Mind the Gap: Leveraging mind maps & self-assessments to develop a personal training plan
This blog is a written version of a talk I was blessed to give at The Diana Initiative (TDI2021) conference. Thanks to the amazing organizers, speakers, and volunteers for putting on an amazing event and for letting me be a small part of it!
Here’s the video of the talk!
Information security is a growing career field with many niche roles and ever-expanding knowledgebase of articles, labs, and training opportunities. How do you know what to learn next? What training will have the best benefit for your career path? From n00bs to SMEs, career planning and personal development can be very overwhelming.
At least for me, I struggled initially to figure out where I wanted to with my infosec career. Once I started as a threat analyst, I felt like a complete imposter because I could barely understand the tech stuff when I talked to other teams in infosec. I would go home every day with pages of notes and a drive to learn-all-the-things. That wasn’t the healthiest approach and I struggled to find a focus for my training plan. That was at least until I saw the NICE framework.
Officially, it is the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which was created by the National Institute of Standards and Technology, NIST. Yep, NIST created NICE, and I’m a huge fan.
But let’s back up for a second in case you haven’t quite found what you want to be when you grow up. This is where some handy career maps can help a bit. There are a lot of different roles in cybersecurity, and it takes a village to protect a network.
Let’s be clear here: there is a place for everyone and every skillset in cybersecurity.
MITRE is another organization that provides us all with a lot of cool & free resources. You’ve probably already heard of both ATT&CK and D3FEND — don’t worry, we won’t talk about that here. Instead, I’ll point to their earlier work, an amazing free book titled “Ten Strategies of a World-Class Cybersecurity Operations Center.” Seriously, this should be required reading for all blue-teamers, especially management types. For our purposes, we’re looking at page number 103 (PDF page 114), figure 16: “Typical Career Paths Through the SOC.” (NOTE THIS LINK LEADS STRAIGHT TO THE PDF).
In this one image, we see a number of roles to consider. We can research the individual roles and learn a bit more about the type of tools, tasks, and responsibilities for each of them. This free PDF is a good start, and a little Google-Fu will lead to some additional reading about those types of roles.
Another amazing resource is Henry Jiang’s “Map of Cybersecurity Domains,” which provides a cool visual of the different domains of cybersecurity. I like this visual because it helps tie together a whole bunch of industry terms and helps put them in buckets. It can help you identify areas you should study up on if you plan to go towards a specific domain.
PRO TIP: If you want to learn about the day-to-day life of various infosec careers, BSidesNoVA 2021 hosted multiple career panels that are worth checking out.
Alright, back to the NICE framework. I like the NICE framework for many, many reasons. I think more companies should map to it and I would love to see the industry give NIST some feedback on the types of roles and descriptions that are missing or not quite right for corporate purposes. To me, the NICE framework is a little too military-centric, but it is still a great foundation for baselining the knowledge, skills, and abilities (KSAs) for specific roles.
The first thing to know about the NICE framework is that CISA hosts a really cool online tool that lets us browse through the various roles. We can use this page as a text version of an infosec-careers map by reading through the various descriptions of jobs and figuring out what sounds interesting to us. This framework buckets 52 work roles into 33 specialty areas that are grouped into the following 7 categories:
- Analyze
- Collect and Operate
- Investigate
- Operation and Maintain
- Oversee and Govern
- Protect and Defend
- Securely Provision
For our purposes, we’ll click on the Work Roles link at the top of the page.
We can use the dropdown menu to select the role that we’re interested in learning more about. For today’s purposes, I’ll stick to what I know and select my role “Threat/Warning Analyst” and hit Apply. The website updates and shows the Knowledge, Skills, and Abilities (KSAs) required of a Threat/Warning Analyst.
If we scroll down further, we can also see a list of tasks normally associated with this role. Below that list, we see a career progression chart with the types of training, education, and skills that are expected for various stages of one’s career in this role.
As you can see, this is a great tool for understanding the expectations of various role types in infosec. The NICE framework can also serve as the basis for conducting a self-assessment to figure out our stronger and weaker areas. Let’s take a look at that method a bit more.
That’s a NICE Self-Assessment You Got There!
The first thing we need to do is jump over to the NICE framework’s resources page and download their supplemental Excel document. (NOTE: THIS HYPERLINK DOWNLOADS THE EXCEL FILE) This beast of a workbook includes a tab for every role in the NICE framework with some super complex lookups and links so you can easily navigate from a Table of Contents to the pages that you want to see.
Once we download the file, we’ll follow these steps to create our self-assessment too:
- Click the “Click to view KSAs” hyperlink for our role on the Table of Contents page.
- Copy the entire KSA page.
- Open a blank workbook.
- Paste (plaintext) into the blank workbook.
- Navigate back to the supplemental workbook and copy the Tasks page for your role.
- Paste the Tasks as plaintext at the bottom of the page where you pasted the KSAs.
- You should now have the KSAs and Tasks in one long spreadsheet.
- Delete the extra lines and section titles between each category. For example, delete the blue line that says “Abilities” at the top of the abilities section.
- Insert a blank column and title it “Score.”
