PaulDotCom mailing list archives

Re: Security career coaching, mentoring or suggestions welcome


From: Michael Dickey <lonervamp () gmail com>
Date: Tue, 14 Dec 2010 08:53:13 -0600

1- Absolutely keep up the blog! Even if few people use it, it serves *you* a
great purpose to self-publish and organize thoughts. Or give people a place
for trackbacks, linkbacks, etc. Nothing demonstrates your security geekness
quicker than a blog/web presence.

2- Double-absolutely! I have found on my own site that how-to types of posts
get by far the most interest. Plus they let you learn more and give you a
place to return if, a year later, you forgot what you did and need your own
refresher. I also tend to, myself, like posts that are how-to types. Most of
us mean well when we want to post more how-tos (i.e. go over a BackTrack
tool every week...yeah, that happened!)...  If you want, I'd also suggest
video tutorials to then post places like theacademy or securitytube.

3- This can be a slow burn, if a burn at all, unfortunately. For those
assessments you do, as long as you can properly sanitize them, I would
*potentially* suggest publishing them on your blog as well. They can act
almost like an example of your work. And web assessment examples by someone
who knows what they're doing...yummy! At the very least, this should help
illustrate to yourself your work for when you rebuild your resume; that
you've added value and done security stuff to the benefit of your company.
There may not be a dollar-sign attached, but I think most will understand
that not every company *can* put dollar signs to such activities.

4- If you qualify for the CISSP (and you can weasel those years of
experience in many ways if you work at all in IT), I'd really suggest going
for it. It can't hurt you other than in your wallet. (If you've been
listening since episode 1, I'd bet a whole night's worth of beer you
qualify.)

5- Organizing time...ack, I can't help you there! Security books are
awesome, but definitely try to set aside a place and time to work along with
some books. I would definitely take as much time reading security blogs,
listening to podcasts, and watching con presos.


My addition: If you have development background, feel free to find a really
cool tool that you cover on your blog, and donate some time to create
something to add/plug into it.


On Thu, Dec 9, 2010 at 11:24 AM, Abraham Aranguren <elaabraham () gmail com> wrote:

Hi lads,

I have been a listener of the show since podcast 1 and I love the show. I
have decided to be more active and involved in the security community from
now on.

I would appreciate it if (some of) you could coach me, mentor me or provide
some suggestions regarding my security career. This is my draft plan; please
let me know what you think:
- Keep up with security news and maintaining
http://securityconscious.blogspot.com. Background: I have been publishing
this for over a year for my company internally, the main point is to educate
users but it also sets my accountability high (i.e. "forces me" to keep up
with the news and stay more or less current). Recently a colleague asked if
it was OK to send this to a customer; because I was publishing it on the
intranet, that would not work, so I started publishing this both internally
(on the intranet) and externally (on http://securityconscious.blogspot.com).
- Use the blog to publish security research on different topics, in a
similar fashion to what irongeek does (not that I will ever match him of
course), try to research a topic relatively deeply, experiment with it,
learn a bit about it and then publish a post explaining what I learned,
steps, screenshots, etc. This would also keep me accountable and motivate me
to research more (I think) and also perhaps be a bit more known in the
industry if some of the posts get relatively popular.
- Try to keep pushing the business case for security internally at my
company. Even though I am not happy with the security situation in my
company and not being on security full-time I must admit I have performed
quite a few vulnerability assessments mostly on web applications and web
servers at this point. There has also been a lot of involvement in the
internal security policy and general security advice for secure
implementation solutions or other security related questions. So the
situation is far from ideal but there has been significant improvement, my
morale is a bit low because it has been more than 2 years trying to push the
business case for security forward and to really work on security full-time
100% (I am always back to development when "there is no security work") but
it is very hard and slow to get management to do anything. Advice on this
topic is particularly welcome.
- Try to get some more certifications like OSCE (already got OSCP), which
actually prove you can do something and not just answer multiple choice
questions.
- Try to make time to read security books more often (how often do you read
security books? There is so much to do between watching conferences, reading
news, researching topics, etc. that advice on how to organise my time is
welcome too!)

Any other ideas or improvements?

Thank you,

--
Abraham Aranguren

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
