How to Find an InfoSec Mentor

BB King //

We got an email from a fan today asking how best to find a mentor in information security. Maybe you’re looking for a mentor too. It’s a great question.

Much of the advice you see for people looking to make their start in infosec is something like, “Work at the helpdesk or in system administration for a while.” This gives you a chance to see computer systems and networks at work in the real world, and to experience their limitations first-hand. It’s good advice. The only problem with it is that there is no clear signal telling you when you’re ready to move on. Systems administration is a career in itself. We need these people! But if you want to use it as a stepping-stone to other things, how do you know when you’ve learned enough?

There are careers with a clear path of advancement. In the trades (carpenter, electrician, plumber, etc) it’s apprentice, journeyman, master. For the true professions, (doctor, lawyer, accountant, etc) there’s higher education, internships, exams, an oath, and acceptance in a professional society. It seems like “a career” is what you end up with after you’ve completed some third-party validated set of requirements.

In information security, we don’t have that, and sometimes it feels like it’s missing. Maybe a mentor could take the place of all the structure and clarity we don’t have built-in. If so, then “finding a mentor” seems like just the thing to fill the gap between “No accepted formal path,” and “…but I don’t know enough yet!”

Or perhaps not.

“Mentor” implies a deep and long-lasting relationship, and invites a heavy influence on you. Consider some lighter-weight options:

  • Maybe you want a partner to work on a project.
  • Maybe you want a peer to talk with over lunches.
  • Maybe you want a friend or a coach to help you set goals and hold you accountable for progress.
  • Maybe you want a place where helpful people hang around.
  • Maybe this “mentor” doesn’t have to be a single person at all.

The path to entering one of the true professions can be attractive because it’s so clear. But there are lots of paths to a career in information security. Don’t be too quick to accept someone else’s path as the right one for you.

Before you decide that a mentor is what you need, first decide what you expect out of the relationship – on both sides. Be clear in your own mind so you can be clear when you pop the question. Then look for someone local to you. Approach someone you already know or whose path crosses yours regularly. Find a more senior security person at your company or someone in a local security-related meetup. Describe the role you have in mind for a mentor, how you plan to fill your complementing role and ask them if they’d be willing to build a relationship like that with you.

Whichever route you choose, there’s one thing you can do that can help you develop your reputation and consolidate what you learn: Share what you’re working on. Blogging is still the best outlet. Your blog will be a body of work you can point to that says, “Look at this: I’m doing the best I can, in these particular areas. I’m doing better now than I was six months ago.” Produce something that proves you’re not only willing to do to the hard work (because lots of people say that), but that you’re already doing it. Post whatever you did on your project this week, even if it feels like a series of failures. If you spun up a Digital Ocean droplet, installed some software, and got your blog running there, then that’s your first post: “How I Set Up My Blog and Why I Chose What I Chose.” Show your thought process.

A good mentoring relationship can get you guidance and encouragement that you can’t get anywhere else. But you may find that you don’t really need something so heavy and involved as a “mentor” after all. Maybe you just need a little bit of focused interaction with others now and then as you learn for yourself that we’re all just making it up as we go, and you can make stuff up, too…



We think BB is pretty cool …but we might be biased.

Why not find out for yourself and take a class with him?

Modern WebApp Pentesting

Available live/virtual and on-demand