I realise this may sound a little contradictory, and I can’t guarantee that what works for me will work for you, but these are my ramblings and nothing more!
In October 2018 I sidestepped from my role as the longest serving (though by no means the most senior) member of the Security Engineering team to the newest and definitely least qualified member of the Security Architecture team. Not only was it a step up in my career, but it was also my first new role since graduating that wasn’t just a change in job title. I felt completely out of my depth. Despite having a very friendly and supportive team around me, I was acutely aware of my lack of experience compared to my new peers.
Apparently I’m a sucker for punishment, because 14 months later I left completely to join the mysterious world of contracting. Another massive step up for me, and once again feeling well out of my depth, I fell back on this same mechanism to boost my confidence and self-esteem. Proving that, at least for myself, it’s a valid and viable coping strategy.
What is my secret weapon? It’s simple: Cheat Sheets. The knowledge and wisdom of many, many more experienced professionals distilled into bullet-point lists that are easy to refer to! For me as a Security Architect these Cheat Sheets were security focused; my primary go-to is the OWASP Top 10.
Despite what you (as a Security Professional) might think, the OWASP Top 10 is not ubiquitous. Even when it is, you (as a Security Professional) have a different interpretation of it than someone whose job isn’t primarily security. This made it a great starting point for me: I distilled the Top 10 down into a ten-point list on my phone that I could quickly refer to.
How do I use it? It can be really overwhelming to walk into a meeting where you’ll be consulting with a product team on their security requirements. Having a list of things that might be a risk, that you know are industry-proven to be the top sources of vulnerabilities, and that you hopefully know a little about, really helps you drive the conversation with confidence.
Another great resource is the SANS Securing Web Application Technologies (SWAT) checklist; it has so many good lists. For Cloud infrastructure the Cloud Security Top Ten is particularly helpful: if you cover all ten and don’t find anything to improve on, you are working in an organisation with unbelievably good security.
Of course not everyone reading this will be in the security space. Fear not, weary internet traveller, you too can benefit from Cheat Sheets! For anyone building modern web apps the Twelve-Factor App factors are a must-read. I’m aware there are some “alternative” views about the Twelve Factors, but it’s a good start nonetheless. I’m sure whatever it is you’re getting into, there will be cheat sheets on the internet if you look hard enough.