The Best Advice You Could Ever Get About Learning in Cybersecurity

Sometimes when I lie in bed at night, I gaze into the abyss (ceiling), and ponder on just how much more there is to learn in cyber. 

It’s nuts. 

The learning never stops. 

It’s constant. It’s real-time. It’s insane. 

24 hours a day, 7 days a week, you must: 

ABL
(Always Be Learnin’)


When it comes to cybersecurity, there is an overwhelming amount of information. It can be easy to get lost in it all and feel like your mind is spinning 24/7.

The more you learn, the more you realize how much you don’t know.

For example, let’s say you spend a lot of time and effort to pass a tough exam. You finally take the exam and you’ve passed. You feel amazing, confident, and proud.

However, after this short-lived honeymoon phase, your mind has been stretched out and expanded from all your learning. You become hyper-aware of all the skills or knowledge gaps you have (“conscious incompetence”; read about it here and here). You understand how important it is to acquire these new skills and knowledge as a security professional. The learning process starts all over again in this stage and you’re back at “Day 1”.

The cybersecurity wheel of learning and knowledge can feel heavy and daunting. It’s normal to feel like you’re making progress sometimes and feel overwhelmed or discouraged other times. What’s not helpful or productive is fixating on negative thoughts or feelings and allowing them to hijack your thinking and compromise your mind’s operating system. 

When you ponder on the vastness of the cybersecurity universe, it’s easy to feel like you’re in over your head. It’s also easy to fall into the “I don’t know enough” or “I’m not good enough” trap, or to start doubting your abilities (imposter syndrome anyone?). However, it’s important to remember that these thoughts are detrimental to your performance, learning, and success. You need to work on resolving and remediating these issues so that you can perform at your best.

If you’re feeling overwhelmed or discouraged in your cybersecurity journey, here are four pieces of advice to help you get back on track:

  1. Don’t underestimate (or forget) the power of accumulated knowledge, or what’s referred to as “the compound effect.” 

The compound effect is the idea that small, seemingly insignificant actions can lead to huge results over time. You don’t need to do anything dramatic or drastic to achieve your goals – just learn a little bit every day, make a few small changes daily, and you will see the radical difference. 

When I first started, things moved slowly. It wasn’t until I was consistent for a while that I realized how much I had improved and how much knowledge I had accumulated. I didn’t feel that way during the day-to-day; it took months or even years to get to that point.

During the day-to-day, however, I [still] feel like I’m always just “trying to catch up” because the field is so ever-changing and fast-paced. The feeling of feeling behind. Keeping up with the latest threats, tools, tactics, techniques, procedures, frameworks, threat indicators, methodologies — it’s nonstop. And it’s also completely normal. 

So remember, you might always feel like you’re moving slowly in your development, during the day-to-day, week-to-week, month-to-month. Learn to be comfortable with this feeling. It’s the nature of the beast. Don’t let it deter you. Because with consistency, resilience, and stick-to-itiveness, you will one day wake up and feel like an expert in your particular domain. Which leads me to my next piece of advice.

  2. Decide to become an expert.

Becoming an expert starts with making a decision. Don’t wait for the day to come. Instead, make that decision today that you will become an expert. After you’ve made the decision to become an expert in your particular domain or sector, you need to start behaving like one. This may mean taking on a new role before you feel completely comfortable or ready. Making this decision requires a level of commitment – you can’t half-ass it. Make a real decision.

Once you’ve made the decision to become an expert, stepping into that role will force you to be the best at what you do. It will affect all that you do from how you think, how you study, how you spend and manage your time, the decisions you make, the thoughts you have, etc. It’s a bit of a mind game, but as humans we seek to be congruent with who we think we are. 

So if you claim to be an expert, you will almost always subconsciously and consistently look for ways to improve your skills at a much higher level, so you actually become more congruent with expert status. This is 1,000% more empowering, beneficial, resourceful and valuable to your success.

Where your attention goes, energy flows. Our brains are wired to seek out what we focus on, so if we set our sights on becoming an expert, our reticular activating system will lead us to the information, people, and resources that will support that expert status. We will find the path to get there.

  3. Remember: The Learning Never Stops

It cannot, will not, and should not. 

That’s just the nature of the beast.

One of the key reasons I was drawn to cybersecurity in the first place was because it is a field that is constantly changing and evolving. I am always learning something new, and that is one of the things I love about it. Cybersecurity is one of the best fields for highly curious and hyperactive minds. (ADHD anyone?)

I think about the goals and targets I set for myself. Whether it’s a new certification I’m after, or reaching a certain level of competency or knowledge in a particular domain — I need to be constantly learning in order to stay ahead of the curve. 

