Why Visibility Beats Technical Skills for Security Career Growth
Producing absolutely brilliant work will get you nowhere unless the right people know about it.

I used to think careers went like this: Do excellent work. Get noticed. Get promoted.
That's how it’s supposed to work, right?
I held onto this mindset for years. Head down, believing that my work would speak for itself. That if I just kept solving increasingly complex problems, someone would eventually notice.
Here's what happened: nobody noticed.
If you’ve been in security for a while, you've probably hit the same wall. I've watched this pattern play out with some of the most talented security people I know. Brilliant work, zero recognition, no idea why it's not translating to career progress.
This post is the advice I wish someone had given me earlier: what work actually advances your career, how to talk about it without the cringe, and the common mistakes that kept me invisible for years.
Lie: Your most brilliant technical work will advance your career.
Reality: Your most visible work advances your career.
This is the problem with security careers: they’re invisible by design.
You're solving problems behind closed doors where the best outcome is that nothing bad happens. Which ironically makes it look like nothing happened at all.
Your threat model prevented a breach that would've made headlines.
Your incident response stopped a ransomware outbreak before it spread.
That critical vulnerability you caught in code review never made it to prod.
The reward for all your brilliant work? Business as usual. Nothing blew up. No one panicked.
Which means no one noticed.
Meanwhile, promotion decisions are being made by people who haven't seen 90% of what you do. They’re going on what they do have: how you present yourself, whether your name comes up, that one presentation you gave six months ago that you thought went terribly.
A former manager once described this to me, completely unironically, as 'manager's intuition.' So, yeah, vibes.
Is this fair? No, it’s completely insane.
We shouldn't have to market ourselves on top of doing excellent work. Technical skills and hard work should be enough to progress your career forward. But the reality is that in security, visibility isn't some optional extra for people who like self-promotion.
It's part of the job.
We’re just not told that when we sign up.
So why don't we just make ourselves visible?
You'd think knowing this might change how we show up. But knowing doesn't make it any easier, and self-promotion isn't in our DNA.
So instead, we tell ourselves comfortable stories that let us avoid the uncomfortable work of being visible:
"Excellence speaks for itself."
"Management tracks everything."
"Politics are for people who can't deliver."
I lived by my own set of these stories for years:
"I'm not comfortable self-promoting" → I'd rather complain about promotions than earn them
"I'm too busy with real work" → I don't understand that visibility IS real work
"My manager should know what I do" → I expect mind-reading, not management
"I'm an introvert" → I'm confusing personality with skill
The truth is, I was scared. Scared of seeming arrogant. Scared of judgment. Scared of playing a game I thought was beneath me.
So I stayed where it was safe. At least with technical work, I knew I was good. This visibility stuff? I had no idea where to start.
After watching enough less-technical people get promoted ahead of me, I eventually realised my head-in-the-sand approach was only holding me back. That simply ‘working harder’ wasn’t going to advance my career.
The choice was simple: Stay invisible and resentful, or admit I was wrong about how careers actually work.
Prioritising visibility will change your career
Mainstream advice is pretty consistent when it comes to career success: focus on high-impact work, maximise productivity, prioritise business value over busywork. That's not wrong, but it ignores an important reality:
High-impact work that nobody sees doesn't advance your career.
We end up spending weeks building elegant solutions to problems nobody knew existed.
Then wonder why we still get average performance reviews.
Instead, try asking yourself two questions before you commit to any task:
Is it high value?
Is it visible?
These two questions create four boxes that will change how you prioritise your work:

Every task you touch lands in one of these boxes. Here’s what belongs in each and what to actually do about it.
Career Makers (High Value + Visible)
The 10% of work that creates 90% of your career momentum.
What lives here:
Leading incident response when customer data is at risk
Presenting the security architecture redesign to the board
Being the face of the zero-trust migration that everyone in leadership is watching
The play: When these land on your desk, clear your schedule. These are the moments careers are built on.
Hidden Gems (High Value + Not Visible)
Your best work that nobody knows about.
What lives here:
That authentication bypass you caught in code review that would've leaked 2M records
The certificate automation you built preventing this year's outage
Mentoring the junior who's now crushing it as the lead analyst on your team
The play: This is 80% of what we do. Critical stuff that nobody sees. Your job isn't just to do this work, it's to make sure the right people know about it.
Bathroom Jobs (Low Value + Visible)
Low-value work with high-maintenance stakeholders.
What lives here:
Updating the security awareness deck for the fourth time
Being the security checkbox on projects that don't need you
Building dashboards your manager will look at once, then forget
The play: Minimum viable effort. Nobody compliments a clean bathroom, but they'll notice if it's dirty. Do just enough to not get called out, then move on.
Time Thieves (Low Value + Not Visible)
The work nobody will miss.
What lives here:
Perfecting documentation nobody reads
Automating a process you do twice a year
Maintaining that Python script one person uses
The play: Delete it. Delegate it. Or accept that every hour here is an hour stolen from work that could actually advance your career.
