Sierra Ward //
Last year I listened to a podcast* from Freakonomics that has stuck with me – in fact, I think it’s changed the way I think – powerful stuff from one measly podcast.
The episode was about the three hardest words in the English language. Take a stab at what those might be. Nope. They’re not “I love you.” They’re not even “I forgive you.” Though we can probably all attest to the difficulty of saying those particular phrases. In fact, the three hardest words are, “I don’t know.” On the surface, they don’t really seem that difficult, but in order to say them, we need to dig down to the darkest parts of our egos and admit what might seem like a failure. It makes us feel vulnerable in the worst way possible – especially when it comes to our job/survival.
What is it they say, “When you stop growing, you die?” I associate growing with learning, because life at its core requires learning: learning how to not get burned by fire, how to not be attacked by vicious beasts and other instances of extreme danger, and where to find food. The moment we give up on learning is the moment we curl into the fetal position and freeze to death. That sounds dire because it is. Learning is the most important aspect of being human. But there’s something important that has to happen before we can learn – we have to admit we don’t know, and that there are still things left to learn.
We’ve all been around teenagers. They’re sometimes obnoxious (we can be judgey because we were all once in their ranks!) mostly because they think and act like they know everything (annoying to those of us who realize there’s so much left to learn!). Perhaps this is an innate safety mechanism that propels them into life; if they realized how scary and daunting it really is, they would be paralyzed by fear. On the other hand, most people escape those fraught and traumatic years to enter into a phase of life where they realize just how ignorant they really are. When you learn more about anything you realize just how much you don’t know!
I think I can safely say from my conversations with some of our pentesters that what they really enjoy about this career is that no job is the same. There’s always something to learn, something different, and our pentesters get to utilize different methods to accomplish the job for each different client, even within the same industry. No day is the same; there’s always something new to do. I guess then I’m assuming that there’s always an opportunity to say, “I don’t know.” But is that okay to say in your job? Will a boss fire you if you admit you don’t know how to do every single aspect of your job?
John (our boss) has always put a huge emphasis on education. He spends a large percentage of his time teaching, both within SANS (504 woot!) and also doing educational ventures outside of that – our webcasts are almost always educational and most recently he’s helping to teach a kids’ Python class in the office. He’s worked tirelessly to build a culture within the IT community where we can learn from each other and grow in the InfoSec industry.
But you know what a culture of education and training means? We all need both to admit when we don’t know and to make this echo chamber a good place to learn – which means people feel comfortable admitting they don’t know something. We were all there once – naive, ignorant. My own experience in this industry (to which I’m brand new) has been a great one. I ask our staff for help with things I’m sure they consider super “dumb,” but that’s okay. They’re always willing to explain and I’m willing to learn. And I have learned a TON!
Do we expect anything less of the companies we do business with? Is it okay to do business with a company that will say, “Hey, I don’t know the answer to that, but I’ll find out and get back to you?” I really appreciate it when a company I’m doing business with can be frank and honest. Maybe it’s my own bias, but I realize companies are just made out of people, and people can’t possibly have all the answers all the time. I appreciate helpfulness and a willingness to approach each new problem with gusto to find the solution. BHIS isn’t any different. We come up against problems we’re not sure how to solve all the time – it’s why we love our jobs – because they’re always evolving (the InfoSec industry is changing daily) and giving us a chance to learn new things.
In conclusion, I’d like to leave you with this challenge: try to admit out loud to another person when you don’t know something. It can take a lot of courage to be that vulnerable, but just like everything else, it gets easier with practice. And on the flip side: listen when people are willing to admit that to you, recognizing that they are showing you a lot of trust. Then ask yourself this: how can we foster a culture of education? A culture where it’s okay to admit we don’t know but want to?