By Julie Fugett
When I have the occasion to share my hobbies with others, I usually list “running†among them. I am not particularly fast and I don’t have any delusions that at the age of 31 I am suddenly going to become a competitive runner. I am, quite frankly, pretty lousy at it. It’s hard for me. It’s rare that I experience that “runners’ high,†and I will never win a race. At this point, you’re probably thinking “she’s a masochist,†but you’d be wrong! Here’s why I run: It takes me out of my comfort zone. It makes me push myself to keep going.
I apply this thought process to working in information security as well. I am into my third year of working full time in this field and I finally feel as though I’m getting a handle on where my strengths and weaknesses lie. It would be easy to retreat into what I know and do only those things. I firmly believe, however, that my employer and my career are far better served if I work to keep my knowledge broad and my interests well-rounded.
By mindfully pushing yourself out of your comfort zone, you are bound to improve the parts of your information security practice in unexpected ways. I am a mediocre runner, but when I run regularly my pants fit better and I have more energy. Think over the things you’re expected to do as part of your job. I’m guessing there are parts of your job you could do in your sleep. Maybe you’re a rock star at packet analysis and you can build firewalls in with half your brain tied behind your back but don’t know much about federal regulations affecting your company. Perhaps you can audit information systems with ease but wouldn’t know who to call first in case of a security incident. In most situations, you won’t be called upon to know everything there is to know, but I promise that your work product will be improved by seeking out people who excel at tasks with which you struggle.
In some offices cross training and collaboration are encouraged and even expected. If that’s the case where you work, take advantage of it! Where appropriate, ask to sit in on meetings. Request training. Shadow colleagues who do what you’re interested in. If this kind of activity isn’t encouraged, work to change the culture—but go elsewhere to get your cross training fix. I know a great place: http://www.securitycatalyst.org/forums/
Try things you’re “bad†at in the privacy of your own home, or at least away from work. Do you spend all day on compliance issues? Pick up a copy of Ultimate WRT54G Hacking, a wireless router, and set to work. Configure the firewall. Experiment with security settings. Practice notifying your family about unplanned outages. (Maybe that’s just at my house…)
Perhaps you’re shaky on building presentations on information security. Ask friends and family what their concerns are—they’ll tell you. Build a talk on a simple idea like “surfing securely†or “how to spot a phish†and then find people who will listen to it. Church groups, retiree groups, and community-based organizations (among others) are all on the lookout for people who are willing to come in and talk. A side bonus? Depending on the certifications you hold, you may be able to count these activities as CPEs!
While it’s possible you will tap a new well of previously undiscovered talent, the main goal here is to push yourself and find new ways of thinking about problems you see in your daily work life. Don’t worry if you don’t become a genius at network architecture or if you still break out into cold sweats when you think about giving a presentation. Get out of your comfort zone now and again—you just might find it makes you even better in the areas where you already excelled.
Engage with Michael Santarcangelo