Personal Development
A smart person knows everything about a single topic. An intelligent person knows as much as possible about more than one topic. Both have great value, and depending on the industry, some organizations value one more than the other. In general, though, smart people fill entry-level jobs, then become intelligent people to move up the ladder¹. A robust personal development strategy will help you go from the former to the latter.
Effective personal development takes a lot of time and effort. To make this less complex, I broke it up into a four-step process. I also included several resources to get you started.
- Choose topics to study. Your profession may dictate that you focus on certain things. As a Soldier, you must learn military history and tactics; as a cyber Soldier, add technical topics to that list. After the things you have to study, look at your own interests to round it out: if you like programming, learn about it, too; if you like woodworking, include it.
- Find reliable resources from which to learn. Once you know what you want to study, start searching for quality resources. You might not have any choice but to take a formal class, but do not discount the value a peer or supervisor can bring to the table. Most experts love to share knowledge. Many people at the top of their fields also like to write online, so do not discount the viability of an online course or even a personal website.
- Learn. Once you know what you want to study and how you want to study it, do it. Real learning — the type that stays with you, and that you can use to become more intelligent — takes effort, as any type of growth does. Make a deliberate learning plan, then make a concerted effort to execute it.
- Use that knowledge. Most people forget the last step in a solid personal development strategy, “Use that knowledge”. Gian Segato, in How to Learn Better in the Digital Age, and David Heinemeier Hansson, in Wisdom is not what you know, have discussed this at length. If you do not learn something and then put it to good use, you will forget it — and in losing what you worked so hard to gain, you waste all that time, effort, and money. Do not make this mistake. If you learn a new skill, use it; if you learn something new, teach someone else. Just don’t lose it.
These steps outline a process for personal development that will help you stay relevant in an ever-changing, ever-advancing domain. Take it to heart, implement it, and you will find yourself far ahead of your peers. I designed the list below, and chose the resources it comprises, with an audience of cyber soldiers in mind. I plan to update it as I find new and worthwhile books, articles, project ideas, and other resources. I will also update the list as better resources surface, and take away the things that prove useless. Like my morning and evening reads, this is a living document — a reflection of the best knowledge I have on this subject to date.
As a cyber Soldier, you must divide your personal development time between military, professional, and personal education. I call this a “one-third” model. Those unencumbered by the demands of the military may use a “one-half” model, where they split their time between personal and professional education. As a cyber Soldier, I divided the list below between those three areas, and further divided it into books and articles you can read, topics you can study, and projects you can try. Some sections include other areas, such as newsletters or podcasts.
The vast and complex nature of the fifth domain offers practitioners an easy excuse for ignoring adjacent fields and their place within any sort of a broader context. While this document features many resources that will aid in your technical development, it does not neglect those other topics. As David Heinemeier Hansson said in Programmers should stop celebrating incompetence, “You can’t become an expert at everything, and it’s fine to accept your boundaries. But it’s not fine to think you shouldn’t be on some paths towards mastery.” You do not have to master every topic here, but you should become familiar with all of them on your road to mastery of your chosen niche.
1/3 - Military Education
“Professional readings and study are not solely the responsibility of military schools. Individuals cannot afford to wait for attendance at a military school to begin a course of self-directed study. Military professionalism demands that individuals and units find time to increase their professional knowledge through professional reading, professional military education classes, and individual study.” Marine Corps Doctrinal Publication 1-3: Tactics. Enough said.
Books
Military leaders must read, understand, and live doctrine. These documents govern every aspect of military life, both on and off the battlefield. All soldiers should read the following Field Manuals (FM) and books. For more information, some have Army Doctrine Publication (ADP) versions, or Army Doctrine Reference Publication (ADRP) versions. These tend to consist of similar information presented in different ways, which can sometimes aid in the understanding of a difficult topic. Most soldiers will read many FMs throughout the course of their military careers, but start with these manuals. This list also contains several books worth studying in the course of one’s military development.
- FM 6-22: Leader Development. If you plan to go beyond the junior enlisted ranks, you should plan to spend a lot of time studying leadership. In particular, study the Army’s take on leadership. You will find no shortage of books, articles, and speeches on this subject, but start here. This will give you a solid foundation upon which to build.
- TC 3-21.76: Ranger Handbook. Every Soldier must maintain both technical and tactical proficiency, which — for cyber soldiers — means at least understanding basic tactics. Don’t treat it like the Bible, but rather as a more concise version of FM/ATP 3-21.8: The Infantry Rifle Platoon and Squad. I like to take a laminated, pocket-sized version of the Ranger Handbook with me to the field. An understanding of basic military tactics is also important for cyber forces to bridge the gap between the fifth domain and kinetic ones.
- ADP 1-02: Terms and Military Symbols. Coming up in the Cyber branch, I thought traditional military thinking had no place in the fifth domain. The military had evolved over thousands of years to control physical terrain, after all, and the fifth domain was almost entirely logical. No one ever bothered to correct me, but operational experience wasted no time in doing so. Relating these seemingly disparate fields requires a thorough understanding of both, not a willingness to undertake an exercise in futility. It is imperative that cyber soldiers understand military science and apply it to cyber operations.
- FM 3-90.1: Offense and Defense, Volume 1. To help meld cyber warfare with traditional doctrine, also see FM 3-90.1. This field manual explains offensive and defensive tactical tasks and their graphical representations, which helps translate cyber operations to traditional doctrine.
- FM 3-90.2: Reconnaissance, Security, and Tactical Enabling Tasks, Volume 2. FM 3-90.2 explains tactical enabling tasks and their graphical representations, for the same purpose as the manuals cited above.
- The Art of War, by Sun Tzu. Every military reading list has this book on it for a reason, and this list will, too: Sun Tzu’s insightful observations on war and proven suggestions for its successful conduct have proven timeless. This short book takes just a few hours to read, yet its lessons will continue enduring for centuries.
