A post by Harlan Carvey as he ties up some draft thoughts on 2017 piqued my attention. Part of the post deals with building a personal brand in infosec, which channels information from a post by CryptoCypher over on AlienVault on the same topic.
I particularly dig this bit of advice when looking to build your brand online and using a blog as a means to that: “The first step is understanding that you do not have to come up with original or innovative content. Not at all. This is probably the single most difficult obstacle to blogging for most folks.” That really is it; it’s very hard to come up with original content. Often, the best bet is to build upon or give personal opinion about other topics, or just share information/links about things that others may not have seen. If nothing else, it’s also good practice for formulating opinions and thoughts on various topics, ahead of when a VP or developer comes walking up with questions (or a sales guy slides you into an ambush at a conference!).
And I totally agree when he says this about one of the purposes of a blog: “…a blog post is a great way to showcase your ability to write a coherent sentence.” If nothing else, a blog can do that and give an employer a hit on a Google search that will demonstrate interest in the industry. Everything else accomplished beyond that is bonus.
What I’m grateful for, though, is being pointed to the other article by CryptoCypher. This article is a very complete and actionable bit of advice for anyone in infosec. And I think the guy practices what he preaches. For instance, I’m aware of the Twitter handle and see him participate in discussions, and recognize the handle/bio image elsewhere. (Granted, it might not always be a positive recollection, as things like n–bsec can teach us, but images and the people you associate with can be cleaned up with sincerity and effort and old-fashioned time.)
Getting back to the blogging part, he had this bit of truth to add: “A lot of people do not blog at all so just by having one you are already ahead of most students in that regard.” Not just students, but most professionals!
I really love the rest of his items. Getting involved in college and hackathons (or CTFs) and conferences is a huge boon of contacts and experience. I know, there are many introverted infosec insiders out there (myself included!), but there needs to be some focus on just saying, “Hi, what-do-you-do/what-brings-you-here?” to someone random at an event where you both clearly have intersecting interests to some degree.
Even more so, I love the inclusion of mentoring, though I would say this goes both ways: being mentored and being a mentor. I don’t care if the mentoring is formal in person or informal over Discord/Slack, but mentoring and teaching what you know is the best way to solidify what you actually know, and paves the way to share ideas, improvements, and consume even deeper topics. Be positive, be approachable, be helpful, be sincere.
I also believe many of us just need some friends in our lives, to share our lives with and stay on a positive track.
I also believe that we need far less mentoring than we think we do. If you can pass Sec+ or other entry-level certs/material, you can truly consume anything in the industry given some measure of time and effort. Infosec is a half step up from “just” being a sys/desktop/network admin or other IT grunt. But it’s just a *half* step up. The imposter syndrome can be very real, but that devil just needs to be ignored and relegated to a basement office.
And, as the author mentions, I believe Twitter is one of the best places to cultivate a personal brand. You get immediate exposure and access to like-minded persons. Likewise, Slack and Discord and even Reddit can offer similar opportunities to get on board.
If anything is missed in all of these mentions, I think it would be developing a GitHub presence and populating it with some scripts and other pieces of work (it can also double as a wiki or a place you keep links/resources or something).
A personal brand isn’t for everyone. There are plenty of infosec folks who do not define themselves by their day job; they do not hang out on Twitter with us or go to more than 1 local con every few years. They probably have their own interests and ways to spend their life’s time. And that’s perfectly fine. But putting in some effort on a personal brand can certainly help anyone with the interest to invest. And this applies to things outside infosec as well.