I recently posted the below on the SANS Internet Storm Center.
We are all privileged to work in the field of information security. We also carry the responsibility to keep current in our chosen profession. Regularly I hear from fellow colleagues who want to learn something, but do not have a training budget, feel powerless and sometimes give up. I would like to share several approaches that can be used to bridge this gap and will hopefully inspire a self-investment both this weekend and beyond. None of these ideas cost anything more than time.
I decided to borrow an idea from an informal mentor, something I generally give them credit for, but not always. I decided to wake up early each morning with the intent to learn something new every day. Maybe the something is a new tool, a new linux distribution or taking an online class. Having done this now for the last 7 years, I can say without hesitation or regret that it has been pivotal in making me a better me. I am convinced that applying just a little bit of incremental effort will serve you well as well.
Ideas to get you started:
- SANS Webcasts and in particular their Archive link
- Serve as an informal mentor to a junior team member, while being open to learn from them
- Volunteer help out in a local information security group meeting
- Read that book on your shelf that has a little more dust that you would like to admit
- Subscribe to Adrian Crenshaw’s YouTube channel
- Be intentional by creating a weekly appointment with your team in order to learn something new over a brown bag lunch
- Foster an environment that facilitates a culture of learning
After considering this topic for a long time, I want to ask this question – What are you doing to invest in yourself, particularly in ways that do not cost anything but your time? Please leave what works for you in the comments section below.
Russell Eubanks
"Foster an environment that facilitates a culture of learning": what does that mean, in practice, Russell? I like the idea of using team meetings as learning opportunities – for instance inviting anyone to "Describe something new in 5 minutes or less" or "Precis a book in 5 mins or less" or "My top ten blogs in 5 mins or less" (spot the pattern!). Another idea is to set up a team library with textbooks, journals etc., plus a virtual library with electronic docs, standards, guidelines etc. Yet another is to encourage people to study for qualifications/certifications, releasing them for study time and perhaps organizing study groups (something some ISSA and similar local chapters do).
Personally, I'm constantly learning through researching topics and writing materials for our security awareness service. I read loads, both books and assorted web content (blogs, webinars, advisories, The Register etc.). I actively engage with several infosec discussion forums. I don't get to many real-world meetings/conferences, so when I do I make the most of my time – taking and sharing notes (e.g. blogging), discussing stuff with peers, making new contacts etc.
Gary,
Thanks so much for your comments.
First of all, I very much like your time constrained approach! I see that as a way to literally get a quick win.
My idea behind fostering and environment was intended as a call to action – one that encourages others to see the value in continual learning.
Russell
Fair enough on the 'call to action' and 'encouragement'. Like you, I'd be interested to know how people are putting those kind of broad, hand-waving objectives into practice, on the ground.
Besides infosec, other teams face the same kinds of issues with team building, motivation, personal development, competence development etc. so perhaps we should look to the HR training-related literature for guidance.
One thing that stands out for me is the value of strengthening the 'social contract' between workers and the organization, including benefits that extend well beyond the pay packet (e.g. the pride that comes from being acknowledged as part of a successful, professional, competent team) and, to be fair, costs that extend well beyond the nine-to-five (we're hoping for workers' engagement, concern and commitment to the organization – it's not just about the number of hours they spend in the office). Finding and maximising common interests (such as the training and personal development opportunities we're discussing) is an important part of that.