A leader creates more leaders, and this does not happen overnight. In today’s world, if an organization wants its security team to be exemplary, it needs experts who think like leaders while performing their day-to-day activities. While learning varies from one business model to another, some fundamentals apply to most of them.
Business Specific Learning
This is essential for all teams belonging to businesses that offer anything but security. Teams must have a basic understanding of the business they operate in and how it interacts with its customers. In this process you are bound to come across all layers, from network to application. This is also helpful in a complex network of APIs consuming and sharing data from various sources.
Knowing the business helps you connect the dots, see for yourself, and better communicate the risks that your technical expertise brings to light. Otherwise, even critical issues such as code execution, injection, etc. may get drowned in the noise of the functional priorities that fast-growing companies and client teams tend to have.
Role Specific Learning
Your role in the team may demand various skills that are not in the tech syllabus. As a n00b, all you may need to learn ranges from the fundamentals of networks, infrastructure and applications, to the technical details of vulnerabilities (the how and why of them), to finding new issues. One of the things to learn here is to show the right business impact, and to let an issue go if it has none. The fixes you suggest should be applicable and/or contextual. But remember that there are operational and alternate controls as well, which may be more practical at times. Only business learning will tell you that.
As you grow to be a manager and later a CI/SO, your horizon needs to widen. No tech certification will teach what real-life challenges can help you learn. As one grows into such roles, one must learn the high-level interaction of tech and non-tech paradigms, from products and offerings to the conversations and markets that the business depends on.
Anyone who has worked in offensive security knows the wide range of existing systems we get to assess daily. On top of that, there are scores of new technologies that we need to be aware of in order to successfully exploit and demonstrate impact to the client. As such, knowing systems such as cloud and containers, Kubernetes, machine learning, AI, IoT, etc. goes a long way.
While there is cutting-edge infra, there are also evolving tech stacks (especially the revolution in NoSQL databases) and serverless, along with new languages and methodologies. Traditional systems of learning are long passé and are going to stay so.
Product & Security Technology
What can your team learn if it is into defensive security? While there is a plethora of tools and security products in the market, the fundamental thing to learn first is to perceive the various layers of security your organization has or needs. Although products are only a means to an end, when configured and automated correctly they can save huge costs and bring proactive security. Eventually, simplifying security across the organization will yield more benefits and be more scalable, but this is an art learnt over time.
Role of Certifications
While we fancy very many certifications, in my opinion, it’s best to do those that enhance your contribution to the organization’s business and/or pertain to your domain of choice. What you want but don’t necessarily need will be lost and gone. If you can’t apply what you learnt, it is a waste. Also, about adding it to your resume: companies will look for what they need, not what you have.
Certifications are just one of the many ways of upskilling. You can go for books, tutorials, videos, bug hunting to understand and explore various tech stacks, or create vulnerable systems (a good way to learn), explore the paradigms above and look for the right opportunity to invest in for practical learning.
Continuous upskilling for your team can be tricky, especially given that each of them has a different taste. However, it’s still an easier decision to make if they align somewhere with your business goals.
Power of Communities: Encourage the team to join communities. The sum of the whole is larger than that of the individuals. The more they work in silos, the less open they are to new ideas or even new offerings. Joining a community creates acceptance and awareness of changing technology. Industry participation teaches you amply if you’re willing to explore.
Research: It is one of the best ways to innovate and do some real work simultaneously. Ensure you have some KPIs tied to individual research. This broadens their horizons and makes them proactive in their initiatives. Feel free to have a mentor if need be.
Certs: Go for certifications where you deem them necessary, for example those that help assess new technology. This is a simple and tangible way to catch up with the pace of development.
Artifacts: This I learnt pretty late in life, but creating artifacts when you learn a new thing or carry out a good attack helps immensely.
Lastly, have an open mind, forget all stereotypes, and learn both actively and passively.