profile picture

How I landed a PM role in Cybersecurity, thanks to (also) this home assignment

March 22, 2023 — 17 mins
#product-management #cybersecurity

Back in 2021, I switched from my Product Manager ("PM") job in the Unified Communications as a Service (UCaaS) market to a PM job in Cybersecurity.

Below I discuss why I changed industry, why Cybersecurity, what was the overall hiring process, and more interestingly the home assignment I faced during the process: a talk to the engineering team.

Yes I got the job 🥳, and yes I show you my slides for the sake of sharing.

Disclaimer: I am not your application coach and your mileage will vary. So don't take the following as a hiring / career advice: I am just sharing my experience (and slides).

Why changing industry?

At the time, I was working in the UCaaS market (details in my resume). The name changed over the years, and according to the last important trend, we have gone through Centrex, VoIP, IP Telephony, Cloud / Managed / Hosted / Mobile PBX, Cloud Telephony, Unified Collaboration. All to say we were shipping our private SaaS to Fixed or Mobile operators of all sizes.

These were 15+ of incredibly exciting years. With high and low years. Some very low. And some very high.

Overall, that was a real chance to learn so much in the technology, business and people areas. With a real cool team, we had the chance to explore uncharted territories, and pioneer a nascent industry. And we grew: ultimately the sector consolidated (Cisco had acquired Broadsoft in 2018, and Microsoft Metaswitch in 2020). Ultimately we were acquired by a larger (25x) European company. A cool outcome.

To make a long story short: with my Software Engineer background, and being curious about, well, everything, I had multiple opportunities to serve in multiple roles. Yeah, startups, you know 😎. Eventually I became a Product Manager as we started to grow. We were just missing that role and I naturally filled it. I did not even know that was a real position or title 😇.

And I found the PM role to be my sweet spot: acting a bit as a conductor between all teams / stakeholders / customers, constantly adapting and translating your speech to all audiences. And I do mean all. All of that to find the right thing to do. And deliver it.

Unfortunately, despite a pleasing atmosphere and friendly colleagues, I reached a glass ceiling in my position, and slowly but surely got bored. True, that was also Covid times, but it is not related. Yes, we went the remote work way during that period of course, but I adapted easily.

The reason is elsewhere: I was learning more about the PM role, was excited, and realised I will not be able to evolve in that direction in my personal situation.

As learning is very important to me, I started to look at opportunities at this point.

Why Cybersecurity ?

As a PM in UCaaS, I was facing more and more security topics with our products. Far from being a chore, that really resonated with me. True, security always fascinated me for long (remember Wargame, the 1983 movie? Wow!). Early on, I read a few books, had some hacking discussions, but never really dived into the subject, professionally.

(Now, thinking about it, it probably originated when I was learning UNIX system programming in C: with the same short C program I got both a segmentation fault on the older SunOS operating system, and a passing program on the newer Solaris version. Sceptical, I fired the venerable gdb) debugger, and stepping in and out, I saw one of my constant — or so I believed — changes its value just when my code returned from a function call. Out of the blue, in front of my dumbfounded eyes 🤯. Yes, that was my first, direc, unwitting experience with a stack overflow. An epiphany! 💡)

Anyway, I was having the opportunity to tackle some security challenges as a PM now. And I did embrace it, sometimes the hard way. Including:

And don't get me started on the very Cloud Telephony specifics: just know that Telephony fraud exists because it is a lucrative thing. But not for you. 💸

Also, after the acquisition, I jumped into the Holacracy management framework in use (cool experience. And, you bet it: I was active in the Security circle, with my security Europeans fellows.

So, a pretty diverse experience for a non-expert after all. And so much exciting and interesting.

That was the time for me to start looking into the field.

The hiring process I've gone through

My chance was to be short listed for a PM position in a hyper cool French Cybersecurity company, that had just been acquired 6 months ago by a bigger American one.

I had seven interviews in total — not counting the phone calls with HR (add two or three for them).

Some will say this is a lot, and I will agree. On the other hand, this is for the best if you think about it: both parties are discovering whether each side is a good fit for the other, as you progress. You can really have a good glimpse at whether you could or want to work for each other or not.

Of course, if you don't get hired, this could be seen as wasted time. But you could also have a chance to learn why it failed (provided the company gives you actionable feedback — but not always the case, I know first hand 🙄).

