A smart person knows everything about a single topic. An intelligent person knows as much as possible about more than one topic. Both have great value, and depending on the industry, some organizations value one more than the other. In general, though, smart people fill entry-level jobs, who then become intelligent people to move up the ladder1. A robust personal development strategy will help you go from the former to the latter.
Effective personal development takes a lot of time and effort. To make this less complex, I broke it up into a four-step process. I also included several resources to get you started.
- Choose topics to study. Your profession may dictate that you focus on certain things. As a Soldier, you must learn military history and tactics; as a cyber Soldier, add technical topics to that list. After the things you have to study, look at your own interests to round it out: if you like programming, learn about it, too; if you like woodworking, include it.
- Find reliable resources from which to learn. Once you know what you want to study, start searching for quality resources. You might not have any choice but to take a formal class, but do not discount the value a peer or supervisor can bring to the table. Most experts love to share knowledge. Many people at the top of their fields also like to write online, so do not discount the viability of an online course or even a personal website.
- Learn. Once you know what you want to study and how you want to study it, do it. Real learning — the type that stays with you, and that you can use to become more intelligent — takes effort, as any type of growth does. Make a deliberate learning plan, then make a concerted effort to execute it.
- Use that knowledge. Most people forget the last step in a solid personal development strategy, “Use that knowledge”. If you do not learn something and then put it to good use, you will forget it — and in losing what you worked so hard to gain, you waste all that time, effort, and money. Do not make this mistake. If you learn a new skill, use it; if you learn something new, teach someone else. Just don’t lose it.
These steps outline a process for personal development that will help you stay relevant in an ever-changing, ever-advancing domain. Take it to heart, implement it, and you will find yourself far ahead of your peers. I designed the list below, and chose the resources it comprises, with an audience of cyber Soldiers in mind. I plan to update it as I find new and worthwhile books, articles, and project ideas. I will also update the list as better resources surface, and take away the things that prove useless. Like my morning and evening reads, this is a living document — a reflection of the best knowledge I have on this subject to date.
As a cyber Soldier, you must divide your personal development time between military, professional, and personal education. I call this a “one-third” model. Those unencumbered by the demands of the military may use a “one-half” model, where they split their time between personal and professional education. As a cyber Soldier, I divided the list below between those three areas, and further divide it into books and articles you can read, topics you can study, and projects you can try.
1/3 - Military Education #
Military leaders must read, understand, and live doctrine. These documents govern every aspect of military life, both on and off the battlefield. All soldiers should read the following Field Manuals (FM). For more information, some have Army Doctrine Publication (ADP) versions, or Army Doctrine Reference Publication (ADRP) versions. These tend to consist of similar information presented in different ways, which can sometimes prove useful. Most Soldiers will read many FMs throughout the course of their military careers, but start with these “books”.
- FM 3-12, Cyberspace and Electronic Warfare Operations. Most jobs have their own manual; read it. As of this writing, the current FM 3-12 focuses on tactical operations rather than offensive or defensive cyber. I recommend Soldiers read JP 3-12 instead. This document identifies the cyber forces the Nation has at its disposal, and their different mission sets.
- United States Army War College Strategic Cyberspace Operations Guide. Written to help U.S. Army War College students to understand design, planning, and execution of cyberspace operations, this document approaches cyber from a different perspective than FM/JP 3-12. Although there is a lot of overlap, the Strategic Cyberspace Operations Guide has a few worthwhile nuggets.
- FM 6-22, Leader Development. If you plan to go beyond the junior enlisted ranks, you should plan to spend a lot of time studying leadership. In particular, study the Army’s take on leadership. You will find no shortage of books, articles, and speeches on this subject, but start here. This will give you a solid foundation to build upon.
- TC 3-21.76, Ranger Handbook. Every Soldier must maintain both technical and tactical proficiency, which — for cyber Soldiers — means at least understanding basic tactics. Don’t treat it like the Bible, but rather as a more concise version of FM/ATP 3-21.8: The Infantry Rifle Platoon and Squad. I like to take a laminated, pocket-sized version of the Ranger Handbook with me to the field.
