The Impact of a Practitioner's Mindset
Massively increase your career prospects, confidence, and productivity
Let’s start at the top - What is a Practitioner’s Mindset?
The way I would explain this is a focus on direct application of knowledge, skills, and persistence to achieve an outcome. “Direct” meaning a hands-on approach over a theoretical one. A hands-on approach means focusing on skill acquisition, applying those skills toward solving a problem, assessing the attempted solution, and then iterating by identifying what improvement, in which skill, will create an even better solution.
Why is this important? Personally, I believe the cybersecurity industry, and our economy at large, is at the beginning stages of a rapid shift towards this mindset. Obviously, we’ve always needed “do-ers” who can get things done, but typically, that’s also been accompanied by large corporate structures with lots of people working “around the problem” but not directly on it. And I don’t mean to denigrate the value of those roles; it takes a team to solve big problems. But, as technology and the tools available continue to mature, people can be significantly more productive than before. Not just the new hotness of LLMs (though, a significant factor) but also a plethora of other tools. Think of all the software that has hit the market that makes things like project management, policy creation, documentation, communication, etc., much simpler than ever before.
A lot of people have made a lot of predictions about the impact of AI on the future of work, and I don’t want to dwell too long on this, but there are some important factors to consider. As LLMs have shown us in 2023, they are incredibly adept at helping humans. While I don’t believe they will ever replace humans, I do think they will dramatically change how people work going forward. They will help supercharge productivity and dramatically improve technical skill development. It will not reduce the need for technical skill though. I believe it will put an even bigger premium on these skills. Now, anyone can generate a Python script or SQL query in an instant but if you don’t thoroughly understand what you’re trying to accomplish in the first place, you’re still going to go in the wrong direction, but much faster! The underlying knowledge and skill of what you are employing will be crucial.
The impact of lack
In the earlier parts of my career, I worked in several environments that severely lacked people employing a practitioner’s mindset. There was no shortage of people who would be fast to share their knowledge of how things “should be” but could not articulate a realistic plan to meet this objective. Why is that? Because when you use a theoretical mindset to solve problems, by definition, you are not working with reality. It can be so easy to tell people how things should be, but if you don’t know the reality of how they really are, you’re missing the most important part of the puzzle.
Leading a team of people performing a job without having done that job is an example of this. If you have done the job before leading a team, it becomes significantly easier to understand the reality of the problems the team faces. Leading a team in a job you haven’t done before is not impossible, but I believe it puts you at a massive disadvantage. You can make this up with superb management skills and hiring top talent, but once you hire them, you’ll need to be able to trust them to a very high degree. Not to say a practitioner manager shouldn’t trust their team, but having firsthand experience in the role you are managing means you can mentor and teach them to acquire the skills required. Which is an underrated skill itself. At times, it can be very difficult to know what skills are needed to overcome not just the problems of today, but in the future as well.
Regarding the future, practitioners are much more likely to accurately predict the future of their field than someone who is working only with theory. Again, it can be really easy to fall into the trap of identifying how things “should be”, completely missing key details that would inform why problems came to be in the first place.
People who wish to build careers in specific fields but want to jump directly to “strategic” type roles put themselves in a difficult position right off the bat. Think of it this way - if you were an athlete, would you want to be coached by someone who merely studied the game, or someone who played the game (at least at some level) AND studied it? Being hands-on in the field gives you a much stronger ability to empathize with and understand the struggles of your team, once you’re leading them. You need to spend at least some time in the trenches of your field to maximize your ability to strategize and be an effective leader. Jumping directly to strategic roles may be much harder in the future, as skilled practitioners begin ascending in their careers.
Building the mindset
It has never been easier to acquire the skills needed to build. The friction to learn to code has never been lower. There is an endless number of tutorials to learn your programming language of choice. There are many languages specifically designed to be relatively easy to pick up. We have chat bots that can give you direct and hands-on tutoring. We have Copilots that will code alongside you. We have public cloud offerings that are made to make deploying applications less complicated. Want to learn to hack? There are hundreds of resources that cover dozens of niches of hacking, Discord servers filled with people who love to help others, and no shortage of targets to test your skills on (legally, of course). This also applies to other fields, including more careers operating in the “real world”. Want to learn woodworking? There are probably hundreds of YouTube videos that will get you started from the very first steps. All the resources you need are out there, you just need to look for them!
