S1REN's Lessons Learned from Conflict.
Be The Resource.
Yup, it's me - S1REN.
I'm here to give you what I can regarding the #BeTheResource challenge. I try my best every single day to reach out and be the resource that this field requires or needs. Wherever there is a hole, I work to fill it. So without further ado - please enjoy. <3
A lot of times in the world of Security, many people will view you as the "annoyance". This can leave us with feelings of unfairness. After all, we look out for the well-being of others. That's our job. The purpose of this blog post is not another attack. The purpose of this post is to make a personal response to the #BeTheResource challenge put forth by Tristram from Offensive Security.
Thank you Tristram for making an absolutely wonderful post on the struggles professionals end up facing in the world of Cyber Security.
I'm going to address each of the issues in their posting on Offensive Security's official website.
Here we go.
Regarding ::::$ Lessons Learned through Conflict.
I would be lying to you if I told you that S1REN has not gone through their share of conflict. This field is one that has a very "solo" vibe to it, which is why I encourage Security Departments to work closely, have fun, and enjoy the passion. Sometimes, however, we will face issues in the workplace or personal struggles in our minds. This is a fact of life, but for Penetration Testers it can be easily "inflamed". We pride ourselves on our work. When we meet with Stakeholders and their anger due to compromise cannot be ignored, it means you did a good job. You proved yourself, your capability, and how vulnerable that Class-C was, that application, or even an entire Organization if you have that scope. It can leave you feeling a mix of emotions that stir in your mind. This kind of syndrome, at least for me, has been a struggle that I have faced in my career. You would think that people would be happy that their flaws were found, right? Turns out, not everybody has this kind of mindset.
I've learned a great deal in my career. One thing is to always speak with a smile. If you're delivering bad news to a client regarding their security infrastructure, make sure that you project positive energy in your voice and with the expressions on your face. Let them know that you're there to help them, not to tell them how bad they are. As another professional tip, make sure that you're always telling them something that is good about what they have set up, what they've done, or how something was configured. Make sure that it isn't all bad news to them; they can feel better and it helps "soften the blow".
Regarding ::::$ "Whoami, Who are you?"
We are the hidden heroes of society. We make sure that the Public is safe, and let's face it, they don't always (if ever) get to know what we do or have done for them. People like us are behind a keyboard 24/7, and Tristram pointed this out very well. It's easy for us to get locked within our own consciousness after an engagement. It's almost like saying "happy birthday to me". A celebration for how well you did...but for yourself.
I can't tell you how many times I've completed an engagement and, for confidentiality reasons, celebrated on my own. I've gone to a restaurant, sat at a bar, and thought to myself "well, nobody here gets to know it, but I've probably helped secure 1/4 of these people's bank accounts for them". In this light, we are the "unsung heroes" of the world. We don't get the acknowledgement you might get from being a Full Stack developer and having the corporation cheer you on for the launch of a new platform. Nope. We just get to celebrate by ourselves. This kind of thing is something that has to become accepted as time goes on, and trust me, it gets easier to deal with. These principles in Security will teach you to have a steady and humble heart. They will teach you to be proud of yourself without always requiring the acknowledgement of others.
These are just some of the lessons that I have learned on a personal level throughout my journey.
Regarding ::::$ "Accepted Risk"
Oh boy. Do we know this one.
I can tell you that in this field, you are going to perform an engagement for some Organization or entity, come back after 1 year for the next scheduled assessment, and discover that nearly half or all of the critical findings you discovered have not been patched. This can lead you down a path of feeling worthless. After all, let's face it, they didn't do a thing to patch their security and just ended up ignoring all the hard work you put in. They jeopardize their own Organization, and as security professionals or enthusiasts, there is nothing that could anger us more. Especially after the countless nights of coffee, am I right? Up at 3 in the morning testing yet another Class-C? Only to find out nothing got patched a year later? You feel betrayed.
There are, however, ways of dealing with this emotion of betrayal. I have learned many mental techniques that will help you personally and in a healthy fashion. Remember during these times that it's not your fault. That's the first thing to recall. It's not your fault that people don't always patch the findings you put so much hard work into. It's a shortcoming on their part, make no mistake. The next thing is a more personal approach.
Make sure that you have an outlet. This can be friends in real life, a guild in some video game, a movie that you love, or even just good quality music. Taking time with your outlet can help take your mind off of any negative interactions associated with your work or feelings of dread. It's important to take a step back and remember that even though this world is full of security holes, it still spins around and orbits the sun. Life will go on. You must stand firm. You must hold your ground. Know who you are and what you represent. Know yourself. This field can help you with that very much. The reason I state such a thing is that Pro-Active Cybersecurity is a personal journey, not something that can be shared with friends and family. You can tell them "well, I've been in an engagement with an organization", but that's about as far as it goes. Be the resource to your fellows, share your experiences, but keep it confidential and never undermine the integrity of the Organizations you perform services for.
