Amongst the online hacking courses, conference talks uploaded to youtube, and hot takes offered by infosec’s Twitter thought leader army, it would seem aspiring infosec professionals have access to more personal development resources than they would ever need. Yet, by just looking at online resources, an infosec novice would neglect the industry’s secret sauce to development: other human beings.
Mentors and human interaction lie at the core of how individuals can develop in our space. Indeed, I believe mentorship is more important in infosec than in almost any other career path given the industry’s immaturity. Any school or university's career’s department will possess plenty of insight into well trodden vocations. A student interested in commercial law, marketing, or investment banking will have more glossy pamphlets and career guides than they will know what to do with. Try asking that same careers adviser on how to get started in penetration testing, threat intelligence, or malware analysis and prepare to be greeted with befuddlement and slight panic. This isn’t intended as a criticism of career advisors (although there is certainly room for improvement), it is simply the reality of dealing in a more niche and ultimately less mainstream industry. An industry where there isn’t always the graduate schemes and apprenticeships that exist elsewhere. This lack of infrastructure means that aspiring infosec professionals must find other ways of learning about a career in infosec. Here, mentors play a vital role in filling the void.
So if we can agree that mentorship is important, then what makes a good mentor? The good news is that almost anyone can be a mentor meaning the criteria doesn’t need to be narrow. Of course, you want someone generous with their time, that is willing to listen, and who enjoys helping out. But, apart from that anyone is fair game. This is because mentors come in different shapes and sizes. Some mentors will be those that you look up to in your specific subfield, while others can provide a broader picture of the industry, encourage and help you to get writing, be there to bounce ideas, or introduce you to their contacts. The discussions I have had with my most influential mentor (SecJuice’s own Guise Bule) for example have almost always been about issues outside of my immediate area of work. The point here is that we should be open minded about what mentorship can look like. Rather than endlessly searching for the perfect mentor, it is better to realise that you will get different sorts of help and insight from different people.
Mentorship is best seen as a practice rather than a static exercise. Being a mentee can be fluid: ranging from arranging a one-on-one coffee, to weekly catchups with a colleague, to asking a speaker for some advice after their talk. Mentorship can take place in replying to a tweet, a one-off encounter, or a decade-long friendship. Mentorship can take place in person, over Skype, or via Slack. Moreover, everyone should be looking for mentorship. The infosec space is simply too vast for anyone to have all the answers. Egos quickly become delicate in our industry with rockstars sometimes reluctant to ask for help or advice, choosing to instead portray themselves as an all-knowing expert. While this might appear impressive from the outside, it is ultimately superficial and hollow. Better to take a humble approach. By searching for mentors as a practice, we are constantly considering how we can learn from others.
Likewise, we can all be mentors. Someone that has been in the industry for only two weeks can advise an unemployed college student how they got hired; a sixteen year old whose expertise extends to the basics of python can point other students in the direction of online resources or even setup a coding club. InfoSec is rightly beginning to talk about imposter syndrome, yet most of the attention on the issue has been related to conference submissions. The all too-common sense that “I’m not enough of an expert for other people to be interested in my research or ideas”. Yet, I sense that we also have imposter syndrome when it comes to giving advice and this prevents us from providing much needed mentorship.
The industry I want to be part of is one where we are constantly looking for mentors and mentees, where we are simultaneously searching for those we can help and those we can learn from. For those lucky enough to have benefitted from fantastic mentors that have made a real difference to their careers, pay that generosity forward by helping out the next generation. For those not so lucky, why not help out anyway and contribute to developing a more accessible and welcoming atmosphere within our space?
This blog originally appeared on Secjuice.