Disclaimer: I am not an expert on mentoring; this originally started as a philosophical rant that ended with a caffeine-fueled research binge. It is a topic I feel passionately about and wanted to share my views on. This does not in any way reflect the views of my employers — past, present or future.
Not enough people in security
Security is an ever-evolving and growing industry. With data breaches becoming a major concern, companies are keen to hire security professionals. But… there aren’t enough qualified people to meet the demand. (ISC)²’s 2018 Cybersecurity Workforce Study found that there is a gap of almost 3 million security jobs globally. To make matters worse, most entry-level positions require two or more years of experience and/or demonstrable security expertise. Assuming there are openings which relax the job experience requirement, how does one gain the required security skills? If this question was posted on Infosec Twitter, it would be met with a barrage of options — internships, higher education, research, CTFs, blogs, bug bounties, certifications, online courses, and so on. While formal education programs exist for security, most professionals are self-taught. This is evidenced in H1’s 2019 Hacker Report, where 81% of the bug bounty researchers stated that they learnt through blogs and self-directed educational materials.
Given the over-abundance of resources, the ability to find the right one for the topic becomes important. Noticing the need for curation, the community has spun up awesome hacking lists. These are a great way to get started, but what happens when you hit a wall? It can be exceptionally frustrating, especially when you have put in the time but can’t seem to make progress. While a well-phrased question posted on forums like r/asknetsec or Infosec Stackexchange could help arrive at the answer, it isn’t the same as asking someone you know. Talking to a person with more experience on the topic gives us the opportunity to pick their brains and learn their approach. Having this guidance and support on an ongoing basis is the foundation of mentoring. Unfortunately, the majority of security professionals prefer working alone or having limited interactions. This is echoed by H1’s Hacker Report, where 24.4% work alone, 8.7% regularly work with others and only 9.9% were involved in mentoring (as mentee / mentor).
While toxicity exists in certain communities, it often has loud voices that reach disproportionately far and wide. This can be in the form of gatekeeping (“I made it here the hard way, you should too”) or putting others down for trying, all of which perpetuate the misconception that there isn’t room for everyone to succeed. As a community, we should not entertain such negativity and need to call it out. We ought to adapt the lessons we have learned to pave the way for those yet to come. Security is an ever-changing landscape filled with ambiguous problems, and guidance from an experienced person could very well be the support and encouragement they need to grow in the field.
Benefits of mentoring
Mentors help mentees with career development, learning new skills, increasing self-confidence and making new professional connections. Most mentors are motivated by the satisfaction of helping someone and seeing them grow, but the benefits don’t end there. They also get to improve their leadership skills, gain exposure to new perspectives, build a long-lasting relationship and increase their knowledge through teaching. Mentors can use mentorships as a mechanism to force introspection of their strengths and weaknesses, allowing them to make the journey from self-awareness to self-actualization. As time goes by, the support and learning become bi-directional. So, are all mentorships successful? Unfortunately, no. Negative experiences can stem from mismatch of mentor-mentee, lack of mentor expertise, distancing behavior, manipulative behavior and general dysfunctionality. Mentorships are not a binding contract; at any point in time, if either party is unhappy, they should walk away from it without regrets.
Successful mentor / mentee pairings
The most obvious requirement is matching mentees with mentors who can help achieve their goals. As humans we gravitate towards others that are similar to us, so would mentor/mentee pairings based on race or gender help people connect better? Ensher et al. found that attitudinal similarities (outlook, values, thought process) were more important than race or gender similarity for mentee satisfaction. Mentors who see themselves in their mentee are more likely to form a connection. A casual meet and greet to test compatibility would be a good starting point.
If you can’t find a mentor within your company, you can try local meetups, conferences or online forums. You can also check out Tanya Janca’s (@shehackspurple) hashtag #mentoringmonday which helps bring together people who are offering mentoring and those seeking it.
A good mentor
There are people who are already good mentors, those who will grow to be one and those who won’t. Given that mentoring is a voluntary activity, most people from the third category will self-select out. Those in the second category can be trained to be good mentors, either through coaching or shadowing others. The main characteristics that need to be cultivated are active listening, good interpersonal skills, flexibility and the ability to give constructive feedback. If you are a mentor or are interested in becoming one, I recommend checking out “Mentoring guide — A guide for mentors”, which outlines key mentoring skills and various stages of mentoring relationships.