(Personal advice: the feedback is nothing personal and you should really embrace it. Still, you could be surprised: I remember having been told I was arrogant once 😲. Much to my surprise because everyone who knows me will say you I am rather on the opposite humble side of the spectrum. That made me think. A lot. And in retrospective, I figured out I was really over-enthusiastic with the interviewer. Too much in fact. I could see how it could have been easily misinterpreted, especially with introvert people. A man learned a lesson: I pay extra attention to control my enthusiasm since 😅).

Anyway, one of the interview was actually an assignment: a 20 minutes talk I had to give in-person, to the (hiring) VP of Engineering, his Director of Engineering and his Program Manager, plus the PO / Engineering Managers and a few other key roles. Maybe 8–10 people overall, with 2 or 3 being remote.

That's a lot of people in the room 😅.

Let me say I did prepare the assignment.

Flashback: what happened just before getting the assignment…

At this stage, I already met the hiring VP of Engineering, his Director of Engineering and his Program Manager. The power dream team, say.

In the previous interview, I also met the CTO (Chief Technology Officer) of the company, which was a bit unexpected, as opposed to a CPO (Chief Product Officer), or Head of Product, or Director of PMs. Anyway, talking to all level of stakeholders is a core skill for PMs, so that is another fair and valid step in the process.

It must have been a good one, since I was told afterwards that the CTO did approved me. Good! 💪

So far, everyone knew I did not come from the Cybersecurity field: remember this is the crucial activity of the company. Reason why I can remember these exact words from the CTO, who told me:

As a PM, you don't need to be a Cybersecurity expert.
We have pretty good people for that.

I did not consider myself ignorant in Cybersecurity with my experience, but yeah, I am not far from being an expert either. I am only a PM who (1) left engineering behind, and (2) will certainly not compete with any security researchers or security engineer. So hearing that was quite reassuring about the level of Cybersecurity knowledge I was supposed to have. Spoiler: I was wrong 😅.

After that step, I've got the assignment.

The assignment

It was about delivering a "PM panel presentation" with two key points to present in twenty minutes (I duly respected the timing). And then a ten minutes Q&A session with the engineering team (which was largely exceeded, but I obviously embraced it).

The two topics were a very security centric question first, and then a generic PM question, in that order.

You can see why these questions:

Let's see first the PM question.

a. The PM question

It read:

Explain in detail how you would operate on a day-to-day
basis your job as a PM in charge of understanding customer
requests, identifying the features, planning the roadmap,
tracking success and validating with customers.

Almost expected in a way. Still, an interesting topic to develop in front of the engineering audience who did not work with a PM before.

Note it will answer all type of questions the engineering team — the people with who I will spend time — may have. Like:

Indeed, behind the direct question, multiple goals are served:

  1. Make the candidate show its ability to present
  2. Make the candidate feel how responsive and welcome the team is
  3. Make the hiring VP see how his engineers react, understand, and approve if the role is needed (you know: "ask & suggest, don't dictate")
  4. Make the hiring VP see if there is a fit happening. Bonus points if lessons are learned from the team's behaviour.

That was the easiest question.

The other one was a bit of a "ouch" question to prepare… 😵

b. The specific security question

Remember the you don't need to be a Cybersecurity expert sentence above? And also that everyone did know I was not coming from the Cybersecurity industry?

Good. Because the question was:

Which cybersecurity product or service has been launched
in the past three years that you believe has been a
game-changer in the industry?

I mean, I'm coming from another industry, faced a few general and specific security challenges. But do I know more than average the current landscape of the Cybersecurity industry? No. My own industry, yes I'm more comfortable, but another one: ouch!

(⊙.☉)7

After the initial "ouch" second or so, I realised this is obviously a difficult question, meant to test a candidate in a difficult situation outside his comfort zone. And this is very fair if you ask me.

After all, what I would be doing here, applying for a Cybersecurity PM position? PMs have to deal with uncertainty all the time. A train of thoughts could easily go like this:

So a pretty valid and smart question for such an assignment.

I dealt with it by making sure of the scope of the question: as an outsider, that was of course seeing me talking about a Cybersecurity offering, in front of experts. So, with an idea in mind, I went the "reduce risks" way and qualified I could choose a topic:

  1. About a non-commercial project?
  2. Older than 3 years BUT having a kind of renaissance moment

Amusingly, I realise now I was reducing the risks, as PMs do during their Discovery track, before going the Delivery track. How meta 😇.

Both answers to my questions were "yes", and indeed, as I suspected, the goal was to speak about a security offering with the experts engineers.

So with that in mind, I went with my idea: I still required lot of analysis, but I could start with some prior knowledge rather than from scratch, hence use an unfair advantage.

