It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security? How can I learn more about security?” More and more, my answer to that is becoming simpler: Get on Twitter. (I’m @mckeay, unsurprisingly enough)
Twitter has become the “digital water cooler” for a huge number of security professionals. I’m not saying all security professionals are on it, nor should they be. But we long ago reached a point of critical mass where there are regular conversations on it that used to happen only in the hallway tracks at conventions. If you look at some of the organized conversations that several companies have held on Twitter (Symantec comes to mind), you’ll start to understand that they see value in it. If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.
And that’s what Twitter is about: not the huge sweeping conversation or revelation that happens once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in, day out are thinking. Don’t expect a single tweet to rock your world and reveal the secrets of the universe. Instead, look for the threads that explain how many people view security and the inner dialogue that led them there. Don’t try to read every tweet; dip your toes into a communal stream of consciousness. Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what Twitter has become.
You’re going to have to dredge through a lot of crud to find the jewels in the Twitter stream. I know my own Twitter stream is a perfect example of that. For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about. But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business. You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.
Don’t plan on getting involved in Twitter, other than very superficially, for the first month or so. Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are. Don’t spend a lot of time on Twitter; just check in from time to time and add people who sound interesting as time goes by. If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter. He updates it almost every Friday. Soak in the conversations, and when you feel the time is right, start responding to people and putting forth your own ideas.
My boss recently started on Twitter. I was a little concerned when he followed me, but I figure anything I say on Twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry. If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen). But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter. I learn about new stories faster on Twitter than I ever did when they were coming to me through my news reader. Better, I get the benefit of having people whose views I have some understanding of filter the stories before I ever read them.
Once you’ve been on Twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage. Don’t force it, but don’t be afraid to contribute either. Be natural, talk to the people who are out there, and get an understanding of the community. There will be many voices, like mine, that seem to be nattering away at almost every hour of the day. There will be voices that only speak up once every week or two. Both have their value; both are worth listening to. And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time. I won’t mind at all… I mean they won’t mind at all.
You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career. These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community. Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.
It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe. Information security as a profession isn’t even 50 years old yet! Some would say that it’s not even 25 years old as a distinct profession. And it shows; every day the playing field is changing. Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it. Or things may be so bad you can’t trust anything that your computer tells you. In either case the only constant you can reasonably expect in a career in security is change. If you can’t live with that, get out now.
Why is this understanding of change important? Because a lot of people on Twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them. In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be. Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented. So don’t take them at face value; challenge these ideas, form your own, and come to a new understanding of how security was, how security is, and how it should be. If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who’s going to make the future happen, for better or worse.
A closing thought: if you’d like a role model for how to approach the security profession and Twitter, ask Joseph Sokoly aka @jsokoly. Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community: first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010. Is Joseph smart? Hell yeah. But is he so special that that alone makes him stand out in a crowd? Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average. Where he has proven to be exceptional is that he’s integrated himself into the community and used Twitter as his tool to get it started. Not too many people will be able to reproduce his efforts, but not many people should try.
Twitter is an echo chamber. Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community. But do understand that it’s a powerful tool for learning what it means to be a security professional and it’s a valuable tool for getting to know people. That involvement may be what gets you your first job as a security professional. Or it might just teach you a new way of thinking about security. And it’s always possible that I’m completely wrong and Twitter may be a complete waste of time for you. But it is worth looking into.