- ADP 1-02, Terms and Military Symbols. Coming up in the Cyber branch, I thought traditional military thinking had no place in the fifth domain. The military had evolved over thousands of years to control physical terrain, after all, and the fifth domain was almost entirely logical. No one ever bothered to correct me, but operational experience wasted no time in doing so. Relating these seemingly disparate fields requires a thorough understanding of both, not a willingness to undertake an exercise in futility. It is imperative that cyber Soldiers understand military science and apply it to cyber operations.
- FM 3-90.1, Offense and Defense, Volume 1. To help meld cyber warfare and with traditional doctrine, also see FM 3-90.1. This field manual explains offensive and defensive tactical tasks and their graphical representations, which helps translate cyber operations to traditional doctrine.
- FM 3-90.2, Reconnaissance, Security, and Tactical Enabling Tasks, Volume 2. FM 3-90.2 explains tactical enabling tasks and their graphical representations, for the same purpose as the manuals cited above.
- The Warrior Ethos, by Steven Pressfield.
- Left of Bang, by Patrick van Horne.
- The Mission, The Men, and Me, by Pete Blaber.
- Gates of Fire, by Steven Pressfield.
- On Killing, by Dave Grossman. The Profession of Arms exists to provide nations with soldiers to fight and win their wars. This comes down to individuals from one nation destroying those who intend to do the same for their homeland. In On Killing, Dave Grossman takes a deep dive into this complex subject.
Look to unofficial sources for military education as well. Some people like to put doctrine on a pedestal, above all other sources of institutional knowledge, but humans write both. Find the good in each and learn from it.
- A Message to Garcia, by Elbert Hubbard. This short essay from 1899 does a nice job of introducing Mission Command, or the idea that leaders ought to describe an end state and then allow their subordinates to use sound judgement and accept prudent risk to accomplish it.
- Auftragstaktik: A Case for Decentralized Battle, by John T. Nelsen II. Here, John Nelsen opens with the conditions that lead the German Army to develop the Mission Command philosophy, and the steps it took to encourage junior leaders to exercise it. He then examines the state of Mission Command in the modern U.S. Army, and identifies the barriers that keep leaders from exercising it today.
- Defense of Duffer’s Drift, by Major General Sir Ernest Swinton. Set during the Boer War, this work of fiction follows Lieutenant Backsight Forethought and his platoon’s defense of a natural river crossing. Over the course of six dreams, he learns to use critical thinking and strategy to hold his position until reinforcements arrive.
- Defense of Battle Position Duffer. CAC required. A modern-day adaptation of the Defense of Duffer’s Drift, this version follows an Armor Brigade Combat Team through a similar scenario to illustrate the importance of the cyberspace domain alongside the traditional land, sea, air, and space domains.
- It Takes a Network. General Stanley McChrystal wrote an interesting retrospective on his time commanding U.S. forces in Afghanistan, and the shift in thinking that had to occur to combat the insurgency there. Adopting Mission Command revolutionized warfare a century ago, and should this network-based approach take hold, perhaps it will revolutionize warfare for the next century.
- F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process. The Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD) framework blends intelligence and operations to enable rapid decision making at the tactical level.
- Coming soon: Army topics to study.
- Build an SOP. In an organization as new as CYBERCOM, there’s a good chance your team doesn’t have one; on the off chance it does, you can at least add to, improve, or update it. Codify the things your team does right, and identify areas in need.
- Create a class. Find something your team is not good at, find the person in your organization who does that best, and get them to teach you so you can teach your team.
1/3 - Professional Education #
The Army expects all Soldiers to maintain both technical and tactical proficiency; industry expects civilians to stay near the front of their fields. Professional education will help make that happen for both. In general, pursue classes and certifications related to your field, and stay up to date on current events related to your domain. For cyber Soldiers in particular, I suggest studying these books, articles, and topics, and working on these projects:
- The Cyber Defense Review. Although not a physical book, these book-length compilations from the Army Cyber Institute at West Point cover topics ranging from the technical to the philosophical.