This isn't a personality transplant, it's 10% time reallocation
You don’t need to change everything about who you are. You just need to redirect a little effort to visibility:
Stop perfecting Bathroom Jobs. Nobody will notice the difference between good enough and perfect
Spend 30 minutes making your Hidden Gems visible to decision-makers
When Career Makers land on your desk, treat them like the career-defining moments they are
Two to three hours per week. That can be the difference between staying stuck and getting promoted.
Make your impact visible without the cringe
Now, I know what you’re thinking:
"Okay, I get it. Make my work visible. But HOW? I don't want to become a LinkedIn influencer posting about how I 'learned about leadership from my 3-year-old.'"
This is where most advice on visibility falls apart. It tells you to "build your personal brand" or "share your wins" without acknowledging how gross that feels.
I struggled with this too. I actively avoided self-promotion because the whole thing felt performative and fake.
But here's what changed my mind:
Visibility isn't about bragging. It's about giving your manager the ammunition they need to advocate for you in promotion discussions.
That reframe made all the difference for me.
You're not promoting yourself. You're helping your manager promote you.
Focus on problems, not boasts
When you talk about your work, structure it around the four questions decision-makers actually care about:
What was broken?
What did you do?
Why should anyone care?
What happens next?
Use this formula:
PROBLEM → ACTION → IMPACT → WHAT'S NEXT
Lead with the business problem. Show your solution. Quantify the impact. Tell them what's next.
Instead of: "Fixed the authentication service"
Say: "Customer logins vulnerable to session hijacking → Implemented secure token rotation → Protected 2.3M accounts → Rolling out to mobile next week"
Instead of: "Improved monitoring"
Say: "Zero visibility into API abuse → Built rate-limiting detection → Blocked 3 credential stuffing attacks this week → Expanding to all endpoints"
Instead of: "Finished security review on Project X"
Say: "Found hardcoded AWS keys in production → Rotated all secrets, moved to vault → Prevented breach that would've cost us £2M → Auditing all repos this month"
Flex the formula based on your audience.
Technical manager? They want the implementation details. Head of Engineering? They want to know what didn't go down. CISO? Business risk and cost avoidance.
One more thing: ask your manager directly how they prefer to receive updates.
Quick chat? Email? Weekly summary?
You'd be shocked how few people actually ask this question. Most just guess and wonder why their updates aren't landing.
Avoid these mistakes
I've spent years screwing up visibility in creative ways. Here are the six mistakes that did the most damage, so you know how to avoid them.
Underselling
What I said: "Just updated some firewall rules" → Actually: Redesigned the entire network segmentation, cut attack surface by 60%.
My manager's reaction: "Why are you wasting my time?"
Why this happens: You're so close to the work that a massive architecture overhaul feels like "just doing your job." To you, it's Tuesday. To leadership, it should be a career highlight.
Overselling
What I did: Created a 47-slide deck for a log parser update.
My manager's reaction: "Could've been an email."
Why this happens: You confuse effort with impact. You spent three days building the parser, so you think it deserves a three-day presentation. It doesn't.
Tech babbling
What I said: "Migrated to HashiCorp Vault with dynamic secrets and automated PKI with short-lived credentials."
My manager's reaction: "I have no idea what you just said."
Why this happens: You're explaining HOW you did something when they only care WHY it matters. Your manager doesn't need to understand the technical implementation. They need to understand the business problem you solved.
Friday bombing
What I did: Sent a 500-word email at 4:47 PM Friday.
My manager's reaction: "I'll definitely read this never."
Why this happens: You finally had time to document everything, so you did. In one sitting. Right before the weekend. You optimised for your calendar, not theirs.
Review-time hero
What I did: Radio silence all year, then flooded my manager with updates right before review season.
My manager's reaction: "How convenient."
Why this happens: You hate self-promotion, so you avoid it until you can't. Then you panic and overcompensate. Your manager sees right through it.
Situation blindness
What I did: Announced major vulnerabilities during a strategy meeting with the CTO.
My manager's reaction: "Your timing is a vulnerability."
Why this happens: You found something important and wanted to act with urgency. Admirable. But context matters. That vulnerability wasn't going to be exploited in the next 30 minutes.
The pattern I eventually figured out:
Underselling makes you invisible. Overselling makes you exhausting. Both kill your career.
The solution isn't finding some mythical middle ground. It's to:
Match the communication to the impact (log parser = chat message, network redesign = meeting)
Speak in business outcomes, not technical features
Share updates consistently, not just during review season
Read the room before dropping bad news
You don't need perfect judgment. You just need to stop making the obvious mistakes that signal "I don't understand how organisations work."
The work doesn't speak for itself—you do
So does this mean that visibility is the most important thing?
No, the most important things are doing an excellent job and being a positive part of your team. But right after those, it’s ‘making sure people are aware of the work you are doing’.
The good news?
Visibility is a learnable skill. I'm not naturally good at this stuff. I'm still not great at it.
But I'm better than I was a year ago, and that's made all the difference.
Here's what to do this week:
Pull up your last few weeks of completed work
Find the 3 highest-impact projects
Translate them into PROBLEM → ACTION → IMPACT → WHAT'S NEXT
Share them with your manager
That's it. Four steps. Maybe two hours of effort. It won't fix everything overnight.
But it's how you start closing the gap between how good you are, and how good people think you are.