One question I get on a regular basis is “I want to start a career in infosec where do I start?” and when I ask in what area of infosec one of the most common answer if not the only one is “I want to hack”. When I hear this, I see the focus is mostly on doing cool stuff, that is their strategic goal. I believe having this goal is not a bad one since they are looking for something that will fulfill them and they find fun but, in my opinion, I find it to be also a goal that will lead to more stress and frustration since it will not match reality. You see when one works in information security consulting or as an internal team the business goal of your customer is the security of the system, your goal is to provide as much as possible a service that ensures that all security risk that can be managed are covered. What does this then entail for the person that wants to become a practitioner? It means that since they work under the context of value to the business that a lot of their work will be around how they can best serve the goals of the business without impacting them in a negative manner. What does this mean for the person that wants to be great at their job in infosec, you have to remember not everyone wants to be great many just want to do tasks they like and that ambition of being great professionally is not part of their goals, for those that do it means that they have to focus on areas other than the technical side of TTPs and IOCs. The areas of study and focus should be:

How does a business operate, one has to remember that depending on customer one has to ask how are they structured, what do they do and what are the business goals? Without this basic information one does not have the proper context to make decisions on the actions they need to do.

• Understand Team dynamics, in addition to the regular business processes, one also needs to cultivate political collateral, by this I mean to understand the different inter department and internal department politics, build rapport with the leaders of the teams and their key members. Many times, when it comes to getting thing done this built collateral will help in getting things approved and also come in to play in better understanding what level of effort will be involved to get things done since all play a part and they buy in will dictate the tempo of operation.

• Soft skills, any consultant with experience will tell you that the quality of the reports and presentations that are the results of an engagements will make or break the reputation of the consultancy, if recommendations are implemented and if one becomes a trusted advisor or not that gets brought in in the future. This is where having that business knowledge and political collateral come in to play because one can tailor how information is presented so it has the biggest impact.

• Understanding the market, many practitioners will subscribe to podcasts, YouTube channels and blogs on only the area they are interested in, be it attack emulation or incident response, security operations or DevSec but very few subscribe to other technology podcasts that discuss enterprise technology. Gaining this information is key in to understanding where to allocate time to study and practice since those with the knowledge in those areas when a enterprise decides to look in to it will have a higher advantage, also when operating in enterprises many do not focus on those systems with the depth of knowledge that may be needed to know how to target and communicate in relation to it. (Examples are Software as a Service, Platform as a Service and Infrastructure as a Service in cloud environments).

• Investment on self, one area that I hear complains constantly of those that are in a field and been able to get their foot in the door is lack of personal development planning in consultancies and business. My normal advice may sound harsh but a softer version of it is to don’t care and invest in one self, it is an investment that with time and effort will provide compound interests. Don’t wait for others but move first, many resources are free like the Microsoft Virtual Academy, others are low cost like Udemy, others provide a wider range of subjects missed by the technical side like LinkedIn Learning. The important part is to plan and invest in yourself, outwork the naysayers.

As you can see there is a lot of foundational areas of understanding and mastery outside of the technical, in fact many of these areas dictate where you invest your time and resources when it comes on what you focus on the technical realm since at the end of the day you are providing a business with a service.

An example from when I was a Senior Solution Architect working on how to secure a new datacenter for a customer in Central America. The datacenter was going to be hosting very important data. As part of my prepwork I made sure to find out the mission statement for the government agency I was working with, how did the project and goals related to the mission statement, who where the backers of the project, their motivation and many more in lunches, conference calls and any other opportunity. When I flew back to work on the plan I knew how to target my wording and phases of the project design to ensure each of the stakeholders inside and outside the agency would resonate with parts of it and ensure the rest in some way supported their individual goal and agendas in one manner or the other. This ensure quick buy in and ensured as a pushed for stuff to be monitored, controls be placed on different areas that the benefits expressed for each would mean that they would be putting in risk their own goals and ambitions in risk, I hacked the organizational thinking structure you may say. This is something that it is not a bit that is on or off, it was me getting out of my confort zone and being happy that my boss at the time took the time to mentor me and forced me to go to project management training, sales training, effective communication seminar and many other stuff outside of my technical area of expertise so he could have a more balanced resource.

Your mentality has to be to never be outworked by the competition. or unprepared for the situation, always striving to be balanced and not leave stuff to chance. Set your standard, work on achieving it and then set a new one.