James Roberts

Why Visibility Beats Technical Skills for Security Career Growth

Producing absolutely brilliant work will get you nowhere unless the right people know about it.

I used to think careers went like this: Do excellent work. Get noticed. Get promoted.

That's how it’s supposed to work, right?


I spent years stuck in this mindset. Head down, believing my work would speak for itself. That if I just kept solving increasingly complex problems, someone would eventually notice.


Here's what happened: They didn't.


The problem wasn't the quality of my work. The problem was that almost no one got to see it.


Lie: Your most brilliant technical work will advance your career.

Reality: Your most visible work advances your career.


This is the thing about security careers—they're invisible by design.

You're solving problems behind closed doors where the best outcome is that nothing bad happens.

Which ironically makes it look like nothing happened at all.


  • Your threat model prevented a breach that would've made headlines.

  • Your incident response stopped a ransomware outbreak before it spread.

  • That critical vulnerability you caught in code review never made it to prod.


The reward for all your brilliant work? Business as usual. Nothing blew up. No one panicked.

Which means no one noticed.


Meanwhile, decisions about your promotion are being made in rooms you're not in, by people who've never seen what you actually do.

They're judging you based on external signals—how you present yourself, whether they've heard your name come up, that one presentation you gave six months ago that you thought went terribly.


Unfair? Completely.

You shouldn't have to market yourself on top of doing excellent work. Technical skills and hard work should be enough to progress your career forward.

But the reality is that visibility isn't some optional extra for people who like self-promotion.

It's part of the job.

We’re just not told that when we sign up.



So why don't we just make ourselves visible?

You'd think knowing this would change how we show up.

It doesn't.

Instead, we tell ourselves comfortable stories that let us avoid the uncomfortable work of being visible:


"Excellence speaks for itself."

"Management tracks everything."

"Politics are for people who can't deliver."


I lived by these lies for years:

  • "I'm not comfortable self-promoting" → I'd rather complain about promotions than earn them

  • "I'm too busy with real work" → I don't understand that visibility IS real work

  • "My manager should know what I do" → I expect mind-reading, not management

  • "I'm an introvert" → I'm confusing personality with skill


The truth is, I was scared.


Scared of seeming arrogant.

Scared of judgment.

Scared of playing a game I thought was beneath me.


So I stayed where it was safe. At least with technical work, I knew I was good. This visibility stuff? I had no idea where to start.


After watching enough less-technical people get promoted ahead of me, I eventually realised my head-in-the-sand approach was only holding me back. That simply ‘working harder’ wasn’t going to advance my career.


The choice was simple: Stay invisible and resentful, or admit I was wrong about how careers actually work.



Prioritising visibility changed my career

I used to follow the mainstream advice for career success: focus on high-impact work. Maximise efficiency. Important over urgent. Business value over busywork.

That's not wrong, but it ignores an important reality:


High-impact work that nobody sees doesn't advance your career.


I'd spend weeks building elegant solutions to problems nobody knew existed.

Then wonder why I was still getting average performance reviews.


Now I ask myself two questions before I commit to any task:

  • Is it high value?

  • Is it visible?

These two questions create four boxes that changed how I prioritise my work:

Every task you touch lands in one of these boxes. Here’s what belongs in each and what to actually do about it.

Career Makers (High Value + Visible)

The 10% of work that creates 90% of your career momentum.

What lives here:

  • Leading incident response when customer data is at risk

  • Presenting the security architecture redesign to the board

  • Being the face of the zero-trust migration that everyone in leadership is watching

The play: When these land on your desk, clear your schedule. These are the moments careers are built on.


Hidden Gems (High Value + Not Visible)

Your best work that nobody knows about.

What lives here:

  • That authentication bypass you caught in code review that would've leaked 2M records

  • The certificate automation you built preventing this year's outage

  • Mentoring the junior who's now crushing it as the lead analyst on your team

The play: This is 80% of what we do. Critical stuff that nobody sees. Your job isn't just to do this work, it's to make sure the right people know about it.


Bathroom Jobs (Low Value + Visible)

Low-value work with high-maintenance stakeholders.