It's like a rule, not just for them, but also for you. It will teach you rigidity in your own mind. It will teach you discipline.
Regarding ::::$ Hostile Interactions.
Let's face it, in this kind of field we can work together or against each other. The trick is to find ways to get along and work as a team for a common goal. Not every situation you experience in this field will lead to emotions of joy and happiness, but I can tell you that there are some situations that certainly do. I can tell you that S1REN has been made a better person and feels more accomplished because I have personally helped individuals in this field. I aim to inspire those who want to secure this world, not take it down. I aim to educate the next generation, and because of this I don't really ever experience "Hostility". In fact, I experience quite the opposite. Offensive Security is and has always been an incredible place to work. Hostile Interactions are very few and far between. But the workplace is the workplace, and sometimes heads will butt together.
I have a joke about two bright minds that work together.
Sometimes I think that the minds are so bright and the discussions are so heated and sensitive that the brains might just collide like magnets coming together.
It often feels that way, but we always make sure that our common objective or target is well understood. The security of the Organizations we protect is our top priority at all times. Remembering this type of thing, at least for us, brings us back to common ground and moves us forward. Well, forward leaning.
Don't let yourself be "taken" by any hostile situations you might experience in this field, whether it's with Stakeholders who don't know a single thing about Organizational Security Posture, whether it's a colleague you work with, or even a boss that can be extra firm.
The fact is that everybody has positive intentions. Everybody has good intent in their heart when it comes to Pro-Active Cybersecurity. This is something that the CEO of Offensive Security once said and it has stuck with me ever since.
Thank you, Ning. We are in fact in this together and we all do really have good intentions.
Regarding ::::$ "Impostor Syndrome"
Okay, the elephant in the room. Yeah? Here's the deal: this field is going to make you feel like an impostor to yourself. It happens. It's a fact. To ignore that fact would just be foolish.
With that being said, we need to discuss openly the pro-active ways of dealing with this "impostor syndrome".
I will tell you the truth. Even for myself and the success that I have built upon, I still to this day experience the feeling of "being an impostor" or a "pretender". I know that these are just lies that my brain tells me to push me further. If I had to envision it, it becomes a vicious cycle. But at some point, we must individually come to terms with this syndrome. Each of us is going to have a different way of dealing with this particular beast.
So here is my #BeTheResource regarding Impostor Syndrome.
For me, dealing with Impostor Syndrome has meant a couple of things. For one, I look at my Resume. My Resume is something that sticks with me and is like a report of my entire journey in Pro-Active Cyber Security. I take pride in my work, and remember all of the good that I performed for all of those Organizations. Recalling all the positive experiences and the hard work that you've already put in will help you with this beast of a syndrome. Remember your own success. Do not dwell on those that you look up to and think "well, I will never be as good as them". Or how's this one: "Well, I will never amount to the success that <insert person here> currently has".
These are lies that the brain will tell you at a sub-conscious level to push you forward. Sometimes, it works. Sometimes we give in and we end up pushing forward, trying harder. In fact, if it wasn't for me trying harder, and harder, and harder, and harder, and HARDER in this field, I would not be where I am today. The trick is dealing with the Syndrome that sticks with you. I am not saying that the two are related, and if they are, well, that's a personal thing for me and one of the reasons I share this.
Remember to take a step back. Remember all of the good things that have come out of your hard work.
Remember all the good times that your work has paid for. The food it puts on the table, the roof it keeps over your head. Dwelling on these types of thoughts or "successes" will help ease the Syndrome. Remember again who you are and "set firm" objectives and priorities for who you want to become in life. Make sure that this person is always yourself. Envision it in your mind and realize that you are already on the right path.
I know all of you see my notes regarding targets that we stream every Friday. I'm not talking about your enumeration. I'm talking about your life and dealing with Impostor Syndrome. My father used to have a saying: "Count every small victory."
I know now what he meant by that. He meant that the "big victories" will seem few and far between, so it's important to take the time each day and account for at least two (the more the better) things that you have done to put you in front of yourself. Forward leaning, but not so far as to fall over or lose yourself. Always stay on the front line. Follow the feeds, follow the information, follow the attacks that emerge and learn what you can from them. But most importantly, follow your heart.
Make notes of these victories so that every day you open your laptop you see a bullet-point list of your successes. Even if they're small, you'll see over time that each and every one of them actually adds up to a "big success" and can help you cope with this Syndrome.
Follow your heart. Follow your dreams. To take the words from a song that I love: "Dear lost child, your dreams are wonders."
::::Happy Hacking - Intruders.
Follow your heart.