Tip 1: Don’t be afraid to start, but also don’t attempt to boil the ocean

I am regularly approached by people who want to get into the cybersecurity profession. In almost every case I am asked two questions:

  • “How did you get into the industry?”
  • “What stuff should I learn?”

My answer to the first question is not the most helpful. Like many of my peers I “kind of fell into it at the right time”. Admittedly, as career advice goes, this is pretty useless. Truth be told, I also struggle with the second question.

If you are anything like me then the temptation is to try and learn everything at once. After all, that’s what books and the internet are for, right? When confronted with this task people tend to go one of two ways, depending on their foresight. Some see the sheer size of the subject area and never start, while others forge on and, after some time, give up disheartened and disillusioned.

The inconvenient truth is that the subject matter is too wide and the depth of information out there too deep for anyone to “know it all”.

Top (bonus) tip: Anyone who claims to know it all probably knows less than you already do!

The simple truth is that we cannot know everything any more than we can boil the ocean.

It is very difficult to reel off a comprehensive list of “must-knows”, especially considering how fast the industry is moving.

I thought to myself, why not consult job advertisements and reverse engineer my advice. Surely hiring managers will know what they want?

A good friend, and probably the cleverest person I know, Mark Carney (@largecardinal), disagrees.

He conducted extensive research into the job market and found that job specs are about as helpful as my advice on “just falling into the profession”. A title such as “Security Analyst”, and the skill requirements listed against it, can cover anything from Penetration Testing to Incident Response to a front-of-house security guard.

It was for this reason that he developed a soon-to-be-released skills matrix. This is a very practical resource for professionals and hiring managers alike: it helps ensure that the skills a role actually needs are identified, and filled comprehensively, rather than guessed at from a job title.

Another respected member of the information security community once commented on skills and competencies that:

“It doesn’t matter one bit if you have the skills to perform aerial acrobatics in a plane. If you don’t have the skill to both take off and land, you cannot be a pilot.”

For this reason, both those who hire security professionals and the professionals themselves should take steps to understand exactly which skills they need.

When there is an understanding, the path and the destination become much clearer and achievable. A good start would be to engage with Mark’s work.

Tip 2: Know yourself as well as you know the technology

One of the latest topics to be widely discussed in the cybersecurity community is the crippling and confidence shattering issue referred to by many as the dreaded “impostor syndrome”. This is insidious and, like process injection, can hide itself in the scenarios of Tip 1 and Tip 3.

Have you ever caught yourself comparing your own lack of knowledge or skills to someone else’s and resigned yourself to the sad “fact” that you are simply not good enough?

Alternatively, if you have overcome that first hurdle and actually engaged in some “offensive security”: do you get a sinking feeling of dread when you hand your report in for peer review? Do you sit there, behind your keyboard, waiting to be “found out”?

If so, this message is for you…

The way in which we interpret what is real around us works much like the visibility that monitoring tools give us into the technology we seek to protect.

If our source data is inaccurate or corrupted in any way, then so are our conclusions. I saw this once when examining a file server that had been compromised. The internal tools stated it was behaving normally. However, upon closer inspection it was “backing up” user data to many locations around the world.

Often, we hold inaccurate beliefs about our skills and our status as members of the information security community, or indeed as members of humanity generally. These mistaken beliefs can cripple not only our effectiveness in protecting systems but also our lives more broadly.

It is important to have an accurate and comprehensive understanding of the makeup of the technical environments we seek to protect. In the same way it is essential to have a comprehensive understanding of our core beliefs of who we are.

If a person starts from a core belief of “I’m useless and I’ve only been able to get this far on luck alone”, then no amount of training, certification, or conference attendance will fill that void. If unhelpful core beliefs are holding you back, seek help to identify and challenge them.

To build a sustainable community, ready and able to react to the ever-evolving threats against wave after wave of new technologies, we must safeguard the health of that community. This involves support, but also challenging the negative trends that would corrupt or subvert our sense of worth.

You are not an impostor!

For this reason, be excellent to each other – and also to yourself.

Tip 3: Learn to write (amazing) reports!

Whilst the popular conception of ethical hacking, and infosec in general, may be all black hoods, Mr. Robot and/or skateboarding sysadmins from the film Hackers (if you, like me, are from the 90s), the reality involves a considerable amount of report writing and process.

It is not acceptable simply to break into an environment and say “TADAA, I’m in!”

Speak to any seasoned Penetration Tester or Security Analyst and they will describe a roughly 80/20 split of time between report writing and attacking. (For clarity, the 80% is the report writing. Sorry, folks!)

It’s the quality of the report that matters. Again, simply printing and rebranding the output of a tool is not good enough.

We, as technical security professionals, have a responsibility to open up knowledge about protecting what really matters. All too often we do the opposite. Detailed descriptions of how we deftly evaded ASLR may make us feel clever, but they do nothing for our non-technical audience, who, ironically, are the people paying us!

The ability to identify the findings that really matter and convey them in a business-relevant way is a skill that is sadly quite rare. For many of the technical among us, it does not come naturally.

For this reason, strive to be amazing at this!