I chose to talk about the Have I Been Pwned service: a well known non-commercial project, that was getting a strong traction due to plenty of national CERTs adopting the service recently (at the time).

My unfair advantage was that I knew it, used it, and already explored briefly how it worked. The owner, Troy Hunt, is also a well known security researcher, and the way he was managing the service as a one-man show was interesting too.

(Tangentially, we considered integrating our product with the service months later. Not even my idea. How cool, after the fact 😇.)

And I built the presentation.

Preparing the deck

I started iterating on my content, structuring it. I designed my deck with beautiful graphical slides. I was inspired years ago by these Steal This Presentation! slides, and worked with its principles.

Actually, I made a point to keep text to a minimum (or at least I believed so, because re-reading my deck today, I see too much text towards the end — meh).

So I built it. I spent quite a timelooking for beautiful images. And a color theme. As a by-product, I took the opportunity to learn deeper Apple's Keynote. And could feel the creative feeling I don't find in neither Google Slides nor Microsoft Powerpoint.

And I tuned my speech and my key points. Over and over, finding my transitions and my core messages. According to the time frame, that is.

And I made sure I was sticking to the time: ten minutes for each topic is short.

I practised and rehearsed a lot.

In the end, I had fifty slides (!), but believe me: a graphical slide is brief and powerful. Skipping through all of them is easy as you speak, and one can keep a high pace and retain a high attention from the audience. The opposite of boring.

But one has to find a balance: too much is too much. I thought I had found mine, as no one told me it was too long, and thanked me for the presentation.

Pro tip

When ideating/creating: set up a specific trigger and context to bootstrap quicker. It could be a place, a ritual, a given time. In my case, because I was in my Synthwave musical period, I went with this playlist on Spotify:

Retrowave Synthwave playlist cover
Retrowave Synthwave , by Cheerzo

I played it each time I worked on my speech and slides, so that I had a specific trigger and context to enter my flow zone. It really helped to focus and boost my creativity quickly.

It works for me, at least!

Presentation day

I woke up at 4:30am, took a flight to Paris (I'm 800km from there) and then took a taxi to reach the office.

Being very early, I took time to recognize the area to feel confident. I took a walk in a nice green park nearby, very quiet in the early morning.

I took my time, got slowly closer to the office, then sat outside a cafe and took a breakfast with a delicious French croissant. Why not relaxing and enjoying the time?

I did not need to review my deck, because I rehearsed like hell the days before (until I mastered it as I wanted 3 times in a row). I knew what I wanted to deliver and I was feeling ready. No need to stress when you are confident, right?

The remaining part of the day is delivering the presentation the morning, meet wonderful people, have lunch with a couple of them and flight back home with the satisfying feeling I performed as I wanted.

I got positive feedback the following days, and I did another round of interview with the leaders from the other departments.

Then I left in family vacations for the summer break. Somewhere in the middle of nowhere with a very weak paying wifi and no cellphone signal (it looked like my very own Telecom background wanted to block me: how ironic!).

But I did get my offer when I was there (cellphone were working not so far away), hundreds of kilometres away from home: strange but happy feeling!

The deck

If you're curious, you can have a look at my slides:

2021-07-21 Emmanuel Roubion PM Panel presentation.pdf

Fair warning: if you read correctly above, you will see they will look a bit empty without my speech on top, due to the style I adopted. But I am happy to share anyway.

Also note: I'm not saying they are the best slides you ever saw (they're probably not). And they were likely not the turning point of my hiring process. I guess they were useful, and as important as the others in my opinion. Yes, they did consume more energy though 😅

Takeaways

My story shows that yes, you can change market as a PM, but you have to prepare and show you already know a bit.

I did use a bit my unfair advantage in my case: probably PMs can be generic enough in their role, but it's true that choosing between two similar PMs, the one with prior experience of the market has an advantage.

Also, you saw smart questions that served several agendas. The team I worked with next was indeed quite smart. It's a good sign to have great questions!

Having a good balance with the PM aspect and the industry aspect is probably how to get as much as you can in an interview. In my case, Cybersecurity was the lingua franca and testing my knowledge with the engineers who did not have a PM before was probably a smart way to handle the situation.

And when you have to prepare: use your tricks to reach your flow zone quickly 😉.

Your mileage will vary, and mine was a very nice experience I wanted to share.

Comments?

I am experimenting with the CommentBox comments service provider. It seems reasonably privacy-friendly but please do check their Privacy Policy and Terms of Service. Or you can always contact me here.