- Left of Bang, by Patrick van Horne. The paradigm-shifting Combat Hunter Program saved lives and increased the effectiveness of counter-insurgent operations. Defensive cyberspace operations forces must take a similar approach by not inspecting individual data points but rather looking at the entire picture to identify subtle clues indicative of malicious intent.
- The Mission, The Men, and Me, by Pete Blaber. Come for the war stories, stay for the lessons in leadership and professionalism. Throughout this book, Pete Blaber shares several valuable philosophies learned throughout his decorated Army career.
- Gates of Fire, by Steven Pressfield. A fictional retelling of the Spartans’ stand at Thermopylae, this inspiring book paints a vivid picture of what it means to call oneself a warrior.
- The Warrior Ethos, by Steven Pressfield. After many works of fiction featuring warriors across time and cultures, Steven Pressfield explores what it means to be a warrior, and what it takes to call yourself one. The military drills its ethoses into soldiers, but this handbook explains where those edicts come from and their importance in this profession.
- On Killing, by Dave Grossman. The profession of arms exists to provide nations with soldiers to fight and win their wars. This comes down to individuals from one nation destroying those who intend to do the same for their homeland. In On Killing, Dave Grossman takes a deep dive into this complex subject. Although most readers, given this document’s target audience of cyber soldiers, will never encounter this, understanding it is key to understanding the military profession.
- Mission Command Insights and Best Practices Focus Paper. Many preach mission command but few understand it well. This brief paper describes the tenets of this crucial philosophy interspersed with anecdotes from senior leaders from across the military.
- The Generals, by Thomas Ricks. A scathing indictment of the military’s lack of accountability amongst its most senior personnel, The Generals also holds many insightful observations leaders can benefit from at all levels.
- Clausewitz: A Very Short Introduction, by Michael Howard and Corrie James. Carl von Clausewitz’s On War is one of the seminal works on modern Western militaries. At over seven hundred pages, though, that book is not suited for everyone. Michael Howard and Corrie James’ extremely brief introduction provides a concise overview of many key tenets in a far more digestible format.
Articles
Look to unofficial sources for military education as well. Some people like to put doctrine on a pedestal, above all other sources of institutional knowledge, but humans write both. Find the good in each and learn from it.
- A Message to Garcia, by Elbert Hubbard. This short essay from 1899 does a nice job of introducing Mission Command, or the idea that leaders ought to describe an end state and then allow their subordinates to use sound judgement and accept prudent risk to accomplish it.
- Auftragstaktik: A Case for Decentralized Battle, by John T. Nelsen II. Here, John Nelsen opens with the conditions that led the German Army to develop the Mission Command philosophy, and the steps it took to encourage junior leaders to exercise it. He then examines the state of Mission Command in the modern U.S. Army, and identifies the barriers that keep leaders from exercising it today.
- Defense of Duffer’s Drift, by Major General Sir Ernest Swinton. Set during the Boer War, this work of fiction follows Lieutenant Backsight Forethought and his platoon’s defense of a natural river crossing. Over the course of six dreams, he learns to use critical thinking and strategy to hold his position until reinforcements arrive.
- Defense of Battle Position Duffer. CAC required. A modern-day adaptation of the Defense of Duffer’s Drift, this version follows an Armor Brigade Combat Team through a similar scenario to illustrate the importance of the cyberspace domain alongside the traditional land, sea, air, and space domains.
- It Takes a Network. General Stanley McChrystal wrote an interesting retrospective on his time commanding U.S. forces in Afghanistan, and the shift in thinking that had to occur to combat the insurgency there. Adopting Mission Command revolutionized warfare a century ago, and should this network-based approach take hold, perhaps it will revolutionize warfare for the next century.
- F3EAD: Ops/Intel Fusion “Feeds” The SOF Targeting Process. The Find, Fix, Finish, Exploit, Analyze, and Disseminate (F3EAD) framework blends intelligence and operations to enable rapid decision making at the tactical level.
- Trigger-Happy, Autonomous, and Disobedient: Nordbat 2 and Mission Command in Bosnia. This story provides a glimpse of just how effective true mission command can be. It also shows us that fostering an environment conducive to decentralized initiative requires more than just leaders who pay lip service to the ideal.
- A Fractal of Lies. Military leaders must understand the disconnect between reality and the feedback they receive. As their rank increases, their direct knowledge of all situations decreases; they rely on staffs to paint an accurate picture for them, who — as David explains in this article — seldom do. Even attempts to mitigate this have fallen short. Just read any pseudo-anonymous social media thread on command climate surveys, sensing sessions, and after action reviews: they are plagued either by mid-level leaders explicitly directing participants not to provide “unproductive” or “inflammatory” (read: honest) feedback, or by subjects so disillusioned by these ineffectual processes that they no longer bother to participate. The more senior the leader, the less likely the feedback they receive accurately reflects the situation on the ground — but by acknowledging that disconnect, they can take steps to mitigate it. Uri explained a similar phenomenon in Carrot Problems, where he discussed the tendency to attribute positive outcomes to irrelevant factors rather than the true causes of success. Related to this phenomenon, from the other perspective, is Mel Brooks’ advice for dealing with bosses who have bad ideas, which Austin Kleon discusses in his article Say yes and never do it. As Ram Charan explains in Conquering a Culture of Indecision, this is ultimately a cultural issue the organization’s leader must address.
- Educating the Force. War on the Rocks, a fantastic source of news on national security topics and current events, maintains a strong list of professional military education material.
