Curiosity and the ability to learn on your own are musts!

TLTR (too long to read): Brief Synopsis

  • If you have been in or around information technology (IT) for a while, you know the importance of being able to learn new things as technology is constantly evolving. Being in information security goes beyond that, because you will often be required to learn new technology you have never experienced in order to secure it or work an incident.

  • You will need the ability to learn on your own, as companies will not always be able to send you to training before you have to build safeguards for, troubleshoot problems with, or use and review logs from a new piece of technology to analyze and resolve an incident. On the same note, you may be the only information security engineer around and will be on your own when working an incident or helping infrastructure teams troubleshoot a potential security issue.

  • To be successful in information security, you should be a curious person. You will need the passion to figure out the who, what, when, and why in detail and not just look for the easiest, quickest way to explain something away. For example, when responding to an incident, it is more important to get the answer right than it is to produce an unproven answer, or a guess, fast.

Detailed post:

Two of the most important characteristics for people in information security, cybersecurity, or information technology in general are curiosity and the ability to learn on your own.

Curiosity is important to be great in information technology, but it is even more important to be successful in information security, as you will often be called upon to build safeguards (security) for, or troubleshoot, technology you have never had previous experience with. Likewise, you must have the desire to learn new things, discover why something is showing up in logs, and continually search for ways to stay in front of not only external threats, but insider (internal) threats as well.

If you are a person who looks for the easiest or quickest way to explain something away without researching (or not wanting to research/learn) why something is the way it is, you will not be successful in information security. Unfortunately, I've seen it way too often. Someone sees something in the logs and has an answer in 2 minutes with little or no research into what actually caused the problem, or at least into finding evidence to prove their theory. For example, the SIEM is reporting a brute force attempt from a developer's workstation to a server. I've seen senior engineers say, "Oh, that's just a developer testing a script." Really?! Until you ask that developer and confirm it's them, there's no way to know for sure. Sure, the developer may have a script/process running and forgot to change the password, but it is also possible that the developer downloaded a piece of malware, or that someone compromised their workstation and is using it to brute force, counting on someone assuming it's normal behavior. You must have a curious nature and be driven to find out why the brute force is occurring. Even if you have a theory that is completely feasible, work to prove it, because being wrong could have dire consequences. Reach out to the developer and make sure, or use the tools at your disposal to analyze their workstation.
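To make "work to prove it" concrete, here is an added example (not from the original post) of what running down that brute force alert with evidence looks like. It parses a constructed, simplified authentication log (one space-separated key=value event per line; the format, host names and thresholds are all assumptions for this illustration, not any real SIEM's schema) and summarizes each source host: how many failures, whether any login succeeded after the failures began, how many distinct accounts and targets were touched, and over what time span. A single account failing at a steady rate with no success is consistent with the "stale password in a script" theory and still needs confirmation from the workstation owner; many accounts from one host, or a success following failures, is not explained by that theory and should be escalated.

```python
"""Evidence-first triage of a SIEM brute force alert (illustrative example).

Assumptions (not from the original post): a constructed log format with one
event per line, "<ISO timestamp> src=<host> user=<account> target=<host>
outcome=FAIL|SUCCESS", and the illustrative thresholds in assess().
"""
from datetime import datetime

# Constructed sample events (not real data). dev-ws-17 retries one service
# account; dev-ws-22 walks through several accounts and finally gets in.
SAMPLE_LOG = """\
2024-05-06T09:00:00 src=dev-ws-17 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:01:00 src=dev-ws-17 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:02:00 src=dev-ws-17 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:03:00 src=dev-ws-17 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:04:00 src=dev-ws-17 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:10:00 src=dev-ws-22 user=admin target=app-srv-02 outcome=FAIL
2024-05-06T09:10:01 src=dev-ws-22 user=backup target=app-srv-02 outcome=FAIL
2024-05-06T09:10:02 src=dev-ws-22 user=jsmith target=app-srv-02 outcome=FAIL
2024-05-06T09:10:03 src=dev-ws-22 user=svc_build target=app-srv-02 outcome=FAIL
2024-05-06T09:10:04 src=dev-ws-22 user=root target=db-srv-01 outcome=FAIL
2024-05-06T09:10:05 src=dev-ws-22 user=jsmith target=app-srv-02 outcome=SUCCESS
"""


def parse_auth_log(text):
    """Turn the constructed key=value log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(timestamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def assess(summary):
    """Illustrative heuristic (an assumption, not a standard): map the
    evidence to a next step. Order matters: a success after failures is the
    most urgent finding regardless of how many accounts were tried."""
    if summary["success_after_failure"]:
        return "ESCALATE: a login succeeded after failures; a credential may have been guessed"
    if summary["distinct_users"] >= 3:
        return "ESCALATE: many accounts tried from one host; not explained by one stale script credential"
    if summary["distinct_users"] == 1 and summary["successes"] == 0:
        return "PLAUSIBLE stale credential: single account, failures only; confirm with the workstation owner"
    return "UNCLEAR: gather more evidence before closing the alert"


def triage_source(events, src):
    """Summarize everything one source host did, so the analyst argues from
    evidence rather than from the first explanation that comes to mind."""
    mine = sorted((e for e in events if e["src"] == src), key=lambda e: e["ts"])
    if not mine:
        return None
    failures = [e for e in mine if e["outcome"] == "FAIL"]
    successes = [e for e in mine if e["outcome"] == "SUCCESS"]
    first_fail = failures[0]["ts"] if failures else None
    success_after_failure = first_fail is not None and any(
        s["ts"] > first_fail for s in successes
    )
    summary = {
        "source": src,
        "failures": len(failures),
        "successes": len(successes),
        "distinct_users": len({e["user"] for e in mine}),
        "distinct_targets": len({e["target"] for e in mine}),
        "span_seconds": (mine[-1]["ts"] - mine[0]["ts"]).total_seconds(),
        "success_after_failure": success_after_failure,
    }
    summary["assessment"] = assess(summary)
    return summary


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    for src in sorted({e["src"] for e in events}):
        report = triage_source(events, src)
        print(f"{src}: {report['failures']} failures, {report['successes']} successes, "
              f"{report['distinct_users']} accounts over {report['span_seconds']:.0f}s")
        print(f"  -> {report['assessment']}")
```

Even the "PLAUSIBLE" outcome is only a hypothesis that is consistent with the log; the script deliberately ends with "confirm with the workstation owner" rather than closing the alert, which is the point the post makes.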

If you aren't curious enough to find the answer when you see something you can't explain, you will not be very successful in information security. Being curious to the point where you want to run down an alert to find out exactly why it's happening, or curious enough to run tests to ensure a security configuration is working correctly and would trigger an alert, might be the single most important trait required to be successful in information security.

Another important trait is the ability to learn on your own. There are people in information security willing to mentor/train others, such as myself, but there will be times when you are the only information security person available to handle an issue. There may also be times when you are the senior member of the team, which means there are junior people looking to you for help and guidance. There may also be times when the company doesn't have the budget to send you to training, but you are responsible for rolling out a new security tool. You must be willing and motivated to find the answers on your own, or to learn how to configure security tools without previous experience or training, by performing internet searches, watching YouTube videos, and/or building a lab at home to test things. One of the greatest opportunities we have today, that I didn't have when I started, is the ability to download open source software and install it on cheap hardware. You can take an old computer you have lying around, or purchased cheaply, and install Kali Linux. Then watch videos or read instructions on how to use the tools within Kali Linux. There are a myriad of open source tools you can download and tons of videos or blog posts of people showing you how to use those tools. The hardest part of the whole process is finding time to do it all, and unfortunately there's no answer to that other than setting a schedule and committing to it.

Now for some real life examples of what I mean...

I remember I overheard a security engineer ask another security engineer, "How do you do such and such in PowerShell?" I don't remember the exact content being asked, hence "such and such", but the other security engineer replied, "I only know a couple of things in PowerShell" and followed it up with, "You will need to search the internet for that, since I don't know." The asking security engineer got extremely frustrated and lashed back with, "WELL, WHAT DO I SEARCH FOR!?" We weren't talking about a junior engineer here. I asked myself, "How does an IT person with over 18 years of experience not know how to search for something on the internet?" The security engineer that lashed out wasn't a very pleasant person to work with, but I refrained from saying anything negative and offered to help. I typed the question into a search engine and used it as an opportunity to teach them how to find the answer to a question.

I think to be truly successful in information security, or information technology in general, you must be resourceful, have initiative, have the ability to learn on your own, and more importantly be curious.  Having a curious nature makes you want to know the answer to something or how something works, which leads you to do whatever it takes to get the answer.

When I started monitoring my first phishing mailbox, I thought to myself, "How do I analyze an attachment in an obvious phishing attempt?" I hit the internet and found numerous tools such as Sysinternals, oledump, pdf-parser, REMnux, etc. I also found other free tools using Cuckoo sandbox to analyze the attachments I was finding in phishing emails. I then used the information I discovered using the tools provided and read every line output by the free sandboxing tools to learn all I could. If I hadn't been curious, resourceful, able to learn on my own, or shown initiative, I would have never figured it out. The company didn't have the budget to send me to training and there was no one else on staff to teach me, so I was on my own. One word of caution though: be careful what you upload to those free sandboxing services or VirusTotal, as you could be the reason data is compromised if it turns out the file you uploaded contained sensitive company or client information.

Being curious by nature has also helped me track down things I've seen in logs. I saw something that looked extremely off to me one time in Splunk. I went to the team responsible for what I was seeing and they said it wasn't anything and didn't seem interested in finding out more. I knew someone was going through a lot of work to do what I was seeing in the logs and I knew they had to be getting something out of it. No one would go through that much work for no gain. I was curious and driven to find out what was going on. To make a long story short, I ended up catching thousands upon thousands of dollars in fraud. If I hadn't been curious by nature and had accepted the first thing I was told, I wouldn't have discovered the fraud. I impacted the bottom line of the company because I was curious and, in essence, didn't take no for an answer. I don't want to go into details as it would give people inside tips on how to commit fraud, but I think you get the idea without the details.

When I interview people, one of the most important characteristics I look for in a candidate is curiosity. I truly feel being curious is what sets a great infosec engineer apart. Almost equally important is the ability to learn on your own, and again I think curiosity is a big factor that drives the ability or initiative to learn on your own.