Everybody has their own personal stories and their own ideas about how to get started and progress in InfoSec (whether it’s Pentesting or Digital Forensics or Incident Response, etc.). Getting started is just the beginning; making relevant progress is key. Smart and accomplished people have already documented their opinions about getting started and beyond.
In this post I want to write my take on the subject. Also, I believe that we can easily substitute Infosec with any other goal we’re working towards.
There’s tons of evidence that writing down your goals and making them public will help (more like force?!) you to achieve them. Same goes for your plans and sticking to them.
I don’t entirely agree with the advice that people should “focus on the journey, not the destination” in Infosec; the destination is very important. But getting and enhancing your skills is an ongoing journey. What does this mean?
- Like anything worth having, it will be an investment of your time, money and dedication.
- You might need to give up on some other things.
- Sometimes it will be difficult.
- But still you should avoid shortcuts and easy tricks.
- And get out of your comfort zone as often as possible.
Gauging your improvement
You can read articles and books and play CTFs all day long, but you’ve got to ask yourself - Are you making progress? One way to go about this is to set small weekly goals for yourself. Include both learning and practicing in those goals. Take small steps and stop from time to time to ask yourself:
- Do you know more about that topic than last week?
- Did you master that reversing technique you keep hearing about and wanted to be able to do?
- Are you more aware of what is left to work on? What do you need to focus on next?
Just keep learning
I hope this goes without saying. Things are evolving so fast that being complacent is not an option. Complacent means (from the dictionary) showing smug or uncritical satisfaction with yourself or your achievements, and that is exactly what you should avoid.
- Keep hacking, keep learning, stay curious, stay humble.
- Learn from your friends, from your teachers, from black/white/purple/any color hats.
- Read about new techniques/tools and practice them. I bet you’ll realise at least a few things you weren’t aware of before.
Engage with the community
One way to do that, as many people recommend, is writing a blog to demonstrate your skills and help other readers. There are many benefits, but I will list the three main ones in my opinion:
- While writing about something you double-check and correct your findings.
- It is something to show to employers, way better than your CV.
- You improve your writing and communication skills. No matter how technical you are, being able to communicate better will only help you.
I believe the two main impediments to engaging are (1) the fear of being criticised, of being wrong, and (2) believing you don’t have anything new/important/groundbreaking to say. Of course reason tells us these fears are unfounded. We just have to act on this logic.
Last but not least, a few words about interacting properly. I recently read Rafal Los’s very good article on How to Make Friends and Influencing People in Infosec. It explains very well the difference between networking and connecting. If you haven’t already, go ahead and read it!
Another very good article gives complementary advice on how to Be Present! and interact with people at Infosec events. In a nutshell:
- Be respectful of other people, their time and ideas.
- Engage others and help others engage.
- Be genuinely interested in people. Hear their stories.
I hope this will be helpful as I plan to update this and use it as a checklist for myself to keep me on track.