Inspiring Advice from 5 InfoSec Pros

July 8, 2015

This is the second in a series of posts on other people’s advice for growing your information security career. The first post is here. Thank you to all of the people who contributed to each post. I’ve linked the heading before each quote to that contributor’s LinkedIn profile so you can read more about them.

Let getting into a comfort zone be your cue to move on to a new subject. Join user groups where the focus is something you don’t know… until you know it well enough. Security is a cross-cutting concern. It’s also cross-discipline.

Try to understand the business even when you lean mostly toward technology. Technology enables and often simplifies processes. It’s rarely ever the case that your job or anyone’s job is all about technology. Seek business mentors.

Work on communication skills. Volunteer to present, even if you hate the idea. You might be the smartest person in the room, but if no one wants to listen to you, what is it worth? Realize you’re not the smartest person in the room and deal with it. Learn how to speak in a way that makes people want to listen. Make yourself a go-to guy.

Finally, realize that the goal of security is not to turn all the knobs to 11. Figure out when 5 will do and learn how to make the case for less.

Discover what your natural built-in Strengths are and then align your career choices with your natural Strengths. After 25+ years of placing people into jobs, I’ve come to the conclusion that most people go through life settling for what they “Can” do and never figure out what they “Should” do. Aligning one’s work with one’s natural Strengths sets a person up to deliver a Great performance.

My advice for security professionals has been to not overlook the “softer side” of security, which includes building business cases, presentations, and stakeholder management, as they represent areas that keep you talking with key decision makers and relevant. Learning to manage Layer 9 (i.e., politics) is critical!

Look at InfoSec holistically — it makes no sense to put an extra deadbolt on the door, if the window next to it is unlocked, so to speak. Go get the skills and breadth to evaluate risk across the enterprise (not just technology), and make balanced decisions about where to spread limited dollars against essentially limitless risk. I spend a lot of time thinking about “metrics that matter” to drive good behavior, and frameworks like Cynefin to apply effective techniques for the situation. Lastly, when in doubt, focus on the data! Oh, and assume you’re already breached, so how are your reaction/triage/communication skills?

I will address Application Security, which, according to Alex Stamos, formerly of Yahoo security fame and now CSO at Facebook, is eating security.

Application Security has the biggest leverage on security outcomes, in my opinion. If you want to get into this exciting segment of the field, here is what I recommend to get started.

First, be a good programmer. Without great skills in programming, you will be at a serious disadvantage.

Which language? Pretty much any mainstream language, such as

  • C
  • Java
  • Python
  • Lisp
  • Others

What are some of the other qualifications?

Probably the most important is a deep curiosity about how things work: a web stack, a crypto library, distributed processing, parsing, networks, and cloud services. You may not have mastered them, but the ability to quickly dive into an area you haven’t seen and find places to attack will go a long way.

Another key skill is the ability to puncture abstractions. This is a bit of an odd thing, coming from a development point of view. Developers build upon abstractions, and create new abstractions as they create systems. So as an exercise, think of the levels of abstraction that are part of a web application. If you can break through the web application layer and influence the network layer, you may be onto a vulnerability. The ability to demonstrate this knowledge in an interview will put you head and shoulders above those who can’t.

Finally, the ability to communicate your findings to developers and management will advance the cause.

As a successful application security pen tester, you will learn interesting things about the software system that you are testing, quite likely things that the developers don’t know.
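To make the “puncture abstractions” exercise concrete, here is a small added illustration (my own example, not code from the contributor or from the original post). It builds a toy HTTP redirect handler in two versions. The naive one treats the redirect target as “just a string” at the application layer and serialises it straight into the response, so a value carrying CR/LF punches through into the HTTP layer below and adds a header and body the application never intended. The hardened one rejects control characters before they can reach that layer. The attacker input and all function names are constructed for the example.

```python
# Added illustration, not code from the original post. A constructed redirect
# handler that shows an application-layer value reaching down into the HTTP
# layer when control characters are not rejected, and the check that stops it.
# All names and the sample input are hypothetical.

CRLF = "\r\n"


def build_redirect_unchecked(location: str) -> bytes:
    """Naive handler: trusts the application-layer value and serialises it
    directly into the HTTP response. The abstraction "Location is just a
    string" leaks, because CR/LF mean "end of header line" one layer down."""
    head = "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF
    return head.encode("latin-1")


def build_redirect_checked(location: str) -> bytes:
    """Hardened handler: refuse any value containing characters that carry
    meaning at the HTTP layer (all ASCII control characters, which covers
    CR and LF) before it is ever serialised."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        raise ValueError("control characters are not allowed in header values")
    head = "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF
    return head.encode("latin-1")


def split_response(raw: bytes):
    """Parse the serialised response the way a receiver does: a status line,
    header lines up to the first blank line, then the body."""
    text = raw.decode("latin-1")
    head, _, body = text.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def demo() -> dict:
    """Run both handlers against a benign and a constructed malicious target
    and report what a receiver would actually see."""
    benign = "https://example.com/home"
    # Constructed attacker input: an application-layer "URL" that smuggles
    # HTTP syntax (a new header line and a body) through the string.
    malicious = (
        "https://example.com/home" + CRLF
        + "Set-Cookie: session=attacker" + CRLF + CRLF
        + "<html>injected</html>"
    )

    _, headers, body = split_response(build_redirect_unchecked(malicious))
    injected_header = any(h.startswith("Set-Cookie:") for h in headers)

    rejected = False
    try:
        build_redirect_checked(malicious)
    except ValueError:
        rejected = True

    benign_ok = build_redirect_checked(benign).startswith(b"HTTP/1.1 302 Found")
    return {
        "injected_header": injected_header,
        "injected_body": body,
        "rejected": rejected,
        "benign_ok": benign_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the exercise is the mental move, not this particular bug class: at every boundary in the stack, ask what the layer below interprets as syntax and whether the layer above lets that syntax through unchanged. The same question applies to SQL, shell commands, file paths, and serialization formats.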

It’s great to read all of the quotes together, as everyone has taken a different approach to growing and building their career. Thanks again to all of those who gave their input. More inspiring quotes will be published next week.