What a Teacher Wants InfoSec To Know, Pt. 1: Safety

Published: 2021-01-04

I would like to tell you this post is not inspired by Bean Dad. That's mostly true, although I'd be lying if I said he wasn't the inciting incident that made me tear down my website and rebuild it as a blog, finally moving off Medium. Anyway, welcome. Have a seat. We have some work to do.

Before I was a security analyst, I was an educator. More precisely, I was the Director of Technology for a number of schools, and before that an English teacher. I thought my entire career would be spent teaching children. Not so much, but that's a story for another time. Anyway, since my formal training is in fact in education, I wanted to discuss a few key concepts in the theory of teaching and learning that, for all the constant self-education in infosec, seem to have been missed. I am still learning my way through the technical forest of security, as well as the professional norms of this industry. Nevertheless, I'm hoping these kernels from my time in classrooms prove illuminating.

Let's start with the most important: safety. I'm not just talking about physical safety here—emotional, professional, really any and all definitions of safety apply. Nothing matters more, and without it, learning cannot occur. Put more simply:

You can't learn if you don't feel safe.

Whether that's, y'know, fear of hunger because your father won't show you how to use a can opener, or jerks on the internet telling you to "lol try harder n00b," or realizing you're the only person who identifies the way you do on your team, if you do not feel like you can try new things without some sort of reprisal, learning is just never gonna happen.

I learned this working as an English teacher for students who were either on their last stop before juvenile detention or the first stop after getting out. These were hurt kids, with a lot going on. Some were battling addiction, some abusive parents. I had students walk out of the building because of frustrations reading a graphic novel. Three attacked me with sharp objects. Here's the thing: these kids were, more often than not, brilliant. In particular, their bullshit detectors were so finely calibrated, they had no patience for the "game" of school. They knew what was actually important and what wasn't, and refused to play along with adults who were too part of the machine to call a spade a spade.

And yet, they also recognized that grades impacted their future, so they wanted to play the game enough to get by. There was no making my kids care about poetry without promise of a good grade. It was only when I essentially abolished grades as we knew them that I got them to a place of authentic discovery. Even then, success was rare. So much of their precarity was out of our control. But at least, in my classroom, I hoped to give them a space to worry less about their worlds and find some measure of joy in the material before them.

I'm not auditioning for the remake of "Stand and Deliver." I'm recounting this chapter of my life to implore you, infosec professionals, to be aware of whether you and those in your charge are safe to learn. If they aren't, then whatever expectations we set for ourselves and others will go unrealized, replaced with angst and regret.

Creating Safety

Low risk is the most crucial component of a safe learning environment. Learners, regardless of age, need to feel capable of experimenting without punishment for failure. This is where traditional learning models often work against their own objectives, creating highly punitive consequences for failed attempts. Seymour Papert, who pioneered teaching computer programming as a revolutionary kind of pedagogy, describes the cost of fear in learning this way:

If people believe firmly enough that they cannot do math, they will usually succeed in preventing themselves from doing whatever they recognize as math. The consequences of such self sabotage is personal failure, and each failure reinforces the original belief. And such beliefs may be most insidious when held not only by individuals, but by our entire culture.

If not instilled at a young age, it takes tremendous effort to convince learners of the reality that failure is a necessary part of learning, not a terminal negative outcome. Systems that only highlight how learners are not (yet) succeeding will always come up short when measured against systems that afford learners the time to iterate their experiments. The latter results in vastly better outcomes over time, even if individual learners may take varied amounts of time to arrive at success. But that's what the safety is for.

And what is the teacher's/mentor's role in such an environment? It isn't directly providing information, aka "lecturing." Sometimes that's helpful, but more often it's important to guide learning with questions. But you have to know when to give a little nudge in the right direction, and uh, not let kids starve for 6 hours. Learners can't feel safe if they don't feel supported.

If you do things for a learner, they learn nothing. If you disengage, they won't feel supported. If you do things with a learner, they acquire the knowledge they seek and feel encouraged to progress.

Which is why, ultimately...

"Try Harder" Sucks as a Culture

I'm not trying to start a fight here, although I'm sure I'll have plenty of folks with 0x Twitter handles ready to come at me for this one. The much-revered mantra of the OSCP elite is little more than gatekeepy nonsense. Here's why.

If a self-directed learner doesn't know the right questions to ask, then no amount of persistence will allow them to progress. Sooner or later, this frustration will turn inward and become self-doubt. It's all too easy, once possessed of knowledge, to forget how hard it was to acquire it, and rather than seek to help those on the way behind you, posture as superior because you arrived before others. Enough of that kind of feedback, and it's no wonder learners turn away from the difficult path.

Don't get me wrong: learning should be a challenge. Trying hard is a requisite for building skill. But when a dedicated learner seeks help and is dismissed, or worse, mocked, we have a problem.

Instead, what if we had a culture of "Welcome! We know it's hard, but we're here to guide you to the right questions." The questions, mind you, not the answers.

Learning how to ask the right questions builds self-reliance and deeper learning. Being told to try harder results in, well, hungry little girls who just wanted a can of beans.