Recently someone asked how they could further their career as they felt like they’d hit a glass ceiling and couldn’t progress internally. They weren’t having too much luck externally going through recruiters.
I’m always surprised when someone asks me for any kind of advice. But I thought I’d give it my best shot based on my personal experiences.
When working in a knowledge industry like information security; one doesn’t get any benefit from hoarding any knowledge. In fact, quite the opposite happens – you can end up like a book on a shelf that’s never been read.
Sharing your expertise with others not only benefits those around you, but also yourself. Not only does your own understanding increase of a topic by teaching it, but you get the added benefit of framing your professional competency and capability as opposed to letting others frame that opinion in their own way.
I myself have found that by sharing whatever little I know through blogging, speaking and by making youtube videos, my career has benefitted and opened far more doors than in the 10 years prior to doing so.
It boils down to the simple fact that until someone knows what you know – they won’t know. A concept that I like to explain using my knowledge and reach graph
The graph is not scientifically measured in any way shape or form – so it’s not like anyone is definitely in a particular place. But it’s a fun exercise to carry out in your own time. Take a topic, say forensics and how much knowledge you have compared to your peers… then see how effective you are compared to them in sharing that knowledge. Be it within your company or externally.
A simple check to see who has done a great job at sharing knowledge it to play the ‘fantasy infosec team’ game. It’s where you are given the task of assembling your infosec dream team.
Example would be, choosing someone like Didier Stevens for PDF exploits or Per Thorsheim for passwords.
Maybe you need bloggers that can churn out quality content at a high rate, so you’ll look towards Troy Hunt or Rob Graham. For IDS bypass you can call in Arron Finnon and for security culture you can call Kai and Mo.
The Grugq will be in charge of Opsec, and of course you can’t be going nowhere without a couple of red teamers like Chris Nickerson or Freaky Clown.
These are just some examples that came to mind quickly and there are dozens of more people I could add to the list. However, what’s interesting to note is that I’ve never actually worked with any of these people professionally – my whole perception of these fine people is built up solely from what I’ve learnt from them over the years as they’ve shared their knowledge through blogs, tweets or talks.
You probably know more about certain aspects of security than most other people. Maybe you know how to tune a particular SIEM, or reverse engineer malware in a unique way. But until you share it, no-one will know and you may struggle to escape the rut you’re in.