Dec 18 2008

Investing in my career

Published by at 6:33 am under General,Microsoft,Simple Security

I made two fairly major purchases this week, even though I had to use the credit card to make them, something I hate doing.  Both are aimed at promoting my long-term health, one physical, the other career.  The first was to get a small amount of exercise equipment and order the DVDs for the P90x system.  I’m sure anyone who’s following the security guys in Twitter has heard more than their fair share about P90x lately and Chris Hoff has gone so far as to create a new blog of his own to monitor his progress with the P90x system.  I probably won’t go as far as he has with the blog, but I think I will follow his example and take a ‘Week 0’ picture and occasional pictures after that.  I’m not starting the program until after Christmas myself, mostly because I’ll be heading out for the in-laws for a week and don’t want to start something this hard then stop for a week.

The second purchase I made was to get myself a membership in Microsoft’s Technet Plus.  I’ve had access to TN+ several times before through employers and I’d used it a lot to build and rebuild servers, test out new programs and generally learn aspects of Microsoft programs I wouldn’t normally have access to.  Unluckily the last time I had access to TN+ was just after XP came out and when Vista came out the only reason I got to try it at all was that I happened to receive a copy of Vista Ultimate at an event I attended.  Not that I ever successfully upgraded a system to Vista, but at least I got to try.

The truth is, TN+ is also a tax writeoff for me.  I haven’t earned much from Google Ads this year, but it’s more than the cost of the TN+ subscription and this will help me counteract what little tax burden there is.  But more importantly, this is an investment in my own continuing education for security and technology.  I work from home and while I get a chance to see different networks and OS’s with every new client, it’s not the same as getting your hands into the guts of a server and administering it yourself.

So I’m viewing the purchase of TN+ as an investment in my technical skills for the future.  And that’s how I’m selling it to my wife as well.  I put a lot of time into reading blogs, writing my own blog and creating the podcast, but the amount of money I’ve put into furthering my skills has been minimal the last few years.  My training comes through going to events like RSA, Black Hat and Defcon.  I don’t have a lot of time and energy to read security books, but several of the publishers occasionally send me those to read and review.  I often think about investing in a Masters Degree.  It’d be expensive and time consuming, but it’s a piece of paper that helps you go a lot further in life than a BS will.  But until my wife finishes her own college courses and gets a job, any further courses for me will have to wait.

What other venues should I be spending money on to further my career as a security professional?  Is there something I’m neglecting that might eventually catch up to me?  How are you investing in your career?  Are you investing in your career monetarily or are you making your investments in time and energy instead?  I know there are a lot of people out there who are beginning their careers who are curious about how to get into security, but I’m wondering how the people who’ve been in the field for years are continuing to improve their skills and preparing for that next step up or making themselves as ‘recession proof’ as possible.  I don’t think anyone in this field can afford to say they’re resting on their laurels.


7 Responses to “Investing in my career”

  1. David Bergert on 18 Dec 2008 at 7:00 am


    Add any Visualization Tools, VMWare, VirtualBox, etc to help you load up images from TechNet – I have a technet subscription for different Windows Servers and Applications – both for a “security test lab” as well as for product development and testing purposes. Also dabble with other OS’s and apps in Virtualization – Linux, BSD, – webservers, databases, etc and all their services. This lets you play with a suite of security tools if you do much technical security assessments.

    I’m a newbie to the P90x group as well – mostly because of your post on it – so I have had a similar outlay of cash to fund that.

    Most recently I attended the Agenis – CPISM Training – and became a CPISM and CPISA – which was both a great networking opportunity as well as more PCI based knowledge – which was a welcome refreshing for a former QSA.

    Lastly, what I recommend is to schedule time for yourself to engage in these activities, so other tasks don’t commandeer time that you had wanted to spend on these activities. I have a daily block of time in my Calendar that I’m “Busy” daily for P90x, and a weekly R&D time slot of a few hours to learn and play.

    Additionally, I’m trying to delegate some tasks that I do, I find that as I explain or teach others, I learn myself, as others approach and see things differently or from a different angle, and this exercises your mind a bit.

