Security's Everyman

Friday, June 29, 2007
Security Mentoring
How do you become a "Security Expert"? You can take classes in high school, college and trade school. You can attend "vendor training" or security-related classes offered by many different organizations (Global Knowledge, ISC2, New Horizons, etc.). You can attend seminars and conferences such as BlackHat, ShmooCon, SANS, etc. You can read books and practice with your own computer or home network, or use some online labs. You can participate in forums (Security Catalysts Community, Friends in Tech, etc.). You can read blogs and "security" websites (Andy ITGuy, TaoSecurity, SearchSecurity, etc.). You can join in on chats using IRC or other instant-messaging clients. You can join organizations such as ISSA, InfraGard and ISACA.
All of these are good and viable ways to learn about information security and how to practice it. Of course the best way is OJT: on-the-job training. The school of hard knocks. Working side by side with other security professionals who have already been there and learned things by experience. It has been said that experience is the best teacher. This morning on my ride into work I was listening to Chuck Swindoll speak about learning through confrontation. He said that he thinks the best teacher is "guided experience". I must agree. You can learn a lot from experience, but if you don't have someone there to help you understand all that the experience has to offer, then you are missing out. If you don't have someone there who will challenge your experience and, more importantly, the lessons that you think you are learning, then you are missing out on a valuable resource.
Chuck said that "the difference between experience and guided experience is confrontation".
Not confrontation in an arrogant, mean way, but in a way that is meant to challenge and lead. That is what makes a really good security professional: someone who learns from others as well as on their own. Now please don't misunderstand me and think that I'm saying that without a "mentor" you can't be and aren't a good security professional. That is not what I'm saying. But it will make you a better one. In order for that to happen you have to have someone who has the knowledge and the desire to pass it on. They have to be willing to be tough without being mean. Then you have to be willing to learn. Listen to what they say whether you like it or not. Take it to heart and make the change.
The security landscape changes too quickly for any of us to know it all and continue to know it all. It changes too fast for us to go it alone. We need mentors to help us along the way. Hopefully you will get the chance to actually work with others who can guide you, and hopefully you will get the chance to guide others. If for some reason you don't have that opportunity (all you SMB IT and security guys), then look for ways to hook up with someone in your area. Look into some of the links above for organizations, blogs, training offerings and such that can guide you through the maze of information security.
Posted by Andy, ITGuy at 2:03 PM
Labels: Andy ITGuy, information security, mentoring, training
Tuesday, February 27, 2007
Teaching IT to Teach
In my rants of late regarding user awareness and the general attitude that IT has towards users, I've commented on how I feel that IT often gets negative because it's easier than teaching. Many of us in IT are not great people people. We are comfortable around others who think as we do, but we feel out of place when taken out of our element. That is when it's easier to get irritated at users than it is to help them.
In talking with many in IT who are like this, I've discovered that often they do really want to help the users learn. It's in their best interest to do so. It makes their job easier and frees them up to do the work that they really want to do and the job that they really need to do. I think that many in IT really want to teach; they just don't know how and haven't been given the tools to do an effective job of it. This is also something that I hope to get more involved with. I want to train users and IT to be more secure. IT often understands security but doesn't understand users. Users often don't understand either. I want to help both IT and users understand each other and, as a result, understand security.
If companies really want to take security seriously they will actively encourage and equip IT and Security Professionals to work with the users and help them learn how to be more secure as they do their job. As we rethink how we practice IT and start to be intentional about helping users learn we will all be better off.
Posted by Andy, ITGuy at 7:40 AM
Labels: Andy ITGuy, information security, training, user awareness
Tuesday, November 21, 2006
Fast Security
I'm playing catch-up before getting behind with the holidays, so I'm posting more than usual today. Plus there is just more out there that is catching my attention today. Like this post from Richard Bejtlich of TaoSecurity. Someone sent him an email asking Richard to impart all of his security wisdom in a quick and simple format. Maybe this guy is a fast learner and could glean all of Richard's knowledge in record time. Probably not though. In all likelihood this guy is an executive who really thinks that security is that quick and easy. Just kidding, but upper management does seem to think that we can work miracles.
I've been in IT for 10 years and doing security for 6 of them. I've read books, attended classes, played with various technologies and such for much of that time, and I still am not where I want to be in my skills or knowledge. It seems like I always see someone who knows much more than me. But I keep plugging along, learning what I can as I go. I'll be glad to help this guy or anyone else who really wants to learn security (not that I could teach nearly as much as Richard), but there is one condition. They have to realize that it takes work, discipline and lots of time, and there are NO shortcuts.
Posted by Andy, ITGuy at 3:51 PM
1 comment
Labels: information security, TaoSecurity, training