- What Is a Cyber Warrior? The Emergence of U.S. Military Cyber Expertise, 1967–2018 - Rebecca Slayton’s historical recount of information security programs in the Department of Defense, up to and including the formation of U.S. Cyber Command, helps explain why things are the way they are today. While that dark past may provide little comfort to those dealing with this mess today, understanding it does help contextualize many of the seemingly nonsensical policies and constructs operations struggle against to this day. Sarah White’s The Organizational Determinants of Military Doctrine: A History of Army Information Operations provides interesting insight into the history of the broader information operations field from which the cyber branch originated.
- A Sailor’s Take on Multi-Domain Operations. Naval Lt. Cmdr. Will Spears provides an appropriately skeptical overview of the multi-domain operation concept, to include its history, present state, and likely future. For all soldiers, but for cyber operations soldiers in particular who are expected to play an important role in multi-domain operations, this is a good introduction to the concept — and some of the issues facing it.
- Why Cyber Dogs Have Yet to Bark Loudly in Russia’s Invasion of Ukraine. Dr. Nadiya Kostyuk and Dr. Erik Gartzke use the conspicuous lack of cyber operations in the Russo-Ukrainian war as a jumping off point to dissect theories purporting to explain the interplay between cyber and conventional operations. This remains an open debate, and will likely remain so for years.
- Definition of ‘Decisive’ Depends on Context. Contrary to the typical, narrow definition of “decisive”, Lt. Gen. James Dubik explains that the use of this term should depend on the context.
- Your First Week as a New Lieutenant. As I closed in on my promotion to Captain, mentorship became an increasingly important part of my job. After several similar conversations with new officers, I decided to answer a common question in this article: “What do I do as a new lieutenant?” This advice should generalize well; if you follow it during your first week, you will put yourself in a good spot at the beginning of your assignment and set yourself up for success in the long run.
- Advice to New Lieutenants. After several conversations with new lieutenants eager for professional development as officers and military development as warfighters, I decided to turn some of those discussion points into a post. Whereas Your First Week as a New Lieutenant provides specific advice for new lieutenants reporting to a new unit, this article contains more general advice, observations, and lessons learned based on my first four years in the Army.
- Millennium Challenge: The Real Story of a Corrupted Military Exercise and its Legacy. Using the boondoggle of an exercise Millennium Challenge 2002 as a case study, Micah Zenko explains the danger of failing to adequately test theoretical concepts.
- The Commander’s Path to Victory: Communication without Comms. In an age where Mission Command has become more of a slogan than a practice, this article is an important reality check that challenges the pernicious micromanagement of the status quo.
- Making Sound Strategy: Back to the Basics of Ends, Ways, and Means - Military Strategy Magazine. Giles Moon makes the case that strategies ought to be sound before implementation, after which they may then be evaluated for efficacy. Many, unfortunately, skip the first criterion and hope the latter shakes out in their favor.
- The Operational Level Of War Does Not Exist. Based on his experiences during Operation Iraqi Freedom and Operation Enduring Freedom, Col Vohr shares some thoughts on the traditional theory of tactical, operational, and strategic levels of war.
- Perfectionism is optimizing at the wrong scale. An important facet of mission command is accepting that others may not achieve a goal in the same way that you do. This article talks about this challenge through the lens of balancing perfectionism at the micro and macro level.
- Theory-building and why employee churn is lethal to software companies. Baldur Bjarnason shares an interesting philosophical perspective on software development that also applies to other areas, such as military planning.
- Be aware of the Makefile effect. There’s a curious tendency in the military to counter overwork and unrealistic deadlines not by prioritization, but rather by plagiarism. William Woodruff makes a similar observation about software developers and cautions them to consider the implications of this practice at the point of solution versus the point of design. The tyranny of time is not going away anytime soon, but this is a good way to understand the implications of the choice we make in response to that.
Podcasts
- The Jocko Podcast. This podcast is the preeminent resource for leadership and military development. If you take just one resource and ignore every single other recommendation in this post, make it this podcast. From the informative personal experiences Jocko and his guests share to the exhaustive literary and historical reviews they conduct, the only thing that could make these hundreds of hours of audio more valuable would be more of them. Also check out the Jocko Unraveling podcast, which focuses on current events, and the Jocko Underground podcast, where he fields questions and answers.
- Hardcore History. Dan Carlin’s ability to research, prepare, and tell a story is unmatched. His lessons in history are some of the best I have ever encountered. Also check out Common Sense with Dan Carlin.
- Martyr Made. Darryl Cooper’s podcast also draws from a variety of sources to paint a vivid picture of days long past. He is a close second to Dan Carlin in terms of research, preparation, and storytelling ability.
- Modern War Institute. West Point’s Modern War Institute also publishes a good podcast that covers military topics. Why Military Cohesion Matters is a great introduction to the show on an important topic for leaders building teams.
- Subs and Cyber - The Phoenix Cast. Hosts John, Rich, and Kyle are joined by Paul Schreiner to talk about lessons learned leading highly technical submariners and how similar conclusions apply to cyber formations. This episode is full of helpful and insightful advice for those in charge of technical personnel.
- Intelligence Analysis, Intuition, and Precognition, with Carmen Medina - The Lawfare Podcast. Carmen’s thoughts on analysis from over 30 years in the CIA are not just relevant to analysts within the intelligence community, but to everyone involved in analytic work.
Movies
Nothing can replace first-hand experience, but by listening to the stories of those who came before us, we may benefit from their hard-learned lessons in war. Movies like these have valuable lessons to teach soldiers about leadership and the conduct of war.
- Saving Private Ryan.
- Band of Brothers.
Projects
- Build an SOP. In an organization as new as USCYBERCOM, there’s a good chance your team doesn’t have one; on the off chance it does, you can at least add to, improve, or update it. Codify the things your team does right, and identify areas in need.
- Create a class. Find something your team is not good at, find the person in your organization who does that best, and get them to teach you so you can teach your team.
