The importance of networking in information security

April 13, 2023
The increasing sophistication of network attacks challenges organizations large and small

Throughout my information security career, the source of my greatest joy also happens to be my greatest defense. Gartner doesn’t have a Magic Quadrant for it, to my knowledge no schools teach it, and a lot of us in InfoSec are not wired for it: I’m talking about networking. I’m talking about connecting with your peers to learn and share best practices, threat information, and experience in all elements of our field.

In fact, I’d go so far as to say that an InfoSec peer network is critical to thwarting cyberattacks. Rarely are we up against a single novice hacker. Instead, we tend to face well-funded cybercriminal groups, experienced hackers, and even attackers backed by nation-states. If Fortune 500 companies with dozens or even hundreds of dedicated security staff can’t thwart a breach, there’s little chance we can go it alone to defend our organizations. The best security programs are not those that isolate themselves in an imagined Avengers Tower of Security, but those that are engaged with the broader community. There are numerous ways to do this.

Engage in Small Private Peer Groups

In the 00s, I was the head of network services at a law firm in Boston. Figuring that my counterparts at other firms were also struggling with issues like Exchange administration and backup tapes (yes, I’m dating myself a little here), I reached out to several firms and invited colleagues over to lunch. Everybody likes free food, and this group eventually morphed into another that, while still relatively small (< 50 people), had members from San Francisco to London.

Engaging in small private peer groups like this may be the most valuable way you engage with your peers, regardless of whether those engagements occur on a Slack channel, a Discord, a listserv, or monthly meetings at a table in the back of a Tex-Mex restaurant. In the interest of good operational security and/or office politics, you don’t see people asking sensitive questions on open social media or a listserv of thousands. You need a forum where you can safely collaborate with people who have been there and those who still are there.

Reach out to your neighbors to get one started. Your “neighbors” could be security practitioners who are literally in your geographic area, are in the same industry as you (yes, your competitors), or—if you’re in a large city—both of these.

Seize the Day

Focusing on your specific industry won’t always work, especially if your industry is niche. When I joined the educational technology field, I learned that I didn’t have a lot of direct peers. This meant I had to get creative.

I was at a local gathering of security folk when we went around the room introducing ourselves. Amongst the 30 or so present, a surprisingly large percentage (75%) of the group were hired into “greenfield” environments—they were that organization’s first person dedicated to infosec. I pointed out that many of us had this in common and offered to host a mailing list (open to anyone in the room, I wasn’t out to exclude anybody). To my pleasant surprise, one member of the group was from another edtech company, which established an additional common ground.

Attend (Preferably in Person) Local Group Chapter Meetings and Smaller Conferences

If you’re new to the field and/or unfamiliar with some of these groups, some suggestions, in alphabetical order, are: BSides, CSA, DefCon Groups, InfraGard, ISACA, ISC2, and SecureWorld, among many others.

Two other types of groups worth a separate mention are Industry ISACs or assorted ISAOs. ISACs (Information Sharing and Analysis Centers) were formed at the direction of the U.S. government at the turn of the century to encourage industries to share security threat intelligence with each other. ISAOs (Information Sharing and Analysis Organizations) serve the same purpose. I wholeheartedly recommend reaching out to an ISAC or ISAO if there is one appropriate for you.

I also highly recommend you attend, participate, and volunteer at events or conferences beyond simply sitting in on lectures. Roundtable discussions and more open forums give you the opportunity to contribute and listen to more voices. You don’t have to be an extrovert, but it certainly helps not to be a wallflower.

If imposter syndrome is creeping up on you, know that your experience has value. You don’t have to be a brilliant super-sexy-techno-security-all-star. I am enjoying an incredibly fulfilling career in information security, can afford to send my kids to good colleges, and I had fewer than 500 followers on Twitter before the Elonocalypse. Just got out of a cybersecurity program in college? You have fresh insight; most of your elder colleagues didn’t even have that opportunity. Work for a tiny company with no security budget and little support from leadership? You are not alone, and there are people that want to help.

Make Connections and Practice Better Security

Not only does peer networking make you more effective in your practice, but it will also make your work life so much more satisfying. Someone out there solved that firewall configuration problem you have, while another would love to know how you conduct phishing assessments for your staff. Find them!

Got Funding? Here Are Other Sources of Knowledge and Networking

  • IANS Research – Membership provides access to information security faculty (some of the all-stars I mentioned earlier), a document library (one literally saved me $20,000), and CISOs from around North America.
  • Cybersecurity Collaborative – A newer group with groups of peers developing best practices for security programs.
  • The SANS Institute – InfoSec training of many flavors, including classes set up in a conference with networking opportunities. Scholarships are available, and I’ve seen more than a few ex-military attend sessions for free or close to it.

About the author: William (Bill) Kyrouz is the Director of Information Security at Jenzabar, an education technology provider. Bill has been developing the company’s security program, advocating for improved defenses at higher ed institutions, and sharing intel and best practices with peers across industries. Bill has been working exclusively in information security for over 10 years, spawned from network management roles in legal, manufacturing and publishing. He was awarded the inaugural Security Professional of the Year Award from the International Legal Technology Association in 2018 and has sought to foster continuing security education for his staff, peers, his organization, and clients.