Jonathan Studebaker, Senior Security Consultant at InGuardians, Inc.
Editor’s Note:
Part 1 of this three-part series discusses the pros and cons of some common learning approaches, information resources for information security (infosec) topics that may interest you, ways to get involved in the infosec community, and setting realistic goals, budgets, and expectations for yourself to maintain work/life balance.
Part 2 will discuss some specific training resources and projects like building a home lab, tinkering with Raspberry Pi, and ways to explore mobile, cloud, wireless, and physical security.
Part 3 will provide a simplified reference list with links and resources broken down by topic, which will be updated periodically as resource relevance and availability change over time.
From an early age, I’ve had a sense of curiosity and a strong desire to tinker with the world around me. As a kinesthetic learner, I prefer to learn by doing and experience a developing skill first-hand. Whether we are new to the information security space or seasoned veterans, we are often called upon to wear many hats across a wide variety of disciplines. Regardless of our backgrounds, skillsets, or learning styles, information security as a career choice requires us to be life-long learners. But with so much information and so many disciplines within this broad category, how do we decide on where to start or what to learn next? How and where do we learn it? How much does it cost? How do we maintain work/life balance?
A few common approaches to learning
The Fast and Furious Approach
Learning quickly may sound appealing and sometimes it may be unavoidable if you have a tight deadline or requirement. It is possible to learn a great deal this way, and it can be a good way to get quick exposure to a topic. If a topic isn’t for you, you also get through it quicker and can move on to other things. However, the downside of this approach is that long-term retention and overall depth of knowledge are not as strong. Additionally, taking on too much too fast can be a massive contributor to burnout and stress.
The Slow and Steady Approach
In some cases, we can take our time and move at a slower pace when learning a new topic. For some, this is the only option, as busy schedules and other commitments prohibit them from focusing all their attention and effort on learning the new skill. Consistent learning over time leads to a strong foundation, increased depth of knowledge, and greater mastery of a subject before moving on. Unfortunately, if a topic turns out not to be for you, the time already invested in it can make moving on a very long and arduous process.
The All or Nothing Approach
Another option is to fully immerse yourself in a topic. For example, when I was in college, I had to write code in and for Linux. At the time I had not used Linux very much and had received only a brief intro to the basics. The first semester I struggled with it, but when I realized that this was going to be my new normal if I wanted to pursue my major successfully, I removed Windows from my personal computers. Not a dual boot. Not a VM. Windows gone. Linux only. While this may sound extreme, it forced me to pick it up quickly while consistent daily use over time helped me to learn it well. Obviously, the downside to this approach is that turning back may be difficult and can result in a significant loss of time, money, and effort if you do.
The Goldilocks Approach
An alternative approach is to start with small, quick, and free/cheap learning resources or projects. This gets you some exposure to a topic, and if it continues to interest you, you can expand upon it with additional time and effort. If you decide that the topic isn’t for you, that’s okay; pick a new one and move on. The course correction won’t incur substantial loss, you still learned something, and you have a better idea of the direction you want to go. Remember, with this approach we’re just tasting the porridge until we find the one that’s just right. Not everyone is cut out for every infosec topic, and there are a lot of topics to choose from. This approach will be the focus of this blog series; just remember to watch out for bears.
So much information, so little time
There are so many free resources available to aid in infosec education. Some of the most obvious sources are social media, online blogs, vlogs, and podcasts. The amount of content can be overwhelming at times and knowing who to follow and what sources to trust can be a challenge. If you’re looking for a place to start, consider creating a free SANS account. This will give you access to free webcasts, newsletters, white papers, and more. These resources can also introduce you to subject matter experts, industry leaders, and organizations that you may want to follow on other platforms. Once you’ve made a few connections it can really start to snowball from there.
Check out online chat resources like the BloodHound Gang Slack and the InfoSec Prep Discord. These are by no means the only options available but are well-known and active places to connect with like-minded individuals on a variety of topics. There are quite a few free online and in-person security-related events as well. Check out free SANS events and other security-related events on services like Eventbrite or meetup.com. Live or online security conferences are also a great opportunity to learn and network with peers. Many conferences like DEFCON also post the presentations online either during or soon after the conference.
Books and magazines are another great option, but often incur a cost of some kind. Bookstores like Barnes & Noble and Amazon are great resources for a variety of technology-related publications including information security-specific titles. Publishers like No Starch Press, Packt Publishing, Wiley Publishing, and O’Reilly Media have substantial security-related content collections. Check out Humble Bundle for an amazing resource that frequently offers bundles of infosec and technology-related software and books for extremely reasonable prices. Traditional public libraries typically provide free memberships and sometimes have excellent technology and security sections. Some public library systems and university libraries even offer free access to online learning resources like LinkedIn Learning and O’Reilly Media. Finally, audiobooks from services like Audible and podcasts like Security Weekly and Darknet Diaries can be a fantastic choice for information ingestion, especially if you have a frequent commute to school or the office.
For folks who prefer a more traditional learning approach, with an online or in-person course, check out training opportunities from groups like InGuardians, SANS, OffSec, INE, Black Hat, or local schools and colleges. This is far from an exhaustive list of available options but will hopefully give you a starting point to aid in your searches or discussions with your peers.
Get Involved
Depending on where you live, there may be local DEFCON groups, OWASP chapters, security clubs/groups, and other security-related meetups. These meetups are often free to attend, have fantastic content, and are a great way to network with people in your local community. In many cases, these groups also offer speaking opportunities for you to present something that interests you. If there aren’t any local to your immediate area, check to see if any have online meeting platforms.
Local colleges may also participate in events like the National Collegiate Cyber Defense Competition (CCDC) or other security-related programs, which can provide opportunities to network and volunteer in a variety of ways.
Set realistic goals, budgets, boundaries, and expectations
Pursuing professional development options and interests in the information security space is an endless endeavor. Nobody can know everything about every facet of the industry. Trying to learn too much too fast and during your off hours may lead to burnout and/or negatively impact relationships.
Make sure to set realistic goals regarding the development of your interests. If the interest is being sponsored by your employer, make sure you discuss the timeline for completion and whether studying during work hours is permissible. If you are learning something on your own during your free time, establish a timeline and set realistic hourly allocations per week. Ensure that your significant other and/or other family members are aware of, in agreement with, and supportive of your plans.
Buying all the books, training, and hacking gadgets that interest you can get pricey, so set a monthly or annual budget for yourself and stick to it. Don’t forget about free or low-cost alternatives. Check with your friends and co-workers to see if they have something before taking the plunge yourself. You might be able to get a demo, ask for feedback, or even borrow a book or device. If you have resources at your place of employment, ask about opportunities to learn, borrow, and use them. Don’t forget that many employers offer a professional development and training budget which may help you cover the costs.
Finally, make sure to give yourself time to connect with and maintain relationships with your family and friends. Have some hobbies away from a screen, go for walks, eat a healthy diet with foods that will keep your brain and your stomach fed, sleep, play sports, or do whatever you need to do to take care of yourself mentally and physically. Setting boundaries and maintaining balance is key to our greater happiness and success professionally, individually, and at home.
Wrapping Up
Learning and change are not easy, and the first few days, weeks, or months may be difficult. Start small by reading a blog post, listening to a podcast, or doing a small project. If your interest grows through these small exposures, pursue the next steps for growth. If not, move on and start the process again with something else that interests you. Google is your friend. Ask questions and seek out other available resources. Hang in there and push forward. Doing, repeating, and making mistakes will help you to adapt, learn, and grow.