Tom’s Tips for InfoSec Professionals

Information security is a unique discipline. Few other fields combine the constant evolution of threats and technologies with the need to interact effectively with individuals of such varying experiences.

People often ask me, “Tom, what advice would you give to security professionals or someone looking to enter this field”. (Okay, well, maybe they don’t really ask me this all that often, but for the sake of this article let’s assume that they do).

Since starting my work at Hurricane Labs, I’ve grown from an entry-level firewall support engineer to having the responsibility of helping steer the course of our work as a whole. I’ve learned an enormous amount over just a few short years in this industry, both professionally and personally. This article serves to list and summarize some of these things and share them with you. Whether you’re a student interested in infosec, new college grad, or seasoned professional, hopefully the ideas I’ve included will help guide you to being the best that you can be.

With that introduction out of the way, let’s get started.

1. Learn something new every day

Infosec–and any technologically inclined field–is subject to constant change and innovation. My best advice for keeping up is to try learning something new every day. In my six plus years at Hurricane, I can confidently say that there hasn’t been a single day that has gone by where I haven’t learned something new–something I don’t see changing any time soon.

Also, don’t limit yourself. As tempting as it is to go home after being at the office for an hour (“I learned something today, time to go home!”), your employer probably won’t appreciate that and that type of mentality also won’t help you improve. Consider it an opportunity to learn even more that day.

That said, don’t spend 100% of your time focused entirely on work–although burnout may be prevalent across our industry, it’s something that can be prevented. Find something you can do as a hobby and use that to take a break from the constant activity of the infosec world. For me, my escape is music– being able to rage on the nearest piano (I even have one in my office at Hurricane) is a great way to burn off some stress and give my mind a break.

Most importantly, apply what you’ve learned to something you already know, or figure out a way to use it to overcome new challenges. I’ve had a lot of success working through various problems, figuring out a way to find similarities among what I’ve discovered, and drawing from my knowledge (both new and old) to deepen my understanding of the new issue.

2. School doesn’t teach you everything

For those of you that are still in school, at whatever level it may be, don’t expect to graduate knowing everything you’ll ever need to know. What you learn in school is likely only a tiny bit of exposure to what you will ultimately need to know as you start your career.

Consider your education a high-level overview of many different things, some of which will be helpful later and others which you may not necessarily see an immediate reason for. That said, don’t dismiss things that you’re learning that might not seem relevant. I’ve experienced many situations where I’ve used random bits of knowledge from college classes, not necessarily security-related, in order to handle things that have come up in my career.

Finally, understand that you won’t use everything you learned in college later in life. Don’t let this discourage you or get in the way of learning–consider it an opportunity to learn how you learn best, and leverage that later when you’re continuing your education in the real world.

3. You don’t have to know everything, just how to use Google

Within the IT fields, being able to find a solution is more important than simply knowing the answer off the top of your head. The breadth of knowledge, terminology, and technical details we work with exceeds anything that a single person is able to master. Our job isn’t to automatically have a solution to every problem, but knowing how to find information quickly.

The Internet is an excellent source of information and can be a powerful tool when used effectively. There are tons of people that are smarter than you or who have already faced the same problem you’re dealing with. Our industry embraces information sharing through resources such as blogs, forum posts, and Twitter.

Looking back at my college classes, many of the professors allowed us to use a single page “cheat sheet” for exams, where we could write down anything we wanted and use it during the test. While I didn’t realize it at the time, this was probably one of the best exercises to prepare me for the real world: I needed to determine what information was important enough to include in a limited amount of space, and also be able to find that information during the limited timeframe of an exam in order to use it. This is very similar to what I do today, only with Internet resources instead of a handwritten one.

The mantra I encourage here is to “be an expert in something you’ve never seen before”. We aren’t expected to be able to fly a helicopter having never done so before, but armed with a little knowledge, it should be a goal to which we can all aspire.