Framework for sessions
During the first session, the mentee shares their goals and the mentor brainstorms ways to achieve them. Once the two settle on a rough plan, each party shares the type of support they need / can offer, availability and what they expect from the other person. For example, the mentor might expect the mentee to read through resources they share, complete tasks in a timely manner or put in the work before turning to them. Setting clear expectations will help prevent disappointments and disagreements. Both parties should actively seek feedback on a periodic basis to identify and address gaps. For instance, mentees can share examples where the mentor’s guidance was ineffective and mentors can identify areas of improvement in the mentee’s problem-solving approach.
Getting the most out of mentoring
There isn’t a one-size-fits-all solution for everyone; sometimes the needs of a mentee cannot be addressed by a single mentor. If the mentee is looking to improve their leadership skills and learn web security, they could seek multiple mentors. They can go a step further and seek mentors from multiple sources (within organization, within industry or outside industry). Individuals with multiple sources of mentors had more success in their career than those with single sources or no mentors. This was particularly true for people in earlier stages of their career, helping them grow their network and exposing them to different perspectives. Another important lesson to keep in mind is that it is OK to change mentors. If your needs change or you have learnt everything you can from your current mentor, then finding a new mentor is a natural course of action. Mentorship will organically develop or decay with time. Changing mentors isn’t “breaking up” with the mentor; the bond will still remain.
How can organizations help?
Organizations cannot limit their hiring to people with prior experience or expertise. This isn’t sustainable; they need to be willing to hire people with potential and grow their skills through training and mentoring. Mentoring has been shown to increase career commitment, job satisfaction and workplace diversity, and to reduce turnover intentions.
Organizations can set up formal mentoring programs with clear program objectives, matchmaking, defined roles for mentor / mentee and periodic oversight. The key factor which determines the success of the program is the matching process, which requires:
(1) having a large, diverse pool of mentors
(2) comprehensive information on the mentor’s strengths and mentee’s needs
To increase the mentor pool, managers or peers can nominate candidates who will then be invited to participate. It is important that involvement in the program be kept voluntary, since it requires commitment and interest; forcing people to participate in the program would only introduce negativity and cynicism. Once a mentor signs up, they will undergo training, which includes opportunities to shadow experienced mentors and thorough instructions to initiate, build, and maintain the relationship. The matching can be done by a program coordinator, who manually reviews the information provided by the mentors and mentees. Once paired, the first few sessions will focus on ensuring that the pair is comfortable with each other, with an option to try another round of matching.
As an incentive for the mentors, recognition and rewards can come from mapping mentoring into an existing performance metric such as leadership, tying this kind of organizational support into promotions or compensation. This isn’t to say mentoring is required to demonstrate leadership, but it is one of the ways to do so.
Once the program is up and running, the coordinators need to spin up channels for support and feedback. This can include a direct channel to raise concerns, particularly behavioral ones (abusive language, harassment and manipulation). As for feedback, surveys can be administered at the start, midpoint, and end of the program, providing an opportunity to collect input that can be used to improve the overall program.
As we continue to grow as an industry, we need to make it more welcoming to newcomers. Support and encouragement from more experienced members helps reduce stress and sets them up for success. We all appreciate guidance when we receive it; now it’s our turn to provide it. If you are interested in mentoring, use #mentoringmonday (and add the tag #iamamentor) with a short blurb of what you have to offer. If you are a manager in an organization, you can help set up a formal mentoring program and push for hiring junior talent. Let’s go forth and bring more people into security!
 Eby, Lillian T., and Tammy D. Allen. “Further investigation of protégés’ negative mentoring experiences: Patterns and outcomes.” Group & Organization Management 27.4 (2002): 456–479.
 Ensher, Ellen A., Elisa J. Grant‐Vallone, and William D. Marelich. “Effects of perceived attitudinal and demographic similarity on protégés’ support and satisfaction gained from their mentoring relationships.” Journal of Applied Social Psychology 32.7 (2002): 1407–1430.
 Van Eck Peluchette, Joy, and Sandy Jeanquart. “Professionals’ use of different mentor sources at various career stages: Implications for career success.” The Journal of Social Psychology 140.5 (2000): 549–564.
 Allen, Tammy, Lillian Eby, Mark Poteet, Elizabeth Lentz, and Lizzette Lima. “Career Benefits Associated With Mentoring for Proteges: A Meta-Analysis.” The Journal of Applied Psychology 89 (2004): 127–36. doi:10.1037/0021-9010.89.1.127.
 Chao, Georgia T. “Formal mentoring: Lessons learned from past practice.” Professional Psychology: Research and Practice 40.3 (2009): 314.