Whenever you enter a new community, the hardest part is always finding your way around and making friends. With InfoSec, it’s analogous to being dropped in the middle of Europe without a map, and you only know how to speak Spanish. It’s an incredibly broad subject area that encompasses different focuses and personalities, all of which adds to the need for a nuanced approach when trying to engage with security professionals. It’s a stark contrast from the web developer world, where people are much more open to sharing personal information and embracing newcomers.
In “From Dev to InfoSec Part 1 – The Journey Begins,” it started as a lone adventure but quickly became apparent that it wouldn’t be that way for long. It was very reassuring that many let me know, “You’ve got a friend in me.” But remembering that everyone has their “eye” on you, I learned early on that a little paranoia is a good thing… on both sides. In this article, I’m going to share some of the insights I gained trying to build relationships in the security community, challenges I faced and techniques I used to improve my understanding of the people involved in the security field.
Privacy and Sharing Names While Making Friends
Many security folk are hypersensitive to openly sharing the same type of information even to a point of using an alias or ‘nym’ on conference badges or using apps like Wire instead of giving out their personal cell phone number. Some even take it to the point of creating themselves a completely separate identity. Call them by their real name at a conference, and there’s complete silence. Whether you agree with this or not, you must respect their decision on what they share as well as how they choose to share it.
Now that I’ve been involved in this for a bit, I have a much better understanding of why they’re this way. The phrase that comes to mind is “Ignorance is bliss,” and, as you delve deeper into the world of security, you start to appreciate how important privacy and not oversharing can be. For a newcomer, it can be a jarring experience to ask for someone’s name and company and get summarily rejected. I know this from experience.
If you notice what I wrote, I said “many security folks”. That was purposeful because by and large, the security community is very accepting of new people. It’s important, though, to understand the culture of security and privacy and ensure that you adapt yourself to interacting with others accordingly. Being a developer advocate, my job is to actively engage the community and be social, so not being able to know a person’s name, company or what they worked on was a bit of culture shock for me. How would I get to know this person better? How would I follow up with them? Are they going to hack me now that they know my name?!
In my last article I mentioned that I tweeted about being scared to go to DEF CON because of the reputation of mischievous hackers compromising everything including toilet paper and children’s candy. That turned out to be a blessing, because it allowed me to engage directly with people who really cared about me being a part of the community and having a great time at the event. It opened the door to having real conversations with professionals that helped me get a foundation for how the community “kind of” functions and helping to better interpret how & why people act in specific ways.
Leveraging Social Media
Twitter, by far, has been the best medium for building new relationships and establishing lines of communication that can respect anonymity to an extent. It allows you to directly engage someone without that awkward moment where you ask for their details. Basically, whatever they have in their profile and their stream should give you an understanding of some of their perspectives on security and the world. If you’re savvy enough on starting a conversation in real life, most of the time it should be easy to jump into a tweet or invite someone else to discuss something important to you. Just like in the real world, you’re finding common ground to discuss and kick off the relationship.
As I met new people on Twitter, I leveraged the lists capability of the platform to be able to better track what’s happening in the community. I follow a diverse set of people from developers to politicians and as most of you know, as you follow more people, your stream becomes challenging to keep tabs on. I really wanted to manage the signal to noise ratio, so creating a list not only let me focus on security-minded people but also gave me a resource to share with others. This is an important capability for anyone entering this space to take advantage of, and I continue to use it to this day. Getting to know your environment is key to successfully integrating into it, and here are three pieces of advice for Twitter interactions:
- Take your time to understand the community landscape you want to jump into. I know that I invested time in getting a good understanding of how people work together before diving into verbal exchanges.
- Be prepared to be rebuffed regularly but also be ready to embrace those that are willing to help you. Sometimes those are one in the same. Therefore, it may not feel like help at first, but it very well might be the best advice you’ll receive.
- Think before you hit the “Enter” key. This is a community that can be very protective, so you need to earn their respect.