- Blue Team Field Manual, by Alan White and Ben Clark. Think of this book as a physical cheat sheet for common defender or incident responder actions like mapping a network, checking for unusual user login events, and capturing network traffic. If you have to work without a reliable internet connection, or just don’t went to sift through Stack Overflow questions often, consider this instead. You may also find value here in novel tactics, techniques, or procedures.
- Red Team Field Manual, by Ben Clark. The same type of book except written for the attacker rather than the defender, I suggest checking this out regardless of the side on which you work. Defensive measures do not have to be a shot in the dark: understand the ways an adversary might attempt to break in so you can close off those likely avenues of approach.
- Threat Hunting Maturity Model. Understand the factors that determine threat hunting maturity. Also understand the five levels of the hunting maturity model, where most organizations fit in and why, and where yours fits in and why. Think of concrete steps your organization could take to move up the ladder.
- TaHiTI Threat Hunting Methodology. The Dutch Payments Association developed a well thought-out threat hunting methodology, and then created an in-depth writeup to go along with it. For an idea as to what right looks like, start here. This document also includes links to a wealth of other great resources.
- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin highlight the importance of integrating intelligence into defensive cyber operations, particularly when dealing with Advanced Persistent Threats.
- I Have a Fever, and the Only Cure for It Is More Feedback. In this great Splunk blog post, John Stoner explains a key component of successful threat hunting processes: acting on the bad we discover. This is a key step to maturing your organization’s ability to hunt well.
- Threat Intelligence framework in Splunk ES. Splunk, a popular big data analysis platform, also runs a great blog with a lot of good threat hunting information. Once you understand the importance of advancing to the point where you can focus on threat hunting, start here for some concrete examples of how to do that. See the next two links as well, which talk about threat hunting, the importance of threat intelligence, and how to use it.
- Threat Intel and Splunk Enterprise Security Part 1 - What’s The Point of Threat Intel in ES?.
- Threat Intel and Splunk Enterprise Security Part 2 - Adding Local Intel to Enterprise Security.
- ATT&CK-ing the Adversary: Episode 1 - A New Hope. Everyone likes to talk about the MITRE ATT&CK matrix, but few understand it well. This piece, and the two below it, form a helpful three-part series that will teach you about this useful tool, and show you practical examples of how to use it in your organization.
- ATT&CK-ing the Adversary: Episode 2 - Hunting with ATT&CK in Splunk.
- ATT&CK-ing the Adversary: Episode 3 – Operationalizing ATT&CK with Splunk.
- Simple Systems Have Less Downtime. Few take the time to architect secure systems from the start. This leads to the messes we then have to fix, once the patchwork of legacy systems that they cobbled together over a decade leads to an inevitable compromise. Here, Greg Kogan makes case for simple systems instead — a case we should make as well, and strive to implement as much as possible.
- Software Architecture is Overrated. The larger point Gergely Orosz makes here, that leaders should focus on developing a plan that all can understand and execute rather than a certain one according to supposed best practices, is something everyone should keep in mind. I have seen many approach projects by building out a plan according to a certain model, which just slowed down the process. Best practices exist for a reason, but blind adherence to them does no one any good.
- A New Approach to Enterprise Security. In our capacity as incident responders, we seldom have the opportunity to re-architect networks post-compromise. Fortunately, though, we often get this chance later on. This 2014 article from Google on its implementation of zero trust networks should serve as a guide. The old model of castles and moats is insufficient: the adversary will cross the moat, breach the walls, and with free reign inside wreak havoc. This zero trust networking strategy makes each step in that process much more difficult — which, in this domain, is the best we can do.
- Hypermodeling Hyperproperties. Programming, and a great deal of cybersecurity, involves hyperproperties: ensuring good things always happen, and that bad things never do. Hillel Wayne wrote a nice introduction to this concept. Even if the code samples don’t help, his explanation, examples, and resources will make you better at both.
- On architecture, urban planning and software construction. On the topic of programming, Tomas Petricek has an interesting idea for moving the computer science discipline forward: drawing lessons from architecture and urban planning. The observations he presents here are a good start.