Newsletters
- The Early Bird Brief. This daily email delivers military-specific news. The Early Bird Brief is one of the best resources for keeping up with current events in this space.
- The Center of Junior Officers (CJO). The CJO is a phenomenal resource not just for new lieutenants, but especially for new lieutenants. It has great advice for handling many of the challenges junior officers face, and even offers helpful tips and templates for many of the classic 2LT challenges. Need advice on counseling an NCO? The CJO has it. Need a formal letter of introduction? The CJO has it. This is a severely underrated and underused resource that all company grade officers — and even some field grade officers — could benefit from.
Topics
- History. As members of the organization tasked with imposing this nation’s will onto others, it is helpful to understand the historical context for the decisions made today. I prefer to study this topic not through books, but rather podcasts. Shows like Dan Carlin’s Hardcore History and Darryl Cooper’s Martyr Made draw from a variety of sources to paint a vivid picture of days long past. Also check out Common Sense with Dan Carlin. I cannot recommend these shows highly enough.
1/3 - Professional Education
The Army expects all soldiers to maintain both technical and tactical proficiency; industry expects civilians to stay near the front of their fields. Professional education will help make that happen for both. In general, pursue classes and certifications related to your field, and stay up to date on current events related to your domain. For cyber soldiers in particular, I suggest studying these books, articles, and topics, and working on these projects.
Rather than maintain duplicate lists, this section includes few books or articles related to cyberspace operations. I spent a great deal of time reviewing such resources for my book Handbook for Defensive Cyberspace Operations, in which I devote an entire chapter to this subject. Members of USCYBERCOM and its subordinate units may request a copy by sending a message to my work email, available in the global address list.
Books
- The Phoenix Project, by Gene Kim. I have only ever read two books twice: The Phoenix Project and its sequel, The Unicorn Project. These are also the only books I have ever bookmarked, highlighted, and taken notes in — they taught me that much. Although ostensibly about DevOps and software development, these books are masterclasses in solving complex problems. Their descriptions of systemic issues at Parts Unlimited hit close to home, and their eventual solutions offer hope for a brighter future.
- JP/FM 3-12: Cyberspace and Electronic Warfare Operations. Most jobs have their own manual; read it. As of this writing, the current FM 3-12 focuses on tactical effects rather than offensive or defensive cyber. I recommend soldiers review JP 3-12 for an overview of the cyber forces the Nation has at its disposal, and their different mission sets, but do not invest a great deal of time in either of these publications. They have not yet caught up to the operational reality.
- CWP 3-33.4: Cyber Protection Team (CPT) Organization, Functions, and Employment. CAC required. This manual explains what cyber protection teams bring to the fight. Although written for combatant command commanders and their staffs, analysts at the lowest levels should also understand their intended purpose in the strategic picture.
- Handbook for Defensive Cyberspace Operations. This document is for the junior officers forever filling company-grade positions as Mission Element Leaders, who must direct their analysts in the detection of the most sophisticated hackers in the world; and for the Host, Network, and Intelligence Analysts arrayed against those actors, who must consistently combine world-class domain expertise with sound methodologies in the conduct of rigorous analysis. This document explains defensive cyberspace operations at their level, at the tactical edge.
- The Checklist Manifesto, by Atul Gawande. Many professionals overestimate their own abilities and underestimate the impact basic improvements can have on their work. In The Checklist Manifesto, renowned surgeon Atul Gawande explains how the simple adoption of a checklist drastically improved patient care. A similar approach could be applied in other fields, and in cyberspace operations in particular, to similarly significant results.
- 2034: A Novel of the Next World War, by Elliot Ackerman and Admiral James Stavridis. This fictional recount of a great power conflict between the United States and China provides a possible glimpse into a likely future. Although many hold up Ghost Fleet by P.W. Singer and August Cole as the book on World War III and the role of cyberspace operations in it, 2034 does a better job of describing both.
Articles
- Simple Systems Have Less Downtime. Few take the time to architect secure systems from the start. This leads to the messes we then have to fix, once the patchwork of legacy systems that they cobbled together over a decade leads to an inevitable compromise. Here, Greg Kogan makes the case for simple systems instead — a case we should make as well, and strive to implement as much as possible.
- Software Architecture is Overrated. The larger point Gergely Orosz makes here, that leaders should focus on developing a plan that all can understand and execute rather than a certain one according to supposed best practices, is something everyone should keep in mind. I have seen many approach projects by building out a plan according to a certain model, which just slowed down the process. Best practices exist for a reason, but blind adherence to them does no one any good.
- A New Approach to Enterprise Security. In our capacity as incident responders, we seldom have the opportunity to re-architect networks post-compromise. Fortunately, though, we often get this chance later on. This 2014 article from Google on its implementation of zero trust networks should serve as a guide. The old model of castles and moats is insufficient: the adversary will cross the moat, breach the walls, and with free rein inside wreak havoc. This zero trust networking strategy makes each step in that process much more difficult — which, in this domain, is the best we can do.
- Hypermodeling Hyperproperties. Programming, and a great deal of cybersecurity, involves hyperproperties: ensuring good things always happen, and that bad things never do. Hillel Wayne wrote a nice introduction to this concept. Even if the code samples don’t help, his explanation, examples, and resources will make you better at both.
- On architecture, urban planning and software construction. On the topic of programming, Tomas Petricek has an interesting idea for moving the computer science discipline forward: drawing lessons from architecture and urban planning. The observations he presents here are a good start.
- Classic Mistakes. Best practices tend to apply across industries. Steve McConnell’s examination of worst practices in software development also applies across industries. Things like “Abandoning planning under pressure” and “Overly aggressive schedules” can drag any team down, so learn to identify these so that you can avoid them.
