incomplete: leveling up your security career wow-style

This is an incomplete thought I first jotted down a while back, but never fleshed out into something more coherent. I liked the thought though, and wanted to just release it as is and get it off my “unpublished” list! I was reminded of this post by Rothman’s recent Securosis blurb about practice (way at the bottom). Thoughts added just now are in bold. Keep in mind this is incomplete, unedited, and unpolished. I ramble and mix things and even repeat things with wild abandon! Oh, and even now as I play some Starcraft 2 and get my ass repeatedly stomped in Platinum 1v1, I know that I can read and practice against the AI and read some more, but nothing will replace actual experience in going into another game and getting stomped and learning the hard way.

I’ve not made it a secret that I’ve been an avid World of Warcraft (WoW) gamer for years. I definitely don’t play as obsessively as I used to (for those in the know, I ‘hardcore’ raided MC, BWL, AQ40, and even some of Naxx40, then skipped ahead after a break to ‘softcore’ raid Hyjal and BT pre-nerfs; since then I’ve done a couple naxx25 clears and that’s it beyond 5m heroics and casual leveling), but even my casual playing sparks some interesting thoughts now and then, especially when it comes to “leveling up.”

In WoW, and really any other RPG game, there are a few key tenets to making the most of your effort. Surprisingly, these tenets can match exactly across to real life endeavors. And every time I put forth some effort to improve one of these tenets in WoW (leveling up a toon, making some gold…), I’m reminded of the opportunity cost of putting that effort into something more tangible like my security career. (Don’t get me wrong; I’m a lifelong video game hobbyist, and I’m not saying video games are useless, but they shouldn’t dominate one’s time, just like any other hobby pursued in leisure time!)

So if you find yourself stuck in an MMORPG gaming rut, start looking to translate that effort over to something useful in security. This may start with asking yourself what it is about gaming that is relaxing, and why security does not bring that same relaxation. If it relaxes, stimulates, and makes you happy, then your free time will be spent in it just as casually as a 4-hour trip into WoW.

1. Knowing your class. From here I was going to go into knowing your skills, strengths, and weaknesses. In WoW, a warrior class doesn’t try to heal, and translate that into security skills and roles…somehow.

2. Grinding (aka leveling up). This is pretty basic to any role-playing game: your character gets stronger the more experience he gets, aka “leveling up.” In gaming, “experience” is usually a value, even if it is hidden behind the scenes, which accrues as you fight and kill monsters. As your experience increases, you gain more power, and can tackle more powerful monsters, which will gain you experience…and so the hamster wheel begins to turn. A more physical version of this is lifting weights and slowly increasing your limits as your muscles and supporting structure build and grow.

Sometimes this is a “grind.” “Grinding” in WoW means the slow cycle of killing monsters and doing the same ol’ quests to gain your experience; basically it becomes a long, boring grind…kinda like work!

Growth in a security career comes much the same way; the more experience you have, the better you are able to handle the challenges in front of you. Often, this is gained by simply doing security-related things. The more nmap port scans you run, the better you are able to tackle complex scans. The more you use Metasploit to expand your empire, the more you can dig into the lesser-known components of the tool and not get bogged down on strange gotchas. The more PCI audits you do and reports you make, the better and quicker you get with them, and the more value you can provide efficiently to your client.

We often don’t have an end goal in sight, but rather know that we simply want to level up.

3. Leveling up tradeskills. WoW has what are called “tradeskills.” These are skills you build up by doing that activity. For instance, Fishing and Blacksmithing are two tradeskills. You can fish better and do blacksmithing activities better by, well, doing them in the first place. For something like blacksmithing, the higher your skill, the better your opportunity to make really cool and valuable things.

In other words, if you want to be good and useful at something specific, you have to practice it and get better, especially when it comes to various skills you want to acquire. Unlike leveling up, most often this begins with an end goal in mind, for instance, being able to use a particular skill to create/do XYZ which will gain you money or notoriety.

You want to be good at public speaking? You have to do some public speaking. You want to be good at coding exploits? You have to code some exploits. You want to be good at picking locks? Obviously, you have to pick some locks. (Nicely, WoW has a lockpicking skill you can build!)

And just like starting out your skills at a puny level in WoW, you usually start small. You do some low-key public speaking. You walk through an exploit tutorial. You pick training locks.

So if you want to be known as being good at some tools or aspect of security, you gotta practice it and build up your skill. This isn’t so much a part of your character and confidence like leveling up your character, but more like being good with the tools you have and want.

In WoW, you can leverage these grown “tradeskills” to make in-game money so you can buy cooler gear and weapons. In real life, well, these skills will get you nice REAL things.

3. Gearing up. In WoW, your character’s success relies on more than just his level (aka amount of experience earned). Success, especially as you get further into the game, resides very much in the gear and equipment you’ve acquired for your character. You won’t be very successful with a low level sword, but if you find a badass high level sword which you can use, you’ll be nicely ready to do some damage to the next red slime that oozes your way. Gearing up means a few things. First, giving yourself a chance to get/buy/find the gear. Second, knowing what gear is useful to you.

Security careers have the same dilemma. Some tools are going to be useful to you, but some will not.

Strangely, WoW doesn’t have unlimited inventory space for you to keep 1000 pieces of gear. In life, you really don’t have the aptitude and time to likewise hold onto and learn 1000 tools. Figure out what you need to improve, and pursue the tools that will help you succeed in your goals.

WoW players can put a ton of time into picking out, pursuing, and testing out their gear.

Oh, and don’t forget that you can get a bit literal with “gearing up.” A nice pair of slacks and a tie can increase your chances of getting what you need out of management, at times.

4. Socialization. The “MMO” part of the MMORPG genre means “massively multiplayer online,” meaning you’re playing with lots of other actual people around you. You can spend your time in a game like WoW and never bother with anyone else, but you’ll be able to learn on your own only so far, and you certainly cannot see most of the end-game content and challenges unless you socialize to some degree. Most often to experience end-game content, you have to join a guild (a group of players, much like a team) and start participating in group runs through tougher dungeons.

Obviously, careers are the same way. You can probably get by on your own for quite some time, but there will be many doors you simply can’t open or even get near without socializing with others in the career, whether that is simply networking to find new opportunities, gaining contacts you can turn to when you need assistance, or finding smart people from whom you can learn new skills and knowledge. Better yet, this also means socializing with people more “newb” than you are, which gives you a chance to reinforce your own knowledge by regurgitating it to others to help them.