💾 TCP Byte #4: 27 Things I've Learned Throughout My Career in Cybersecurity and Product
I recently turned 27 years old which led me to pause and reflect on all I've learned in my years of living and more specifically, my time in the cybersecurity industry. I wanted to distill this into some of the things I’ve learned and advice I would give my younger self. Before we dive in though, here's a bit about me:
I've spoken at 7-8 security conferences including DEF CON, fwd:cloudsec, Texas Cyber Summit, and Security Weekly Unlocked. I've attended probably ~50 more.
Thanks to internships, my network, and the dynamic nature of consulting, I've spent time as a red teamer, IoT blue teamer, cloud security consultant, security public policy, GRC, business continuity, detection engineering, and most recently, product management across a slew of industries.
I've dissected tens of thousands of security articles and research reports for fun, educational purposes, and the TCP newsletter. I've also worked at the 9x RSA award-winning podcast Security Weekly. Shout out to Paul, Sam, Johnny, Tyler, Larry et al.
I started the cybersecurity club at my uni and taught 60+ students how to use tools like Nmap, Wireshark, and coached them for 3 seasons for the National Cyber League (NCL) competition.
Certs. I have a few including the Certified Kubernetes Admin (CKA), Azure Security Engineer (AZ-500), HITRUST Certified CSF Practitioner (CCSFP), AWS CCP, CCSK, AZ-900, Security+, FEMA ICS-000100, and FEMA ICS-000200.
I've scaled the TCP newsletter to 1.7K+ subscribers in 9 months. You can subscribe below if you haven’t already.
In short, I've seen a lot, done a lot, and have a few takeaways that can hopefully help you wherever you are in your journey whether you're a VC, CISO, GTM, practitioner, or someone looking to land a security role.
The Cybersecurity Practice🥷
The hacker mentality is not something that only serves offensive security professionals. As a security practitioner, you have to be able to put yourself in the shoes of an attacker and understand how they may be able to infiltrate your environment, hide their traces, exfiltrate data, etc. For malicious actors, nothing's off the table, so while the MITRE ATT&CK Framework is awesome at providing an understanding of attacker tactics and techniques, it's not a catch-all. Use your creativity and curiosity, especially when testing out detection hypotheses and threat modeling.
As a security practitioner, grasping your engineering and business counterparts' goals and language is essential. Deep knowledge of the industry, the applications you're building, architectural decisions, tech stack, etc. is crucial. Understanding each team's motivators enhances your role as a team player and leader, ultimately leading to better-informed risk-based decisions and increasing your value.
Becoming a strong security practitioner is not easy and there are no shortcuts. You must get the fundamentals down first and understand that if there's something you're avoiding learning, it's almost certainly something you need to dissect and master. Otherwise, you're sabotaging your progress. For example, I avoided learning how to program for the longest time, which 110% removed me from consideration for tons of roles I applied for. On the other hand, I doubled down on cloud + Kubernetes security and it gave me an advantage.
Whether you're a red teamer or blue teamer, being resourceful and adaptable are superpowers. It's 2023. You have the power of Generative AI, web-based virtual labs, Google, YouTube, podcasts, newsletters, books, and direct access to industry leaders on X and LinkedIn. Nothing is off-limits. There's almost no excuse for what you should be able to learn and achieve.
Though you need not be a master of all security domains, it's crucial to understand their purpose and how they relate to each other. For example, understand how identity and access management ties into endpoint, IaaS, PaaS, and SaaS security, plus the impact it has on the compliance frameworks that govern your organization. This is why GRC is a great starter role: it provides you with a bird's eye view of how the different security domains make up the bigger picture.
Never take security findings from solutions at face value, especially if the app's logic is a black box and it's a serious issue. Go to the source of truth: the logs, the said-to-be-impacted system(s), and the systems that have access to those systems. Perform your root cause analysis before jumping the gun. Many products produce false positives, especially as it pertains to reachability. An API may be flagged with a critical severity vulnerability but live within a segmented private network with strict access controls, meaning only authorized services can communicate with it. With this context, you help prevent whiplash on your team and can coordinate a more appropriate response.
Products are getting better at providing context on reachability, exploitability, and impact but there will always be blind spots and as a security practitioner, it's key to live off the land.
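The reachability point above, as an added example that is not from the original post: the scanner's severity is re-prioritised only after the asset's ingress rules are pulled from the source of truth, and an inventory tag that claims "private" is checked against those rules rather than trusted. All asset names, rules and finding ids are constructed placeholders.

```python
import ipaddress

# Constructed sample data (not from the article): scanner findings, the
# inventory tag a scanner might rely on, and ingress rules fetched from the
# source of truth (firewall / security-group config) for each asset.
FINDINGS = [
    {"asset": "orders-api",  "id": "CVE-PLACEHOLDER-1", "severity": "critical"},
    {"asset": "billing-api", "id": "CVE-PLACEHOLDER-2", "severity": "critical"},
    {"asset": "legacy-api",  "id": "CVE-PLACEHOLDER-3", "severity": "high"},
]
ASSET_TAGS = {"orders-api": "private", "billing-api": "private", "legacy-api": "private"}
INGRESS_RULES = {
    "orders-api":  [{"cidr": "10.20.0.0/16", "port": 8443}],  # internal subnet only
    "billing-api": [{"cidr": "0.0.0.0/0", "port": 443}],      # tag says private, rules disagree
    # legacy-api: no rules could be retrieved at all
}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internet_reachable(rules):
    """True if any ingress source range is not fully inside RFC 1918 space."""
    for rule in rules:
        src = ipaddress.ip_network(rule["cidr"])
        if not any(src.subnet_of(internal) for internal in RFC1918):
            return True
    return False

def triage(finding, rules_by_asset=INGRESS_RULES, tags=ASSET_TAGS):
    """Re-prioritise a finding from verified reachability, never from the tag alone."""
    asset = finding["asset"]
    rules = rules_by_asset.get(asset)
    result = {"asset": asset, "id": finding["id"], "reasons": []}
    if rules is None:
        # No source-of-truth data: keep the scanner's severity, never downgrade blind.
        result["priority"] = "P1" if finding["severity"] == "critical" else "P2"
        result["reasons"].append("no ingress data retrieved; severity kept as reported")
        return result
    exposed = is_internet_reachable(rules)
    if tags.get(asset) == "private" and exposed:
        result["reasons"].append("inventory tag 'private' contradicted by ingress rules")
    if exposed:
        result["priority"] = "P1"
        result["reasons"].append("reachable from non-RFC 1918 source ranges")
    else:
        result["priority"] = "P3"
        result["reasons"].append("only RFC 1918 source ranges may reach this service")
    return result

if __name__ == "__main__":
    for f in FINDINGS:
        print(triage(f))
```

The billing-api case is the one the post warns about: the asset is labelled private, but the rules say otherwise, so the finding keeps its priority and the inconsistency itself becomes a reason to investigate.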
The Cybersecurity Industry 💼
Most startups that have been formed over the past decade are nothing truly groundbreaking nor solve an entirely new problem. Most, not all, try to solve a problem better than an incumbent and if they're able to execute well, they can carve out enough market share to be successful.
While many vendors say they provide a "single pane of glass" across the security domains that their offerings cover, some, sadly, do not correlate the findings from those different sources to give the user a true, comprehensive view of their security posture. This is part of the reason why best-of-breed and data-driven security is continuing to become the favored security approach.
Security marketing has gotten better but it's still broken. Traditional marketing approaches that are fear-based do not work here, and they have earned a lot of vendors bad feelings in the community.
Our industry is different from most. For one, it's still fairly small compared to other industries, and we also have a strong sense of community. CISOs, practitioners, and founders congregate amongst each other in private Slack groups, cigar lounges, etc., and share their war stories, lessons learned, and talk about other things humans talk about. In short, reputation in this community is more important than in other communities, whether as an individual or as a vendor.
The best resources I know of for cybersecurity industry news and opinions are Security Weekly, , Hacker Valley Media, and .
Paying large ticket prices for a booth at the major security conferences doesn't reap the same rewards that it used to. For startups, that money is much better invested elsewhere.
Data-driven security strategy is truly a game changer. If implemented correctly, think about all of the possibilities that having all of your identity-related data funneled into one place and in a common model/schema can provide you. You can ask the most pinpointed questions, maintain a continuous pulse on posture via dashboards and metrics, and you can prime and leverage that dataset for unique AI/ML use cases.
The Cybersecurity Career 👨🏽💻
The best ROI I've gotten on my time and efforts while in security is attending conferences and being part of the security community and its micro-communities.
This probably goes without saying, but for every new technology and its underlying advancements, our industry will be the one that has to secure that technology. For career advancement, it's crucial to stay on top of the latest tech such as Gen AI, ML, Quantum, Data Science, etc.
You must give back as you learn and grow in your career. Our industry is small, understaffed, and changes every day. We need more practitioners and your knowledge + experience can help close this gap. Mentoring, sponsoring, and being active with non-profits are just some of the ways you can give back to those coming into our industry. It's also an extremely fulfilling pursuit.
Personal branding is icky, but regardless of what you call it, you should somehow showcase your body of work, whether it be on LinkedIn, GitHub, Substack, YouTube, etc. The sooner, the better.
O'Reilly Safari Learning Platform is the best $500 you can ever spend. Live courses, labs, 35k+ books, and videos on various topics. Next to this, is TryHackMe. Thank me later.
Build and break stuff. It's one thing to learn; it's an entirely different thing to do. When you do things repetitively, the grooves in your brain become deeper and it eventually becomes second nature. When you solely read or watch videos about things but don't actually do them, or do them sparingly, that knowledge leaves you soon and you won't be able to solve problems or speak about them as well as the people who are doing them.
Certs. They help especially depending on your learning style but after the first ~2 years of your security career, they rarely matter.
Building Products ⚒️
Attention to even the smallest details is part of what makes a great product.
Your ability to influence leadership, engineering, and design is crucial. Use data, user feedback, and market intel to aid in your decision-making and influencing abilities.
Think about user journeys and jobs to be done by the respective user persona. It'll make things much clearer.
Day-to-day operations are a grind but never lose sight of the bigger picture and always make time to think about new features or enhancements that can give you an asymmetrical advantage in the market.
Life ⏳
Health is wealth. You can bang out 60-80hr work weeks but nutrition, fitness, and mental stability should rarely fall on the back burner.
Life is short and can be gone tomorrow. Think about the people who passed suddenly. Think about how unexpected events like war and COVID-19 can severely limit what you can do for extended periods. Travel, take risks, spend time with the people you love, and do stuff that you've always wanted to do.
Self-confidence is everything. I know geniuses who lack it and have limited their opportunities and impact on the world because of it. Of course, be humble and understand emotional intelligence but never doubt yourself or your abilities to accomplish something. You should be your #1 supporter.
Great post, Darwin! You are right: stay healthy and you will enjoy more years in the cybersecurity community and industry.