- Complexity Has to Live Somewhere. A great deal of work, even in this organization, goes toward reducing complexity — or trying to, at least. As Fred Hebert explains here, though, complexity never actually disappears, it just gets shifted around until “with nowhere to go, it has to roam everywhere in your system, both in your code and in people’s heads. And as people shift around and leave, our understanding of it erodes.” I believe in building systems as simple as possible, but no simpler. Understand the limits of this pursuit, and the real cost of taking it to the extreme.
- Write a brag document. Everyone gets evaluated. In the Army, those take the form of regular counsellings. To make your supervisor’s job easier, and to make you look great, keep a list of things you did since your last evaluation. I do my best to keep track of everything my soldiers do, but this has proven much more effective. Julia Evans offers some more great career advice along these same lines in Things your manager might not know.
- Computers can be understood. Modern computers have gotten so complex that the prospect of trying to understand them intimidates a lot of people. Unfortunately, many use that fear as an excuse not to even try. As professionals, though, we have a responsibility to develop this expertise. Nelson Elhage has some good advice for tackling this gargantuan task.
- They don’t even know the fundamentals. Here the author argues that “the fundamentals” are knowable but not necessary for everyone: “one man’s fundamentals are another man’s trivia.” This is a nice counterpoint to Computers Can be Understood, which makes the case for developing that broad expertise.
- Operators, EDR Sensors, and OODA Loops. This article not only explains John Boyd’s OODA as it applies to operators in the fifth domain, Jackson also walks through its practical application to cyberspace operations. This is a fantastic read, and one of the rare works that bridges the gap between conventional military knowledge and cyber.
- Career Longevity & “The Don’t Fire Me Chart”. Phil Venables explains the importance of leaders understanding that time and competence often lead to the situation appearing worse before it gets better, but that perseverance leads to true improvement. Phil applies a similar model to cybersecurity in The Uncanny Valley of Security.
- Tuckman’s Stages of Group Development. It is helpful to know the stages of group development so that you may understand the situation into which you have entered, so that you may then choose the right approach to achieve your goals as Michael Watkins recommends in Picking the Right Transition Strategy.
- Characterizing Tech Debt. Here, Justin Blank explains several varying definitions of “technical debt.” This is an interesting read from a technical point of view, but also from an organizational one.
- The Wrong Abstraction. Although about code abstraction specifically, Sandi Metz’s words apply equally well to organizational inertia and the desire to maintain the (failing) status quo thanks to the sunk cost fallacy: “Existing code exerts a powerful influence. Its very presence argues that it is both correct and necessary. We know that code represents effort expended, and we are very motivated to preserve the value of this effort. And, unfortunately, the sad truth is that the more complicated and incomprehensible the code, i.e. the deeper the investment in creating it, the more we feel pressure to retain it (the ‘sunk cost fallacy’). It’s as if our unconscious tell us ‘Goodness, that’s so confusing, it must have taken ages to get right. Surely it’s really, really important. It would be a sin to let all that effort go to waste.’”
- Work / Life Balance. Phil Venables shares some insightful wisdom on the oft-quoted but seldom-achieved “work/life balance.”
- Breaking the Inertia of Mediocrity. David Heinemeier Hansson shares some profound insight on the organizational impact of inertia. To paraphrase David: “Bad decisions, processes, or even people seldom sink an organization. It’s the accumulation and inertia of the mediocre ones that do. Dealing with the truly bad is easy; it’s much harder to find the will to act when the danger lurks in inadequate urgency, cumbersome collaboration, or just a missing spark. The insidious nature of inertia is in its ability to compound the cost of action as time goes on.” Individual contributors are especially sensitive to inertia, and it is the job of their leaders to ensure it does not stagnate.
- What do we Owe our Teams?. Here, Richard Mironov offers some sound, brief advice for how team leaders ought to enable their teams to do good work.
- Notes for New Hires. I love the advice Clinton Blackburn gives here. I include many of these points in my one-on-one counseling during on-boarding.
- The Six Dumbest Ideas in Computer Security. Written in 2005, these observations are just as apt today as they were decades ago.
- Surfacing Required Knowledge. Fred makes the observation that few build expertise nowadays in favor of externalizing it, and offers suggestions for building a culture where deep knowledge and expertise are developed and conveyed.
- Design Your Organization to Match Your Strategy. Ron Carucci and Jarrod Shappell explain the impact of structure on an organization’s ability to achieve its long-term goals. Even in the military there are many opportunities to task organize around a problem, and this article offers helpful advice for doing so well.
- Local Optimizations Don’t Lead to Global Optimums. Fred Hebert highlights the disconnect between local and global optimums in this interesting essay on the importance of identifying friction.
- Ratchet effects determine engineer reputation at large companies. Sean Goedecke’s explanation of how engineers gain status in large organizations generalizes well to other fields, including the military. The best way to do something better is to do something well.
Podcasts #
- Detection: Challenging Paradigms. Jared Atkinson and Jonathan Johnson, and their guests, have a lot of interesting thoughts on the theory behind threat hunting and incident response. Their fascinating discussions have taught me a great deal about this field.
- Ctrl Alt Army. West Point’s Modern War Institute began publishing Ctrl Alt Army in 2024 to focus specifically on cyber topics in the military.
Topics #
Windows Active Directory #
- Understand forests, trees, and domains. Learn their differences, how they can interact, and what they consist of.
- Understand the five classes of services Active Directory provides.
- Understand Group Policy.
Authentication Methods #
- Understand Kerberos at a step-by-step level, and explain the difference between a ticket-granting ticket and a ticket-granting service.
- Understand Kerberos vulnerabilities. I like The Bible of Kerberos Attacks as a starting point. Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory – Active Directory Security is a good resource as well.
- Understand NTLM at a step-by-step level.
