Domain Expertise in the Cybersecurity Field

Lately, Phase One employees have been hearing a lot about the subject of “Domain Expertise.” Specifically, in the core Competency Area (CA) in which we specialize, what are we doing to ensure that we are continually growing in and demonstrating our knowledge of our core areas of specialty? Cybersecurity has been a rapidly growing competency area for Phase One, and for those of us in the cybersecurity field, continually maintaining domain expertise is an extremely important part of our responsibilities.
 
One of the things I love about working in the security industry is the never-ending challenge of new technology, new threats, new attacks and defenses.  Everything is constantly changing, and we must keep up or else risk being left behind.  If we don't know what’s happening in the field, then we cannot defend ourselves, much less help our clients.
 
The good news for security professionals is that there are myriad resources available to help us maintain our domain expertise.  There are news sites and blogs devoted to the latest security trends, technology, policy guidance, and events.  There are security conferences year-round, all over the world.  And there are numerous training opportunities for us to maintain our technical skills, or to learn new ones.  Best of all, many of these resources are free!
 
I'm occasionally asked by friends, family, coworkers, etc. for advice on security topics, or recommendations for resources.  The advice I give will vary depending on each person’s specific needs; but for those generally interested in maintaining a certain level of expertise in the security field, I believe there are a few things that will be helpful for everyone.  These are (in no particular order): keeping up with current events and analysis of those events; attending conferences and organizational meetings of fellow security professionals; and taking advantage of security training.
 
When it comes to keeping up with current events in security, there are quite literally thousands of blogs, news sites, mailing lists, etc.
 
For those involved in government security, the GovInfoSecurity site is a good one to keep tabs on: http://www.govinfosecurity.com/
 
Some of my other personal favorite* security blogs and news sites include:
Krebs on Security: http://krebsonsecurity.com/
Bruce Schneier: https://www.schneier.com/
NoVAInfosec: http://www.novainfosecportal.com/
Dark Reading: http://www.darkreading.com/
CSO Magazine Online: http://www.csoonline.com/
SC Magazine Online: http://www.scmagazine.com/
 
But this is by no means an exhaustive list, even of sites that I read regularly.  
 
*Note: Every blogger has their own opinions on numerous topics; the fact that I am linking to a blog does not imply my agreement with or endorsement of any particular viewpoints expressed by those authors.
 
Next, attending events where you can meet and interact with others in your industry can be a great learning experience. You meet interesting people and build out your professional network, and can attend presentations on any number of topics of interest. Security professionals love conferences (“cons”), and you can find one to attend pretty much anywhere in the world, wherever you happen to be. Here is just one list of security conferences in 2014:
http://www.concise-courses.com/security/conferences-of-2014/
 
Even that list is not comprehensive.
 
In the Washington DC area, there are some upcoming events that may be of interest to those in the government security field.
 
Next week is (ISC)² CyberSecureGov, taking place June 2 & 3 in Crystal City (Arlington), VA:
https://www.isc2.org/EventDetails.aspx?id=11613&display=eventdetails
 
Also next week is the DC Metro Cyber Security Summit, taking place on June 5 in Tysons Corner, VA: http://cybersummitusa.com/css_dc/
 
DC area professionals can also keep an eye on the calendar of events at NoVAInfosec:
https://www.novainfosec.com/full-calendar/
 
Finally, it is important for all security professionals to keep up to date with training.  Some of the best (though more expensive) security training can be found from SANS (http://www.sans.org/).  SANS has numerous courses on any number of security subjects, and they host training conferences all over the US (and the world).  The closest one to the DC area is coming up in July 2014:  http://www.sans.org/event/capital-city-2014
 
There is also one in Baltimore in late June:
http://www.sans.org/event/sansfire-2014
 
In addition, SANS hosts regular online webcasts on various security topics, and these are available for free:  https://www.sans.org/webcasts/
 
Other training vendors, on security and other IT topics, include Global Knowledge (http://www.globalknowledge.com/) and Learning Tree (http://www.learningtree.com/).  Online security-specific training is also available from organizations like eLearnSecurity (https://www.elearnsecurity.com/) and Offensive Security (http://www.offensive-security.com/).
 
Finally, if there’s any particular subject you are interested in, there is always Google and YouTube.  You'll be amazed how much free instruction is available online from fellow security professionals eager to share their knowledge.
 
There is much more out there, and this is just a brief introduction to available resources, but I hope this helps get you started.  Good luck!