Competence-in-Depth: A Working Model

Monday, February 14, 2011

Brad Bemis


Several years ago I responded to a rather heated debate regarding the role of certifications in defining what it means to be a “Security Professional”.

Okay, to be fair it was a bit of a rant, but you should have seen the other comments that were being posted... I’ve included a copy of my original post HERE for those that are curious.

Anyway, something interesting did come out of it (at least in my opinion). I introduced the term “Competence-in-Depth”.



Now this is not a new concept by any means whatsoever. In fact it is an obvious (and purposeful) rip-off of the Defense-in-Depth model. There is an important parallel to be drawn between the two subjects though – especially for anyone wanting to enter into or progress in the field of information security.

As I stated in the original post, “How many times have you been told (or even said yourself) that there is no panacea for information security?” This means that there is no “silver Bullet”, no singular magic solution to the challenges we face in this profession. The exact same thing applies in terms of establishing and maintaining professional competence in this field.

At this point I am going to borrow directly from the original post, and then dive into a bit more discussion on the subject.

From the original post:

Yes, demonstrated experience on the front lines, above all other things, stands the best chance of differentiating between varying levels of skill, but let’s not forget some of the other elements that compose the foundation for what I will now refer to as security “competence-in-depth”. I think you will find that there are many of us (probably a vast majority) that would much rather denote competence through a series of activities rather than a singular focus.

I see it as a lifecycle process (yet another concept that we within the security community should be intimately familiar with as a critical success factor in most of our endeavors) consisting of (in no particular order because they should all be continual processes):

• Formal Education (school)
• Professional Education (courses)
• Hands on Learning (daily exposure)
• Experience (long-term exposure)
• Reading (self-learning)
• Writing (sharing your experiences)
• Involvement (professional associations)
• Teaching (course instruction)
• Certification (milestones)
• Recognition (awards)
• Again, and
• Again, and
• Again

If I were posting the same message today, I’d probably make some minor adjustments. However, it’s largely on target.

With a few slight modifications, let’s jump into what each of these means.

Formal Education: Go to school. Earning an undergraduate degree in a technology discipline, or some other complementary field, will serve as an excellent foundation for many of the competencies that professionals in almost every field must demonstrate.

Additionally, because we are in a field where college degrees are often optional (and there is nothing wrong with that), the fact that you have a degree will help establish your credentials as someone who is serious about going the distance.

Better yet, round out your formal education with a post-graduate or even doctoral program. This may be a bit more difficult to do, but the payoff is rewarding – why? Because it’s difficult to do, and people know that! It also arms you with additional skills and knowledge that many of your contemporaries may not possess. Besides, school is fun (assuming you can afford it).

Professional Education
: Take classes and attend conferences. While some may feel the need to title this as “training”, we are considering it in a broader context. Professional education encompasses all of the opportunities you create for yourself where you can sit in a class or participate in some sort of training activity on a topic that is relevant to your career.

This includes bootcamps, specialized training courses, conference sessions, webinars, etc. It doesn’t matter if it’s a certificate program, a week long hands-on technology-centric course, or a class on time management. The goal here is to take your education from the realm of theory and models (which is largely what your formal education will cover), and move into the realm of truth.

Reality can be harsh, and professional education opportunities will teach you how to deal with the kinds of situations that present themselves on a recurring basis.

Hands-On Learning
: Do stuff. No amount of education or training is going to fully prepare you for the work you’ll be doing as a security professional. Hands-on learning fills in the gaps with real-world experience in day to day situations. You can also think of this as on-the-job training.

Some people will frown at this statement, but this is where you are free to make mistakes and to learn from them. Let me curb that advice with a recommendation to help turn that frown upside down – even though you are in a learning mode, do your best to avoid making mistakes. It’s just that when they do happen, really and truly pay attention to what happens and use it as a learning opportunity. Not just for yourself, but for the people around you as well.

Something else you’ll notice here – the magnitude of your mistakes will have a direct correlation to the depth of the lesson learned, and the length of time that lesson is remembered. I still turn a bit red in the face when I think about the first time I sat down at a unix box and erased the .etc directory on a live network server.

Hey, it happens. I can tell you I’ve never made that particular mistake again; others yes, but I learned from them to.

Experience: Keep doing stuff. Over time, you’ll discover that your mistakes are fewer and less painful, while your confidence level slowly rises. One day you’ll wake up and realize you may have actually mastered some aspect of your work. Eventually, you’ll master several skills and become a force to be reckoned with.

A word of caution here though – to think you’ve really mastered something and can maintain your edge without renewing your skills through further training and experience is foolhardy. The field of information security simply moves too fast for anyone to be an expert in any one thing for too long, without continually revisiting the subject.

At the same time however, if you develop experience in a certain aspect of security, and then step away from it for a while, you’ll still be able to draw on your past experiences to help you bridge the knowledge/skill gap if you encounter that same aspect of security again later on down the road.

I consider these the “big four” when it comes to building competence, but they are by no means the only steps you can take to grow your expertise. There are many other tools available in your professional development arsenal to draw upon.

Now let's go a bit deeper and look at other important ways to broaden your horizons and increase your value.

