How To Be Good at Cybersecurity… and Also Everything Else
A Guest Blog by Joseph Perry, Senior Technical Instructor at Mandiant, a FireEye Company
A Surprisingly Concise Answer
Start at the beginning. The end.
A Substantially Less Concise Explanation
Just kidding, but it’s not a bad introduction, right? A bit cocky, a bit coy, but a decent hook, if you continuing to read further is any sign. Admittedly, it’s doesn’t have a place among the truly great introductions. For aficionados, there can be no greater title than Vincent Musetto’s “Headless Body in Topless Bar”, the headline read round the world, though a small newspaper experiencing a printing issue did offer the thought-provoking title “Fhgfhdfdfdffgfgfgfgfgfgfgfg” as a decent competitor.1 Even if this beginning were among such lofty company, just having a good hook is hardly enough. When do we start getting good at cybersecurity?
The good news is that you’ve already finished the hardest parts.
Some Unusually Reassuring Statistics
If you’re reading this article online then you have, by definition, learned to navigate both the written word and the internet. Since the first hunter-gatherers realized the joy of not hunter-gathering and began cultivating herds, somewhere in the neighborhood of 110 billion people have lived and died.2 Around 80 billion of those were born before the year 1500 CE, when literacy rates first began to climb above 20 percent.3 Out of the 110 billion to ever live, only around 20 billion people have been literate. The numbers for the internet, as you might imagine, are a fair margin smaller. Even today, only around 60 percent of people are active internet users, so a generous estimate might give us 10 billion total internet users thus far in history.4 Just by being able to read this article, you’re better suited for a role in cybersecurity than 100 billion other people from history. If we include all people since the first recognizable humans, practically zero percent of people throughout history would have the slightest chance of success against the cybersecurity prowess you’ve already displayed.
Blaming an Innocent Goatherd
You may reasonably point out that this is hardly fair. True, you might have a stronger rèsumè than Og the Goatherd, but Og retired a long time ago and you need a job now. What I said at the top wasn’t that you were already finished, but that you’d finished the hardest parts. Literacy and the internet aren’t new because our ancestors were stupid. They weren’t stupid at all; they were simply ignorant. Ignorance may seem like stupidity, but ignorance is simply the absence of truth whereas stupidity is the willful retention of falsehood. Literacy is relatively new for the straightforward reason that inventing a functional written language from scratch is hard. And though it may not be as difficult as inventing a language, learning to interpret written language is certainly difficult enough for anyone to take pride in their accomplishment. Someone may have figured out the impossible challenge of capturing sounds in scratches, but you learned the nearly as remarkable skill of freeing sounds by examining the scratches.
The problem of teaching cybersecurity isn’t actually that the field is particularly complicated. In fact, compared to the alchemical genius required to combine rocks and lightning and produce video games, configuring a firewall can feel almost aggressively pedestrian. The problem of teaching cybersecurity is that complication is assumed. Or, put a bit more formally, cybersecurity education is actively harmed by the widespread belief that cybersecurity is too hard to learn. A student who begins class assuming they’ve already failed is a student unlikely to get much out of that class. Fortunately, we’ve sidestepped that problem by realizing we’ve already handled the herculean tasks of learning to read and Google things, so cybersecurity can hardly feel too difficult after that. Right?
There are Skills and There are Skills
Alright, so maybe it isn’t quite that easy, but it’s closer than you may think. The title of this article is meant to draw attention to exactly the same fact we just examined there.
When we talk about “cybersecurity”, we’re really talking about multiple skills interacting with one another in order to produce a new discipline, creating what we might call a composite skill (a skill defined by the combination of simpler, more broadly applicable, skills). Literacy and internet competence are, obviously, also composite skills, though of a substantially less specific nature. In the same way, problems in cybersecurity are really composite problems, which have many potential causes and many potential solutions, each made possible or impossible by both the composite problem itself and any component problems. Thus, the difficulty of cybersecurity is less that any one problem is particularly complicated, and more that what we’re calling one problem is really a lot of smaller problems we’re trying to solve all at once.
This often gets peddled by the unskilled or insincere advice-giver as “Break big tasks up into small tasks”. That instruction is something like an art teacher who politely explains to their students that objects called “brushes” exist and are quite useful in the art world, then expects those students to discuss the philosophical underpinnings of a Goya painting. Rather than assuming the recognition of a fact to be the sum of our work, we can instead apply a bit more of our time and effort to the point and see if the idea of composite problems can offer any useful advice.
Talking it Through
Literacy is a useful metaphor here. Most likely, you didn’t learn to read by opening Webster’s dictionary (or Oxford/Cambridge, if you really like the letter ‘u’) to the first page and working your way to the end piecemeal. Instead, someone who already understood the concepts and essential facts, often a family member or teacher, used examples from the world you understood. Learning a language doesn’t start with grammar, it starts with labels. When you understand that d-o-g means the same thing as “dog” and you can point at the dog in the photo, you open an entire world of comprehension, one to which 90 billion humans have been denied entry.
So instead of just “Break big tasks into small tasks”, we might say “learn cybersecurity the way you learned to read, by finding someone who can help you relate it to what you already understand and starting with the easy parts.” We can go from an empty, slightly condescending bit of nonsense to a reasonably specific, useful plan of action. As so often happens though, this improvement comes with a drawback. We now have to figure out who is going to help us learn.
Here, we can use the internet for something a bit nobler than its most common purposes. If you’re reading this essay, as previously mentioned, it’s quite likely you’re familiar with the internet. If you’re reading this essay where it was originally published, you’re probably also familiar with the fact that the internet is chock-full of training material taught by people from all sorts of perspectives and skill levels. Beyond just the training available online, though, remember that it also serves as the greatest connector of humans since that first written word. Look for the people whose explanations you enjoy, whose skills you respect, and whose professional careers you’d like to emulate. Look at the people they consider peers. Look for the people they and their peers look up to. Then, talk to as many of the people you’ve identified as possible and find yourself a mentor.
With your mentor, take baby steps. Don’t “break big things down”, just look for small things. Find something you can do without too much trouble, then do it until it feels perfectly natural. Then, see what that new comfort allows you to do next that you may not have had previously available. By iterating through this process, not only will you begin to develop the composite skills you originally sought, you’ll also find yourself applying old lessons in new ways. This brings us once more to our critical how-to, in a finally useful form:
“Use the tools available to find the most basic relevant information, apply that information until you’re comfortable with it, then seek new information. Use the reliable sources you identified in finding that basic information to find a guide who can help you learn new information in the most productive way. At each step, focus on what makes sense and trust that what doesn’t yet make sense is simply the result of missing information.”
An attentive reader may point out that there’s no part of this advice exclusive to cybersecurity. It’s certainly far less vague and far more useful than “break stuff”, but it doesn’t make mention of SIEMs, Firewalls, IDS/IPS, fifty-if-statements-we-hope-people-will-believe-are-ai, or any of the other pillars of cybersecurity. In truth, this reads less like an explanation of cybersecurity, and more like a strategy on how to learn.
That’s the trick, of course. Just like we can start with the premise “some skills are really a lot of other skills combined” and reach the useless “SMASH!”, by steadily breaking the big sentence “break big things up into small things” into smaller and smaller expressions of itself until the whole thing collapses, or we relate something alien (cybersecurity) to something deeply familiar (language) and find ourselves quite casually moving from realization to realization, every step seeming quite obvious and unremarkable until one day we look down from the lofty perch of our success and see six little words.
Start at the beginning.