (1/2)
      • Episode 134 – Pass down Your Legacy with Donovan Farrow (2/2)
    • Bill Kindle was a systems administrator who took that experience and applied to security engineering.
      • Episode 180 – Hired on the Spot with Bill Kindle (1/3)
      • Episode 181 – Crossing the Burnout Fault Line with Bill Kindle (2/3)
      • Episode 182 – Security from the System Administrator’s Lens with Bill Kindle (3/3)
    • Kenneth Ellington got into cybersecurity and has founded Ellington Cyber Academy, a place that can help others looking to break into the industry.
      • Episode 239 – Introduced to Cybersecurity with Kenneth Ellington (1/2)
      • Episode 240 – Nurturing Cybersecurity Talent Development with Kenneth Ellington (2/2)

Contact us if you need help on the journey.

One Reply to “Move Choices and Information Warfare with Duncan Sparrell (2/2)”

Leave a Reply

Your email address will not be published. Required fields are marked *