The original post: /r/cybersecurity by /u/NeuralNotwerk on 2024-11-21 14:17:43.

I’ve seen some hate posts lately related to constantly having to study/learn security outside of work. I believe this is framed incorrectly. I don’t think we need to constantly learn security. I think we need to constantly learn the tech we plan to apply core security concepts to.

This field simply requires a drive to continue learning and enough self directed learning skills to make digesting the influx of new tech easy. The core concepts of security stay exactly the same. The technology you apply them to changes by the minute. I think a lot of people conflate the passion for learning with the passion for security itself, admittedly I even make this same mistake regularly when mentoring, I say security instead of learning. Passion for both is absolutely great if that’s your thing, but the passion for learning tech or what ever you want to apply security to should be enough.

There’s also people with differing work experiences and differing intelligence levels. If your employer gives you time for continued learning and experimentation on the clock (which it absolutely should, if not, find another employer) - you don’t have to appear as passionate about learning new tech outside of your working hours. If your employer is short sighted and doesn’t provide adequate time/space/money for education, you are going to need to invest your own time outside of work in the pursuit of learning new tech and work towards finding a new employer. Even if your employer provides time for you to learn, but you are not someone that is capable of really handling self directed learning, you are going to need to appear passionate about tech outside of your job.

Are there employers where you can sit on arse and do almost no personal development without having to worry about it after hours? Yes, there absolutely are. These are not typically highly paid. You are also stuck should you have a desire to move or if the company shuts down. If you are forced into finding a new job after some time employed at a place that doesn’t change, your skills and knowledge on current tech would have become so irrelevant that you are now out of a job and job searching while having to try to make your resume and interview skills relevant again - you’ve effectively become a new hire or fresh grad again.

There’s another caveat to this. A lot of recent education and certification programs that try to get people into the industry quickly teach “security” (compliance) instead of the foundations that security can be applied to nearly anything. Most people who think security, not tech in general, are a constant slog are probably not well prepared to do security. People often misidentify security as compliance, checklists, antivirus, top 10s, and patching. If you’ve memorized “security” and you require someone else to provide you a checklist or some compliance framework to get things done, it probably really does appear like security is a grind game where your job is to memorize the latest framework and checklist. I’m literally cringing thinking about this closed view of what security is - and it doesn’t even work to improve legitimate and functional security.

You can effectively abstract all of security to the CIA triangle. The problem is most people that don’t seem to understand this aren’t technical enough to make that abstraction. They don’t want to be technical. For them, the constant drudgery of learning the latest security topic (not tech in general) really probably is miserable and I’d agree with them.

So what we do in security as competent security engineers and security professionals is apply basic concepts to tech we we keep up to date on. You can’t secure it effectively if you don’t know how it works.

What are the foundations that make you effective in security if they aren’t security? OS admin, Net admin, and coding skills are what makes you competent to take on everything in security. Throw in some cloud and AI if you want to spice it up, but these are mostly abstractions on top of OS/Net/Code. If you’ve got OS admin, Net admin, and coding skills, there’s almost nothing that is overly complicated and you can’t figure out how to apply security to. The core concept of security can be had in the CIA Triangle.