DFIR Training Blog



Get out of learning mode!  aka: Break Your Groundhog Day cycle

I was speaking to someone at Infosec Europe last week about ‘getting into this field of infosec’.  I kept answering all questions with the same answer of telling the guy to get started and do something.  But the future DFIR’r kept telling me about all the training and schooling that he had completed, the training and schooling that he is planning to do, and what to do next. I was quite impressed with how much training already done, including earning a degree and having taken a dozen vendor courses.  I was disappointed in how much more he was planning to do before ever starting work in the field that he has spent years in learning, but not doing.

In short, I told him to stop his training and education right now and make this conference his last until he puts to work what he has learned so far.

He was stuck in learning mode, repeating courses and conferences over and over again with the expectation that competence will come to him. This is a terrible mistake. There is a point where you have enough training and education to start, where you can do the most basic of job tasks, and where you can apply what you already know to learn more through experience. To be stuck in learning mode is to never know what you can through practical applications.  Testing, theories, and essays are only part of the equation in becoming competent.

Don’t get stuck in learning mode. This applies even if you are competent in your field with experience. At some point, which is different for everyone, spending more time in education isn’t going to propel you farther than if you are actually doing the work, practicing that what you know, and discovering what is not being taught in class.  Avoid the point of diminishing returns on “learning” when you have more than enough to be “applying” what you have already learned. 

I’m not advocating to never attend a conference or training course, or not to get an advanced degree.  And I am not saying that experience is better than education.  I am saying that there is a balance needed between education and experience. Having a balanced portfolio of experience, education, and continuing learning builds your competence base much better than focusing solely on the academic or solely on the experience aspect of DFIR or any field for that matter.

When I say, “Get out of the learning mode!” , I am saying that in the manner of take what you have learned formally and put it to use physically.  You will still be learning, but you will be learning differently, and learning things you won’t learn in a formal training atmosphere. You will learn by doing, which will make your future formal learning that much more effective because you have had your hands on the things being talked about in a classroom.  

I used to sarcastically joke in my police days that some cops seem to be in training every other week and had taken so many training courses that the only training left was underwater handcuffing classes. Training and formal education, much like training wheels on a bicycle, is to get you up to speed to start working on your own where you can excel well past what any training wheels can do for you.

Break the Groundhog Day cycle. Put your knowledge to work and complete the path to competence by learning AND doing.


Written by :Brett Shavers

{rscomments option="com_rsblog" id="25"}