Training and education of the offensive security team
Organizations commonly under-invest in this aspect. To build a strong offensive security program and attract talent, it's critical to have a clear path of education for team members to evolve both individual career aspirations and the program itself. This includes being able to attend security conferences to learn and network, but also to present their own research and get inspired by the work of others to come up with the next great idea or operation.
It's not uncommon to get stuck in continuous operational work and to forget about training. There is a great analogy a mentor once told me. As far as I know, the story is based on something Abraham Lincoln said.
There is a woodcutter who cuts wood all day long. Over the course of time, his ax loses its sharpness. He gradually becomes slower and slower at cutting wood. He is just too busy cutting wood to sharpen his ax! One day, a friend tells him, "Hey man, I have been much more productive than you recently at cutting wood. I think you should sharpen your ax, you will be much faster again afterward!" The reply from the woodcutter was simple and straightforward: "I don't have time for that, I'm busy cutting wood!"
The moral of this story? Don't lose sight of the big picture, especially as the leader of the offensive program. Encourage your team to get out and participate in the security community to learn and give knowledge back to others. This way, the security community in your organization and beyond can benefit and make sure that our data is secure and safely handled across organizations. We are all in it together!
Personally, I had some of my greatest ideas for writing tools after coming back from conferences such as Blackhat, Defcon, or the Chaos Communication Congress. The environment is very inspiring. It helps to sharpen the brain, get exposed to creative ideas, and come back to the office very motivated.