Monday, October 4, 2010

Guest Post: Dan Burrowes "Passion to Drive Action"

Today, our guest blogger is Dan Burrowes. Through his participation in the InfoSec Mentors Project, I learned that Dan has a fascinating perspective on what the Information Security community is like in Japan. He has offered to share an essay on the power of communication and letting your passion drive you. Dan can be found at his bi-lingual blog:

I'm an English teacher. In Japan. Moved here from the States seven years ago. It pays the bills. Before this, I was in IT, but long story short, right now I'm not.

It's funny how life works. Sometimes you close one door in your life, and you think that it's closed for good. In the meantime, you look for another door, only to find one and discover that it looks eerily like the last. However, when you open it, the landscape looks different. It's clearer. You can see clearly now exactly which path you are meant to take. You passion has been found. This is infosec for me.

In this revelation, you also realize that your progress down this new path is equal only to how much effort you expend. Your passion drives you to take action. You ask when you don't know, you take initiative, and you seize every opportunity you're given.

But you quickly realize that you can't do it alone. No one can do it alone. Nobody who has ever done something great accomplished it in the vacuum of their own solitude. You need somebody to ask when you don't know. Somebody to help you turn your initiative into progress. Somebody to give you opportunities and guide you to begin creating your own.

Somewhere in the back of their mind, everyone knows this, but they often don't act. They wait, believing that greatness will seep into them as if by osmosis.

Well, guess what? You can't wait. You need to start somewhere. This was true for me, as I did.

I took my Japanese language studies seriously. I went back to basics, studying networking, protocols, and programming. I read white papers, watched presentations, and listened to podcasts. I was learning a lot. But I was still in a vacuum. I needed to interact, however social networking was never my forte. Marisa Fagan gave a talk and wrote a blog post about how to prepare for a career in infosec. The simplified premise is that you need to socially integrate into the community and be active in it.

It took me a little while before I truly understood this. The point of this integration is not to create a platform for narcissistic drivel. The point is that the more connected you are to the community, the more you'll get back in return. Being part of the community means that people will help you, people will teach you, and people will inspire you. But it won't happen unless you become involved.

Keep in mind that "the community" can be looked at in two ways. One is the larger, international infosec community — the global entity comprised of practitioners, researchers, and analysts. Here, infosec rockstars travel the globe to do their thing because of their expertise and notoriety. But rockstars don't become rockstars without first busking on local street corners and honing their skills in the neighborhood garage. This is the other way to look at the infosec community: the local entity. This entity is local in language and region — it is a microcosm of the global version. The international and local spheres cannot exist independently; they are the same group, just different scopes.

Since one of my primary infosec goals is building my infosec career in Japan, I realized that I needed to start to integrate myself locally. The challenge was daunting. I'm not a native speaker, so I was linguistically separated from the community. I didn't know anyone else in infosec, so I was socially separated from the community. My city lacked a hacking group, so I was physically separated from the community.

So I decided to make a community. A local one. A group didn't exist with the goals I envisioned, so I created the Kyoto Information Security Users' Group: a mailing list and monthly hands-on learning sessions to ask when you don't know, turn your initiative into progress, and give you an opportunity to share, teach, learn, and do. So I do so. In Japanese. Every month. It scared the crap out of me at first. Me, the only non-Japanese speaker, getting up to lead a hands-on session about ICMP attacks to thirty people who are most definitely more knowledgeable than myself.

I wasn't an expert in the topic. I found my language ability failing me. But I wanted to share what I knew, recognizing that the outcome would ultimately be that *I* learned something. Nothing happens until something *happens*. You need to be an active participant if you want to learn. You need to introduce yourself if you want to be part of the community.

But all of this requires that you be able to communicate. Regardless of whether you use your native language, or your second (or third, or fourth...), it's imperative to hone your linguistic communication skills. You become hyper-aware of this issue when you live in a country that speaks a different language from your own. On one hand, you become painfully cognizant of your deficiency in your host country's tongue, yet you also begin to realize the true power that you wield in your native tongue. Communication is power. You can attack someone's argument; you can defend your own; you can convince; you can enlighten; you can garner trust and respect. It is a direct reflection of who you are and what you know.

Having command over both written and spoken language is absolutely essential because ultimately, the entire field of infosec deals with discovering, parsing, and advising on written and spoken communique.

Take a theoretical pentest of a Japanese software company. Information gathering would be practically impossible if you can't read Japanese names, addresses, or documents.

A great deal of your social engineering engagements wouldn't get too far if you didn't look and speak like a native Japanese. (Though playing the "helpless foreigner" role can give you a different avenue for access.)

Jump to the penetration phase of the assessment. You've discovered two software development servers hosting what seems to be only half of the company's key software. The servers are named "nobunaga" and "hideyoshi". You can't find the company's main assets. If your cultural knowledge were up to snuff, you'd presume that there also exists a server somewhere named "ieyasu". (Tokugawa Ieyasu did ultimately become the most powerful of the three warlords, so he'd rightfully be holding the crown jewels.)

Finally, good luck writing your Japanese. And giving your final briefing to the client's Japanese. And advising the company's IT Japanese. Your career depends on your ability to communicate effectively, yet it's hard to be authoritative about your knowledge if you can't eloquently express yourself.

This situation applies to any language, whether it's Spanish, Slovak, or Swahili. It even applies to English. Even if your entire infosec career never extends beyond your native language, you still have the task of eloquently expressing yourself to other people through written and spoken forms.

Being in infosec is a lot more than just the technology. Whether you've already got a mentor, or you are still crossing your fingers hoping that the program will send you that special email, it's still up to you to take initiative in your education. Your path as an infosec mentee starts even before you become one. Become involved in the community — even if that means that you have to be the one to create it. What you create locally will eventually make you connected globally. Lastly, always remember the power that you have to communicate. Never stop striving to polish your communication skills be it in your first language, or your second.

Make your passion drive your action.

No comments:

Post a Comment