- Classic Mistakes. Best practices tend to apply across industries. Steve McConnell’s examination of worst practices in software development also applies across industries. Things like “Abandoning planning under pressure” and “Overly aggressive schedules” can drag any team down, so learn to identify these so that you can avoid them.
- Complexity Has to Live Somewhere. A great deal of work, even in this organization, goes toward reducing complexity — or trying to, at least. As Fred Herbert explains here, though, complexity never actually disappears, it just gets shifted around until “with nowhere to go, it has to roam everywhere in your system, both in your code and in people’s heads. And as people shift around and leave, our understanding of it erodes.” I believe in building systems as simple as possible, but no simpler. Understand the limits of this pursuit, and the real cost of taking it to the extreme.
- Write a brag document. Everyone gets evaluated. In the Army, those take the form of regular counsellings. To make your supervisor’s job easier, and to make you look great, keep a list of things you did since your last evaluation. I do my best to keep track of everything my Soldiers do, but this has proven much more effective.
- Computers can be understood. Modern computers have gotten so complex that the prospect of trying to understand them intimidates a lot of people. Unfortunately, many use that fear as an excuse not to even try. As professionals, though, we have a responsibility to develop this expertise. Nelson Elhage has some good advice for tackling this gargantuan task.
- Understanding Rigor in Information Analysis. Daniel Zelik, Emily Patterson, and David Woods discuss the challenge of executing rigorous analysis in increasingly complex fields. Their assessment — and their conclusions — are particularly relevant to Analysts in the Fifth Domain.
Windows Active Directory #
- Understand forests, trees, and domains. Learn their differences, how they can interact, and what they consist of.
- Understand the five classes of services Active Directory provides.
- Understand Group Policy.
Authentication Methods #
- Understand Kerberos at a step-by-step level, and explain the difference between a ticket-granting ticket and a ticket-granting service.
- Understand Kerberos vulnerabilities. I like The Bible of Kerberos Attacks as a starting point. Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory – Active Directory Security is a good resource as well.
- Understand NTLM at a step-by-step level.
- Understand NTLM vulnerabilities, and learn the advantages of Kerberos over it.
- Learn about common Windows services that use Kerberos and NTLM. Know which they prefer, and what they fall back on and the circumstances under which they do.
- Coming soon: Professional development projects.
1/3 - Personal Education #
No matter how much you love your job, I encourage you to read, write, develop personal projects, and pursue your own interests — especially if they lie outside the cyber domain. Technical people in particular seem to have a tendency to work in front of a screen all day, then do the same at home. Find something to do with your hands — or, if you work with your hands all day, think about switching it up at home. I recommend reading these books and articles, and working on these projects.
- How to Win Friends and Influence People, by Dale Carnegie. Many like to make fun of this book, but whether leading a team or building a professional network, relationships become more important the more your career progresses. Learn to craft them well, now.
- Extreme Ownership, by Jocko Willink. The best book on leadership I have ever read. It informs my leadership philosophy to this day. Jocko goes into even more depth on his excellent podcast, so check that out as well. He also wrote a similar “field manual”, Discipline Equals Freedom, that you may find interesting, too. Many of his lessons apply to life in general, so I cannot recommend these enough.
- The Elements of Style, by Strunk & White. Good writing takes a lot of time and energy. Becoming a good writer takes an immense amount of both, and so most never get there. In this classic, William Strunk and E.B. White explain some simple ways to write well. Becoming a good writer is one of the most significant steps a person can take to better themselves, and this book will help.
- On Writing Well, by William Zinsser. For those looking to move beyond the simple steps in The Elements of Style, William Zinsser has some fantastic advice about how to become a good writer, and how to approach becoming a good writer.
- The Problem of the Problem. Framed as an explanation of the function and value of academic writing, I almost ignored this short book by Larry McEnerney. I have made my distaste for academia no secret. I gave it a try, though, and I walked away glad that I did: In The Problem of the Problem, Larry highlights the importance of identifying the value a written work provides and then offers concrete suggestions for making that clear. This prompted me to make some much-needed edits across several documents.