4. Phone calls and onsite work

Needing to work with customers is inevitable. This will typically take the form of phone calls, onsite work, or some other type of correspondence. At first, this might not be something you’re comfortable doing, but with practice it will become much more natural.

My advice for this: practice your acting skills.

Being able to convey confidence in these situations is actually more important than technical skills. Even if you’re the only person onsite or on the phone, you still have your support structure there to back you up. Don’t worry about having to research something that comes up that you aren’t familiar with–as long as you act confidently and don’t appear completely clueless, the client will generally be understanding.

That said, there will be things that come up that you don’t know. When this happens, don’t lie. Find out what the answer is first.

5. Be Humble

Probably one of my biggest peeves with the infosec industry is the culture of rockstars and experts that it breeds. I encourage everyone to avoid getting sucked into this.

None of us knows everything. That includes you, me, and anyone else reading this. We are all good at certain things, and there are others in the industry that are better at other things (and can complement what we are good at). Our strength is in the collective knowledge of the people across our industry, and not just any individual standing alone.

When you’re in a group, don’t be the loudest or most talkative in the room. Instead, be curious and learn from others. As one of my coworkers says, “If I’m the smartest person in the room, I don’t want to be in that room”. I totally agree with him there.

Be good at what you do, and recognition will follow.

6. Mistakes

You will make mistakes. We all have and will continue to do so. Making mistakes is inevitable–computers can do some stupid things and people can do some even stupider ones. Not every mistake will directly be your fault, but sometimes it will be the direct result of something you did (or didn’t do).

When you make a mistake, admit it and make sure you address and/or fix the problem. The worst thing you can do when making a mistake is to lie about it or blame someone else. But most importantly, learn from mistakes and gain experience from fixing them. This is the most valuable part–it won’t necessarily prevent every future error, but will better equip you to deal with similar issues in the future.

7. Trust

Strive to be someone that your team can count on. When you make a promise, follow through on it. Don’t be the person that says they’ll do something and never does.

Don’t always go for what’s easy or the least amount of work. Take on the challenge that no one wants to solve or that might even seem impossible. The worst that can happen is that nothing will improve or change, but you might come up with an interesting solution to a problem people haven’t been able to solve.

8. Expectations

It’s always a good idea to keep your clients happy. Setting appropriate expectations is the single most effective way to do this.

When setting expectations, always underpromise and overdeliver (not the other way around). Be realistic with what you can do–don’t promise to have something done in a timeframe that isn’t practical or doesn’t allow for unexpected roadblocks to come up along the way.

Let’s say that you need to complete a project for a client. It’s Monday, and you figure you can do the work in two days (assuming no unforeseen issues). An inappropriate expectation would be to say that you’ll finish this on Wednesday, and then have to push this back to Thursday or later. It’s much better to promise that this be completed by Friday, and return it to the client on Thursday instead, a full day ahead of the promised schedule. Clients will love you if you consistently meet or exceed expectations as opposed to always being behind, and the best way to ensure that this happens is to set these expectations appropriately up front.

Finally, don’t make promises you can’t deliver. When presented with an unrealistic deadline, it’s best to establish an alternative timeframe as opposed to agreeing and failing later. Your work is often a small piece in a much larger project, and a delay in one place could result in the whole project being postponed.

9. Effort

Whatever you lack in talent, make up for it with effort. Always try your hardest. Don’t settle for less than 100% of the best that you can do every single day.

Don’t be afraid to ask questions from your peers and coworkers. But when asking questions, take notes so you don’t ask the same questions twice. There’s nothing wrong with getting a second opinion (something I do myself frequently), but you don’t want to appear as if you’re not respecting your coworkers’ time.

10. Now it’s your turn

Ending a list on nine items seemed weird so I’m making a tenth one, even though this is more of a summary than anything else. If you ignored everything else in this article, I want you to leave with the following:

• Never stop learning
• Always try your best
• Never settle for good enough

Now it’s your turn: Go change the world.