In this post, I'm sharing my favorite resources to stay on top of all the things cloud, security, and self-improvement—because mental well-being is crucial to success.
Life has been hard the last two-plus years. The pandemic upended society with little assurance of returning to our old 'normal.'
Cybersecurity is a tough industry. For less-experienced folks, there's a surplus of topics and domains they're expected to be an expert in. As a starting point, entry-level cybersecurity analysts should be versed in network security, operating system administration, Python scripting, and cloud infrastructure. Today, the industry expectation is to compress what used to take years of knowledge acquisition into table stakes requirements to break into any cybersecurity role. As a result, veterans who've cut their teeth for years, even decades, find themselves needing to stay on top of all of the neverending flow of technology developments and vulnerability information.
Cybersecurity Burnout Is Real (and What to Do About It)
Whether you're a new employee or a seasoned one, one thing is for certain - burnout is real. As I mentioned earlier, cybersecurity is tough work - the hours can get long, it's constant gloom and doom, and attackers aren't taking time off. According to a Forrester study, SOC teams receive an average of over 11,000 daily alerts. As a result, anxiety, and stress are simply way too high.
"The burnout in security is primarily because we're in a field where at least if you're on the defensive side, you're constantly trying to prevent something bad from happening, so you have relatively fewer things to celebrate."
Jason Chan, former VP of Security at Netflix
(Cyber Therapy, Episode 10)
In turn, we continue to see a rise in security resource shortages globally, which ultimately connects back to increased risk for any company. If your companies don't fully staff security practitioners or experts, it's likely that issues like systems misconfigurations, unknowingly exposed cloud workloads, and more riddle your security posture.
"Okay ...tell me something I don't know ...."
...I got you, cybersecurity fam!
The constant stresses from zero-day vulnerabilities to misconfigured cloud workloads can quickly turn into employee overload with potentially dangerous consequences. So here's how I turn down the pressure:
- Be self-aware, and take note of your mental health. Reach out to your senior leadership and advocate for the types of resources, tools, support, or training you need to do your job well.
- Advocate for automation and tools that simplify your workflows. Find potential areas for automation and points where you can work smarter and align with the business. It will decrease your workload and stress in the long term. For example, all-in-one platforms like CAASM can streamline SecOps workloads and consolidate data.
- Leverage existing security resources to stay up to date. It's easy to get overwhelmed with the constant influx of new attacks and open vulnerabilities. How do you know which sources to trust? Which ones should inform your next steps to improve overall cybersecurity? To help cut through the noise, I've compiled a resources list vetted by a community of security experts.
13 Cybersecurity Resources for Your Everyday Cloud Security, SecOps, AppSec, and More ...
The following is how I stay up to date on the latest technologies, threats, developments, all while prioritizing self-growth and mental health. These resources provide actionable content and information that you can take back to your team and use immediately.
Note: (A indicates it's one of my favorite publications I subscribe to below.)
Technical Security Knowledge
Security technology changes every day—everything from emerging to legacy solutions matters and can impact your security strategy and workflows. Understanding the latest technical updates across every branch of security is a challenge but a necessity for the "Swiss Army knife" security professional.
CloudSecList (newsletter) and CloudSecDocs (repository): Marco, Staff Sec Eng @ GitLab, curates the weekly digest of the biggest happenings within cloud security, latest news headlines, the shiniest tooling, and security releases from the major cloud infrastructure vendors: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure. CloudSecDocs is an incredible trove of resources for leveling up knowledge within cloud security domains, such as containers, DevOps, and engineering.
Last Week in AWS and Last Week in AWS Security (newsletters): Corey, CTO/Chief Cloud Economist @ The Duckbill Group, is the de-facto AWS guru who helps thousands of technologists like us stay on top of the giant behemoth that is AWS. There are 200+ (and growing) distinct services that operate as their own startup within AWS; Corey stays on top of the latest and greatest, producing a weekly digest summary for the rest of us.
tl;dr sec (newsletter): Clint, Head of Security Research @ R2C, saves readers hours of weekly reading by pulling in the most relevant tools, blog posts, conference talks, and original research around AppSec, web security, cloud security, supply chain, container security, network security, blue and red teams, and much more.
Cloud Security Podcast (podcast/video): Ashish, Head of Security and Compliance @ PageUp, hosts weekly live interviews with cloud security leaders and practitioners from around the globe, covering regular focused series around cloud security, container and serverless security, AppSec, security engineering, DevSecOps, CISO and CSO perspectives, etc.
