How to learn information security

Learning is a skill. A skill that can be, well, learned. I am often approached by young people who ask me what it takes to move into the information security field, what certifications are required, what training should be done, and so forth. In my opinion, the most important skill in infosec, and many other areas too, is the ability to learn.

Twenty years ago, security was a very different and much narrower field than it is today. As technology evolves, so do the threats, and with new threats come new protection requirements. In order to be able to do a great job in the infosec field, you need to constantly up your game, and learn as much as you can every single day.

Here are some methods I use to learn, and I apply these not only when I study for a psychology class at the university, but also when I need to learn a new skill, or when I discover a new area of interest that I want to know more about.

1. Take interest in the new
The most important thing in life is to realize that there are always new things happening. Evolving technology, evolving threats, evolving business context – everything is in constant change. Accepting this fact will help you set out to discover changes before they become evident to others, and thus prepare yourself and your organization. Being on the lookout for new information and allowing yourself to be curious is very important when you set out to learn.

2. Mix sources
People are different, and so are our learning preferences. Some prefer reading, some prefer doing. Some need practice, others need time to reflect. For most of us, a mix of methods and sources yields the best results.

As a learner in 2014, you can easily mix sources. From university classes to certification trainings, from reading books to watching YouTube videos, and attending Massive Open Online Course (MOOC) classes – you have so many options when it comes to learning today that not learning should no longer be an option. And if you are one of those who prefer practice, well, go on then! Set up a virtual environment at your home, in your office, or even on AWS, and hack your heart out!

3. Always question common beliefs
As stated above, change is inevitable. Questioning common beliefs should be a habit for any individual working in the infosec field, but not many have acquired it. Ask yourself “Is this really what it seems?” and “How can this be?” and also “What other interpretations could explain this?”. Apply some of that scientific method you learned at the university (or learn some if you did not). Question everything, and you will learn more. You may even stumble across a bug, a new way of doing things, and even a blind spot no one has ever even considered!

4. Challenge yourself
We incorporate a large number of mental models, behaviors and habits on an individual level. Most of these can be changed if you want it badly enough. The way you do your job, the way you think, the way you learn are social constructs, meaning they are methods created through interaction with social groups. You are in charge of your learning, so you also need to take control and challenge your own status quo. If you think that you are “too old for this” or that “this is way too hard” for you, apply cognitive psychology, and change your thoughts into: “With my age comes experience I can use to learn more, faster and better,” and “This is a challenge I will rise to”.

5. Never stop learning
Some people seem to think that when school is out they don’t need to ever learn again. This is a wrong assumption – especially in infosec, where you need to be constantly on the alert. If you ever want to be good at anything, even if you are highly skilled by birth, you cannot stop learning – either by attending classes, researching new topics or just by doing something new. There are a number of ways to learn, and the topics are limitless, so why limit yourself?

You may think that in order to learn more about infosec, you should only learn things that are of relevance to infosec. But I disagree. Learning new things – no matter what they are – keeps you sharp. Set out to learn something new every week – it can be a simple thing like cooking a new dish, or something more advanced (for some) like building a robot. Connecting cooking to infosec is not that difficult: food security (cleanliness, ingredients, treatment, etc.), applying a method/best practice (using a recipe, tools, etc.), creativity (experimentation, figuring out what works best) are all easily “translated” to both learning and to infosec!

6. Apply the learning process that works best for you
Studies show that the best students are those who adopt a good structure for their learning. There are a number of best practices out there, so I will only cover the main ones:

  • A strict schedule: reserve time to study, and follow the schedule you made!
  • Work with the materials: read, write, answer questions, do the tasks, practice.
  • Practice tests: Spend time learning how to work the test. If it’s a written exam, do mock exams. If it’s a multiple choice test, run a demo.
  • Motivate yourself: Write down a personal goal, a reason for your learning, and put it in a prominent place to remind yourself. Also reward yourself when you reach milestones.

As long as you keep on pushing yourself towards more knowledge, more understanding, more learning, you are helping the infosec community to evolve and grow.