A request for any security engineers who are Lead/Staff/L6 level or above (e.g. Senior Staff, Principal, Sr. Principal, Architect, etc…). What advice would you give to senior engineers (and below) on things they should learn or prioritize for “leveling up” technically?

I understand a lot of what goes into promotions is not necessarily technical, i.e. politics, visibility, being on high-impact projects, etc… but strictly on the more technical plane, what skills, tools, trainings, frameworks, etc… would you recommend?

Thanks!!

  • stevedidwhat_infosec@infosec.pub · 5 upvotes · edited · 6 months ago

    I’m an InfoSec guy (cybersec, intel, risk)

    The biggest thing I attribute to my various success is mostly personal growth. You can learn everything in the world about tech, but it means squat if you can’t get buy-in, don’t have trust, etc. As much as we hate to see it, silos are still very real and InfoSec can be hard to communicate sometimes. I look at it like this: most departments can hang up their jackets at the end of the day and say “I’m done working” and not have to worry about it from there. With security, it’s constant and affects pretty much every aspect of your life. Information/strats/etc. are changing constantly, by the hour, and that means we have to take a different approach to things.

    However, for the purposes of this discussion, I’d have to say OSINT frameworks and being one with the intel community are huge. You can learn a lot from people’s failures, successes, and what threat actors/hacktivists/etc. are doing. MISP is pretty cool, but it can be a bit unwieldy to the uninitiated. My recommendation would be to lock it down as much as you can off the bat, run it in a VM, and learn the inner workings from YouTube and their documentation/other sec. companies’ documentation until you feel more comfortable. I’d also recommend going to some conferences, competing in some CTFs, etc. to not only network, but to also work on skills and learn from others and their techniques/paths/routes.

    Automation and scripting are also huge, of course. Learn Python (I can’t stress how much I fucking love Python and its syntax - genuinely enjoyable to use for 99% of your ‘I need a thing that does this for me quick’), JavaScript (I know, I know, but the bad guys loooooove obfuscating JS - like it or not, these be yo’ vegetables. The faster you eat your vegetables, the faster you get to dessert.), etc.

    There’s always certs too - I have mixed feelings about them, but I would recommend only going for certs you know are in high demand in your area. So many people shell out hundreds of bucks for what are essentially paperweights. I think Thor (youtube shorts guy aka piratesoftware) mentioned something about only going for keys that you know will unlock doors you want to open.

    Don’t feel like you have to learn everything at once either. Cybersec is fucking massive, and there are maaaaany facets for you to get snuggy inside. Pick what’s interesting, and run it into the ground. Don’t stop until you get bored. When you’re bored, pivot into other areas that may now be more interesting to you.

    Which brings me to cryptography. This is huge today, and it will become more important as we progress towards commercialization of quantum computers. This area is a bit book-heavy, because it’s an intricate process, but push through it. Embrace the chaos theory! If math isn’t your thing, that’s okay too. Like I said, there’s a lot of other areas you can become an expert/advanced in.

    As I also mentioned, networking and being social with the Cybersec/IT community is huge. Back in the day, hackin was about fuckin around with what you had and doing whacky stuff to show your buddies. Share with each other, be kind to each other, never stop learning and let those creative juices fly. Find what inspires you and love the fuck out of it.

    Hope this helps anyone who’s interested. Might not be the best advice, but it’s what has worked for me. Looking forward to any conversation!

  • cmg@infosec.pub · 3 upvotes · 6 months ago

    My #1 recommendation is reading https://staffeng.com/book. There’s so much variance between orgs at this level (or worse, implied during a reorg).

    One of the things that book helped me with is understanding the lens through which others view this level: as four separate personas. That unlocked for me that you might be getting advice from people expecting something other than what you’re going after.

    Another lens is the product engineering vs. corp/cloud security world. They can act very differently, and you often find these roles straddling 2-3 unique orgs.

    1. Services / customer experience of what your org delivers
    2. Threat modeling mindset: look for the big picture so you can help put emergencies and day-to-day stuff in context.
    3. Get real feedback from others to put that judgement in perspective. Sometimes they are missing your perspective and other times you are off base!

    Just remember there’s a lot of variance in higher level processes. Read the book above, then read 20 job descriptions for these titles. See if you can understand what they really want from the role.