In this world, the threat landscape is constantly changing. New vulnerabilities and new attacks are being developed all the time. As a result, we need to be on our A-game when it comes to learning.

Think of it like this: would you ever dream of running an old version of your computer’s operating system? Of course not! Doing so would leave you vulnerable to all sorts of security risks. The same is true for your brain and mind. If you don’t regularly update and patch your mind, you’ll find yourself vulnerable to all sorts of mental risks. By updating your knowledge and skills on a regular basis, you can ensure that you are able to effectively protect systems and data.

If you’re the kind of person like me who has an unrelenting curiosity about the world and how things work, then cybersecurity is the perfect field for you. Your curiosity will lead you to more questions, and ultimately more answers. However, sometimes there are no easy answers. That’s when your curiosity is really useful, because it drives you to find solutions to various security problems. For example, you might need to figure out how to hack into a web server during a penetration test, or research and analyze security events during an investigation. Or you might have to go through logs and IOCs to try to track down the source of a DDoS or phishing attack. Whatever the challenge, you always have to be at the top of your game, and always learning new things (ABL – Always Be Learning!). And that’s what I find so stimulating, fulfilling, and exciting.

To conclude, my final tip that has given me the most significant return on investment in this field…

  4. Focus on one thing at a time.

There are a lot of different schools of thought when it comes to learning in cybersecurity. And with so many different options out there, it can be hard to know where to start. But if there’s one piece of advice I can give you, it’s this: don’t try to do it all at once.

I know you might be tempted to try and learn everything there is to know about cybersecurity all at once. But the truth is, that’s just not possible. And even if you could manage to do it, you wouldn’t be able to retain all of that information. You’d go nuts (take it from me lol). It is better to focus on one thing at a time so that you can retain the information and use it effectively.

So my advice is to start small and focus on one thing at a time.

If you want to learn pentesting, focus strictly on pentesting and put in your time.

If you want to learn incident response, focus strictly on incident response and put in your time.

If you want to learn digital forensics, focus strictly on digital forensics and investigations and put in your time.

If you want to learn effectively, you need to focus on your chosen field and immerse yourself in it. This is like when you’re playing a video game and you’re so into it that you don’t even hear people around you. You’re just focused on the game. That’s what you need to do with your chosen field.

Trying to learn too many things at once is like trying to protect yourself from all threats at once: it’s just not possible. Instead, focus on learning about one specific area of cybersecurity. By immersing yourself in that area, you’ll be better able to learn the ins and outs and eventually be able to protect yourself from all kinds of threats.

The best part is when you have learned one area well, you can move on to another and your knowledge and skills will carry over.

I can speak from experience when I say that learning pentesting first, then moving onto the blue team/defense side made a lot of sense and strengthened my understanding. Being a generalist isn’t a bad thing, but it’s good to have deep knowledge and skill in at least one area (see point #3 above about becoming an expert).

Whatever you do, don’t try to do too much all at once. Start small and focus on one thing at a time. By taking things slow and concentrating on one thing at a time, you’ll be able to retain the information better and eventually become an expert.

This makes me think of a quote a friend once told me, which I found to be true:

“Slowly is the fastest way to get to where you want to be.”

In conclusion, there is no silver bullet when it comes to learning in cybersecurity. The most crucial element is to have a passion for the subject and a willingness to learn. With that said, these 4 pieces of advice are some of my personal guidelines and tenets I try to live by. I am not perfect at following them, and I have difficulties as well, but it’s definitely my baseline that I always return to. I hope they can help you get started in the field or continue to develop your knowledge and skill.

    1. Persist. Always Be Learning. Keep going. You will become an expert if you never give up and always keep learning. The compounding effect is real, so trust the process and persist even when things move slowly or feel slow.
    2. Decide. Today is the day. Decide now to become an expert in one particular domain. It all starts with a choice.
    3. Remember. The learning never stops. It is constant and never-ending. This is one of the key reasons you were drawn into cybersecurity in the first place. It’s what keeps you on your toes and stimulates you.
    4. Focus. On one thing at a time. Don’t be like a machine gun aimlessly spraying all over the place. You want to be like a sniper (or good hacker): calculated, patient, zooming in on one target at a time. One cert at a time. One topic at a time. Get distracted and you will miss (or get caught).

Stay Frosty, Stay Ready, and Stay Prepared,
-Ahmad Hakimi

About the Author: Ahmad Hakimi

Just another security dude on the Internet with a blog who drinks lots of coffee and knows how to exit vim. In all seriousness, though, I'm just a guy who's passionate about cybersecurity and enjoys sharing my knowledge with others. I hope you find my blog helpful and informative!
