Tips for an Information Security Analyst/Pentester Career - Ep. 95 - BADHB - A Little-known Secret For Success in Info Sec

Do you want to know a simple but little-known secret to be successful in info sec and offensive security?
 
The secret is to BADHB: Be A Decent Human Being (in other words, don't be a jerk).
 
Most people think success in this industry is only a matter of technical skills, and you do need them to get hired.

Once you get the job, though, it's all a matter of soft skills and of knowing how to relate to other people the right way.


Some tips:

- Say thank you when someone helps you, and don't take other people's time for granted. If you want clients and coworkers to respect your time, start by respecting theirs.

- Give people credit when they do right, and demand credit when you do.

- Be professional at all times, especially and above all when you're upset. Even if you're professional 99 times out of 100, people will remember only the one time you messed up.

- Keep your manager in the loop, especially in difficult situations when you need help. Speak up immediately when issues arise that could cause holdups and hurt your project.

- Own your mistakes publicly, learn from them and move on. Don't be afraid of making mistakes, as they are part of the learning process, but avoid repeating the same mistake twice whenever you can.

- In general, treat your team members with respect, and demand respect for yourself and your work.

- Create connections across the organization, not only with your direct team members, but also with other teams within the company. Opportunities may come up that couldn't happen otherwise, and there may come a time when help from other teams is essential.

- Build your own brand. Make sure to get official feedback on your work, and to stand out for doing excellent work, not for messing up or being a troublemaker. Better to be the talk of the company for standing out than for sucking.

- Be nice. Basic politeness goes a long way in info sec. Sadly, as Warren Buffett once said, busy is the new stupid. Many people use that as an excuse not to respond, not to deliver on promises, not to provide updates when they're expected to, and in general they feel it gives them a pass to be rude. Don't be like that. In this respect, info sec is no different from any other human activity. People expect to be treated with respect, so they look favorably on those who do treat them that way, and give them their respect in return. Apart from being a winning strategy, this is how human beings are meant to treat each other.

- Be personable. Be comfortable with the client, and don't see them as the enemy. They're not the enemy, and they certainly won't be once rapport has been established. Try to understand their needs, break the ice and slip in informal conversation topics. Meet their additional requests if the level of effort is tolerable and they don't cause major holdups. Make it clear you're on their side, as a business partner, and don't be confrontational if you can help it. When on a client call, see yourself as an actor on a stage: your lines are memorized, it's no big deal, you're ready for whatever comes and will handle the unexpected. Experience makes it progressively easier, even though it's not always a walk in the park. There's always the occasional oddball client with weird, unheard-of demands.

- Choose which battles to fight. When the client pushes back on some findings, has additional demands, or wants clarifications, carefully assess when it's worth pushing back and when it's not. Confronting the client head on is not always the right response, and it might lead to customer dissatisfaction and escalations, which should be avoided like the plague. Much depends on what these situations imply, and on the client's attitude. Sometimes the client's requests are no big deal and they have valid reasons for them, so I have no problem accommodating them. For example, a client asked me for details on the hostnames associated with specific IPs affected by multiple SSL findings. They were struggling with remediation because they didn't own those IPs and, since the IPs were ephemeral, they couldn't find the affected hosts. During testing for that project, I had performed a Nessus scan against the in-scope hostnames, so I simply provided the client with the related file. Result? Problem solved, client happy, PM happy, all happy. I could've said no, as I wasn't exactly mandated to provide the client with that info, but what would that have done for me? I'd have created a problem, and the client would have given negative feedback on my work. Instead, the client was happy with my work, and I was able to build rapport. The end result is that I've worked with this client on multiple occasions, because I know how to handle them. Of course, the situation is completely different when faced with a client's rude behavior or unreasonable demands, such as demanding new work when no retest is in scope.

- Don't be afraid of (tough) conversations. Many people in this industry, myself included, are shy and don't like direct or in-person interactions. We feel much more at ease behind a keyboard, using email to solve issues. Unfortunately, written communication isn't always the solution, and it often creates more issues than it solves, because it's prone to ambiguity, errors and typos, especially in time-sensitive contexts. Plus, emails aren't very good at expressing nuance, and the end result of that can be disastrous. Often, after sending an email, I feel I could've explained my point better and cut to the chase, and sometimes I can't seem to get my point across at all. When this happens, a phone call or a Zoom/Teams call is a far more effective solution. A tone of voice is harder to misunderstand than a written sentence. This is absolutely paramount when critical findings are discovered.


Conclusions


The above considerations come from hard-earned experience.

I'm not a preacher, and I don't suggest things I haven't tried myself first.

I don't know what you think about me (nor do I care much, to be honest), but I can say for sure that no one gave me a thing for free.

All I have is what I earned working my butt off, and I don't know any other way.

I don't believe in luck, but one can create the conditions for good things to happen. 

Try this out for 30 days, and you'll thank me later.

That's all for now.
