On variety, humility and the value of sucking at something

Jacob Stickney
May 15, 2021

There is such a vast number of responsibilities and skills that go into cybersecurity. It is impossible to learn it all. Quite a few security professionals tend to have some sort of niche that they most closely identify with. Maybe it is Blue Team, Red Team, PKI, cryptography, risk management, etc.

While this is certainly important for knowing what job roles suit us best, I don’t feel like we should confine our learning and curiosity to those labels. When we do, we might start to think that our perspective about security is superior to another. In reality, all of the different areas of the field are interconnected. This is not to say we should expect ourselves to be professionals at every aspect of the industry. However, the more I learn skills that are different than what I’m used to, the more I appreciate what others can do, and the more aware I am.

For instance, I’m most interested in security operations, malware analysis, threat hunting, and incident response: Blue Team skills and responsibilities. You could say — in spite of its challenges — this is my “home base”, my strong suit, and what I want to do professionally. The focus is on monitoring and analyzing network perimeter activity. But in the long run, as someone trying to break into the field as a security professional, only having these skills isn’t sufficient.

As an analogy — I grew up playing music. I was all in with it. I majored in jazz saxophone performance and composition at a performing arts college. I’ve been fortunate to play with some stellar, world-class musicians. One common trait among professionals is that very few know how to play just one instrument.

Most saxophonists and trumpet players also know their way around the piano, myself included. This doesn’t mean we can play it at a professional level, but we can sit down and work through harmonies and write music and practice ideas through all 12 keys.

I took some drum lessons during my studies in college. I wasn’t trying to become an expert at the drums, just enough to get a handle on the fundamentals. I didn’t have the time or the interest in pursuing drums as my primary instrument, but I did want first-hand experience with a drummer’s perspective.

Getting these different perspectives is humbling, enlightening, and necessary. If I’m writing music, and I’m playing with a keyboardist and drummer, having some skill, knowledge and insight into what’s going on from their perspective will only serve me.

While music is not cybersecurity, it is a broad field, and every aspect of it brings something important to the table.

I feel it’s crucial to have some first-hand awareness of what cybersecurity looks like from a range of perspectives.

If you are predominately a penetration tester, learn some cyber defense basics. Know how to read logs, analyze a packet capture file, etc. If you are predominately a Blue Teamer, get familiar with the different red team skills.

For instance, I’m working through labs by PortSwigger, the company behind the popular web application vulnerability tool, Burp Suite. They offer a ton of free labs and courses through their Web Security Academy. It covers all the different web application attacks, such as XSS (Cross-Site Scripting), SQL injections, Broken Authentication, and much more.

It’s a great way to get hands-on experience with what these attacks look like, as well as in-depth explanations of what each attack is all about. Each lab includes a link to a vulnerable web application, an objective, and a tutorial video. All you need is a web browser and Burp Suite (the Community Edition works fine), at most.

It’s cool to learn how these attacks work, and why they are successful. This is great for someone who wants to work in a SOC role, because if the attack happens over the network, it can be monitored. The skills gained from learning something out of our ordinary are helpful to one’s knowledge base.

Humility is also important. I think it’s good to always suck at something, even if we have certain areas in the field we excel at. This is not to say we can’t be humble if we just focus on what we are comfortable with, because every area of the field will come with its many challenges. But range makes us more well-rounded.

Every learning opportunity will yield some valuable insight into something else, if we keep an open mind about it. It prevents us from getting bored and stagnant in our learning. And when I’m a total newbie at something, I gain tremendous respect and admiration for the people who can do it professionally.

While it is definitely uncomfortable to try something completely out of our ordinary, it helps us keep an open mind, and to think smarter about the problems we might be faced with.
