Security Mentoring
In January I reviewed Mike Rothman's Pragmatic CSO. Related to that book I saw my name mentioned in a post by Cutaway. He writes:
I am, however, more concerned about Mike’s approach to young security professionals. “Buy my book, it is a good approach for dealing with executive management” is not, in my honest opinion, an effective way of approaching our next generation. Sure, he has made the information available to the public, but security professionals are pummeled with literature almost on a daily basis. His book might be on the list of top purchases but where is the actual teacher to help with the interpretation to assist with the evolution of the concepts within an individual?
I understand Cutaway's concerns, but I think his request is unrealistic. I have plenty of experience with mentorship, starting as a cadet and continuing during my officer years in the Air Force. In my experience it is difficult for the mentoree to obtain mentorship (of any type) even when mentorship is a job requirement for the supervisor. In fact, my last commander asked me for job advice when I was leaving, rather than try to convince me to stay!
I wholeheartedly support Mike Rothman's recommendations for people to read his book. Does anyone think technical authors write books to make money? Almost no one can make a living being a technical author, unless you have very modest needs, no family, and have multiple books in print simultaneously and constantly.
So why write? Technical authors (and many others) write to share their ideas. One of the main reasons I wrote Tao was the desire to not have to repeat the same material whenever I trained a new analyst. Instead I could say "read my book, and then we'll talk." I think writing a good book has the capability to do far more good for the community at large than a one-on-one relationship. Books certainly scale better than people.
Speaking of people, those who you would probably want as mentors are most likely the busiest people you'll ever meet. Mike is running his own company. I'm running my own company. I regularly receive emails from students and others asking for help with their PhD topics and other issues. If I have the time to help I usually respond in the form of a blog post or a CC to a mailing list so what I say can be shared.
If you really want a human mentor I recommend joining a security association like ISSA, hanging out in an IRC channel with people you respect, and/or joining a company or organization to work for someone you want to emulate. I've done all three at various stages of my career.
I am, however, more concerned about Mike’s approach to young security professionals. “Buy my book, it is a good approach for dealing with executive management” is not, in my honest opinion, an effective way of approaching our next generation. Sure, he has made the information available to the public, but security professionals are pummeled with literature almost on a daily basis. His book might be on the list of top purchases but where is the actual teacher to help with the interpretation to assist with the evolution of the concepts within an individual?
I understand Cutaway's concerns, but I think his request is unrealistic. I have plenty of experience with mentorship, starting as a cadet and continuing during my officer years in the Air Force. In my experience it is difficult for the mentoree to obtain mentorship (of any type) even when mentorship is a job requirement for the supervisor. In fact, my last commander asked me for job advice when I was leaving, rather than try to convince me to stay!
I wholeheartedly support Mike Rothman's recommendations for people to read his book. Does anyone think technical authors write books to make money? Almost no one can make a living being a technical author, unless you have very modest needs, no family, and have multiple books in print simultaneously and constantly.
So why write? Technical authors (and many others) write to share their ideas. One of the main reasons I wrote Tao was the desire to not have to repeat the same material whenever I trained a new analyst. Instead I could say "read my book, and then we'll talk." I think writing a good book has the capability to do far more good for the community at large than a one-on-one relationship. Books certainly scale better than people.
Speaking of people, those who you would probably want as mentors are most likely the busiest people you'll ever meet. Mike is running his own company. I'm running my own company. I regularly receive emails from students and others asking for help with their PhD topics and other issues. If I have the time to help I usually respond in the form of a blog post or a CC to a mailing list so what I say can be shared.
If you really want a human mentor I recommend joining a security association like ISSA, hanging out in an IRC channel with people you respect, and/or joining a company or organization to work for someone you want to emulate. I've done all three at various stages of my career.
Comments
Thank you for your input. I do understand your and Mike's position. I also recognize that both of you have made yourselves more than available for questions and leadership. I respect you both for the time and effort you have been putting into the community.
I had a feeling that there would be challenges to the mentoring model in the form of time and cost effectiveness. From the receiving end I am sure it is especially challenging for persons who are particularly adept in a subject which you and Mike have proven to be. But just because mentoring has been a challenge to you (or it was something that you out grew of) does not mean it is beneficial to other individuals.
Certainly, the time you, and many other leaders I will not mention for space, are very busy with your projects that will benefit the community. Many of you provide education in your excellent courses and conference presentations. But there are other leaders out there who may have time to devote to upcoming professionals. Those are the experienced professionals I was aiming for in my post. Mike's post merely spurred this thought in me.
Again, thank you for your input and leadership.
Cutaway
But a mentoring relationship is not one that can be forced. It needs to develop and result from a mutually beneficial agreement between the two parties. As you pointed out, it's not something that can be mandated.
I've mentored many analysts and security professionals through the years and gotten great personal satisfaction from it. I continue to mentor quite a few marketing folks and I really enjoy that, even though I don't have daily marketing responsibilities anymore.
If the opportunity arises, I look forward to mentoring other folks as as appropriate. But it's not something I can put on my to-do list, it's kind of something that just happens.
Thanks again for your thoughts and continued contributions to the cause. And beers are on me next time I'm in VA.
I see what you're saying, your point of view, and I have to say that something like this cannot necessarily be generalized. I believe that if someone such as yourself were to decide to do so, you could be a mentor.
As a technical author myself, I fully agree with your points in that area. Technical authors do not make money, and even though these books are published, one cannot write about every possible situation or scenario that someone could encounter. Sometimes it takes some personal interaction to demonstrate how to address certain situations.
I also agree that those most would want as mentors are most often the busiest folks. However, I also feel that if it were a priority...such as writing a book...then the two could work out a schedule that suited them both.
Mentoring can take many forms, and in a field such as ours, I can definitely see how it would be extremely important and beneficial. To Kim's comment about giving back to the community...sometimes this (and mentoring) can easily be done, if people would just ask the questions that are burning on their minds.
Harlan
http://windowsir.blogspot.com