I have been in the infosec field for little over three years at this point, in the IT industry for almost five, and passionate about learning since birth. As in every career, infosec is all about continuous learning. That journey can be a rocky one for a field as ever-changing as ours is.
Leaving aside sadly perennial issues such as gatekeeping, which will probably get tackled in later posts, I wanted to share with you the reasons why I believe meeting my learning goals (certs, bits of knowledge on specific topics, mastering tools/technologies, etc.) has been quite a challenge for me ever since I started having an interest in this field, and, hopefully, share a bit of personal advice as well along the way. These are in no particular order:
Reason#1. Not knowing what to learn.
Perhaps the first challenge I encountered. There are too many blanket statements when it comes to learning. Too many sources (peers, sites, YouTube videos, forums, etc) throwing statements like “learning linux is important”, “you must learn programming“, “make sure you know networking if you want to get into this field or get this position”. That information is often ingested without a context by newcomers or even people within the field that just want to build upon their skills or further their careers. It is obvious that when you seek the knowledge you can appreciate a bit more of context. Seeking answers to questions like “Why do I need to know that?” “What part of such a large area/technology/field should I tackle first?” “How would I apply that in my current position or in the position I want to have in the future?” is common. As we try to help others, it is important to keep in mind that the richer the content the clearer the direction or game-plan anyone will have to set in order to meet their goals with our help.
Reason#2. Not allowing the learning to actually take place (imposter syndrome?)
This is yet another proof of how fascinating the human mind can be. With this point I wanted to refer to the “I should know this by now” feeling that overcomes you when you try to learn the fundamentals of any topic. We can find hundreds of excuses for that feeling to arise; maybe you got a degree but never really learn the technical aspects that now you try to do, maybe you have a cert but never had the hands on experience you are trying to gain now, maybe you have been in the field for a while but never did get to do exactly what you are trying to learn about, etc. There is definitely a close relationship between this type of thoughts and imposter syndrome, which we have addressed in previous posts and can be described as the fear of being singled out as an imposter as well as downsizing any achievement earned thus far.
That relationship with the imposter syndrome is made more obvious when the “I should know this by now” pressure develops into wrong conclusions (“I am a fraud because I got to this point without knowing this, etc.””). This rapid escalation and negative spiral often ruins the study session or even the learning effort all together, perhaps before it even starts. It is important to realize that what we are doing, essentially, is to tell ourselves “I should know this by know – therefore, I am not going to learn it” when we let that negativity haunt us. This is infosec, nobody knows everything about everything, nor about any single thing (unless you coded it).
Quite an interesting one, given the fact that I have experienced it more so once I started working in the field, as the mere excitement to break into the field kept any burnout at bay in the past. The nature of infosec, where goal posts are constantly being moved not only by adversaries but by the “good guys” (new products/technologies, new policies/procedures, new compliance requirements, new frameworks to adhere to, etc) is quite a stressful one. Once you are working in the field, there is a feel of urgency to most of the tasks/projects that are assigned to you, and there are often talks about restructuring work, changing the way you operate or have become familiarized with. Obviously, that stress can reach even higher levels depending on the unique circumstances of your role or the organization you work for.
Burnout is a serious threat to the learning goals, and has to be handled as such. I learned to be practical with burnout; I learned that, while I can appreciate complete breaks from infosec altogether, being oblivious to my learning goals long term only resulted in more frustration. Once that principle is clear, the key to prevent yet another factor to contribute to the burnout is good discipline.
Reason#4. Lack of discipline or proper planning
For an admittedly long amount of time, I would completely overdo it in pursuit of my learning goals and subsequently abandon the efforts mid-way due to burnout. It was only after many failed attempts that I started to understand I needed a plan that worked for myself. I felt as if I needed to be one of those inspiring examples of folks that got a cert with only a couple of weeks of studying, a big name cert right after college, or complete SMEs of a tool or technology recently launched. I also felt that not achieving so should be considered a failure. While platforms like LinkedIn, YouTube, Twitter, and different blogging or micro-blogging sites can definitely be incredibly useful and good tools to utilize in your learning journey, it is important to remember that in the infosec context, just like in any other one, social media is mostly used to showcase and highlight the very high points of a career or a product, and not necessarily the low points or the challenges encountered along the way.
When I set those pretty ambitious goals I never did set them tailored to my personal and unique circumstances, but mostly fueled by the “I should know this by now” urge mentioned above. I also failed to realize that learning is all about making progress towards the goal, where the goal is only a consequence of the learning. That change of perspective allowed for a change in the way I planned and worked on my learning goals, with attainable goals being achieved in realistic timelines, moving past the frustration of not making progress, but also avoiding the burnout or establishing a toxic relationship with something that, as I said, I was always passionate about: learning.
This is mostly what I learned about learning as of late. I hope you find any of this helpful, let’s continue the conversation either here or on Twitter @spapjh.