August 18, 2011

Leveling Up as a Security Professional

I read a great blog post by Jason Rudolph the other day. The post made me think about all of the people I have encountered over the years that were interested in the information security profession but were not quite sure how to get started.

It also made me think about all of the e-advice tossed about that really amounts to misguided anecdote, driven by unsubstantiated opinion rather than objective evidence. Finally, I thought the idea of leveling up is insightful insofar as it applies not only to the uninitiated but also to seasoned veterans.

The focal point of my thinking then has been to find an analogue between Jason Rudolph’s software development model and information security. I believe I have figured it out.

Buckle up, dear readers, and let’s give this a whirl.

What is a Level?

First, we need to agree that the term level in this context is a qualitative code and not a quantitative value. You might call yourself a level 85 wizard, but the numerical code 85 is no more quantitative than the label wizard. This does not mean that such a label is meaningless. Rather, it means that we need to employ a qualitative method and use qualitative concepts throughout our leveling up framework. Agreed?

Experience versus Practice

In addition, to extend the software development model Jason Rudolph proposed, we need to agree that we can break down experience to mean practice. Moreover, by practice what we really mean is situated learning (situated learning being the dominant learning theory espoused by cognitive scientists, pedagogy experts, and psychologists, just to name a few). Thus, experience in our context means an accumulation of situated learning exercises, or practice. The distinction I am attempting to make is that with situated learning we are explicitly calling for an active, engaged component to the exercise or practice. Experience alone could be passive. Agreed?

The Five-Fold Path

Next, we need to modify the path outlined by Jason Rudolph to the following:

  1. Identify the situated learning exercises or practices that advance a person as a security professional.
  2. Select a specific situated learning exercise or practice to engage in.
  3. Engage in the situated learning exercise or practice.
  4. After completion, perform a post-mortem on the exercise or practice.
  5. Repeat step 2 with the next exercise or practice from our list constructed in step 1.

Leveling Up

In the next and final part of this series, we will outline a sample achievement framework for security professionals to use in the process of leveling up. In the meantime, loyal readers, start thinking about what learning exercises or practices you have engaged in over the years that you would endorse wholeheartedly. Leave your ideas in the comments (don't be shy) and we'll see where we can go with the framework next time.