Latest Industry News for Security Pros
Industry news is still important to your knowledge base. As security professionals, it behooves us to get out of our often-siloed world to stay on top of emerging trends and developments within security. Industry news matters because it can help frame the big picture context and help you understand how security interacts with the broader technology space, as security ultimately needs to support the business.
Techmeme (newsletter): Techmeme is a daily roundup of the biggest headlines in technology, regularly covering top global happenings, venture funding of the latest startups, mergers, acquisition activity, and related politics/current events. They put it simply, "knowing what's changing in technology is required to understand the cultural currents and business events reshaping the world."
1440 Daily Digest (newsletter): 1440 Daily Digest rounds up over 100+ sources each day, so we don't have to. Culture, science, sports, politics, business, and much more are covered each day in a 5-minute read to help us battle information overload, opinionated bias, and general clickbait. Everyone comes from different backgrounds, and it's impossible to be an expert in all of these things because time is finite. This daily newsletter aims to aggregate what's happening worldwide to empower us to become better informed to live more productive lives.
SecMoves (newsletter): Karl, Head of Cybersecurity Solutions/Services @ Stott and May, specializes in placing specifically cybersecurity talent at technology companies. His weekly newsletter rounds up 1) where executives have landed in their new roles and opportunities within the industry and 2) the latest funding rounds and mergers/acquisition activity. Karl's work is important as it's a fantastic way to stay on top of the cybersecurity industry's direction (e.g.cutting edge trends and technologies).
Benedict's Newsletter (newsletter): Benedict, perhaps best known for his stint as a Partner @ Andreessen Horowitz, has spent over two decades analyzing technology trends, "trying to work out what's going on, and what happens next." I follow his work and analysis of tech developments to calibrate better what the near-term and future hold for our society, e.g., "will sentient robots take all of our jobs away in the next decade?"
What's 🔥 in Enterprise IT/VC (newsletter): Ed, Founder @ boldstart ventures, captures thought-provoking themes particularly relevant to scaling venture-backed startups selling enterprise software. These themes include: trends, messaging/marketing, hiring/retention, go-to-market approaches, and anything else rolled into what it takes to grow a pre-seed startup into a post-IPO enterprise giant.
Mental Wellness for the Cybersecurity Pro
Two years into the pandemic, the challenges around remote working continue to take their toll across the entire business. What happens if we don't take care of our mental health as security practitioners and leaders? We'll likely make more bad tech security decisions, which ultimately increases risks from cyberattacks and data breaches. So let's take care of ourselves. Here are some resources that have helped me over the past two years.
Unsupervised Learning (newsletter/podcast): Daniel, Head of Vulnerability Management @ Robinhood, curates recent happenings re: breaches, vulnerabilities, patches, hacks, etc. But the reason I pay to subscribe to his premium tier isn't because of the security-related news, but everything else. Everything else usually covers "building a model of human flourishing, as well as frameworks for increasing it." Frequent topics include logic, rhetoric, history, politics, philosophy, and issues that generally provoke deep thought and discussion. Daniel's content frequently makes me consider my deeply held beliefs and understanding of existence.
The 3-2-1 Newsletter (newsletter): James is a best-selling author of Atomic Habits, authors by far and away the shortest publication on this list. In fact, he claims it'll be "[t]he most wisdom per word of any newsletter on the web." If you ask me, it lives up to its billing. Every newsletter comes with five interesting ideas and thoughts and one question for the reader to contemplate.. I look forward to Thursday afternoons, where I get to think about these terrific reminders and questions to answer.
The Weekend Briefing (newsletter): Kyle, Managing Partner @ Westway, his legal firm geared towards startups, selects the most interesting articles on society and innovation for your Saturday morning enjoyment.
Bonus Resource - Cyber Therapy (livestream): Here at JupiterOne, we recently launched a light-hearted talk show which dives into the human perspective of security. I think it's helpful to hear about the various journeys of those in the security profession - how they got their start, their struggles, and their triumphs. Recent interviews include industry luminaries such as Jason Chan (former VP of Security at Netflix), Caroline Wong (Chief of Strategy at Cobalt.io), Carlota Sage (vCISO at Fractional CISO), and more.
There you have it - these are the best ways I've figured out how to optimize the way I ingest, organize, and digest an overwhelming velocity and volume of information in this day and age. If you have any resources you think would be relevant, please share them with me - you can reach me at george.tang@jupiterone.com!
