As we start out, or even when entering a new stage of our careers, we realize the need to be connected to a professional community. For people in very large organizations there may be internal communities of practice to fulfill this need, but maybe for them and definitely the wider majority there will be a need to work across a broader community.
This is a common goal in all industries and professions. However, there is much more heterogeneity in InfoSec / Cyber. If you’re a lawyer there’s a well defined community that serves all your needs with perhaps sub-communities for particular locations or specialisms. It’s similar for accountants and financial risk managers, and so on among the classic professions. For the more formal types of engineering (mechanical, electrical, civil, chemical and so on) there are well defined professional societies and local chapters that fulfill this function as well as defining professional standards, codes of conduct and qualifications. Some industries require such professional engineering status as a minimum entry requirement for any significant project or activity.
InfoSec / Cyber (and most of IT in general) isn’t like this. Yes, there’s some nascent organizations like the UK’s Chartered Institute of Information Security Professionals and the less formal associations like ISACA and ISC2 driven from their certification schemes. The IEEE, ACM and BCS also have served some purposes in IT / engineering with chapters and groups for InfoSec / Cyber.
But, for InfoSec / Cyber in general, unlike the other professions there is a massive spread of unaligned subdisciplines with the consequent result that it is much harder to get involved in the right way and takes a lot more self-reliance than the more apprenticeship or mentoring oriented models of other professions. To give one example, I became a Chartered Engineer a long time ago. This involved not just having the right qualifications but also required maintaining a work log for several years which was regularly signed-off by a current and long-tenured Chartered Engineer. It also encouraged participation in the professional society that sponsored your candidacy, in my case the UK’s Institute of Electrical Engineers (now known as the IET), later with the BCS. In both cases these had well structured hierarchies of membership, training, vetting and a final interview / panel to determine if you were ready to be granted the designation of Chartered Engineer. All of this meant you had to participate, to network, to grow professionally and feel a sense of belonging in a community of professionals akin to accountants, doctors, lawyers and such.
Given you are unlikely, in most countries, to experience this in InfoSec / Cyber we need to self-create such a structure at any level of your career. It’s best to start early but it’s never too late. The recipe for doing this has 5 steps:
1.Develop a Shortlist
As mentioned, InfoSec / Cyber has a vast and unwieldy number of things you could get involved in (see the list further down in this post) and so you’ll need to select a few to get close to, and leave vast amounts more on the back burner. My rule of thumb is stick with 2-3 maximum to be closely involved in and maybe 2-3 to sign up to for their publications and perhaps be involved as particular opportunities arise. So, some guidance on how to pick these:
Talk to your colleagues. In your organization and in your particular field there will be specific organizations that your peers (or leaders) are involved in that will be more beneficial to your career. This is especially true if your role is InfoSec / Cyber in a wider engineering discipline. For example, if you’re in Tech then the IEEE, ACM or similar groups would be useful, if you’re in aerospace then being in / around where your aeronautical engineering colleagues are might be useful. Even in finance, it’s useful to knock-around some of the financial risk management professional groups.
Align with your work. If you’re deeply into a specific technical discipline in InfoSec / Cyber then find the community that is more useful for that, but don’t neglect some of the broader communities. It’s not a great career enhancer to be so narrow at the expense of some broad knowledge that you become too dogmatic about your own sub-discipline and thus dismiss the need for wider community work.
Assess the need for qualifications / certification. If you are at a point in your career where one or more qualifications or certifications are needed, then align to those associations or communities that support that.
Need for mentoring. If you want mentoring, coaching or to be able to hang around with some “industry veterans” (overall or in your discipline) then pick the ones that best fit that.
Stretch yourself and be helpful. It might be that the best bet is to do something very different and get involved in another community that is tangential to your interests but where you think you might be able to be extraordinarily helpful. For example, imagine joining an industry specific engineering association that has some adjacent need for cyber work then you could be more connected and likely find many opportunities, perhaps more by being the “big fish in a small(er) pond.”
2.Join Up
Yes, a big statement of the obvious. But reading a few articles and sitting in the back at a few events might get some benefit but it is not being involved in a way that you can truly benefit from, or more altruistically, that the community can benefit from you. So sign up, get involved and perhaps even put yourself on the track to getting the qualifications, certifications or other professional designation. For example signing up to the ACM to read the excellent Communications of the ACM is useful, but really getting involved to be on a path to be an actual full Member of the ACM is another thing entirely. Doing this definitely means being selective and focused.
3. Do the Work
Once you’ve joined some community and got your bearings then figure out how you can be useful. Volunteer to assist in some work streams, actively participate in activities and maybe generate some ideas for new efforts. The main thing to remember is to put the work in. If you decide the only way you want to be involved is by chairing a working group or running some major program then unless you are already held in some professional regard you are likely not going to be selected. So, for most people early in their careers it's best to join in groups and do the leg work, build a reputation and then be selected for more and more significant roles. This can progress you quite quickly. Don’t just confine this to the technical work. Some of the most needed work in some groups and even professional associations is to help with event logistics, staffing and administrative tasks. Most of the community and association leaders I know got to be that by not just being a leader of some technical workstream but, rather, by many years of the hard yards of running a conference, helping with membership, managing the accounts and so on.