- Work is Work. Understanding how large organizations work, and the things that actually make them succeed or fail, is immeasurably valuable. I consider this piece from Coda Hale the seminal article on the subject of organizational theory. Use this knowledge to better navigate, and effect meaningful change in, your place of work. I found the section “Hell is Other People” particularly enlightening in a place that loves meetings, as someone who does not. I encourage all to try to better their organization, and consider it imperative that leaders — and Officers in particular — do all in their power to optimize their environment for success.
- How to Write Usefully. One of the most important and impactful things you will do in any organization is communicate, often in writing. Paul Graham offers some great advice for writing well here. In a related article, Snir David makes a good case that most communication should take place this way.
- Don’t Call Yourself A Programmer, And Other Career Advice. Out of all of Patrick McKenzie’s great work, if you read just one article, read this one. He has some fantastic advice for those just starting their careers that even senior Soldiers entering the civilian workforce will find helpful.
- Growth hacks: coffee with an experienced engineer you don’t know. Find a way to have smart conversations with smart people. You will both learn a lot, and talking through whatever challenges you both face will help you work through them.
- What do executives do, anyway?. Substitute “executives” for “leaders”, and this becomes an explanation of the role senior leaders play and a cautionary tale for the consequences when they fail to do that job well. Understand both and use this knowledge to help inform your career goals.
- Becoming a Better Developer. As a counterpoint to a piece by Jason Rudolph, Rick Hickey shares his thoughts on becoming a better developer. Where Jason believes many varied experiences lead to mastery, a belief the Army shares in its “up or out” model, Rick argues that depth — rather than breadth — will get you there. I tend to agree with Rick when it comes to technical fields, although Jason has the right idea for generalists. Understand the different approaches, and the different results they achieve, so you can 1) reach your goals, and 2) recognize when someone puts you on the wrong path. It takes six to ten years of focused effort to become a master (although some disagree, do not trust those who tell you otherwise. “master” is not necessarily the same as “Master”. See also: The Shortcut Is: There is no Shortcut.
- The dark shadow in the injunction to ‘do what you love’. Maslow’s Hierarchy of Needs purported to give managers a roadmap to employee buy-in. In this piece, Kira Lussier explores Maslow’s theory, its implications, and its (unintentional) consequences.
- You don’t need to work on hard problems. The Cyber branch as a serious retention problem. There are a lot of reasons for this. Setting aside the well-justified complaints of those stuck doing non-technical work, though, I disagree with one of the most common reasons Soldiers leave: they want to solve “hard” problems. In this piece, Ben Kuhn makes the case that you, like him, might actually have a different goal — and that with some introspection, you might discover it and find newfound meaning in your job.
- How to waste your career, one comfortable year at a time. Apoorva Govind argues that when it comes to your career, complacency is cancer. I have met many Soldiers, Officers and Enlisted alike, who complain that they don’t get to work on cool things; every time they got an opportunity to excel, go above and beyond, or take on additional duties, though, they declined. Their complacency first killed their motivation, and then their careers.
- Advice to my young self: to succeed in your career, forget side projects and focus on your job. Manuel Darcemont argues that excelling at your actual job, rather than doing mediocre work with a lot of (interesting) side projects, is the key to a successful career. While I agree, I also believe that those side projects are the key to moving from where you are to where you want to be. To go back to the example of the Soldiers stuck in uninteresting jobs, step #1 toward getting to those cool jobs is crushing your day job; step #2 is showing an aptitude for those cool jobs with the things you work on at night and on the weekends. Be so good that they can’t ignore you, and they won’t.
- Focusing on the Goal . The mission comes first, and accomplishing the mission in austere and rapidly changing environments means adapting and overcoming obstacles quickly and efficiently.
- Procrastination. Independent full-time blogger Shawn Blanc talks about the insidious nature of procrastination, its false promises, and some concrete strategies for combating it.
- How to Collaborate with People You Don’t Like. The unfortunate reality of the situation is this: you will come across many people in your career that you do not like, and you will have to work with many of them. Mark Nevins offers some concrete advice to make sure this unpleasant process goes well; I encourage you to take it.
- The Fucks and How We Give Them. On the topic of having to do things you will not like, here Patrick Rhone talks about managing the one aspect of your life completely within your control: yourself. Take his advice: care about the things you must, and stop investing emotion in things you do not have to, or over which you have no control.