What lives here:

  • Updating the security awareness deck for the fourth time

  • Being the security checkbox on projects that don't need you

  • Building dashboards your manager will look at once, then forget

The play: Minimum viable effort. Nobody compliments a clean bathroom, but they'll notice if it's dirty. Do just enough to not get called out, then move on.


Time Thieves (Low Value + Not Visible)

The work nobody will miss.

What lives here:

  • Perfecting documentation nobody reads

  • Automating a process you do twice a year

  • Maintaining that Python script one person uses

The play: Delete it. Delegate it. Or accept that every hour here is an hour stolen from work that could actually advance your career.



This isn't a personality transplant, it's 10% time reallocation

You don’t need to change everything about who you are. You just need to redirect a little effort to visibility:

  • Stop perfecting Bathroom Jobs. Nobody will notice the difference between good enough and perfect

  • Spend 30 minutes making your Hidden Gems visible to decision-makers

  • When Career Makers land on your desk, treat them like the career-defining moments they are


Two to three hours per week.

That's the difference between staying stuck and getting promoted.



Make your impact visible without the cringe

Now, I know what you’re thinking:

"Okay, I get it. Make my work visible. But HOW? I don't want to become a LinkedIn influencer posting about how I 'learned about leadership from my 3-year-old.'"

This is where most advice on visibility falls apart.

It tells you to "build your personal brand" or "share your wins" without acknowledging how gross that feels.


I struggled with this too.

I actively avoided self-promotion because the whole thing felt performative and fake.

But here's what changed my mind:


Visibility isn't about bragging.

It's about giving your manager the ammunition they need to advocate for you in promotion discussions.


You're not showing off.

You're making your manager's job easier by translating your technical work into business impact they can actually defend to leadership.


That reframe made all the difference for me.

I wasn't promoting myself—I was helping my manager promote me.



Good self-promotion focuses on problems, not boasts

When you talk about your work, structure it around the four questions decision-makers actually care about:

  • What was broken?

  • What did you do?

  • Why should anyone care?

  • What happens next?


Use this formula:

PROBLEM → ACTION → IMPACT → WHAT'S NEXT

Lead with the business problem. Show your solution. Quantify the impact. Tell them what's next.


Instead of: "Fixed the authentication service"

Say: "Customer logins vulnerable to session hijacking → Implemented secure token rotation → Protected 2.3M accounts → Rolling out to mobile next week"


Instead of: "Improved monitoring"

Say: "Zero visibility into API abuse → Built rate-limiting detection → Blocked 3 credential stuffing attacks this week → Expanding to all endpoints"


Instead of: "Finished security review on Project X"

Say: "Found hardcoded AWS keys in production → Rotated all secrets, moved to vault → Prevented breach that would've cost us £2M → Auditing all repos this month"


Flex the formula based on your audience.

Technical manager? They want the implementation details. Head of Engineering? They want to know what didn't go down. CISO? Business risk and cost avoidance.


One more thing: ask your manager directly how they prefer to receive updates.

Quick chat? Email? Weekly summary?

You'd be shocked how few people actually ask this question. Most just guess and wonder why their updates aren't landing.



Learn from these mistakes before they tank your reputation

I've spent years screwing up visibility in creative ways. Here are the six mistakes that did the most damage, so you know how to avoid them.


Underselling

What I said: "Just updated some firewall rules" → Actually: Redesigned the entire network segmentation, cut attack surface by 60%.

My manager's reaction: "Why are you wasting my time?"

Why this happens: You're so close to the work that a massive architecture overhaul feels like "just doing your job." To you, it's Tuesday. To leadership, it should be a career highlight.


Overselling

What I did: Created a 47-slide deck for a log parser update.

My manager's reaction: "Could've been an email."

Why this happens: You confuse effort with impact. You spent three days building the parser, so you think it deserves a three-day presentation. It doesn't.


Tech babbling

What I said: "Migrated to HashiCorp Vault with dynamic secrets and automated PKI with short-lived credentials."

My manager's reaction: "I have no idea what you just said."