Lastly, if you’re new, embrace the n00bness. We all have to start somewhere, and it’s a widely accepted position to be in. You’re more likely to get the help and guidance you’re looking for if you’re humble and eager to learn. So don’t be ashamed to put it out there first. My willingness to be vulnerable and not pretend to be something I’m not when admitting my fear of DEF CON was the very thing that opened the floodgates of support and encouragement.
Getting a Mentor
The topic of “mentorship” is a tumultuous one. When I started my journey, I immediately sought out someone who could mentor me in how to become a security professional. I quickly came to realize that this is a very common thing new people do, and the unfortunate result is that the phrase “looking for a mentor” has been equated to “show me how to hack”. In speaking to several experienced people, mentorship is perceived as a time sink with sparse results. The consistent feedback is that the people that ask for a mentor initially are excited and committed but either don’t follow the guidance given or quickly fall off the radar.
Having a mentor can be a really good thing, but the way I’ve approached it is finding someone that can guide me to:
- Relevant and current learning materials.
- Mediums where I can ask questions.
- Events that allow me to learn and build relationships.
I have a crazy busy schedule, and I don’t want to be one of those people that wastes someone’s time by falling off the radar. If you choose to seek out a mentor and are lucky to get someone to help, you need to be prepared to commit to this relationship. Block off time to drive on the feedback they’ve given and communicate regularly to show that you’re vested in their advice. Time constraints and life changes are normal and expected. So if you do have to drop off, ensure that you communicate that to them and thank them for their guidance. Personally, I think having people to guide you is very helpful, but I’ve also appreciated finding things on my own. I’d recommend a nice balance of both.
I know that a lot of people prefer online interactions and meeting in real life can be awkward and challenging to many. I actually enjoy meeting face-to-face, because it brings another dimension to a relationship and allows me to better understand the person behind the alias. For example, I recently met @zuphzuph in person at DEF CON. Till then, I had several exchanges with him, but there was no way to get a real understanding of the person due to his typically short and satirical tweets. Meeting him in person allowed me to put an actual face to a name and turn him into a real person, not just a random Twitter handle or Discord alias. There’s something to be said for shaking someone’s hand and having a good chat over dinner.
With so many conferences and meetups happening worldwide, there’s endless opportunities to meet people you’ve only known online. To me, the biggest value of these events is not the presentations but the conversations you can have with others. It humanizes exchanges affording you the luxury of better discourse both offline and when back online. Many people refer to these as “hallway cons”, because the conversations and gatherings that happen in between sessions are generally as good as the sessions themselves. Think about being able to sit down next to your online hacking buddy and doing a CTF together or building out that next great tool. There’s power in real life interactions, and I would urge you to take advantage of those opportunities. Shoot, you can even get an awkward hug from Jayson E. Street, if he’s at an event!
Whether you’re a hobbyist or looking to get into security professionally, the ability to make friends and build lasting relationships will help make your experience substantially better. While many perceive hacking as a lonely art form, it’s not what I’ve seen in the real world. People tend to gravitate to others of like interest and being able to connect with others can lessen the friction to learning new things, allow you to share triumphs and bring you up when you fail. In this regard, entering into the hacking community is really not much different than with any other groups of like-minded individuals.
The security community is definitely a little more privacy-focused, so making friends will take a little more effort. But from the people I’ve met and the help I’ve received, it’s definitely worth the investment. How they embrace you is directly correlated to how much effort you put in to demonstrate respect, support and caring for the community. Take the time to really get to know people and be a person who helps to contribute to and build a fantastic security community, and you will see a return on that investment in something much more valuable than money.
Rey Bango is a developer advocate at Microsoft focused on helping developers build awesome cross-browser experiences. He’s an ardent supporter of standards-based development and open-source development. He’s taken an interest in information security, especially appsec, and wants to help build more secure experiences.bango career defcon highlight mentor privacy twitter