This is a five-part series about getting a job, keeping a job, and staying healthy as you progress in your career as an information security professional. There is no one way to do things; rather, there are many. I won’t cover all advice, or THE advice; I will offer my advice. Some of the information covered in this series is also found in my book, Unsecurity, chapter 10.
The series consists of the following articles:
This is the fourth installment in the aforementioned series: Becoming Good.
Becoming Good – Introduction
Assuming that we’re progressing through this series in order, maybe you’ve landed your first job! Your first gig! Good for you!
If you’re like most* of us, you’re going to progress in your career. Some will progress because it’s just the natural thing as a function of time and opportunity. Some will progress because they deserve it, because they’re damn good at what they do!
It’s one thing to be an information security professional; it’s an entirely different thing to be a good information security professional. I say “professional” because we get paid, and I also use it as a generic term to apply to all the various types of jobs we do in this industry. Here’s a small sampling:
- Chief Information Security Officer
- Chief Risk Officer
- Penetration Tester
- Security Researcher
- IT Security Engineer
- Information Assurance Analyst
- Security Systems Administrator
- Senior IT Security Consultant
Every position in our industry plays a specific role in an organization and comes with specific responsibilities. The specific responsibilities may not be documented (a different issue), but that doesn’t mean they don’t exist. They exist, and they’re not the same from position to position. Each role in information security requires the mastery of certain skills.
Are skills all it takes to be “good” though? The answer is NO. There’s more to it than that. Read on.
*NOTE – I use the word “most” because it’s generic. This means there are exceptions. Some people (the leftovers from “most”) have no desire to take on additional responsibilities in their career; they’re content right where they are. Perhaps they’ve reached the top, or maybe they’re just OK with their place in the middle, or at the bottom somewhere. If you haven’t reached your potential, it’s sad to leave so much of it untapped.
Not Good? – You’re A Problem
When you’re not good at your job, there’s a good chance someone else, or many someone elses, pay the price to compensate for your lack of goodness. Sure, information security is about managing risk, not eliminating it, but your lack of “good” leads to poor risk management, and that costs someone something.
You see, information security isn’t as much about information or security as it is about people. It’s always been about people and it will always be about people. The more you and I suck at our jobs, the more people suffer for it. Sure, we can’t eliminate suffering, but we can do the best we can to make it less likely and less impactful*. If nobody suffered, there wouldn’t ever be a need for what we do.
The less good you are, the more people will suffer (in general).
*Less likely and less impactful ring a bell? That’s risk. The likelihood of something bad happening and the impact if it did. That’s the layman’s definition of risk.
If you’ve been around long enough, you can think of dozens, even hundreds, of examples where bad advice was given, an organization suffered for it, and through that, customers also suffered (eventually). If you haven’t been around long enough, here’s a quick example off the top of my head:
You advise an organization to buy a SIEM solution because monitoring and alerting is a good thing to do. They spend $100K+ on the SIEM and struggle over the next 6-12 months to get it working right (operationally). Great. They don’t patch and they have no asset inventory. Two questions then: 1) was SIEM the best place to spend the $100K+, meaning was it the most significant risk, and 2) how effective do you think the SIEM is going to be when the company doesn’t even know what assets they need to protect?
Was there more harm done than good? The devil’s in the details, but yes. There was more harm than good. Money is a limited resource and constraint; therefore, it must be spent wisely. The money spent on SIEM should have been better spent on the organization’s most significant risk(s), not on a technology because it’s “a good thing to do”. The most significant risk still exists, and customers are still more likely to suffer for it.
Simplified example, but you get the gist. Well-intentioned security professionals aren’t always aware of the harm they cause, and this might be most obvious in the rapid growth in consulting.
We see consultants all the time, and they come in all shapes. Some are really good people with great intentions to make a difference. Some are a little less virtuous, wanting to make as much money as possible, regardless of who they help or harm. Both types of consultants can be dangerous if they’re not good. That’s the simple truth.
Read some books, passed some tests, bought a laptop, and set up a website. You are now an information security consultant! You’re smart. You have the best intentions. You’re likeable, and you’re inexpensive. You’re ready to advise organizations on what they should do to secure their livelihoods, right?
Mmmm. Maybe, but God I hope not.
There’s more to being good than that. It takes more than skills and more than good intentions. More than reading books, and more than passing tests. Smart helps, but there’s still something missing.
If you’re going to be a consultant, get good first. Please.
It’s easy to convince someone who’s more ignorant than yourself that you’re an expert. Use buzzwords, look confident, talk fast, and you’re well on your way. But you’re not good (yet).
- Good consultants don’t need buzzwords, they can explain things in plain English so that others can learn and apply concepts.
- Good consultants are confident when they’re doing what they’re good at. A good consultant will admit when they’re not good at something, but they usually know someone who is.
