A Sensei is someone who helps others to develop, learn new skills, find personal success, achieve aims and accomplish personal challenges. Consultants work with one or more Sensei who can help them progress along their chosen “Pathway” and obtain the “Badges” that they covet. They will work with many different Sensei over the years. All of our Mentors and Sensei receive support, guidance and training for their roles.
- A road map that supports progression in a given direction
- Routes to progress that are technical, non-technical, focussed on a service and/or focussed on skills
- Support for the forging of new pathways (this is very much encouraged)
Pathways are designed to illustrate routes that, if a consultant chooses, they can traverse. They show possible stepping stones that will help them get where they are going, but also give the freedom to get where they are going any way they like.
What inspires the team at MWR is not job titles or arbitrary incrementing integers. Traditionally in the cyber security field, advancement has been recognised by way of a job title and grading. But that’s not very exciting is it? At MWR, we get excited about learning new things, doing great things and seeing the value we bring to our clients.
Not all career paths lie in consulting. Some in the team have more technically focussed ambitions. Some have no interest in becoming a senior consultant and instead are motivated by advancing their hardware hacking skills, their mobile hacking skills or being able to rob banks. As a business, we consider each of these ambitions to be as valuable as each other; we aim to support, recognise and reward all of our people's personal endeavours.
Pathways have been designed to illustrate how a consultant with a particular skill set or consulting level can progress along defined career paths. For example, a consultant who has an interest in becoming a leader or manager, can clearly see a way to achieve that within an “Operations” pathway. A consultant who is more motivated by gaining lots of technical experience delivering a variety of services for our clients, may choose the “Delivery” pathway. A consultant who wishes to purely focus on finding 0days and breaking things may choose a more “Technical – Research” pathway etc. Some consultants will simply invent their own, if none of the ones on offer quite resonate, and most consultants will have changed their pathway at least once in their career. There is nothing to stop this happening and it is actively encouraged.
Pathways are designed to illustrate possible ways to progress into roles that we as a business have recognized as being essential to our current situation and future ambitions. But if we’re missing a trick, and things change (as they always do), then we will create new ones. None of the Paths are linear, they provide logical milestones for a personal journey. But our people can take any route they like. Their achievements are recognized no matter how they choose to traverse their path!
To progress along a given pathway, certain skills, experiences and proven capabilities must be acquired. To enable this and to recognize such achievements, pathways are supported by “Teams” and “Badges”.
We enable development in many ways, including the provisioning of various training courses. Each Pathway is mapped to a training profile that combines educational opportunities, which is managed by a bespoke learning management system called Akademy. The Akademy itself contains a library of pre-defined training courses, some of which are delivered in a classroom, some are self-study and some are secondment or placement-based. It provides a way of standardizing the training that MWR offers while allowing everyone to benefit from the material there and contribute to it; yet still offering individual focus during secondments or placements. Pathway profiles consist of combinations of MWR developed training , internal training materials and workshops, and the offerings of trusted external providers such as MDSEC , Alex Ionescu or Saumil Shah, to list a few examples. Where appropriate these also include training that prepares for desired certifications, including but not limited to those such as CREST, SANS, Offensive Security etc.
The success of a lot of the technical training we do relies on the use of sophisticated labs that replicate numerous technologies and setups that we find in the real world. In order to facilitate access to all our training labs globally, we developed Playground. Playground is MWR’s cloud hosted training platform. It allows each consultant to spin up their own dedicated instance of a selected training lab, so that they can learn and play in a safe environment. Playground is very versatile. Consultants use it when they want to practice new skills or create labs to teach and share interesting things that they have learnt with the rest of the company. We also use it to facilitate “Capture The Flag” style events and, in general, to deliver on-demand training infrastructure to our clients.
For example, let’s imagine you wanted to learn about ways to compromise a Windows estate. You can go to Playground and spin up one of our labs, “BazaareCorp”. This is an entire Windows corporate network, complete with fake bot users that can receive and open emails. The lab comes with a guide, divided into different modules, that walks you through executing a phishing attack, handling C2 connections, pivoting through the compromised workstation and eventually compromising the whole Windows domain through a variety of techniques that we commonly use in our engagements. The guides on Playground offer enough direction so that a person new to the topic will be able to learn and accomplish the objective without being spoon-fed all the steps; at the same time the versatility of the lab infrastructure also allows consultants the chance to experiment with different tools and techniques beyond what is required/included in the lab documentation.
Sensei also offer various 1-1 learning sessions, where various skills are taught and acquired in more personal and tailored development dojos.
Not all training and educational profiles are technically focussed. We also support the development of leadership, performance and soft skills using the services of partners such as https://www.theglobaledge.com and http://www.bobdowd.com. Many of our leaders receive regular 1-1 personal performance coaching sessions to support their professional development.
Consultants are also free (and encouraged) to attend conferences, industry events, fill their book shelves and/or identify other training opportunities that align with their ambitions. Basically, we want all our people to seize every learning opportunity possible. We don’t put a cap on such things and we don’t want to make it difficult for anyone looking to better themselves.
The introduction of the new apprenticeships, most notably the roles of Cyber Security Technologist and the Cyber Intrusion Analyst, has provided an ideal opportunity to map our profiles and learning opportunities to these standards so that anyone attending the MWR Akademy can obtain national recognition for their achievements.
The training and personal development on offer at MWR is not a one-off gimmick; it is something that is deeply embedded in our culture. Everyone loves learning and developing and takes immense pride in it; the environment is designed to promote and reward that. We invest hugely in this to ensure that consultants are not missing out on development opportunities. Some modules last several days, others a few hours, and consultants are given dedicated time for this.
