I have noticed that in Infosec there is a very unreflective, inaccessible culture around learning. We have adopted a “try harder” or “DFIU” attitude to people who are attempting new or challenging things. As an educator coming from a high school background, where encouragement and incentive are key, this concerns me. We know that the only way to learn is to ask questions. Yet the sector seems to mock those who do.

It is not a huge leap to extrapolate that the pipeline issue is borne out of these attitudes. People are pretending to know things. They are scared to admit gaps in knowledge. This leads to mistakes. But it also leads to gatekeeping: where mediocre people block those they fear might replace them. Or it means that only those within a closed support network will rise, safe and protected by friends who advise or cover their errors or enable them to move roles after disasters.

This is counter to everything I do as a teacher. I am expected to encourage my students to overcome challenges. My lessons must be accessible to the needs of over 20 students. I look at the bulky printed material that I see provided at many security trainings and I wonder how much, if any, of it is differentiated. How much time is given to accessibility for dyslexic or ADHD learners? Can students use sketchnotes? Is the material fun and easy to read? Is it necessary to give students half their adult height in printed material for one five-day course?

Even more striking to me is how my pay is performance-related, not only to my students' success but also to my professional development. I am EXPECTED to be reflective in my practice. I do not see much evidence of this in infosec training. There is excellent practice out there, but are people respecting education as a profession? Are they seeking to improve and learn from each other? Are they even required to have qualifications in education or training? How do we ensure that our learning environment conditions students to have positive attitudes?

Above all: what are learners able to demand? Where are the guarantees of quality and excellence that they deserve? Are we valuing education and training and asking questions? Or are courses more useful as magic tickets upwards than as proof of deeper understanding?

What is reflective practice? Larrivee (2000, p. 293) defines it as follows:

“Unless teachers develop the practice of critical reflection, they stay trapped in unexamined judgments, interpretations, assumptions, and expectations. Approaching teaching as a reflective practitioner involves fusing personal beliefs and values into a professional identity”

I am writing this to emphasize the importance of reflective practice and how we need more of it in infosec training and education. We have two necessary actions: the first is to foster a better culture of learning and questioning. The second is to encourage reflection in those who train and create learning materials.

Finlay (2008) states that reflective practice is

“the bedrock of professional identity”

I believe that this is true. As trainers/educators, we have a responsibility to teach, measure, evaluate and reshape what we do with our students. We cannot simply create a course and then never refine it. We also have to be constantly evaluating our own methods and performance. Atkins and Murphy (1993) broke this into a three-stage process: discomfort, critical analysis, new perspective. In brief: to become aware of areas that could be improved, to evaluate and research, and then to progress with new insight.

One of the easiest ways to do this via “reflection on action” (Schön 1983) is to observe other practitioners at work. It is also useful to invite observation of one’s own teaching. We can become stuck in our ways, uninspired or believing our way is the only way. My PGCE tutor told me that to be a guest in a classroom was a privilege and to use that time respectfully. I have always learned a great deal from observing fellow teachers. I go into their rooms with an open mind and respectful attitude: I am there not to gloat or criticise but to learn. Any feedback we offer each other must be constructive.

The best way to check if you have learned something is to try to explain it to someone else. I do not believe that this means we should assume we are all capable and suited to educating others. You can be an expert in your field but a terrible communicator. Managing a cohort of students of any age is half content, half social work: it is a deeply human role. If you are taught by someone who is unapproachable and cruel, you are likely to repeat that model with anyone you have to later educate.

In brief: there is a reason that teachers study and pass rigorous exams and courses. What I see in infosec is a sector that desperately needs a culture of learning and openness, but can’t get there and it is a time bomb.

If your trainers are not adequately qualified and reflective in their practice, despite any expertise, they will pass on bad culture. There is a huge gap between the necessary secrecy around the ways to “hack a box” on a platform and keeping questions and uncertainties quiet.

Challenge is one thing, it is how we learn and it is necessary.

Shame and fear is another.

You don’t need cheat codes for a box, you can work for that and learn the skills.

You absolutely do need to be able to ask questions during a course and at work.

So I am suggesting that we demand more from our training and workspaces. That we create environments that value neurodiversity. That we value questions and make people feel valued for asking them. That we value educators for the skills they bring and we demand those skills, not just accept well-paid experts who give lectures. If all our training was effective, we would not have super-qualified people making mistakes today.

A really good example of this is the area I work on: consumer advice. There is a dearth of solid advice, and for many issues there is simply nothing for people outside the tech sector to find. The average consumer has NO REAL SOURCE OF EDUCATION. It is noticeable that every time we have a privacy concern with an app or service, or a security issue, huge swathes of infosec people make memes and jokes about it. They mock people worrying about simple things, whilst forgetting that it is very challenging to find the information.

I think this is the crux of the issue: people truly fear saying “I don’t know”. My students know that they are fine to say “I am not sure, but...” or “I don’t know”. My students in Japan would never answer unless they had the correct answer. Even if they did, often they did not want to “show off”. There are so many things that influence how we see learning and what is acceptable.

We do all need to try harder to ensure we are creating safe and welcoming spaces where people can learn and ask questions. “Noob” is an insult my son yells at his friends while gaming. Why are we hazing people? Learning is a lifelong thing. My performance reviews, to take me to the lofty heights of a 50k salary (which is the price some trainers in infosec get for one week or one talk, fyi), are there to remind me that I will always have room to improve and things to learn. Because of this self-reflection and the collaboration with colleagues, my classrooms are spaces for questions and challenges. No one gets called stupid or told to try harder. Work hard, yes, but hey, use this tool, think of how you solved this... that is how you help people. Not “try harder”, but “have you tried this..?” If no one is asking questions, that generally does not mean they all grasped the concept. It probably means that they don’t feel able to ask. Remember that.