In order to get started, you also need to take personal responsibility for your learning. It’s not to say others won’t help you, but there’s a saying I always come back to: “People want to help people who help themselves”. Which on its face, sounds kind of ridiculous, but bear with me. Have you ever tried to mentor someone but they just don’t seem to take a lot of initiative? It’s a very frustrating experience. Some people merely want to be spoon-fed and hand-held through this journey of acquiring knowledge. The problem is, everyone’s path is a little different. Everyone’s knowledge acquisition works in slightly distinct ways. Everyone’s interests diverge in unique areas. It’s impossible (and very taxing) for a mentor to cover all these edges for you. You must be the one in the driver’s seat of your learning, with your mentor there to help you fill in the blanks or sometimes identify them!
Speaking from personal experience, one thing that I think keeps people from diving into learning the technical aspects of security, or other industries, is fear of the unknown and self-doubt. It can be so easy to become overwhelmed, especially in today’s world of information overload. It’s easy to look at very mature solutions and think “I’ll never be able to get to that level of understanding and skill”. But, here’s the best part - you don’t need to. If you want to work in Security Operations but you’re intimidated to learn Python, the reality is that if you can just learn how to write Python well enough to call an API, gather some data, look for specific pieces of information in that data, and then take some action based on what you find, that is probably 80% of what you need to get started. That sounds like a lot, but once you actually do it, you’ll be surprised how uncomplicated it really is. You don’t need to know how to write full-on algorithms to get started. Maybe one day it may make sense, but that is much further down the road for most.
Another force of resistance I’ve noted in myself and others who are getting started - overcomplication. When I was first learning to use Linux, I was convinced that if I didn’t have the most l33t setup, customized to my absolute perfection, it wasn’t good enough. If I didn’t have custom themes for my bash terminal, how could I be expected to code? What kind of hacker uses plain old base Kali VMs?
Ignore this noise and impulse. Some of the best engineers I know use the most basic setups possible. Why? Well, for one, it takes less time to get into the actual work itself. But also, customization nearly always breaks and causes unexpected behavior. It just creates opportunity for endless distractions. I don’t want to speak for anyone else, but I realized that this was just a form of avoidance and procrastination. Creating cool setups is fun and I love seeing useful customization, but it cannot take priority over the work itself! Eventually, it may make sense to do these things, but not when you’re starting out. Let the problems emerge in your day-to-day workflow and solve them once they’ve become an obstacle.
A lot of people overestimate how much it will take to learn 80% of what is needed to get started in any venture. If you can just figure out your preferred way of learning (audio, visual, hands-on, etc.) and then apply that towards something that can help you solve a small but potentially impactful problem, you’ll be well on your way to becoming a practitioner.
It’s all about feedback and iteration. As you work more, you’ll encounter more problems, which will force you to learn a new skill, then you apply that skill and voila! You just improved and now have added to your practitioner toolbelt.
I believe this mindset is the ultimate hack to improving your career prospects, fulfillment in your job, improving confidence and so on. It feels good to be able to use your skills to solve a problem that is having a real impact on you or your team. It creates a lot of value for those around you. It creates feedback loops that will begin to compound your skills and subsequently the value you can bring.
So, go forth and build! Or break, if that’s more your thing ;)
Shameless Plug
If you want to see a practitioner mindset in action, I have teamed up with my good friend Harrison Richardson to create Ars0n Security. We are offering all sorts of cybersecurity consulting services, by leveraging our experience securing the infrastructure of companies from large to small, but particularly specializing in modern SaaS businesses.
Because we are a small team with essentially zero overhead, we can offer our services at incredible prices. If you need help with a solid penetration test of your application/cloud environment or just need help building a new solution for the security of your business, please reach out!
Additionally, if you are currently working in security or you are interested in learning how to get into the industry, come check out our Discord server! We have hundreds of people from all ranges of experience focused on two things - improving our skills and helping others!