Alternative InfoSec Career Recommendations
I have been in InfoSec for a long time, so people seem to think I can dispense sage wisdom on Information Security careers, for themselves or for their kids. Instead of answering each one individually, I thought I would sum up my 40 years of experience here so I can share it and refer back to it in the future.
I can summarize my sage wisdom in two words: "Soft Skills".
In my career, some of the best InfoSec colleagues I have known are those who could make me laugh, build trust, serve others, act with deep integrity, build consensus, negotiate win-win outcomes, improvise and remain calm in tense situations, speak in clear, simple, short phrases, draw pictures, use analogies, prioritize based on objectives, and have my back on good days and bad.
Why are these skills so important in an InfoSec career?
If you are about to start university courses, you can eventually learn to hack, write scripts, click deploy, write a policy document, be the tech hero in an attack scenario, etc. Smart lone wolves are valuable in certain situations, but they can never hold back waves of nation-state attackers. They are only a tactical defense, a sniper in a WWZ zombie movie.
Whether it's defending against lone hackers living in their mom's basement with all the time in the world or a nation-state team attacking critical infrastructure, groupthink is the only enduring defense. For me, Information Security is 75% people skills and 25% technical. People who have the ability to encourage cooperative groupthink in both strategic and tense tactical situations are the true InfoSec professionals for whom I hold the greatest respect.
In the old days, production deployments took 6 months to 1 year. We had time to familiarize ourselves with the product, observe its normal and abnormal behaviors, and recommend security modifications. In these days of agile CI/CD development and two-week sprints, deployments happen several times a day. Traditional InfoSec defenses can no longer keep up with the velocity of software deployments. The application and the developers are our new firewall. Shifting left into the development teams is the ONLY enduring strategic defense. As true InfoSec professionals we have to embed ourselves into the development teams, or we will spend our careers believing we are Kim Yo Jongs issuing decrees that our loyal followers will blindly embrace.
Ask yourself… can you?
| Area | Can you? |
| --- | --- |
| Development | Can you convince a development team that has two-week sprints to implement their own security reviews on pull requests, include security sensors (not related to their primary objective) in the application, remove secrets from their code, and remediate vulnerabilities detected by DAST, SAST and SCA in the CI/CD pipelines? Remember, developers are financially incentivized to produce functionality. Security tasks just create more bugs, slower code, slower sprints, more testing, more complexity, pissed off marketing people, etc. |
| Operations | Can you detect abnormal behavior in an app that has a production release every day with new functionality? |
| Incident Response | Can you guide an incident response team, which includes non-security personnel, through a distributed attack scenario where groupthink and information sharing are critical? |
| Architecture | Can you motivate your architecture team to re-architect a broken authentication infrastructure? |
| Management | Can you convince management and marketing to incentivize not just functionality but also security efforts? Remember, functionality produces cash flow; security features are a liability. |
All the above scenarios require years of experience and patience, so you might as well start developing a collaborative personality now. Python, infrastructure-as-code templates, buffer overflows and CI/CD pipelines can all be mastered in months, and as you move through your career you will forget some technical skills as you learn new ones. But soft skills are enduring. You will always build upon and refine soft skills in order to solve the above scenarios.
Of course you will need the university InfoSec basics, but as you choose your electives, mentors or outside activities, I suggest you think long term with some non-traditional alternatives. These are my recommendations for skills that you will use throughout your career and that will earn you true, lasting respect from your peers:
| Category | Skill | Why it matters |
| --- | --- | --- |
| Books | Negotiation | Look for the long-term win-win, not just a path that feeds your ego, or people will avoid you in the future. |
| Books | Building Personal Relationships | Trust is the foundation for any security program. If people do not trust you, they will go around you or ignore you. Look up Dr. Gottman's books; they changed my world in life, love and work relationships. |
| Books | Motivation and Leadership | Get others to believe they are the masters of their destiny and that you will always have their back. |
| Books | Business Finance | Money, not logic, rules the world. Get used to it and learn to play within its boundaries. |
| Books | Anger Management | Replace your ego with laughter and you will win many battles. Praise in public, admonish in private. |
| Books | Priority Management | Learn to prioritize based on cost, benefit, threat, risk and impact. |
| Books | Sales Techniques | Just because you have a good idea does not mean people will back it. Learn how to sell your ideas by getting people to buy into them. |
| Activity | Improvisation | Get outside your head and learn flexibility: thinking fast, anticipating others' thoughts and movements, playing into the big picture. |
| Activity | Comedy classes | Making others laugh is worth thousands of pages of security policy manuals. Make people laugh at your faults; believe me, you have a lot of material to work with there. |
| Activity | Rock Climbing | Team building, trust, risk management, focus. |
| Activity | Art classes | Express your ideas in pictures instead of a thousand words. |
| Activity | Listening exercises | You listen, but do you hear? Do you really understand what developers and management are struggling with? Until you do, you will not be able to fit your agenda into the business solution. |
| Activity | Escape rooms | How to work together in teams in tense situations to solve problems. Can you lead the team? |
| Communication | Draw cartoons | Express your ideas in pictures to capture attention and tell a story with humor. |
| Communication | Public Speaking | Can you capture a crowd explaining what information security is? Can you make them laugh so hard they cry? Will they go home and tell their friends and family? |
| Communication | Teach with Pictures | Try teaching your parents, spouse or kids a topic you are interested in using only pictures and no words. Then see if they can repeat the lesson to someone else. |
| Technical | PowerPoint | Become a PowerPoint expert with pictures. Tell a story. Get rid of the details. Add animation. Capture attention. This is how you sell your ideas. |
| Technical | Excel | Become an Excel expert: pivot tables, graphs. You have to put your statistics and probability courses into real life to prove your ideas with numbers. Like PowerPoint, it captures attention, but with facts. |
| Technical | 3D animation | Become a Blender 3D expert. It is a great skill for both building websites and presentations. Once again, it captures attention. |
These soft skills will help you not only in your career but also in your personal relationships. And that is what is sorely needed in building the next generation of human firewalls.
Many thanks to Gene Leonard, my mentor, for showing me the way.