- Understand NTLM vulnerabilities, and learn the advantages of Kerberos over it.
- Learn about common Windows services that use Kerberos and NTLM. Know which they prefer, what they fall back on, and the circumstances under which they do so.
Projects #
- Build a SIEM. One of the best projects for the professional development of cyber soldiers is the construction of a security incident and event management platform, or SIEM. Understanding not just how to use their tools, but how to administer them as well, is an important step in an analyst’s maturation.
- Build a homelab. Creating a lab environment — or homelab — for testing new technologies, validating defensive techniques against a simulated adversary, and experimenting with influencing the operating environment is another valuable project for cyber soldiers. Mission-critical networks are not the appropriate environment for experimentation; a homelab is.
1/3 - Personal Education #
No matter how much you love your job, I encourage you to read, write, develop personal projects, and pursue your own interests — especially if they lie outside the cyber domain. Technical people in particular seem to have a tendency to work in front of a screen all day, then do the same at home. Find something to do with your hands — or, if you work with your hands all day, think about switching it up at home. I recommend reading these books and articles, studying these topics, and working on these projects.
Books #
- Slack: Getting Past Burnout, Busywork, and the Myth of Total Efficiency, by Tom DeMarco. In this short book, Tom DeMarco examines the consequences of over-optimization and discusses its remedy, slack. As the cancerous growth of bureaucracy continues to hobble this and many other organizations, it is more important now than ever that military leaders understand the consequences of their misguided actions.
- How to Win Friends and Influence People, by Dale Carnegie. Many like to make fun of this book, but whether leading a team or building a professional network, relationships become more important the more your career progresses. Learn to craft them well, now.
- Extreme Ownership, by Jocko Willink. The best book on leadership I have ever read. It informs my leadership philosophy to this day. Jocko goes into even more depth on his excellent podcast, so check that out as well. He also wrote a similar “field manual”, Discipline Equals Freedom, that you may find interesting, too. Many of his lessons apply to life in general, so I cannot recommend these enough.
- The Elements of Style, by Strunk & White. Good writing takes a lot of time and energy. Becoming a good writer takes an immense amount of both, and so most never get there. In this classic, William Strunk and E.B. White explain some simple ways to write well. Becoming a good writer is one of the most significant steps a person can take to better themselves, and this book will help.
- On Writing Well, by William Zinsser. For those looking to move beyond the simple steps in The Elements of Style, William Zinsser has some fantastic advice about how to become a good writer, and how to approach becoming a good writer.
Articles #
- Work is Work. Understanding how large organizations work, and the things that actually make them succeed or fail, is immeasurably valuable. I consider this piece from Coda Hale the seminal article on the subject of organizational theory. Use this knowledge to better navigate, and effect meaningful change in, your place of work. I found the section “Hell is Other People” particularly enlightening in a place that loves meetings, as someone who does not. I encourage all to try to better their organization, and consider it imperative that leaders — and Officers in particular — do all in their power to optimize their environment for success. Ryan Donovan’s article for the Stack Overflow blog, Are meetings making you less productive? does a nice job of examining both sides of the issue, and even provides helpful guidance for minimizing time spent in meetings and optimizing those that still must occur.
- Embrace Complexity, Tighten Your Feedback Loops. Here, Fred Hebert hammers home a critically important point for organizational leaders: that they likely understand their institutions much less than they think they do, and work is very different than they imagine. Understanding this is key to mitigating the underlying problems and problematic results. I consider this article another very important teacher of organizational theory. Fred ultimately has no silver bullet fixes, but in enabling an understanding of the problem, he brings us one step closer to realizing the solutions.
- Organizational Politics. As a good complement to Work is Work, here Phil Venables explains several techniques for understanding, navigating, and taking advantage of organizational politics.
- When Everything is Important But Nothing is Getting Done. Roman Kudryashov describes a situation familiar to anyone in the military: everything is important, but nothing gets done. Here he details a step-by-step guide to fixing that, similar to the approach described in The Phoenix Project and The Unicorn Project by Gene Kim. Knowing how to fix something may only be (a small) part of the battle, but it is a part of the battle.
- Embrace the Grind. Jacob Kaplan-Moss with a good reminder on the importance of doing things the hard way.
- How to Write Usefully. One of the most important and impactful things you will do in any organization is communicate, often in writing. Paul Graham offers some great advice for writing well here. In a related article, Snir David makes a good case that most communication should take place this way.
- Don’t Call Yourself A Programmer, And Other Career Advice. Out of all of Patrick McKenzie’s great work, if you read just one article, read this one. He has some fantastic advice for those just starting their careers that even senior soldiers entering the civilian workforce will find helpful.
- How to Ask for Feedback. Sam Julien offers some advice for asking for feedback.
- Growth hacks: coffee with an experienced engineer you don’t know. Find a way to have smart conversations with smart people. You will both learn a lot, and talking through whatever challenges you both face will help you work through them.
- What do executives do, anyway?. Substitute “leaders” for “executives”, and this becomes an explanation of the role senior leaders play and a cautionary tale for the consequences when they fail to do that job well. Understand both and use this knowledge to help inform your career goals.
- Becoming a Better Developer. As a counterpoint to a piece by Jason Rudolph, Rich Hickey shares his thoughts on becoming a better developer. Where Jason believes many varied experiences lead to mastery, a belief the Army shares in its “up or out” model, Rich argues that depth — rather than breadth — will get you there. I tend to agree with Rich when it comes to technical fields, although Jason has the right idea for generalists. Understand the different approaches, and the different results they achieve, so you can 1) reach your goals, and 2) recognize when someone puts you on the wrong path. It takes six to ten years of focused effort to become a master (although some disagree, do not trust those who tell you otherwise). “master” is not necessarily the same as “Master”. See also: The Shortcut Is: There is no Shortcut.