We don’t believe in rigid hierarchical management structures at MWR, instead we like to be a little more creative and trusting of the talented people we have working here. We’ve found that small autonomous groups of smart like-minded folk achieve great things when they work together. We do our utmost to create an environment that fosters this approach.
Each team has a charter. This is basically a list of Objectives and Key Results (OKRs - https://www.perdoo.com/blog/okr-vs-smart-goals). OKRs are a simple tool we use to create alignment and engagement around measurable goals. Each team has a small list of objectives, and the realization of those objectives is evidenced by the results it produces. Once a team has met their OKRs, the team’s focus may change by producing new OKRs.
Teams structures consist of a ‘Team Lead’, ‘2nd in Command’ and a number of ‘Team Members’. To remain agile and productive, teams should ideally have no more than six consultants within them. Their purpose is to bring together a group of consultants to better themselves, deliver strategic projects, enhance existing services or build new onesHowever, we don’t want anyone to be dissuaded from forming teams that do not fit into these buckets. Consultants are encouraged to come together and form new teams for whatever exciting reason they have. This is about nurturing innovation and creativity, not stifling it by with excessive restrictions.
We have a large professional services team, filled with consultants who are skilled in a number of different disciplines. Some consultants choose to align themselves with several of our existing service offerings and as such, they choose to join multiple teams to allow them to get involved with a variety of projects. Others choose to specialize in a particular field and focus their time and efforts on a single team with the ambition of leading or being the 2nd for that team. We also have a number of services and areas that some consultants aspire to specialize in. Such consultants look to join teams that will bring them closer to that goal. We also have some really talented folk who want to forge new paths, shake up the industry and push things forward. These consultants are free to spin up new teams and take us to new and interesting places. Teams are there to support all of our people in whatever it is they want to do – because we recognize that given this freedom – whatever they do will be awesome.
Badges allow us to recognize, reward and promote consultants’ achievements as and when consultants pick up a new skill, do something cool or demonstrate impressive levels of awesomeness. We don’t do this on a calendar-dictated schedule – such as at biannual appraisals or reviews. They are an integral part of our progression framework.
We use badges to tokenise the acquisition of skills and capabilities but they can also serve to symbolise valuable contributions to the company or team. They can also be leveraged to illustrate a clear path of progression. For example, a number of badges may be incrementally combined in a stepping stone fashion so that they illuminate possible pathways for consultants to achieve their individual career ambitions (these may or may not align with pre-existing paths). Progress along a chosen path can be illustrated by the badges that have been obtained.
There are hundreds of badges that have been created by the consultants within the professional services team; these badges are awarded to consultants by their peers. It means a lot when the people that you work with and respect take the time to recognize your achievements. To facilitate this, we use a peer feedback process.
Some badges carry really desirable rewards. These range from gift tokens to experiences (sniper shooting, acting classes, track days) as well as cool toys; the latest gadgets that produce feelings of envy in small children, geeky friends and colleagues!
||Shock Troop, awarded for acquiring the skills required to take and pass OffSec OSCP and/or CREST CRT examination.
||All Your Base, awarded for obtaining domain / enterprise admin on multiple penetration tests.
||Appsolute Boss, awarded to those who are masters of all things AppSec.
||Hunter, awarded to those who show distinct prowess in Blue / Purple Team activities. Those that have evidentially improved clients' detection and response capabilities.
||Labs Advisor, this is earned when a consultant’s works are published on the esteemed MWR Labs site.
||Radiographer, a badge of significant honour for the most impressive of reverse engineers.
||Voight Kampff, signifies the holder possesses superior skills in relation to the Android operating system and mobile devices.
||Advanced Persistent Threat, awarded to the Red Teamer that never fails to get in and out undetected.
The above is a small sample of the available badges that our consultants covet. Each team has on average 10 badges that illustrate a progression path within a discipline or field. But consultants are free to work towards achieving any that they are enticed towards, regardless of seniority or team memberships that they’ve opted to self-identify with.
Achievements are recognized and communicated to wider audiences through the feedback system. This is where badges are also awarded to tokenise accomplishments. This can be done via a web app, or even a slack bot. The idea is to make it simple and easy to give feedback. Feedback is given and received by peers, mentor, sensei as well as managers. The system is designed to capture constructive feedback from all the sources that matter. You’ll never wonder how you are doing, how you are progressing, how you are thought of – you will know. The team will know (and your mum will be so proud – we promise, show her your laptop sticker of a storm trooper or the one that says “Media Whore”).
That’s a lot to take in, so to summarise as briefly as possible….
You can choose from a number of pre-defined career paths at MWR. Your mentor will work with you to help you along your chosen path. Sensei will work with you to teach you the skills that you wish to acquire, so that you may take on new roles or do new and exciting things. You can take any direction you want, you can get involved in any service or field you want. You will not be restricted in any way. You will know how you are doing, because those that you work with, your colleagues, peers, sensei and mentor, will provide frequent feedback, on you. There is a whole training and education framework which has been designed from scratch to support you, educate you and bring out the best in you, where the content is maintained by those who are doing the job that you want to be doing.
As and when you pick up new skills or accomplish great things, your achievements will be tokenised and rewarded. Your awesomeness will be known to all – as you acquire many, many, many different badges that you can wear with gushing pride.
The reality is that this job is not for everyone. It is sometimes intense; it will push you, challenge you and give you both technical and life skills that will change you as a person. It doesn’t really matter what you currently have; we’ll bring out the best in you if you let us. And if it is for you, there’s no better job in the world.