
Many of us are drawn to security because it changes all the time and there is never a shortage of new findings. The upside is also the downside: it changes all the time. I know I read something a few years ago that someone searched all the top infosec news sources and came to the conclusion that if you tried to read all of them, every day, there would literally not be enough hours in the day to do it. I can’t find the reference, but even if it’s just an urban myth, I doubt any of us have the time to know everything, about everything, all the time.
I know most of us aren’t crazy about the idea of named vulnerabilities, logos, websites and general malware marketing. But, and I doubt it’s just me, it does help get a lot more traction in getting things fixed at work. Telling another group their systems are vulnerable to CVE-2018-X might be ignored, but when their manager hears they are vulnerable to Spectre/Heartbleed/etc. that they’ve heard about on the news, well, now that sounds important and they’re willing to take action.
A few years ago I was interviewing and got down to the final stage. A week before, Shellshock was all over the news (see, malware marketing!). I sat down and the hiring manager said, “soo… anything interesting related to security that you’ve heard about lately?” I told him about what was going on and he breathed a huge sigh of relief. He shared with me that every other finalist they brought in didn’t have a clue what he was talking about. I’m not referring to just the nerd news either; this was all over major news networks and these people were all already working in infosec. The hiring manager felt that if the other candidates didn’t bother learning about big public security news, they surely weren’t going to bother keeping informed if they worked there.
I’ve asked this sort of question of every potential hire for our security department. I’m always surprised by how many people say they don’t bother following any websites, Twitter or email lists at all. They just wait for a vendor to email them if there is a vulnerability, which seems crazy to me. I know not everyone is going to be a con presenter, but at least show interest in your profession.
With that in mind, I’m always looking for ways to consolidate the news / alerts parts of my day. I do enjoy my work and check these things for fun too, but like I said earlier, there are only so many free hours in the day. Here are some of the ways that I do that:
Podcasts – I have an old iPod in the car loaded with security podcasts. I know most people would probably just use their phone; it’s mostly habit and it’s always charged, and I’ll get around to being more modern with that eventually. Every commute back and forth to work, or just driving around town, I have some nerdy learning sort of broadcast in the background. The specific ones are personal preference, but I typically get an extra hour+ a day of security info on commuting days. There are general security podcasts (Security Weekly has a few different flavors now and frequently has SANS instructors on there, very interesting), offensive-specific ones, social-engineering-specific ones; for almost anything you might be interested in, there is probably someone talking about it that you can learn from.
Twitter – I’m a Twitter lurker. I admit I almost never really interact there except for liking/sharing posts or emailing myself links to dig into later. But you can bet that when new things are breaking, a ton of the security folks I follow all start retweeting, and it’s not long before it’s a notification on my phone.
Websites / Forums – There are a ton of security news websites, and this can be like a black hole. I highly suggest a news RSS reader, like Feedly; you can add any site that interests you and check them all from one spot. That doesn’t exactly cut down the results, but at least it centralizes them. For forums, I read a few, but special shout-out to Reddit. I’ve seen many security topics break there, with great interaction from the readers. There is lots of junk there, but if you focus on technical subreddits it’s very solid and totally worth your time.
Email – I know getting news via email sounds weird if you’re thinking breaking news, but vendor announcements are typically done that way. I also get a daily email from the CyberWire, they consolidate a lot of the top security news stories for the day and give a quick couple paragraph breakdown for the overall news and links to all the trending stories. On days when I’m head down busy I still try to make time at the end of the day to scan that email to see if anything crazy happened that I missed. Highly recommended.
So, sadly I can’t make the day longer than 24 hours, but at least try to use the time you do have productively.