- The dark shadow in the injunction to ‘do what you love’. Maslow’s Hierarchy of Needs purported to give managers a roadmap to employee buy-in. In this piece, Kira Lussier explores Maslow’s theory, its implications, and its (unintentional) consequences.
- You don’t need to work on hard problems. The Cyber branch has a serious retention problem. There are a lot of reasons for this. Setting aside the well-justified complaints of those stuck doing non-technical work, though, I disagree with one of the most common reasons soldiers leave: they want to solve “hard” problems. In this piece, Ben Kuhn makes the case that you, like him, might actually have a different goal — and that with some introspection, you might discover it and find newfound meaning in your job. See also David Heinemeier Hansson’s article Try hard not to solve hard problems, and Phil Venables’s article Grand Challenges or Grind Challenges.
- How to waste your career, one comfortable year at a time. Apoorva Govind argues that when it comes to your career, complacency is cancer. I have met many soldiers, Officers and Enlisted alike, who complain that they don’t get to work on cool things; every time they got an opportunity to excel, go above and beyond, or take on additional duties, though, they declined. Their complacency first killed their motivation, and then their careers. See also David Heinemeier Hansson’s article Move the Needle or Move On.
- A Stroke of Genius: Striving for Greatness in All You Do. R.W. Hamming explains what it takes to achieve greatness. As others in this list have said, it takes a lot of hard work — but it also takes choosing the right problem at the right time, and it depends on several other factors, many of which we control.
- Advice to my young self: to succeed in your career, forget side projects and focus on your job. Manuel Darcemont argues that excelling at your actual job, rather than doing mediocre work with a lot of (interesting) side projects, is the key to a successful career. While I agree, I also believe that those side projects are the key to moving from where you are to where you want to be. To go back to the example of the soldiers stuck in uninteresting jobs, step #1 toward getting to those cool jobs is crushing your day job; step #2 is showing an aptitude for those cool jobs with the things you work on at night and on the weekends. Be so good that they can’t ignore you, and they won’t.
- How to Work Hard. I hear this most often about feats of strength, but also about other traits like intelligence and work ethic — “That person can do it, but I can’t.” The idea that success comes down to a simple question of innate ability is a comforting one. You have it, or you don’t. What better way to excuse mediocrity? But as Paul Graham explains here, success requires at least two of these traits: natural ability, practice, and effort. Don’t take yourself out of the running just because you don’t have all three.
- Beyond Smart. Paul Graham argues that intelligence, what many consider an end in and of itself, is actually a necessary but insufficient requirement for discovery — the truly meaningful goal. It’s an interesting idea, and he makes sound recommendations for areas of self-improvement to reach that goal.
- Willingness to Look Stupid. Dan Luu’s willingness to look stupid has served him remarkably well, and in the context of this document on personal, professional, and military development, his advice is especially important. Early in their careers, many make a speed run of climbing Dunning-Kruger’s first peak — “Mount Stupid”; it takes most people years to overcome their insecurities, accept the complexities of their field, and begin the long climb to excellence. It does not have to.
- Focusing on the Goal. The mission comes first, and accomplishing the mission in austere and rapidly changing environments means adapting and overcoming obstacles quickly and efficiently.
- Procrastination. Independent full-time blogger Shawn Blanc talks about the insidious nature of procrastination, its false promises, and some concrete strategies for combating it.
- How to Collaborate with People You Don’t Like. The unfortunate reality of the situation is this: you will come across many people in your career that you do not like, and you will have to work with many of them. Mark Nevins offers some concrete advice to make sure this unpleasant process goes well; I encourage you to take it.
- The Fucks and How We Give Them. On the topic of having to do things you will not like, here Patrick Rhone talks about managing the one aspect of your life completely within your control: yourself. Take his advice: care about the things you must, and stop investing emotion in things you do not have to, or over which you have no control.
- On National and Enterprise Outsourcing. Bert Hubert makes the case that outsourcing has obvious short-term benefits but serious long-term downsides, regardless of whether it takes place in a company or at the national level, and I tend to agree. As a nation, for the most part we have just seen the former; in the coming years, we can look forward to the pain of the latter as the payment for this far too widespread and pervasive practice comes due. There is also a dangerous point to be made about the cost of outsourcing a great deal of the capability development in this organization to defense contractors, but I will leave that for you to discover. Note: Bert accidentally published a draft of this post, which I read for this entry, that he then took down; the finished post may not be available yet.
- Out-Sourced Profits: The Cornerstone of Successful Subcontracting. In a 2001 study written for Boeing, Dr. L. J. Hart-Smith takes a hard look at the true value of outsourcing and comes to a similar conclusion as Bert Hubert in the article above. I encourage you to read Work is Work, to best understand Dr. Hart-Smith’s point that while outsourcing may appear to lower monetary costs, the organizational cost is remarkable. Incidentally, as Marie Carpenter and William Lazonick explain in, Losing Out in Critical Technologies: Cisco Systems and Financialization, it seems Cisco had made the same mistake. In Boeing and the Dark Age of American Manufacturing, Jerry Useem makes a similar case for Boeing.
- Build versus buy. The last two articles talk about the downsides of outsourcing; in this one, Will Larson talks about a straightforward process for weighing outsourcing’s costs against its benefits.
- Reshoring Supply Chains: A Practical Policy Agenda. David Adler and Dan Breznitz, in the American Affairs Journal, discuss the issue of enterprise outsourcing in America and offer some concrete policy suggestions for fixing it. I find this issue fascinating and applicable at a much lower level than strategic national security: I see outsourcing take place even amongst my team, to similar effects.
- All the best engineering advice I stole from non-technical people. Marianne Bellotti describes five insightful statements and how they impacted her work as a manager of engineers.
