Jun 07 2011

New to Security? Get on Twitter

Published by at 6:36 pm under General, Simple Security, Social Networking

It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security?  How can I learn more about security?”  More and more, my answer to that is becoming simpler:  Get on Twitter.  (I’m @mckeay, unsurprisingly enough)

Twitter has become the “digital water cooler” for a huge number of security professionals.  I’m not saying all security professionals are on it, nor should they be.  But we long ago reached a point of critical mass where there are regular conversations on it that used to happen only in the hallway tracks at conventions.  If you look at some of the organized conversations that several companies have done on Twitter (Symantec comes to mind) you’ll start to understand that they see a value to it.  If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.

And that’s what twitter is about: not the huge sweeping conversation or revelation that happens once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in day out are thinking.  Don’t expect a single tweet to rock your world and reveal the secrets of the universe.  Instead, look for the threads that explain how many people view security and the inner dialogue that led them there.  Don’t try to read every tweet; dip your toes into a communal stream of consciousness.  Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what twitter has become.

You’re going to have to dredge through a lot of crud to find the jewels in the twitter stream.  I know my own twitter stream is a perfect example of that.  For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about.  But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business.  You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.

Don’t plan on getting involved in twitter, other than very superficially, for the first month or so.  Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are.  Don’t spend a lot of time on twitter, just check in from time to time and add people who sound interesting as time goes by.  If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter.  He updates it almost every Friday.  Soak in the conversations and when you feel the time is right, start responding to people and putting forth your own ideas.

My boss recently started on twitter.  I was a little concerned when he followed me, but I figure anything I say on twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry.  If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen).  But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.  I learn about new stories faster on twitter than I ever did when they were coming to me through my news reader.  Better, I get the benefit of having people whose views I have some understanding of filtering through the stories before I ever read them.

Once you’ve been on twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage.  Don’t force it, but don’t be afraid to contribute either.  Be natural, talk to the people who are out there, and get an understanding of the community.  There will be many voices, like mine, that seem to be nattering away at almost every hour of the day.  There will be voices that only speak up once every week or two.  Both have their value, both are worth listening to.  And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time.  I won’t mind at all… I mean they won’t mind at all.

You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career.  These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community.  Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.

It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe.  Information security as a profession isn’t even 50 years old yet!  Some would say that it’s not even 25 years old as a distinct profession.  And it shows; every day the playing field is changing.  Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it.  Or things may be so bad you can’t trust anything that your computer tells you.  In either case the only constant you can reasonably expect in a career in security is change.  If you can’t live with that, get out now.

Why is this understanding of change important?  Because a lot of people on twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them.  In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be.  Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented.  So don’t take them at face value, challenge these ideas, form your own and come to a new understanding of how security was, how security is and how it should be.  If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who’s going to make the future happen, for better or worse. 

A closing thought: if you’d like a role model for how to approach the security profession and twitter, ask Joseph Sokoly aka @jsokoly.  Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community; first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010.  Is Joseph smart?  Hell yeah.  But is he so special that that alone makes him stand out in a crowd?  Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average.  Where he has proven to be exceptional is that he’s integrated himself into the community and used twitter as his tool to get it started.  Not too many people will be able to reproduce his efforts, but not many people should try.

Twitter is an echo chamber.  Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community.  But do understand that it’s a powerful tool in learning what it means to be a security professional and it’s a valuable tool for getting to know people.  That involvement may be what gets you your first job as a security professional.  Or it might just teach you a new way of thinking about security.  And it’s always possible that I’m completely wrong and twitter may be a complete waste of time for you.  But it is worth looking into.


9 Responses to “New to Security? Get on Twitter”

  1. Boris Sverdlik on 07 Jun 2011 at 7:09 pm

    Listen to the man. I have been on Twitter for 5 years and have only used it as a real time news engine. I just recently started using it to half of its potential, because of security professionals such as Martin.


