Developing Information Security Skills Through Deliberate Practice

What type of activities can turn information security professionals into experts at their craft? And how can we avoid getting bored and giving up while attempting to improve our skills?

Years of Experience Is Not Enough

Let’s start with a classic paper titled The Role of Deliberate Practice in the Acquisition of Expert Performance by Ericsson, Krampe, and Tesch-Römer, which outlines a framework for answering these questions. Though the paper focuses on musicians, its findings apply to other domains, including security.

Common wisdom holds that to become an expert, one needs to practice the skill for a certain number of years. However, we cannot assume that extended experience automatically leads to improved performance. According to the study, improvement requires a deliberate, structured effort aimed at getting better, not merely time spent in the field.

The researchers observed the strongest performance improvement among individuals who were instructed by teachers and coaches “to engage in practice activities that maximize improvement.” To accomplish this,

“The teacher designs practice activities that the individual can engage in between meetings with the teacher. We call these practice activities deliberate practice and distinguish them from other activities, such as playful interaction, paid work, and observation of others, that individuals can pursue in the domain.”

In other words, activities in which a professional engages could be mere busy work if they are not structured in a manner that reinforces the right skills.

The researchers also emphasized the need for the practitioners to “receive immediate informative feedback and knowledge of results of their performance. … When these conditions are met, practice improves accuracy and speed of performance on cognitive, perceptual, and motor tasks.”

Practice Alone Is Also Insufficient

How can one stay motivated to dedicate the necessary hours to focused practice? The answer might lie in the elusive notion of passion for the field within which the person works. Angela Duckworth uses the term grit to refer to the intersection of passion and persistence in her book Grit: The Power of Passion and Perseverance. The effort necessary to continue refining one’s skills is too painful, and perhaps unattainable, without having deep interest and curiosity in the subject matter.

What if you’re not lucky enough to have the passion necessary to motivate your professional development efforts? Angela explained that such profound interest often needs to be cultivated, without the expectation that it will come to you and thrive on its own. In one interview she clarified that the successful professionals she interviewed have extremely well-developed interests:

“They cultivate something which grabs their attention initially, but that they become familiar with enough, knowledgeable enough that they wake up the next day and the next day and the next year, and they’re still interested in this thing.”

She acknowledged that people can easily get bored if they focus on the same set of skills for a long time. High performers, in her opinion, are able to find new facets of the area that interests them rather than switching to another field once the initial novelty wears off. As she put it, “if it’s a goal of yours to become expert in something, one of the skills is to learn to substitute nuance for novelty.”

Implications for Information Security Professionals

First, as you progress in your career as an information security professional, consider what skills you need to acquire. Understanding one or more infosec domains is critical. Yet depth of technical knowledge is not enough. You also need to master communication skills and learn how to navigate internal corporate politics and influence others.

Then, consider what project opportunities, at work and on your own time, are available to you for developing the kind of skills that match the market’s demands and your interests. Work on those projects—not all at once, but according to a reasonable timeline. But remember that, as the research outlined above shows, you probably won’t succeed on your own.

Take steps to make sure that your practice is deliberate and includes feedback. What this entails depends upon your personality, learning style and the opportunities available to you; it probably involves a combination of these options:

  • Forming a collaborative relationship with your peers, who can inspire you, offer critique and share their experiences. These people can be your colleagues at the office or members of your social network at large, whether online or in your local community.
  • Identifying one or more mentors who are more experienced than you and are willing to share tips, offer feedback and make recommendations. The mentors can be at the office or outside of work.
  • Participating in an academic program at a college or university to obtain the foundational knowledge and relevant skills. I touched upon the role that such education plays as part of an interview on TechRepublic.
  • Pursuing professional training through focused courses from organizations such as SANS Institute (where I teach malware analysis). Interactions with the instructor should provide the structure and feedback that encourage performance improvement.

As you invest thought and effort into developing your information security skills, consider whether the structure of your practice is “deliberate” and how it benefits from the guidance that research has shown to maximize improvement.

If you start getting bored with information security, consider whether another aspect of the field might capture your interest. In that case, build upon the infosec skills you’ve already acquired rather than starting from scratch in a completely unrelated area. Though information security seems like a niche field to outsiders, it has many subdomains that leave lots of room for professional growth.

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.