Are you a top-down or bottom-up person? It will matter when switching careers in cybersecurity

Are you a top-down or bottom-up person? The answer to this question matters if you are thinking about switching into cybersecurity or moving laterally within it. Read on.


In “Build: An Unorthodox Guide to Making Things Worth Making”, Tony Fadell talks about bridging top-down and bottom-up thinking. One example is in chapter 1.4, where he urges people not only to look down but also to look up. Those tips are worth reading.

I have seen the following two ways in which people think and learn. While the examples are from my field (information security), I believe they apply more generally.

I don't think one way is better than the other. However, I do think that if you pick a vocation, skill, or career path that runs contrary to the way you think and learn, you will have to be ready to invest more time than you normally would and to expect difficulties.
  1. Top-down
  2. Bottom-up

Top-down person

  1. Thinks in systems and in the interconnections between components before learning about any specific component. Comfortable with abstractions.
  2. Focuses on understanding the big picture first, then doing. E.g., reads the table of contents and the section on how the book is organized before reading the book.
  3. A fish in water in professions that need system-level thinking (the oft-abused 'big picture' view) and execution: auditors, risk assessors, project managers, architects, people who do architecture reviews, designers, senior management, stockbrokers, market analysts, economists, etc.

Bottom-up person

  1. Prefers doing first and learning along the way. E.g., prefers a hands-on workshop to reading a book.
  2. Uncomfortable with abstractions.
  3. A fish in water in individual-contributor roles such as security testers, programmers, and bug bounty hunters.

Bottom-up people can do top-down work, but it will take them slightly more time (to account for moving from component-level thinking to system-level thinking).

  • E.g., if a penetration tester wants to become a security auditor, the tester will have to learn how each vulnerability rolls up into a risk (not every 'high' severity vulnerability is a 'high' risk, even if it may result in RCE: severity rates technical impact, whereas risk also weighs likelihood, exposure, and the business value of the affected asset), how that risk is translated into an audit finding, how to articulate remediation for the finding (people, process, technology), how the findings are assembled into a report, how that report differs from a pentest report, and how to present the audit report to the customer so that the findings result in a holistic improvement in the customer's security posture. This takes time.

Top-down people can do bottom-up work, but it will take them more time (to account for learning about the individual components rather than the holistic picture).

  • E.g., if an auditor wants to become a penetration tester, the auditor will spend time learning about the various pentest methodologies, tools, and technologies, and how they all fit together, before learning how to actually do the testing. This takes time.

Knowing your thinking and learning process (top-down or bottom-up) is crucial in general, but it takes center stage when you mull over a career switch. E.g., if you want to become a manager (rather than remain a pentester) without understanding what that entails (hint: testing takes a back seat; managing the pentest project, the pentesters, and the customer becomes the primary role), it may result in burnout.