- On National and Enterprise Outsourcing. Bert Hubert makes the case that outsourcing has obvious short-term benefits but serious long-term downsides, regardless of whether it takes place in a company or at the national level, and I tend to agree. As a nation, for the most part we have just seen the former; in the coming years, we can look forward to the pain of the latter as the payment for this far too widespread and pervasive practice comes due. There is also a dangerous point to be made about the cost of outsourcing a great deal of the capability development in this organization to defense contractors, but I will leave that for you to discover. Note: Bert accidentally published a draft of this post, which I read for this entry, that he then took down; the finished post may not be available yet.
- Out-Sourced Profits: The Cornerstone of Successful Subcontracting. In a 2001 study written for Boeing, Dr. L. J. Hart-Smith takes a hard look at the true value of outsourcing and comes to a similar conclusion as Bert Hubert in the article above. I encourage you to read Work is Work, to best understand Dr. Hart-Smith’s point that while outsourcing may appear to lower monetary costs, the organizational cost is remarkable.
- Build versus buy. The last two articles talk about the downsides of outsourcing; in this one, Will Larson talks about a straightforward process for weighing outsourcing’s costs against its benefits.
- Reshoring Supply Chains: A Practical Policy Agenda. David Adler and Dan Breznitz, in the American Affairs Journal, discuss the issue of enterprise outsourcing in America and offer some concrete policy suggestions for fixing it. I find this issue fascinating and applicable at a much lower level than strategic national security: I see outsourcing take place even amongst my team, to similar effects.
- Keeping Up with Current Events. Back in 2019, as a precursor to this project, I sat down to catalog all the websites I visit every day to keep up with current events. I update this living document as I find new sources, or stop paying attention to old ones. Those of you who want to stay well-informed, but do not know where to start, may find this article helpful.
- My Evening Reads. I visit the handful of high-volume websites in Keeping Up with Current Events a few times a day; this article catalogs the much larger number of lower-volume, mostly independent websites I follow that post such high-quality content that I do not want to miss a single article. I also update this living document as I find new sources, or stop paying attention to old ones. I recommend using this list, in conjunction with the previous one, to start building a well-rounded and effective news aggregation strategy.
- Coming soon: Personal development topics to study.
- Woodworking. I love woodworking, and I think everyone should give it a try. Here’s why:
- Low startup costs. Start with a hammer, a saw, and some nails. For less than $50, you can decide if you like woodworking. Invest in a decent drill, too, and something like a patio pergola — which hovers around $1,000 retail — becomes doable for a fraction of the cost.
- Wood is cheap. A simple and sturdy shelf, eight feet long and three levels high, will set you back about $50. You can also dent, scrape, and trash these boards, and recover from anything except cutting one too short. This lowers the barrier to starting new projects, encourages experimentation, and puts the price of making a mistake — of learning — at about $3.
- If you can dream it, you can build it. I see a lot of people jump right to steel or aluminum, but for most projects, wood will work just as well. Using wood also means you can design exactly what you want, and since you finish it yourself, the product will end up looking much better.
- LEGO Robotics. If you have a bit more money to spend or kids in the house, or want some of the same benefits of woodworking from a more technical hobby, give LEGO robotics a try. It will cost more to get started, but less in the long term, and you can take on more technical projects at a smaller scale. I like to use LEGOs to test designs before I mock them up in SketchUp, on my way to building them with wood.
There’s a saying, “He not busy being born is busy dying.” Something similar applies in the cyber domain: “He not busy learning is not busy at all.” In a field based on complex technologies and full of remarkably smart people, the only way to stay relevant — to stay employed — is to become a lifelong learner. This habit takes a lifetime to build, but you can start by taking an active role in your personal development.
↩ Consider the best network administrator in the world. That skill alone does not generate revenue, so he or she must work for someone else. If, instead, this person sits at the top of the org chart in their own company, they have made themselves a generalist, with skills in other areas; that has come at the cost of being the best network administrator in the world, though. Someone else, who does nothing but administer networks, now has that title.