InfoSec is a lot like Stand-up Comedy

I have been in InfoSec since 2008. I started extensively presenting at conferences and events from 2014 or so (when I felt I had something to say). It wasn’t that I had nothing much to say before then, but I constantly felt weird about “not researching enough”, or “Who’s going to want to listen to me?” and so on. Somehow, in 2014, I decided to abandon a lot of doubts that I had and started to put more of my work “out there”.

That’s been the best decision I have made so far

Since 2014, I have spoken at several international events. Trained at several conferences and private events, architected a product with my team at we45 and developed an open-source tool, ThreatPlaybook that I am proud of. And I owe all of that to my experiences with speaking or more generally “putting my work out there”.

I love stand-up comedy, and I read a lot about them. Comedians like George Carlin, Jerry Seinfeld and Dave Chappelle are comedians that I greatly admire. I am in awe of the fact that they have to go out on stage and elicit laughs from the minute they are on. They need their material to work, their comic timing to be on point, relate to the audience, stay current and stay away from/walk that razor’s edge, where they have edgy material. They truly are a window to the human condition. Although it seems far-fetched, I see them as researchers. Researchers, who constantly address the subjects they research day-in-and-day-out. Stand up comedians also embrace the “iterative lifestyle” where they present sets at smaller comedy clubs all over, constantly perfecting their set, till they present at massive venues with thousands of people in the audience. We usually get to see that massive show on Netflix, etc but we don’t get to see the innumerable number of good and bad shows that they have at smaller comedy clubs and open mic nights.

I see similar trends playing out in information security. In a field like information security, you invariably have to be a “researcher”. Overall, the field is so new and so dynamically evolving, that you need to constantly read, practice and deliver Proof of concepts of your work, either inside your organisation or publicly. Several Infosec folks are in a position, where they need to get endorsements and sponsorships from management for their security initiatives, which requires not only a good grasp of the (technical) security concept, but an equal grasp of business priorities, RoI and related concepts. So regardless of your role, your job, your position or overall path, you are a security researcher. If you are a good security professional, you probably already see it that way. If you want to be a good InfoSec professional, you should consider seeing your profession this way.

So if you are already a researcher, don’t you think you should do it right?

Let’s look at some ways you should approach this, for your own career and for the benefit of the organization you represent.

Embrace the “Open mic night”

I have found tremendous value in “putting work out there”. This could be in the form of speaking, writing, whatever. This not only forces me to do my homework, but also constantly gives me ideas. Especially when I meet new people at events or hear from readers of my blogs and tools. But you might think…

I am really terrible at public speaking. How do I manage? And I am not some established author. Why would anyone care to read my work?

Well, you don’t need to have a Churchillian gift-of-gab or have Hemingway’s writing flair. You need to just put your work out there.

It probably will be mediocre at first. But with persistence, you will get better. Without exception.

Thankfully information security is a relatively casual and chilled out community that doesn’t require you to have amazing oratory skills or even great language skills. Your content matters. That’s it.

Start writing on Medium or speaking at local meet-ups, which are always starved for speakers. All this while, you can apply to present at your Dream Conference, and you’ll possibly get selected, based on your content and an existing track record. Lot of conferences have great spots for first-time speakers (BSides) and you will be more than welcome even at ones which don’t explicitly have such policies. InfoSec is a small and welcoming community. You should leverage that to the hilt.

This is very similar to stand-up comedy where comedians perfect their set (research) over time at smaller venues before going big. You’ll have to do this throughout your career, which gives you a great opportunity to meet and learn from interesting people.

Feedback Loop

One of the great things about putting your work out there is that you get feedback. For a stand-up comedian, that feedback mostly comes in the form of laughs.

For you, it should come in the form of discussions at events, GitHub pull requests. Blog comments, or even something like size of an audience to hear you speak. It can come quite extensively in the form of rejected submissions to be a speaker at conferences.

I get rejected for talks constantly. I also get selected constantly. I learn from the rejection, and tune my message or research.

With feedback, you also get a sense of where the industry is going and where you stand in relation to that.

This is invaluable. I am fortunate that I work at a security services and product company where I get to meet different clients and solve different problems. However, you might be working at an organization where you are executing a standard set of tasks for that organization. This limits your view of the overall industry. Feedback from outside is not only refreshing, but is invaluable to your career in the long run.

Real Researchers don’t (write articles/speak at events)

I have heard several folks in this industry repeat this phrase or something close to it.

Real researchers just do the work. They don’t showboat by speaking at conferences and writing blogs.

I personally don’t agree with this philosophy. Not one bit. While that’s a personal opinion. I don’t see how someone can do their best work, without having that work being showcased/used outside. While it may not be a talk/blogpost(s), it could be tools, methodologies, etc.

Conclusion

InfoSec, like any other industry, is about doing good work and showcasing that work. If you don’t put your work out there, you are unlikely to make any impact. All of us can learn a thing or two from stand-up comics by embracing some of their best qualities.