4.Lead and Connect
Once you’ve established yourself and built something of a reputation then start to lead more. Create new and needed initiatives, connect existing initiatives within that community. But, more importantly, start to use your involvement in multiple communities to connect them together. Some of what I think is the most useful work I’ve ever done is to connect one activity I’m involved in with another to make 1+1 > 2.
5.Figure Out What Next
Having done a few years of this participation, leading and connecting in the communities you focused on, it's time to set your sights higher on some specific task forces, government or other advisory boards. You might not even have to plan this. More likely than not, if you’ve put in the work and maintained a professional / collaborative approach in all the other steps above then you’ve likely built a solid network of people who will be recommending you to join other things. But, for whatever reason, if not then you can still use that network to ask for help to get involved with what you want next. For example, a few years ago I decided I’d like to be a member of the CFR (Council on Foreign Relations). It’s a topic I’m interested in. They have fascinating education programs and do a lot of work in technology policy and cybersecurity. As with other similar organizations it is quite hard to become a full member and the selection process needs sponsorship and letters of recommendation from existing CFR members and a means of representing a body of work. For the latter I was quite well covered (see earlier steps). For the rest I had to use the network of people who were CFR members I knew from other communities as well as my own employer at the time - in other words, it was in the end relatively straightforward to join but only because of the 15+ years of prior work in other communities.
_____________________________________________
Now you have the steps, let’s examine all the various parts of the InfoSec / Cyber community. I have a good vantage point in the industry so I think this is a pretty good list but I recognize I might be missing others so please feel free to comment in the social channels what I need to add here. Also, in each item below I list a few examples of typical organizations - these are not meant to be complete. Clearly, there are a myriad of examples in each category.
Open Source. There’s a range of opportunities in various large and small open source projects and the communities around them. Some, like Kubernetes, have a whole series of communities and conferences and some sub-groups on security. More broadly there are opportunities to engage at the Linux Foundation level and, for security, with the Open Source Security Foundation. Admittedly some of these may require engagement or membership of your employer but many also have individual / volunteer options.
Industry Associations. There are a large number of industry associations that develop standards, frameworks and run community services. These are often staffed by volunteers from member organizations as well as offering individual volunteer opportunities at national, local chapter or working group levels. If you find out who your company’s contact is for each of these then they’re likely to be overjoyed at someone volunteering to help. Similarly, many of the associations love individual volunteers that can do work without corporate or other affiliation. Some examples of these are the Center for Internet Security and the Cloud Security Alliance.
Training Associations. There are many not-for-profit organizations focused on developing training material particularly to advance cybersecurity skills in underrepresented communities and across the industry in general. These are often relatively under-resourced and are always looking for volunteer help on content, mentoring and other community support. One example here is Cyversity, but there are many others.
Education and Certification Bodies. Love them or not, there are many organizations (for profit and not for profit) that develop certifications, accreditation schemes and other training. These also bring plenty of opportunities for collaboration and engagement through national work and especially through local chapter meetings. These include ISC2, ISACA, GIAC and many others.
Sector / Domain Specific Sharing Organizations. In each of the critical infrastructure sectors, and more broadly, there are so called Information Sharing and Analysis Organizations (ISAOs) including the more established sector specific Information Sharing and Analysis Centers (ISACs). Similarly, in the US, there are other sector specific organizations called Sector Coordinating Councils, for example in financial services. Some of the leading ISACs like finance, health, electricity, multi-state and more have large numbers of members, significant working group activity, extensive operations and frequent meetings and conferences. There’s also a national council of ISACS. All of this, again typically through your employer, represents a wealth of opportunities for career development, networking and community contribution. Finding out who your corporate contact is and offering your help will usually result in engagement. Also, if your company is not an ISAC member then work to sign them up. Even if you’re a smaller organization of limited resources there are often free or very cheap tiers of membership to get you connected.
Industry Specific Trade and Professional Associations. I find a lot of people neglect to think of the opportunities in their trade specific groups. These are organizations focused on your business (or government) sector around issues that advance the sector and profession as a whole. They often have sub-groups focused on risk, technology and many have groups focused on InfoSec / Cyber. The best thing about these organizations is the work you can do for them gets you plugged into a range of business interests that will benefit your career and will network you with executives in your sector from different fields. There are literally 100’s of these organizations, across sectors and geographies, for example just in the US in finance you could be engaged in very important cross-industry cyber work in The American Bankers Association, SIFMA, IIF and the Global Association of Risk Professionals to name just a small number. If you’re in a larger organization then some of your senior InfoSec leaders will likely be already engaged and might appreciate some volunteer help. If not and you don’t know how to get involved then contact these organizations and ask who your organization’s contact might be. It might be your CEO or CFO, but don’t let that put you off, reaching out to your CEO saying you’d like to help will likely be welcomed.
