Security's Everyman

Friday, June 29, 2007

Security Mentoring

How do you become a "Security Expert"? You can take classes in high school, college and trade school. You can attend "vendor training" or security-related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc.). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer or home network, or use some online labs. You can participate in forums (security catalysts community, friends in tech, etc.). You can read blogs and "security" websites (Andy ITGuy, Tao Security, SearchSecurity, etc.). You can join in on chats using IRC or other instant messaging clients. You can join organizations such as ISSA, InfraGard, ISACA.

All of these are good and viable ways to learn about information security and how to practice it. Of course the best way is OJT: on-the-job training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks that the best teacher is "guided experience". I must agree. You can learn a lot from experience, but if you don't have someone there to help you understand all that the experience has to offer, then you are missing out. If you don't have someone there who will challenge your experience and, more importantly, the lessons that you think you are learning, then you are missing out on a valuable resource.

Chuck said that "the difference between experience and guided experience is confrontation". Not confrontation in an arrogant, mean way, but in a way that is meant to challenge and lead. That is what makes a really good security professional. Someone who learns from others as well as on their own. Now please don't misunderstand me and think that I'm saying that without a "mentor" you can't be and aren't a good security professional. That is not what I'm saying. But it will make you a better one. In order for that to happen you have to have someone who has the knowledge and the desire to pass it on. They have to be willing to be tough without being mean. Then you have to be willing to learn. Listen to what they say whether you like it or not. Take it to heart and make the change.

The security landscape changes too quickly for any of us to know it all and continue to know it all. It changes too fast for us to go it alone. We need mentors to help us along the way. Hopefully you will get the chance to actually work with others who can guide you and hopefully you will get the chance to guide others. If for some reason you don't have that opportunity (all you SMB IT and security guys) then look for ways to hook up with someone in your area. Look into some of the links above for organizations, blogs, training offerings and such that can guide you through the maze of information security.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.