Currently, jobs in security are plentiful. LinkedIn connection invites and recruiter calls are as normal as a daily Agile meeting. But those with career foresight know it’s not enough to be complacent. To become an expert at the top of the field, progression is essential.
Understanding, Not Illusions of Competence
In his interviews with candidates, OpenDNS Security Researcher Kevin Bottomley proposes a simple test that will quickly uncover how much a candidate knows. “I ask them to draw me a picture of a DNS request,” he said. “That’s it. Simple.”
It sounds simple, but there is a lot to learn from someone’s impromptu illustration of how DNS works. Does this person know the difference between authoritative and recursive DNS? Where does the ISP fit in the route that DNS traffic traverses? As a result, Bottomley gets a good idea of the person’s understanding of the concepts involved, and also of how the candidate thinks logically and can apply that understanding. Security is no place for illusions of competence.
Personal challenges are a huge component of advancing knowledge in any field. The skillsets of security professionals, sys admins, and software programmers are very closely tied, and as such so is the career progression of all three. And for all three fields, being adaptable and flexible plays a huge role. Sys Admin Shahab Sheikhzadeh reiterated this in an e-mail interview: “[Security professionals] have to be crafty & be able to adapt to the situations that arise. Being able to know how to overcome the failings of a script & how to write code to perform an operation, or use different system calls to accomplish the same task, is paramount.”
In terms of skills, there is no shortage of resources to mine for knowledge: hundreds of technical how-to books, classes and MOOCs, and sites like IronGeek.com. But becoming an elite security pro takes a lot more than skills. To Digital Forensic Analyst and SANS Institute Fellow Hal Pomeranz, it’s also about putting yourself into the community.
Apply Knowledge, Then Share It
“The people that I am more likely to listen to and trust are the ones who are doing work, doing research, and actually talking and writing about it effectively,” Pomeranz said in an interview. “Putting yourself out there means you have enough confidence in your abilities to withstand peer review. And it also demonstrates good communication skills, which are important in any field, but also one of the distinguishing factors for an expert.”
Pomeranz alluded to a progression that security professionals, and really any programmer or developer, go through to reach expert level. The major difference in the progression is knowing how, versus knowing why. “Practitioners can perform skills that they’ve been trained to do. Experts can integrate knowledge, possibly from multiple disciplines, to solve novel and complex problems.”
And then of course, there’s the continued learning that is required. Because in security, like many other related fields in tech, everything changes. Constantly. Pomeranz quoted a friend of his, Celeste Stokely, who told him “Learn one big new thing every year.” It’s not bad advice, because staying sharp and ahead of colleagues means working and learning while they are sleeping…or doing that extra conference talk.
Don’t Focus on the Right Tools
According to Spotify Developer Mattias Johansson, who also runs the programming YouTube channel “funfunfunction,” it’s also important not to get hung up on which system or toolset will give you an edge and career longevity. In a video posted in September 2015, Johansson covers a topical question he gets constantly from early-level programmers: What is the best toolset or programming language to learn? Johansson decoded this question and reinterpreted it to find what commenters were really asking: What should I learn to keep myself employed?
“Learning a popular tool or the next big thing will get you a job,” he says in the video’s summary. “But in order to be relevant, you should learn programming, not tools. If you practice programming well, and not just tools or languages, you will be a very sought after programmer.”
Regardless of the career field in question, Bottomley, Pomeranz, and Johansson all allude to one unifying theme in becoming a respected expert: a fluid mastery. A tip-of-the-tongue, verbose understanding of the field, its tools and all that’s required to solve problems, with the added tenacity to do it.
It’s a mindset more than just a skillset.