- How to build silos and decrease collaboration (on purpose). Jade Rubick’s fantastically interesting take on silos and collaboration challenges the widespread assumption that the former are inherently bad and the latter is inherently good. I consider this a must-read for anyone entering mid- or upper-level management. Jim Nielson echoed similar thoughts in What “Work” Looks Like.
- Farnam Street. Perhaps the single greatest source of lessons in personal development, Farnam Street topics range from the OODA loop and other techniques for making sound decisions to the use of mental models for rapid and effective decision making to discussions of the value of feedback and how best to act on it. Start with those articles, or work your way through the site’s most popular posts. You cannot go wrong with this excellent resource.
- Individuals Matter. Dan Luu discusses the high costs of treating people as fungible. I found this especially interesting given my background in the military, which operates on the foundational assumption that people are commodities that can, should, and in fact must be moved around frequently. While the Army’s penchant for fungibility stems from the strategic leader initiative, private industry has no such excuse.
- Mental Models. Although ostensibly about mental models, this article also contains several brief explanations of useful concepts. This article will help you recognize bias (in yourself and others) and support the development of knowledge structures key to becoming an expert in your chosen field.
- Publishing your work increases your luck. Aaron Francis makes a great case that putting yourself out there leads to all sorts of benefits. If you feel like you might have something to contribute, publish it: worst case scenario, you learn from it — but best case scenario, it opens up new opportunities. This is one of the reasons I continue to maintain this website.
- Keeping Up with Current Events. Back in 2019, as a precursor to this project, I sat down to catalog all the websites I visit every day to keep up with current events. I update this living document as I find new sources, or stop paying attention to old ones. Those of you who want to stay well-informed, but do not know where to start, may find this article helpful.
- My Evening Reads. I visit the handful of high-volume websites in Keeping Up with Current Events a few times a day; this article catalogs the much larger number of lower-volume, mostly independent websites I follow that post such high-quality content that I do not want to miss a single article. I also update this living document as I find new sources, or stop paying attention to old ones. I recommend using this list, in conjunction with the previous one, to start building a well-rounded and effective news aggregation strategy.
- How to Do Great Work. I found Paul Graham’s insight into the obstacles to achieving greatness, and his advice for overcoming them, hugely impactful. Most people have a natural tendency to assume greatness is unachievable, but as Tony Kulesa points out in a follow-up post to Paul’s, it is often a matter of “a relatively small amount of force applied at just the right place.” Paul has consistently applied that relatively small amount of force at just the right place, and How to Do Great Work is a fascinating study of how and why. Paul also talked about how success compounds in Superlinear Returns, another great piece. In a similar vein, Henrik Karlsson and Johanna Wiberg explored the state of mind necessary to create new and interesting ideas in their interesting article, Cultivating a state of mind where new ideas are born. See also On having more interesting ideas by Henrik Karlsson.
- Breaking Down Tasks. Part of his series on estimation, Jacob Kaplan-Moss talks about his process for breaking down projects into discrete tasks.
- Write for others but mostly for yourself. Jack Vanlightly talks about why he writes and offers the helpful advice that, “you don’t look at blog writing as just something people do to work on their “personal brand”. It can definitely help with that, but first and foremost it is a tool that people can use to up their game and take their knowledge and critical thinking to the next level.”
- How to think in writing, part 1: The thought behind the thought. Henrik Karlsson offers an insightful take on the importance of writing and his approach to the writing process.
- A forty-year career. I love Will Larson’s banner graphic in A forty-year career. It shows how different jobs emphasize different dimensions of one’s life. The first job in the graph leads to a lot of learning, profit, and personal relationship development at a medium pace and without much prestige, while the second job has a lower pace and involves less learning in exchange for more money, more prestige, and more relationship development. John Arundel describes a similar idea in his article, A career ending mistake. In a similar vein, I enjoyed Tim Urban’s perspective in Your Life in Weeks, The Tail End, and 100 Blocks a Day.
Topics #
- Coming soon: Personal development topics to study.
Projects #
- Woodworking. I love woodworking, and I think everyone should give it a try. Here’s why:
  - Low startup costs. Start with a hammer, a saw, and some nails. For less than $50, you can decide if you like woodworking. Invest in a decent drill, too, and something like a patio pergola — which hovers around $1,000 retail — becomes doable for a fraction of the cost.
  - Wood is cheap. A simple and sturdy shelf, eight feet long and three levels high, will set you back about $50. You can also dent, scrape, and trash these boards, and recover from anything except cutting one too short. This lowers the barrier to starting new projects, encourages experimentation, and puts the price of making a mistake — of learning — at about $3.
  - If you can dream it, you can build it. I see a lot of people jump right to steel or aluminum, but for most projects, wood will work just as well. Using wood also means you can design exactly what you want, and since you finish it yourself, the product will end up looking much better.
- LEGO Robotics. If you have a bit more money to spend or kids in the house, or want some of the same benefits of woodworking from a more technical hobby, give LEGO robotics a try. It will cost more to get started, but less in the long term, and you can take on more technical projects at a smaller scale. I like to use LEGOs to test designs before I mock them up in SketchUp, on my way to building them with wood.
There’s a saying, “He not busy being born is busy dying.” Something similar applies in the cyber domain: “He not busy learning is not busy at all.” In a field based on complex technologies and full of remarkably smart people, the only way to stay relevant — to stay employed — is to become a lifelong learner. This habit takes a lifetime to build, but you can start by taking an active role in your personal development.
↩ Consider the best network administrator in the world. That skill alone does not generate revenue, so he or she must work for someone else. If, instead, this person sits at the top of the org chart in their own company, they have made themselves a generalist, with skills in other areas; that has come at the cost of being the best network administrator in the world, though. Someone else, who does nothing but administer networks, now has that title.