Professional Associations. Many of these are great and, unlike other groups on this list, are geared for individual professional and career development rather than representative corporate engagement. There are large numbers of these organizations in every country and many operate internationally with local, national and topic specific chapters and working groups. Examples include: IEEE, ACM, CIISec, BCS. There are also other professional associations in law, accounting, risk, engineering and other disciplines that have working groups on InfoSec and Cyber and may provide a different path to engagement particularly if you want to pursue some different education or industry qualifications alongside InfoSec. You can get a lot out of these associations and work with them but they can tend to be a bit hierarchical. I don’t mean that in a negative way, they’re structured to develop and mentor people through a professional hierarchy of experience and levels and if you approach these with some humility and patience you can learn a lot and develop some excellent industry specific executive formal and informal relationships.
Standards Bodies. Sometimes there is a bit of a blurred line between these and the professional associations who do standards work (like IEEE). But, these are also a great opportunity to engage in a community and contribute. They can be chapter / location oriented but are, of course, mainly geared toward the development or maintenance of specific standards. These include IETF, BSI and ANSI to name just a few. Similarly, there are a range of industry specific and technology specific standards groups that welcome engagement, for example: FinOS, Open Titan, and many others depending on your expertise and interest.
Government Standards Bodies and Associations. Similarly, there are national and jurisdictional standards groups that offer advisory opportunities or other types of meeting / collaboration and other engagement possibilities. Often these might be aligned to your employment but some also offer the ability to engage at a personal level. These include NIST, BSI, ENISA and many more. At a more senior level you can also, typically having put some work in at other levels, aspire to some of the higher level government advisory boards and councils.
Educational Establishments. Many Universities and other educational establishments have information security, cybersecurity or similar departments either focused on education and/or research. Depending on your level of experience and particular domain of expertise you will find opportunities to teach regularly, guest lecture or to help participate and shape research programs. Doing this is often as easy as just reaching out to any of the people in the relevant department. Another way is to actually go through some education program even if it’s just a short professional certificate program rather than a more substantial Associates, Bachelors, Masters or other degree program. Remember that most of the large Universities have multiple departments working on aspects of security and building a relationship with one is a path to connections with others. For example, I’ve long been involved with the NYU Tandon School of Engineering which led in part to a range of valuable and meaningful connections and work with the NYU Stern School of Business and NYU Law.
VC and PE Advisory Boards. Many venture capital and private equity companies have advisory boards. Some of these are excellent ways to network with peers, but are typically reserved for CISOs, other executives or security subdomain leaders (e.g. operations, application security, cloud security) from larger organizations.
Vendor Specific Customer Advisory Boards. These can also be very useful for networking with one’s peers - not just at CISO level but at subdomain level as well, especially if the vendor focuses beyond simply wanting input on their products and focuses on creating a wider educational experience. The same goes for vendor conferences and other events where there can be opportunities to be part of a conference steering committee. For example, the Mandiant mWise CISO Summit has an agenda set by the participants.
Conferences. There are large numbers of industry conferences like RSA, BlackHat, and DefCon including the various smaller meetup style conferences. There are plenty of opportunities to help out with these: steering sessions, running panels, helping select topics and so on. Although you clearly have to balance what you can get out of this vs. volunteering to help what are, naturally, primarily profit making enterprises. The same goes for various conferences for research organizations like Gartner (I still miss the original Burton Group conferences) and Forrester. Developer driven and open source related conferences such as KubeCon have growing areas of security focus. Newer conferences that bridge academia and defense techniques like the awesome Enigma Conference are great, with significant corporate sponsorships to fund attendance for under-represented communities. Practitioner and research oriented conferences, while academic focused, are very inclusive and accessible to professionals of all levels. The Workshop on the Economics of Information Security is a great example of this.
Public Policy Conferences. There are also a range of conferences that bridge government, public policy, business and academia. These include the Munich Security Conference and the associated Munich Cybersecurity Conference, various Aspen events, as well as Davos and others. These are typically invitation-only once you’ve established yourself as having some significant level of expertise, or courtesy of the role you have in a prominent organization. But, increasingly they have events and groups for people early in their careers.
Adjacent Professions. Finally, it’s worth mentioning some adjacent disciplines. Physical security, from facilities, executive protection and crisis management is a broad and vibrant profession in all types of organizations with many shared standards and professional communities. Business continuity, resilience and disaster recovery is, again, a rich field of professionals with a body of knowledge and associated accreditation schemes. Privacy is a long-standing professional field and there is some closer alignment between enterprise information security and the privacy community as more InfoSec and Privacy teams come together on control implementation. However, privacy as a professional field remains distinct and well-codified and ever more challenging.
Bottom line: sign up, join in, lead and connect. Start focused: choose 2-3 communities based on your interests, career goals, or current role. Join and engage: don't just lurk, instead volunteer, participate, and build relationships. Be helpful: offer your skills and knowledge to contribute to the community. Lead and connect: as you gain experience, take on leadership roles and bridge connections between communities. Level up: aim for higher-level involvement like task forces or advisory boards.