- Good consultants talk at the pace of their audience. They’re not only good information security professionals, they’re also good communicators.
I could write all day about good versus bad consultants. I’ve probably gone too far already.
What about you? Are you already good? We’ll see. Let’s explore how to get good!
How to Get Good
One more thing before we dig in. Are you a sports person? If you are, you’ll get this a little better than those who aren’t. In sports (depending on the sport), there are players, coaches, and player/coaches. Players perform on the field, or behind the keyboard, or wherever the game is being played. Coaches mentor, teach, lead, and prepare their players for the game. Player/coaches do both; they’re typically really good coaches, but they don’t play as much as they used to.
I say these things because I’m a player/coach. I don’t play nearly as much or as well as I used to. It’s important for you to know that as you consider my advice.
I assume you’re here because you want to get good. So what does it take to be a good information security professional, or good at anything really? Like most things in information security, the concept is simple, but the application is hard. There are three simple ingredients; intangibles, education, and experience. Anything else is icing on the cake.
These things (or ingredients) are in the book, they were in a recent tweet (above), and they’re also here. Consistent message from me because it’s truth.
Words of caution…
It’s important that you don’t rush things. There’s enough stress in most information security jobs, and I highly recommend that you refrain from adding the stress of trying to outperform yourself. Take your time, keep moving forward, don’t take shortcuts, and you’ll be fine. I know there’s lots of opportunity out there, and I know there’s a ton of money to be made, but my best advice is DON’T RUSH. The opportunity and money will come, and you’ll be healthier for it, if you do things the right way.
You might recall that I also covered intangibles in the second article of this series (The Right Person). Intangibles are things that can’t be taught. You either have them or you don’t. There are moral intangibles, like the ones covered in the previous article, and there are gifts (sometimes called natural talent).
Some people are just gifted for certain things while others are not. Do what you can to find your gifts or strengths early and often. The sooner you understand what you’re gifted for, the sooner you’ll find what you’ve been built for. The information security field is broad enough to accommodate a wide variety of gifts, so don’t fret about that.
Get honest with yourself and discover what you’ve been built for, but how?
I don’t think that there is any one way that works best for everyone. Meditation works great for some, but not others. Faith works well for some, but not others. Therapy and/or counseling works well for some, but not others. I’ll share what works for me, but let me remind you that you may not get the same results. I find my honesty and gifts through faith, and I found good value in a book called StrengthsFinder. My faith provided a foundation, while StrengthsFinder led me to what I’m naturally good at.
Find what your gifts are and keep seeking. No matter how good you get at knowing yourself and your gifts, you’ll still need to engage in some trial and error. You will learn what you’re gifted for over time (if you focus on it), but you’ll need to find the courage to act.
I include skills with, or under, education. There are millions of opportunities to educate yourself. Some people prefer a formal college degree, some don’t. Some people prefer certifications, some don’t. Some like books, some like instructor-led courses, some prefer video. Whatever method of education works best for you, do it. Then keep doing it. You will never learn everything there is to know. Learning is awesome. DON’T EVER STOP LEARNING.
If you stop learning, you die. At least your career does.
Find the learning resources that work best for you. If you recall, I shared some learning resources in a previous article too. One learning opportunity that I personally invite you to is the FRSecure CISSP Mentor Program. It’s free, and it’s a great opportunity to learn (and share).
Experience is the one ingredient that I see new information security professionals struggle with the most. It’s because this is the one ingredient that takes the most patience. People who de-emphasize the value of experience are some of the most dangerous information security people in our industry. Without experience, we lack the street smarts to know how things will really (or actually) work. Education and skills will teach us how to do stuff, but we won’t learn all the circumstances, context, and “oops” moments unless we’ve done it before (or been with and witnessed someone else who did).
The experience catch-22: you need experience to do something (or progress in your career), but the only way you’ll get experience is by doing the something. The experience catch-22 sucks, doesn’t it? Here are some suggestions to overcome it:
- You might need a mentor to take you under his/her wing a little.
- Sometimes we have to take calculated risks, like doing something that we’ve never done before, but doing it in a way that will be calculated and not reckless.
- Hate to admit it, but sometimes we (hopefully slightly) fake it until we make it too.
Combating the experience catch-22 isn’t easy, but you can find your way over it (or around it) if you’re focused and determined.
Wrapping This Up
That’s it. Want to get good? Focus on you. Work on what you’re gifted at, get educated, and get out there and take your lumps in the real world. If you lack experience in something that you need experience in, go get the experience, even if it means a different job. At the end of the day, you work for you (ahead of your company).
Whatever you do, don’t ever try to be someone you’re not. You will fail, and you will fail those who believed in you.
We’ll wrap up this series in our next article. Once that article is complete, we’ll compile this series into a small ebook for you and anyone else who liked it.