Reading: Read everything! Well, within reason – there are after all only 24 hours in a given day, and you still have work to do. The obvious contender in this category is the vast library of books that have been written on the subject of information security.

For those of us who started our careers out in the early days, there was very little reference material available, and most of what we had was based on things that came out of the military and colleges. Books are only the tip of the iceberg though. Subscribe to magazines and periodicals, news letters, forums, rss feeds, blogs and anything else you can think of.

Be discriminating in what you choose to draw from at this stage, but be open to the plethora of insights and new ideas that you can take away from these resources.

Writing: Write every day! Writing will accomplish two things (more really, but we’ll just focus on two for now). First, it makes you a better writer. If there is one skill that will serve you more than any other in the field of information security, it’s the ability to write – and write well.

Writing also forces you to do research and consider your own position on a particular subject. It helps you to draw from your experiences, cultivate your ideas, and express them to others. That last part is important, because you should write with your audience in mind; expecting someone to read it at some point.

When you set your thoughts down in the written word, it gives other people the chance to share in your knowledge – not just by consuming the information, but by providing feedback that may help you give more substance to your original concept. There is simply no other way for me to fully convey the importance of writing – make it a priority and you’ll benefit greatly.

Teaching: Teach others what you’ve learned. What can possibly be better than writing as a means of personal and professional development? You guessed it - Teaching! While this particular option isn’t for everyone, it should still be considered at some point, and tried at least once.

There is a great deal of truth in the old adage that teaching is the best way to learn. Teaching others requires you to put even more thought into whatever it is you are trying to share, and forces you to explore different ways of communicating the material you plan to cover. Along the way, you’ll learn a few more things about the topic, about the process, about communicating, and about yourself – it’s almost a law of nature.

If you don’t think teaching is right for you, there are a few ways to get around that, but ultimately it comes down to competence, confidence, and communication. If you can bring these “3 C’s” together on any topic you know – then you’re ready to teach.

Involvement: Participate in the growth of your profession. It may be attending local security association meetings, taking part in a public works project, writing a book, giving a lecture at your children’s school, assisting in the development of a new standard, having coffee with someone interested in what you do, and so on. The range of options is nearly limitless because there are always opportunities available for contributing to the profession – you don’t even need to look very hard to find them.

Information security is an incredibly diverse field. It is also a relatively new profession if you discount its long history in government and academia. As a developing professional discipline there are a number of challenges we are struggling with – we still have a lot of growing up and getting smart to do. By actively participating in the security community and making a contribution, you’re doing your part to make life better and easier for all of us.

: Earn the respect and admiration of your peers. If you are doing everything outlined in this article (and doing it well) recognition will come in due time. It is not something that you should set out with as a goal though; it’s something that must be earned. As you do more and more to increase your knowledge and skills, share what you learn along the way, and make an active contribution to the profession, your peers will take notice.

While recognition does indeed serve as its own reward, there are other tangibles that may come with it – many professional associations and even a few security companies have formal awards they give out at certain times. If you really stand out as a pioneer in the field or demonstrate outstanding commitment to the profession, you may find yourself in the running for one of these awards.

Again - you should never start with the expectation that you’ll be an award winning expert in the field, but if you work hard enough and do the right things, it’s a perk to look forward to at some point down the road.

Certification: The dreaded “C” word. I left certification for last, and with good reason. Nothing stirs up debates on what it takes to be a security professional more than the subject of certifications.

As I mentioned in my original post (slightly modified here), “I for one believe that someone with the appropriate background, skills to demonstrate their expertise, and a desire to succeed would simply take the time to ante up and get certified as a professional responsibility”.

While I still believe that certifications are an important part of being a well-rounded security professional, I am not so sure I can support them as a professional responsibility any longer. There are a few (like the CISSP) that I would wholeheartedly recommend to enthusiastic individuals that want to pursue them, but for the most part there are simply too many to keep track of these days.

I’ll be addressing certifications in a separate article, but for now my parting words on the subject are: figure out the direction you want your career to grow in, research the certification programs that best support your goals, decide on one or two that really matter, and go get certified – it certainly can’t hurt.

Rinse and Repeat: Now for the last part – doing it all again, and again, and again. If there is one fundamental truth about being a security professional, it’s that things change every day. Sometime it’s literally minute by minute, second by second. If you can’t handle change, you simply won’t succeed in this profession no matter how many of the things from this list you decide to do.

Practice living in a state of continuous renewal, or “sharpening your saw” as Stephen Covey describes in his book ‘The 7 Habits of Highly Effective People’. It is essential to your long term career.

So there you have it – a fully defined (and slightly modified) working model for “Competence-in-Depth". Let’s recap:

Competence-in-depth is a professional development model that helps build well-rounded security practitioners capable of handling the many challenges we face in the digital age. It includes (in no particular order):

• Formal Education (school)
• Professional Education (training)
• Hands on Learning (daily exposure)
• Experience (long-term exposure)
• Reading (self-learning)
• Writing (sharing your experiences)
• Teaching (course instruction)
• Involvement (professional associations)
• Recognition (awards)
• Certification (milestones)
• Again, and
• Again, and
• Again

 The next steps are yours...

Cross-posted from

Possibly Related Articles:
Security Training
Certification Training Information Security Infosec Competence in Depth Professional
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.