- Insert a blank column and title it “Category.”
- In the “Category” column, add the appropriate category (e.g. “Knowledge,” “Skills,” “Abilities,” and Task” for each line of the spreadsheet.
Your self-assessment tool is now ready and should look something like this:
Now we just go down the line rating ourselves. We want to be honest here. Here’s a basic 5-point scale that I use for my self-assessments.
- I’ve heard of this, but please don’t ask me to explain it
- I’m familiar with the topic and can explain it with a little more research / Google-fu
- I get this stuff and can do it on my own
- This is my jam. I can perform this task on my own and my teammates ask me for assistance with this sorta thing. I can also explain it to my non-technical friends and family
- I’m kind of a big deal. I can teach it to anyone and others call me a SME for this topic
Once I’m done with my self-assessment, I sort it from highest to lowest score and I celebrate my wins for a minute. This may include updating my resume with a few new bullets as I think through recent projects and accomplishments. For example, “Provide subject-matter expertise and support to planning/developmental forums and working groups as appropriate” might become a resume bullet like “Served as the threat intelligence subject-matter expert for a Microsoft 365 Security Project supporting over fifty thousand employees with cloud computing capabilities.”
Now for the real work, I sort the spreadsheet to show me my lowest scores. These are the areas I need to focus on for the next few months of training. In my mock self-assessment, I see that I have some pretty low scores for:
- Risk management
- Common networking protocols and fundamentals
- Attacker methods and techniques
I can use some of these key terms paired with the keywords “Exam Objectives” to find relevant training and certificate programs. This quick Google-Fu leads me to the Security+ exam objectives where I can see that the exam covers “threats, attacks, and vulnerabilities,” “technologies and tools,” and a few other areas that my self-assessment scores point towards needing work. It looks like I need to study up for the Security+. If my lowest scores weren’t all 1s, I might aim a little higher towards something like CySA+ or the CASP+.
Pro tip: You can study for a certificate and never need to take the actual test. While getting a certificate helps get your foot in the door for a new job, our focus today is gaining knowledge.
Of course, the NICE Resources Page includes a whole list of training vendors that have already done this type of role-to-certificate mapping exercise for us, including the CompTIA mapping below for “threat analysis.”
Putting it all together
So we decided we wanted to get into cybersecurity. We looked at a few career maps and decided that we want to be threat analysts. We realized that we have a LOT to learn to be a threat analyst and we completed a self-assessment of our cyber skillz to identify where to focus our training for the next few months.
It is very, very easy to get overwhelmed and distracted with the constant release of new infosec tools, talks, CTFs, labs, cons, blogs, videos, streams, and even those dank infosec memes. Using the NICE Self-Assessment approach is critical to overcoming imposter syndrome and focusing our learning efforts. Now, it’s time to dig in and get focused.
… And if you liked this talk/blog, you might also enjoy my Career Hacking talk/blog that I presented at BSidesNoVA2020.
Pro tip: Check out CyberInsight and Professor Messer on YouTube for thousands of hours of free training resources, including prep courses for many popular certificate programs.
Bonus Nerd Stuff
Hey if you like this approach and you like Excel formulas. I’ve included this bonus section to show how I create a quick dashboard for my self-assessment scores.
In my self-assessment workbook, I select my self-assessment data and click Format as Table on the Home ribbon of Excel. This makes the data look nicer, but it also tells Excel to create the column names as objects, which we can use in formulas. After that, I create a blank tab and name it “Dashboard.” I create four columns named:
- Category
- Average
- High
- Low
In the Category column, I list out:
- Task
- Knowledge
- Skills
- Abilities
If your dashboard table is in the same cells as mine, you can simply copy and paste the below formulas into your spreadsheet. For example, you’ll want to copy/paste the first formula into cell B3. This formula looks at the Category field on our self-assessment page and matches it against the value in A3, which is “task”. For every line of data on the self-assessment page that matches with a category match, this formula will average the score, giving us our average score for the Task category. Hopefully, that makes sense… The High and Low columns give us the highest and lowest scores for each category. This may tell us something like “hey you’re really smart (knowledge), but you need to practice (task, skills, or abilities)”.
- In B3, type =AVERAGEIF(Category, A3, Score)
- In B4, type =AVERAGEIF(Category, A4, Score)
- In B5, type =AVERAGEIF(Category, A5, Score)
- In B6, type =AVERAGEIF(Category, A6, Score)
- In C3, type =MAXIFS(Score, Category, A3)
- In C4, type =MAXIFS(Score, Category, A4)
- In C5, type =MAXIFS(Score, Category, A6)
- In C6, type =MAXIFS(Score, Category, A6)
- In D3, type = MINIFS(Score, Category, A3)
- In D4, type = MINIFS(Score, Category, A4)
- In D5, type = MINIFS(Score, Category, A5)
- In D6, type = MINIFS(Score, Category, A6)
Then if you really want to get nerdy, you can save these scores with a date of when you completed the assessment and compare them to a future assessment to measure your personal growth. Early in your career, you may consider taking this self-assessment every six months. It will ensure you stay on your path while also helping you see how far you’ve come in a short period.