Why this happens: You're explaining HOW you did something when they only care WHY it matters. Your manager doesn't need to understand the technical implementation. They need to understand the business problem you solved.


Friday bombing

What I did: Sent a 500-word email at 4:47 PM Friday.

My manager's reaction: "I'll definitely read this never."

Why this happens: You finally had time to document everything, so you did. In one sitting. Right before the weekend. You optimised for your calendar, not theirs.


Review-time hero

What I did: Radio silence all year, then flooded my manager with updates right before review season.

My manager's reaction: "How convenient."

Why this happens: You hate self-promotion, so you avoid it until you can't. Then you panic and overcompensate. Your manager sees right through it.


Situation blindness

What I did: Announced major vulnerabilities during a strategy meeting with the CTO.

My manager's reaction: "Your timing is a vulnerability."

Why this happens: You found something important and wanted to act with urgency. Admirable. But context matters. That vulnerability wasn't going to be exploited in the next 30 minutes.



The pattern I eventually figured out:


Underselling makes you invisible. Overselling makes you exhausting. Both kill your career.


The solution isn't finding some mythical middle ground. It's to:

  • Match the communication to the impact (log parser = chat message, network redesign = meeting)

  • Speak in business outcomes, not technical features

  • Share updates consistently, not just during review season

  • Read the room before dropping bad news


You don't need perfect judgment.

You just need to stop making the obvious mistakes that signal "I don't understand how organisations work."



Use visibility multipliers to make your work undeniable

Once I figured out the basics of visibility, I started noticing patterns in what made certain updates stick while others disappeared.

These aren't required moves. But they'll triple your work's perceived value when you use them.


The screenshot play

Screenshot the before/after. Drop it in chat. Let the image tell the story.

Why it works: Pictures bypass the brain's scepticism filter.


The time comparison

"Remember last month's 3-day firewall nightmare? Built automation. Same issue today: fixed in 20 minutes."

Why it works: Shows you're not just responding to problems—you're eliminating entire categories of problems.


The external validation

"That RCE we found last week? Microsoft just released a patch. We were 7 days ahead."

Why it works: Third-party proof you know what you're doing.


The progress ticker

Week 1: "Found 10K endpoints running ancient Chrome. Building fix."

Week 3: "Deployment at 50%. Zero user complaints."

Week 5: "Done. 10K endpoints secured."

Why it works: Gets you credit for the grind, not just the glory.


The credit share

"We reduced incident response from 2 hours to 27 minutes." Always use "we," even if you did 90% solo. You'll still get the credit without creating enemies.

Why it works: Leaders build leaders. This move proves you're already thinking like one.


The numbers game

"Reduced false positives by 78%." "Cut mean time to detection from 47 minutes to 9." "Saved 328 engineering hours per year."

Use weird, specific numbers. They’re more believable than round ones.

Why it works: Managers report up. Numbers travel well.



Don't use all six for every piece of work. That would be exhausting (and obvious).

Your goal isn't to be everywhere all the time. It's to make sure your best work doesn't disappear into the void because nobody saw it happen.


One warning:

These multipliers only work if the underlying work is actually good. You can't screenshot your way out of mediocre execution.

But if you're already doing solid work?

These moves make sure it gets the recognition it deserves.



The work doesn't speak for itself—you do

Every stagnant security career follows the same pattern: Brilliant work. Invisible person.

Every breakout security career follows a different pattern: Solid work. Visible impact.


Does this mean that visibility is the most important thing?

No, the most important things are doing an excellent job and being a positive part of your team.

But right after those, it’s ‘making sure people are aware of the work you are doing’.


The good news?

Visibility is a learnable skill. I'm not naturally good at this stuff. I'm still not great at it.

But I'm better than I was a year ago, and that's made all the difference.


Here's what to do this week:

  • Pull up your last few weeks of completed work

  • Find the 3 highest-impact projects

  • Translate them into PROBLEM → ACTION → IMPACT → WHAT'S NEXT

  • Share them with your manager


That's it. Four steps. Maybe two hours of effort.

It won't fix everything overnight.


But it's how you start closing the gap between how good you are, and how good people think you are.