  2. Eric Deering on 07 Jun 2011 at 8:15 pm

    Amazing, the steps you laid out are pretty much what I had in mind when I realized that I wanted to get into security and started college, though it has taken me a bit longer to really get into these conversations and understand the principles. That could be more because I am really just now getting into my student career where I am taking computer science and digital forensic/security courses and starting to understand what is being discussed. Though I have to admit when I step back and try to grasp everything it is still a bit intimidating to me.

  3. Cindy Valladares on 07 Jun 2011 at 8:42 pm

    Great advice, Martin. Very true about being natural in the way you engage with people. Twitter has allowed me to connect with many infosec pundits and practitioners, learn from them, and contribute ideas to the conversation.

  4. Joe Schorr on 08 Jun 2011 at 6:24 am

    I echo the sentiments of the comments above. Plus I completely agree with you on this point: “I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.”

    I’ve been amazed at the Real Time data that comes out of my timeline. I had a preconceived notion that Twitter was another vehicle for American Idol fans to vent about Sandgina getting booted, but if managed correctly it is an amazingly powerful news and networking tool.

    Again, great points in this article.

  5. […] to find someone like that. A great piece of advice on how to get better known in this way is in a post that Martin McKeay wrote yesterday about Twitter.  It’s some great advice on this kind of networking. I know we rambled a bit there, but the […]

  6. Elizabeth Safran on 10 Jun 2011 at 6:09 am

    Killer post Martin!! Despite my ADD nature, I didn’t really take to Twitter. It was way too distracting and I felt like I was monitoring public IMs filled with private jokes and really, I didn’t care what people I knew from conferences or only via their Twitter handle were eating for breakfast. That said, especially as a PR person, I have been feeling like it is time to dip back in – if not for me, then for my clients, and for all the reasons you outlined in your post. So thanks:-). ES

  7. Kevin Haley on 16 Jun 2011 at 2:22 pm

    There is tremendous value to this idea even if you can’t stand to “dredge through the crud” or don’t have the time to follow tweets during the day (good for you for being able to focus on your day job). Use Twitter with an app like Flipbook. It gives me a magazine with up to the minute content no matter when I pick it up to read. And the content is edited by people I trust who pick what they think is the most interesting stuff being written from sources I may not even know about.

  8. @Corum on 05 Jul 2011 at 6:36 pm


    Two things I would add: follow some people who hold ideas in opposition to each other. When I started following them, @JoshCorman and @MikD had not yet sat down with you, Gene and good scotch whiskey. They debated their differences about the value of PCI and its execution in ways that helped me build a better understanding and a better project plan. (That my then-employer was too short sighted to move forward with it was both instructive and irrelevant.)

    Find some people who consistently point to items of value and just pop open a tab in your browser to read everything they post for a while. It may not work for you – I have spoken with a couple of folks at BSides who thought it was a foolish exercise because it didn’t work for them. I’ve also spoken to a few folks who – like me – find it highly useful. In the infosec world, I always have a tab open with you, Josh Corman, Jack Daniel, Andy Ellis, and Shrdlu – people who I find have a high signal to noise ratio for the things that interest me. I will be utterly unsurprised if those tabs change whenever $NextJob arrives and my information needs change either in the long or short term. If nothing else, some of you act as a filter for the firehose which is Hoff’s tweet stream. It also brings other interesting people to my attention – I first found Andy by following Shrdlu, and Boris by following you. The people who seem to bring the most value tend to talk to other people who will bring similar value or bring rigor to your thoughts through challenging your shared assumptions.

    YMMV. It’s the internet after all…


  9. Alex Scoble on 11 Jul 2011 at 1:11 pm

    Ugh, Twitter is such a horrible tool for conversing with anyone, even on simple things, let alone IT security. I’m not sure how you can justify that you are having conversations on that service.

    I follow your tweets on friendfeed and find them to be entertaining, but the medium is so limiting that you can’t be very informative on it.

    Hopefully, IT security professionals get on Google+ and see how removing that 140 character limit creates a landscape of much greater utility and conversation.

    Unfortunately, many in this space (and in other spaces as well) prefer the more broadcast nature of Twitter to more conversational services like Google+, but I hope these people get pushed to the wayside as more enterprising and visionary professionals see the real power of a conversation engine.