    I also buy and read a lot of books, and try to pick educational items for CPE requirements for my certifications. I find local “chapter” meetings somewhat boring, but I suspect that is more to do with size of these groups and my locality.


  2. Kevin Riggins on 18 Dec 2008 at 7:13 am


    This is a great question and a very timely one. Beyond it being important to keep our skills up-to-date just as a general tenet to follow, today’s economic uncertainty is probably an even more imperative reason to do so.

    I do several of the things you have already mentioned, read blogs, write my own, read books, etc. I have also invested in a pretty beefy server at home so that I can support multiple virtual machines for experimentation and learning purposes. Being active in conversations on twitter and other avenues like the Security Catalyst Forums also helps keep me sharp.

    I am not self-employed and for the first time this year I did something I didn’t think I would ever do. I paid my own expenses to attend a security conference. Granted I didn’t have to cover the cost of the conference itself since I had a press pass, but it was still a significant outlay. I anticipate doing the same thing in 2009 as cost containment efforts are in full swing at my company. I feel strongly enough about needing to network and keep current that it is worth me paying for things out of my own pocket.

    Independent of information security specific topics, I also participate in Toastmasters to increase my speaking and presentation skills. These types of skills can be just as important to furthering your career as keeping your infosec specific knowledge current.

    Finally, I am a member of ISSA and Infragard. Both offer opportunities to further your knowledge in a fairly inexpensive way.


  3. Eric Irvin on 18 Dec 2008 at 7:31 am

    I have the P90x DVDs but I need to get to using them. A co-worker used them for a few months and got some massive results.

    I’m beginning Master’s classes next month and have also been looking at taking some legal courses. I’m not sure I want to totally get my JD, but I think part of the future (just like the past) will be determined by the laws and regulations that are passed. I’m hoping a larger legal foundation might assist in that respect.

  4. Tom Lakey on 18 Dec 2008 at 7:42 am


    This is also something I have been pondering as of late. Even though I am employed by a relatively stable employer with no intent on leaving, I am still concerned about staying on top of my game and positioning myself such that I could move if I needed to.

    I have invested heavily thus far in my career in becoming trained and certified. I now feel the need to branch out more and look for ways to strengthen the community. My motives are mostly noble in this endeavor, but I also hope it helps build my career network somewhat. I believe this potentially helps the security community at large, myself, and my employer.

    So what are these career strengthening activities? I don’t think I am really pioneering any of them. Rather I am following in the footsteps of those like yourself who have come before me. Adding one more voice to the blogosphere, twittering when it feels productive, joining professional organizations and providing pro bono security awareness training. Individually I don’t believe these activities provide great value, but collectively I hope they do.

    I am also attending more and varied security conferences. The quality of most conferences seems jaggedly inconsistent though. I am hoping to find the ones that are more about the security conference and less about the party after the conference. Perhaps the economy will winnow them out some.


  5. wishi on 18 Dec 2008 at 7:52 am

    Oh my god…. home training? Dunno, I like leaving the house. I do some Ninjutsu, for finding balance and not being home near my computer stuff ;). Winning distance is essential I think. To have something completely different.
    – p90x – sounds funny. But Chris experiences seem to be painful…

    Well… when it comes to technical stuff itself… I read Safari Books Online stuff. – Research about topics I like to know more about. It’s a nice repository. Has got some videos and articles.

  6. […] have offered some input. There is some good stuff there. Go check it out and add your own ideas. Network Security Blog >> Investing in my career Tags: ( career education […]

  7. Peter on 20 Dec 2008 at 11:29 am

    I am in the same boat. My employer is fairly stable but you never know. I have considered getting certified. I fell into this job and learned everything (which is a lot) on the job so I have no formal training or certification. My employer is a small company so we don’t have a huge infrastructure and will not likely deploy many of the new virtualization and management tools.

    I too am considering a TN subscription so I can learn some of these technologies and keep myself valuable should I need to move. You can read about stuff all you want, but there’s nothing like doing it yourself.

    Anyone have any suggestions for a small cheap machine I can use for testing? Must support hardware virtualization.

