Newcomers to security, how do we give you the foundations you need?

Father teaching child to ride a bike

Like many, I get pulled in many directions yet I have to stay current on a variety of subjects. And let’s face it, that’s really hard to do. Especially when we have to shift focus from varying topics like going from an SDL design project to teaching a technical writing course. For better or worse, I also tend to be heads down on a focus area for a period of time before shifting to a completely different topic. But because the topics are so diverse, I inevitably lose focus on one area for a while and then I have to catch up and learn what I missed since I last dove in to the topic.

Welcome to the life of a security practitioner!

If you’re new to this field, or maybe you’re just expanding your knowledge and skill areas, you need to build strong foundations that will help you when you have to task switch, or leave a practice area for a while and then come back to it down the road.

As an example, I was putting together some content recently for a course. It had been a while since I last used the Firebug plugin for FireFox. So digging in to this tool, I came to realize I should be using the Developer Toolkits that are standard in most browsers now. (Wow, what great tooling and instrumentation they have! But more on that in a separate post.) But it didn’t take me long to learn the “new” (to me at least) functionality and how I could use and teach it.

Focus on the fundamentals – the blocking and tackling analogy

And then it dawned on me: Given a strong background in a subject, learning or relearning material feels natural and doesn’t take much time or mental energy (which is key). Certainly not as much as learning the material the first time around. And that made me realize something else. If we can help security professionals gain a strong background in the fundamental building blocks, then even if they end up working on something completely different, like writing policies for 6 months (which might drive them crazy), they’ll be able to jump right back in to more hands on work with a lot less effort.

Specifically, I think all security professionals need to have a firm grasp on networking fundamentals and protocols like SSL/TLS, HTTP, and DNS. They should also understand the basics of Microsoft networking and authentication and email messaging. This list isn’t meant to be exhaustive. There are certainly plenty of other important protocols, but imagine if everyone who works in GDPR, SOX, GRC, and internal audit had a firm understanding of these protocols, and how they can be abused. How much better would they be at their jobs? Not to mention that overall security awareness would increase, and you would have a larger army of people to socialize these security concepts to others.

What can we do with this?

This is one of the reasons we are designing our courses to provide our students with a strong background and context for technical security fundamentals. If you haven’t taken a look yet, see our course list here. We’re also working on putting these courses online, so stay tuned for that announcement!