Security Mentoring

In January I reviewed Mike Rothman's Pragmatic CSO. Related to that book I saw my name mentioned in a post by Cutaway. He writes:

I am, however, more concerned about Mike’s approach to young security professionals. “Buy my book, it is a good approach for dealing with executive management” is not, in my honest opinion, an effective way of approaching our next generation. Sure, he has made the information available to the public, but security professionals are pummeled with literature almost on a daily basis. His book might be on the list of top purchases but where is the actual teacher to help with the interpretation to assist with the evolution of the concepts within an individual?

I understand Cutaway's concerns, but I think his request is unrealistic. I have plenty of experience with mentorship, starting as a cadet and continuing during my officer years in the Air Force. In my experience it is difficult for the mentoree to obtain mentorship (of any type) even when mentorship is a job requirement for the supervisor. In fact, my last commander asked me for job advice when I was leaving, rather than try to convince me to stay!

I wholeheartedly support Mike Rothman's recommendations for people to read his book. Does anyone think technical authors write books to make money? Almost no one can make a living being a technical author, unless you have very modest needs, no family, and have multiple books in print simultaneously and constantly.

So why write? Technical authors (and many others) write to share their ideas. One of the main reasons I wrote Tao was the desire to not have to repeat the same material whenever I trained a new analyst. Instead I could say "read my book, and then we'll talk." I think writing a good book has the capability to do far more good for the community at large than a one-on-one relationship. Books certainly scale better than people.

Speaking of people, those who you would probably want as mentors are most likely the busiest people you'll ever meet. Mike is running his own company. I'm running my own company. I regularly receive emails from students and others asking for help with their PhD topics and other issues. If I have the time to help I usually respond in the form of a blog post or a CC to a mailing list so what I say can be shared.

If you really want a human mentor I recommend joining a security association like ISSA, hanging out in an IRC channel with people you respect, and/or joining a company or organization to work for someone you want to emulate. I've done all three at various stages of my career.