I was already on pole, and I just kept going. Suddenly I was nearly two seconds faster than anybody else, including my team mate with the same car. And suddenly I realised that I was no longer driving the car consciously. I was driving it by a kind of instinct, only I was in a different dimension. It was like I was in a tunnel

~ F1 (Senna)

I want to tell you a story (not long) before I ask you to think critically about the penetration testers, grads or students you have hired, will hire or want to hire.

It was early 2015, and I had recently pitched the concept of a Capture-The-Flag hacking competition to my University's faculty governing IT Security. I had just the weekend to build something that I wanted to share with young high schoolers from across Australia. My hope was that I'd connect with those who had a passion for hacking, and spark something in those that didn't. Between the Friday afternoon and Sunday morning at 3:30am, I achieved a total state of flow.

My work involved setting up deliberately vulnerable servers and software, building web applications and writing tutorials, and implementing design flows, narrative storytelling and gamification concepts. All of this was completely uninterrupted. Facebook did not exist. Gaming and videos did not occur to me, and hunger and thirst were something I barely noticed. My entire life existed around this goal, and it was a challenge I'd like to think would take weeks if not months outside of flow.

The result was incredible - while I felt accomplished about what I had created, my state of flow empowered high-schoolers to sit for up to 5 hours at a time tinkering around vulnerable challenges with their waiting parents. This was an open day that was planned for 10-minute drop-in sessions. Some were so persistent with the task at hand they completely ignored their parents' requests to visit other Universities holding open days. Through my work and research, I was able to establish a state of 'flow' in some of these students.

The concept of 'flow' is often referred to as the complete absorption in one's task at hand, and deeply enjoying the process of the activity. Csikszentmihályi, who researched the concept of flow thoroughly, pointed out that the hallmark feeling of flow is "spontaneous joy, even rapture, while performing the task." This isn't your average day of focus or concentration at work - this is what is commonly referred to as 'in the zone', or 'wired in.' Think of software developers who are intrinsically motivated in their undistracted state, getting a 'feel' for the code, jumping between thousands of lines and knowing exactly where everything is. Traders facing high volume days with hundreds of market corrections often claim to be in a state of trance, their mind facing complex numbers and decisions but deeply enjoying their ability to be involved in such a process.

'C' observes that people flourish as their achievements grow, and with that comes the development of their emotional, cognitive and social complexity. These achievements can be mentally installed in someone who is facing challenges that slightly stretch their skills. Someone who's not challenged at work is going to be bored; someone who's set a complex challenge with sufficient difficulty is going to search and try and do and try and search and... Their mind is going to form a map of what works and what doesn't. These tie in with some of 'C's basic elements of the 'Flow' experience.

  1. Immediate feedback
  2. Feeling that you have the potential to succeed
  3. Feeling so engrossed in the experience, that other needs become negligible

Now, I could go on all day about my research into these elements and how they are fundamentally embedded into CTFs, but it stands true for our work as penetration testers. By nature, many infosec individuals came into the field with their great sense of curiosity. We cannot lose that intrinsic motivation, and we should nurture it and allow the younger generation to experience it in order to become thought and action leaders within this industry. One could even argue that with the recent media and recruitment blitz on the infosec shortage, many more young people will be breaking into the sector without that deep sense of drive.

I believe more needs to be done about empowering young cyber security students to love their work, and love it with a passion that compels them to learn the necessary skills and know in their heart they're in the right sector. I know 'flow' aids people in developing an active passion for their work; I've seen it build fires in people's hearts and motivate others to get out of bed in the morning.

You too can establish activities and environments that are conducive to flow. You'll see morale improve in the workplace, people happy and feeling accomplished, and the resulting increase in performance. Sometimes, when working on a complex math problem, the solution only reveals itself 3 hours after you almost gave up and left.

  • Encourage 'hack' days or a few straight hours of team wargaming
  • Delegate someone to notify the team of Capture-The-Flag competitions and support a team effort in participation - reward this with incentives
  • For recruiters, look for people with a passion for CTFs, wargames, vulnerable VMs and ask them about a time when they spent hours on something. Usually, this resulted in a 'light-bulb' moment or similar.

Would you like to speed up the process of learning for that junior pentest role? You can aid their focus and inner enjoyment of tasks by setting them challenging, yet do-able tasks by ensuring that:

  • One must be involved in an activity with a clear set of goals and progress. This adds direction and structure to the task
  • The task at hand must have clear and immediate feedback. This helps the person negotiate any changing demands and allows them to adjust their performance to maintain the flow state.
  • One must have confidence in one's ability to complete the task at hand. Strike a balance between opportunity and capacity.

There are copious amounts of research on flow, the short and long term benefits of it, and how much of it contributes to the gamified experience of Capture-The-Flag. Giving employees tasks that involve flow will give you hours of productivity, provide them with powerful skills and prompt an inner passion within them both in and out of the workplace. If you ever want to have a more in-depth chat about it, shoot me a message!


Extra: Just a few items explaining flow, and suggesting metrics to achieve it. These items can work wonders in the workplace and prevent idle hands. You're giving the person a set goal similar to a video game - keeping them both enthusiastic and challenged at the task.

Some more detailed flow conditions:

  • Knowing what to do
  • Knowing how to do it
  • Knowing how well you are doing
  • Knowing where to go (if navigation is involved)
  • High perceived challenges
  • High perceived skills
  • Freedom from distractions