Developing Cybersecurity Skills Through Deliberate Practice

Years of experience alone don't create expertise—improvement requires deliberate practice with immediate feedback and coaching. Security professionals should form peer relationships, identify mentors, pursue training, and find new areas of interest within the field to sustain motivation for continuous learning.

Which activities can turn information and cybersecurity professionals into experts? And how can you avoid getting bored and giving up while working to improve?

Years of Experience Is Not Enough

Common wisdom holds that to become an expert, one needs to practice for a certain number of years. However, extended experience doesn’t automatically lead to increased performance. You need deliberate effort to improve, as explained in the paper The Role of Deliberate Practice in the Acquisition of Expert Performance by Ericsson, Krampe, and Tesch-Romer. Though the paper focuses on musicians, its findings apply to other domains, including cybersecurity.

The researchers observed the strongest performance improvement among individuals who were instructed by teachers and coaches “to engage in practice activities that maximize improvement.” To accomplish this:

“The teacher designs practice activities that the individual can engage in between meetings with the teacher. We call these practice activities deliberate practice and distinguish them from other activities, such as playful interaction, paid work, and observation of others, that individuals can pursue in the domain.”

In other words, activities in which the professional engages could be mere busywork if they are not structured to reinforce the right skills.

The researchers also emphasized the need for practitioners to “receive immediate informative feedback and knowledge of results of their performance. … When these conditions are met, practice improves accuracy and speed of performance on cognitive, perceptual, and motor tasks.”

Practice Alone Is Also Insufficient

How can you stay motivated to dedicate the necessary hours to focused practice? The answer might lie in the elusive notion of having passion for your field. Angela Duckworth uses the term grit to refer to the intersection of passion and persistence in her book Grit: The Power of Passion and Perseverance. The effort you need to exert to improve your skills can be too painful and perhaps unattainable if you lack deep interest and curiosity in the subject.

What if you’re not lucky enough to have the passion necessary to motivate your professional development efforts? Angela explains that you might need to develop such interest without expecting that it will come to you on its own. In one interview she clarifies that the successful professionals she interviewed have extremely well-developed interests:

“They cultivate something which grabs their attention initially, but that they become familiar with enough, knowledgeable enough that they wake up the next day and the next day and the next year, and they’re still interested in this thing.”

She acknowledges that people can easily get bored if they focus on the same skills for a long time.

High performers, in her opinion, are able to find new areas of interest without switching to another field. As she put it, if your goal is “to become expert in something, one of the skills is to learn to substitute nuance for novelty.”

Implications for Security Professionals

As you progress in your career as a cybersecurity professional, consider what skills you need to acquire. Understanding one or more domains is critical. Yet, depth of knowledge in IT is not enough. You also need to master communication skills and learn how to deal with internal corporate politics and influence others. Consider what project opportunities at work and on your own time are available to you for developing the kind of skills that match the market’s demands and your interests. Work on those projects—not all at once, but according to a reasonable timeline. Remember that, as the research shows, you might not succeed on your own. Take steps to make sure that your practice is deliberate and includes feedback. What this entails depends upon your personality, learning style, and opportunities available to you; it probably involves a combination of these options:

As you invest thought and effort into your skills, consider whether the structure of your practice is “deliberate” and how it benefits from others’ guidance, which research has shown to maximize improvement. If you start getting bored of security, decide whether another aspect of the field might capture your interest. In that case, build upon the skills you’ve already acquired rather than starting from scratch in a completely unrelated area. Though cybersecurity seems like a niche field to outsiders, it has many subdomains that leave lots of room for professional growth.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.
