I went ahead and counted all the information security resources I have hoarded over the years of learning it and the numbers are staggering:
- 96 courses saved on LinkedIn Learning, most of which I haven’t even started
- 40 e-books that were purchased from bundles on Humble Bundle that I’ve never read
- 6 more hardcopy books lying around my house that I haven’t finished
- 6 Udemy courses that were purchased, but never finished
- 3 months of Codecademy Pro that I got for free and have barely used
- 1 free month of Pluralsight that I haven’t used at all
The list goes on, but you get the idea. Am I just a terrible student? Perhaps, but I did end up learning something, so maybe it’s not that simple. I am sure many of you can relate to what I just described - hoarding learning resources, but never using them. The sole fact that you are hoarding learning resources is indicative of the fact that you have the motivation to learn. If you were disinterested in learning or lacked the motivation to, you wouldn’t be saving learning resources for later, you wouldn’t be looking for them at all, so perhaps the issue is not lack of motivation? For now it’s not, but if you don’t get your learning habits under control, it may lead to a lack of motivation.
There are hundreds of learning resources that I have bookmarked and never used, but don’t get it twisted, there’s also a whole bunch that I’ve read cover to cover multiple times. Video courses and books are incredibly useful sources of information, but there’s something you need to realize: you can’t keep learning solely from them forever. At some point the benefits of reading a book or watching a course are outweighed by the downsides of that kind of learning. Can you really blame yourself for slacking off on studying material that you find boring? Turns out, yes, you can. You can tell yourself that you have to, you can try forcing yourself to, but is it really worth it in the long run if you do? It’s not, and let me tell you why.
If there is something I really want, I won’t be able to get it out of my mind day and night. My first discovery of this as it relates to learning came in 2018, when I was studying for the Security+ exam. During that time I rewatched Mike Chapple’s Security+ video course 3 times, reviewed port number flashcards tens of times and re-read a book about it twice, all while working part-time and being a full-time student. I might have started that learning project enthusiastically, but by the end of it I had to force myself to continue, beating myself up for not reviewing and rewatching materials. I passed the test and I did well, but I was so burnt out by the time I did that I fell out of my learning routine for several months. Cybersecurity is a topic I am very passionate about, but I just couldn’t stomach even the thought of learning at that pace again. When my burnout finally went away, I came back to study for the Cybersecurity Analyst exam and this time I tripled the efforts. I couldn’t sleep at night because I was worrying so much about the score I’d get. I passed the exam with 845/900, a score that is incredible for someone with no experience on an exam that is supposed to be for professionals in the field, yet I felt terrible. I was so tired and burnt out on the topic again that I didn’t study it at all for half a year. Now that’s almost a year’s worth of time combined that could have been used to learn something, but was instead lost due to burnout.
Is there a better way to learn? Yes, there is. I’ve been on a quest to find a cure for my two worst ailments - burnout and procrastination, and I believe I have at least found the right direction, and I’d like to share it with you. One interesting observation that I’ve made about myself while studying the field of information security is that I can sit down for 10 hours straight and try to find ways to solve CTF challenges, but if I start reading a book or watching a course about it, I get bored beyond belief in less than 2 hours. The reason for that is that it’s active project-based learning and simply reading is not. You are responsible for solving the challenges yourself, and you are responsible for learning how to do so yourself. When you google a vulnerability or a piece of technology that you encounter during the CTF and haven’t seen before, you are learning something that is directly related to your current project at hand. One problem college education has is transfer. Transfer is how well what you learned in class transfers to real work and spoiler alert: most of the time it does very poorly. CTFs are the total opposite of that, because you are trying to learn something that is directly connected to what you are trying to solve and it just happens that what you are trying to solve is also a real system, so your transfer will be much higher from doing CTFs. I recommend that you read the book called Ultralearning by Scott H. Young if you want to learn more about transfer, but the big takeaway for me from that book was that active project-based studying is much more conducive to learning than following a rigid curriculum and passively watching a video course or reading a book while your mind wanders about.
So does that mean that passive learning is useless? Hell no, if you don’t know what vulnerabilities exist, how are you going to complete a project where you have to find them? You can’t. You need a certain fundamental base to go off of. It may sound abstract, but consider this: the more you know about a topic, the less benefit you get from passively learning about it. If you know and recognize Cross-Site Scripting vulnerabilities, you won’t benefit from reading a book about Blind Cross-Site Scripting vulnerabilities as much as someone who has never heard the term XSS. This is a relatively mild example, but in the extreme case, the boredom of finishing a learning resource may sometimes outweigh the learning benefits from it. I’ve been recently beating myself up to finish a Web Application Hacking course on Udemy, but I’ve realized that the reason I am so reluctant to finish it is because it’s very basic and introductory. I have already seen all the vulnerabilities described in CTFs and the boredom outweighs the learning. I would rather work on challenges on HackTheBox.
So what should be the course of action?
- Stop beating yourself up for not finishing a learning resource
- Don’t force yourself to finish a book or a video course you have saved, it’s just not worth it in the long run
- Go to CTFtime right now and register for an upcoming event. If you already have the basics, you’ll learn more from it