I’ve been asked many times the question “which IT certificate, class, training, etc. should I take to start or improve my career in cyber security?”. I’m delivering a few high school talks this winter and sure I’ll hear this question at those sessions as well. This post will cover my personal thoughts on the training options available through certificate programs, college classes, online classes and reading. I’m not claiming to be the expert in developing career paths however I can speak to what I’ve seen over the years taking many exams, classes and now writing training material for Cisco press.
Specialize
The first piece of advice regarding a training path is to consider specializing verses general knowledge. The more specialized you become, the less people there are to compete with a specific job option. This also means the more valuable you become IE better pay and job security. For example, its critical to understand routing and switching however specializing in Firewalls or IPS technology would provide an edge as less people have that capability. You could later go deeper by learning how to write Snort IPS rules making you more specialized then somebody with general IPS administration experience.
My advice for those in a current role looking to increase their pay and advance their career is to pick a specific technology category to specialize in. Talk to your manager and develop a training path that includes hands on time, boot camps and reading material.
Certifications
There are many certification options that vary in difficulty and content. Vendors such as Cisco and Microsoft offer their own programs that are great for those looking to or currently work with that technology. Other options are investing time in offerings from IT organizations such as EC-Council, (ISC)2 and SANs who develop content based on industry topics verses a specific technology. What is key is considering what you are looking to accomplish. If you are looking at understanding security from a management or consulting viewpoint, something like the CISSP would be good for you. If you are looking to get an introduction to penetration testing and open source hacking, the CEH may be a good starting point. If you are looking for more advanced and hands on certifications, maybe a SAN course or Offensive Security’s OSCP course would be good for you. Certifications can be good if you spent the time to learn the material. Be careful of taking the easy way out using brain dump sources. I’ve interviewed people with certifications in technology they really didn’t know.
Here is a quick summary of some of the popular ones I’ve taken.
CISSP – This is a multiple choice test that covers the general security language and business impact understanding. This is good for managers, people looking to consult, check box for many government jobs, etc. This is not hands on and completely theory based.
Preparing for the CISSP – The exam will typically offer two really good answers, one decent answer and one obvious bad one. Many people with experience that don’t prepare properly will fail due to using their own opinion of the right answer verses what (ISC)2 believes is the right answer. My advice is to read one or two books and take as many practice exams as you can. The more questions you take, the more you will start to see how ISC wants you to think making you ready for the actual exam. Boot camps are ok but of all of the training options for this exam, practice tests are the best preparation in my opinion.
Certified Ethical Hacker (CEH) – Hacking exam that is concept focused with some hands on. Good as a introduction to penetration testing but will not make you field ready. Great starting point for pen testers, security assessment providers, people responsible for security and want to know how to test their own networks, etc. EC-Council offers more advanced courses that would follow this training.
Preparing for the CEH – I used a boot camp that was pretty solid years ago. Not all boot camp providers are created equally so be careful who you use. I found the hands on training and exam were two different areas of focus meaning the actual test requires training like any other paper exam with hints of configuration questions.
Cisco Security Certifications – Typically Cisco exams are a mix of product specific questions, understanding various protocols and cover how a solution fits into the overall network. These exams are for a career in Cisco, partner, or company that uses Cisco technology. Some of the latest exams coming out of Cisco are leaning towards industry topics such as the Cyber ops, which is different from the typical product focused exams. I have personally taken a lot of these for my career. Some were helpful while others were required for my company to have a few certified individuals forcing me to pursue the exam. My advice is start with the basic CCNA and spend the time to learn the fundamentals. Then specialize within the CCNA program along with similar technologies. For security, consider the CCNA security program, Cyber Ops and maybe a IPS based exam.
Preparing for Cisco exams – This varies based on the exam. The best advice is to check out the learning objectives found on the exam page and use a blend of reading, practice exam and training.
Offensive Security Certified Professional (OSCP) – This program is by the people behind kali Linux. The OCSP is a tough exam with lots of hands of requirements. You will get lots of street credit from those that know the exam but expect to work hard and learn a lot.
SANs / EC-Council Courses – SANs and EC-Council offer a ton of certification and training. These can be very useful if you know what you are looking to learn. My advise would be to speak with a SANs / EC-Council representative about what you are interested in learning as do the research before jumping into a program. I found some course really awesome while others a waste of time.
College Courses
Many classes tend to be theory based verses hands on. The program quality ranges from school and degree so typically it’s tough to know completing a specific line of courses will get you a job in cyber security. I have worked with people that are really smart, well paid and didn’t attend college. I also have worked with others that have PHD level education. Security jobs typically require you to prove what you know verses having to show a specific degree. Some jobs such as government offerings will not let you interview without a base level of degree but the average interview will focus on your current knowledge. Make sure you judge the cost and time required for a degree or course against some of the boot camp and other hands on options available.
Free Online Classes
There are a TON of free online classes and videos for just about anything. If you want to specialize in something, you probably can find a youtube video on how to do that. If you don’t know where to start, pick something like Kali Linux, download it for free and use youtube to learn all of the tools. If you want to start with a defense practice, download SNORT and use youtube to learn how to use it. If you want to study for a specific certification, search google for training and advice on the exam. For example if you want to learn about hacking with Raspberry Pis, google “hacking raspberry pi” and start learning. If you want to learn about security concepts, google should be your best friend. This approach is by far the best way to get a understanding of how things work and test if a area of focus is right for you. YOU MUST HOWEVER PUT IN THE TIME!!!! This is where most people fail.
Conferences
I go to a LOT of conferences. Many times I’m going to socialize when other professionals however sometimes its for the content. You don’t have to attend the expensive conferences to get value. Cost doesn’t always equal quality. For example, the Blackhat, DEF CON, B-Sides week in Las Vegas could be a few grand if you attend Blackhat and DEF CON. A much cheaper version costing a few hundred dollars would be attending B-Sides and DEF CON (B-Sides free and DEF CON 250 dollars). My suggestion for those on a budget is to check out Meetups and B-Sides events (free). Those with a company sponsoring them should either attend a few smaller shows such as DEF CON, Shmoocon, etc or a larger security event like RSA or Blackhat. It is very important to attend some events each year to stay up with the current trends. But you don’t need to drop large money to do so. Also it is important for those starting a career to speak with as many people as possible. You never know who you will meet at a free meetup. Most likely people creating free events are looking to recruit new blood.
Hope this high level overview helps with deciding on how you should tackle training.