CISSP, cloud security, computer security, Cybersecurity, information assurance, information security, Infosec, isc2.org, ISSEP, mentor, network security, NOC, routers, SANS.org, SOC, virtualization, yber security
NOTE: Remember to look at previous and more current postings for other topics.
For this paper, you should read it in chunks and not at one sitting; I will cover the following topics and sub-topics:
An Opinions example
Getting into Cyber Security
Reading / Courses
Headhunter / Recruiters
Where to make a move to
Areas of Certifications
Other Pertinent fields
Over the past several years, I have been asked by folks for advice on two different areas – Intelligence and Cyber Security.
As a result, I wound up creating a basic outline for both areas: Intelligence & Analysis & Thinking at: https://patrick642.wordpress.com/2013/12/01/advice-intelligence-analysis-thinking/
— as well as this one on Cyber Security.
For this write up, individuals have approached me from various parts of the country seeking advice on what they would need to do in order to move into the world of Cyber Security. This paper attempts to be that genesis for those folks who are serious about making such a move.
When I began my Computer Security career, I was already in the computer field as were many of my colleagues. Many of us wound up becoming the de facto security person because of our interest and curiosity in the field. We ended up knowing and using a great deal of security because it was not as expansive as it is today. And it truly is a much expanded field, many of us had to realistically let some of our security certifications lapse due to the growing complexities and specialties cropping up.
You will hear this security arena described in various manners but just know that years ago it started off as Computer Security. Then it became Information Security, with another offshoot coming called Information Assurance and now we have Cyber Security. I expand on the terms at the end.
It all boils down to protecting digital information, making it secure as it lies at rest, while in transit as well as when that data is being processed.
Any training you endeavor to undertake ‘may’ be boring, monotonous and take some commitment from you to complete. By commitments I mean, sacrificing your personal time after work hours to do what is necessary to do any training.
It is going to take some time, patience and dealing with drudgery in going through any requisite training. You will at times think you already know the material but I would suggest you just go through it rather than skipping any material, which may become pertinent later on… Nonetheless, it will still be worthwhile later as you grow.
You WILL have to spend time in maintaining your certifications – and if you have a family (partner, young children), it will be a test for many people of dividing their time between family and professional education upkeep…
Today, there are so many areas to specialize in and become an expert on – you have to seriously sit down and consider what you are interested in today and what will continue to be a growth industry for the long term. You have to think strategically.
And be forewarned, gaining certifications can become expensive initially, which you will and should recoup later. Many companies and federal entities today will want you to agree to staying on with them for one – two years if they pay for your certification. Some of them wound up being burned in the 1990’s and early 2000’s because so many greedy employees would get the training and then immediately go somewhere else for the increased pay.
When I say greedy, I don’t really mean it in such a negative way but do not know how to say it otherwise.
As a result, if the company pays for your education today, they want you to stay with them. But, if you should leave that company early, they will dock your pay for the cost of that training/education. This is why I pay for my own training, which is what I’m currently doing today. I do not want to be tied down to an organization who only thinks about their bottom line.
If an organization is going to be successful, they should also be looking at continuous training for their employees. This will in turn cause many employees to stay with that firm, if they see the company cares about them.
(I am borrowing this section from my writing on Advice: Intelligence & Analysis & Thinking because it is applicable here as well.)
Be forewarned, multiple people have multiple opinions on Cyber Security. Your primary task is to filter out the chafe and go for the good stuff. You have to do your own reading, studying, ‘thinking’ and ‘analysis’ ultimately on your own.
You should dig up information on your own, find a quiet space and contemplate things in your head – let things stew and marinate some of that content you’ve been learning / reading / investigating.
Just because a person is an expert, self-proclaimed or otherwise, that person may not know everything, they just believe they do. And, some of these folks will discount anything someone else with a different slant or knowledge that could be better. That ‘expert’ may give lip service and pretend they are taking it under serious advisement but they are just throwing that info into the mental trash heap. There are far too many of these kinds of individuals around – DO NOT become like that, there is too much info out there today for any one person to be aware of. Sooo…. please, become a person who is very knowledgeable that everyone can respect, not the ‘expert’ who thinks that they know everything and is insufferable.
An Opinions example
Here, take Malcolm Gladwell, author of “The Tipping Point” and “Blink” book successes. Some people in the intelligence circles have poo-pooed his books as being too glib or too superficial or too ‘duh…’
The thing is there is good info in his books. Not all of the content may be relevant but a good portion of the content DOES give pause to thinking in a different manner. People may say “duh….” after they read some of the content, but they did not think much about certain aspects ‘before’ they read those sections. Yes, they are clear after you read them. The people I am referring to saying “duh….” are those experts who believe they do not require input from others…
Ultimately, you, yourself, have to form your own opinion and not just rely totally on someone else’s opinion.
+ + + Info here in this piece is simply my opinion and advice coming from a guy you do not know at all.
But note, no matter what I write here, it is only the tip of the iceberg, there is a lot more info out there on getting into and growing in Cyber Security.
My ‘stuff’ here is only compendium of multiple thoughts from previous learnings and experiences, hopefully in a decent order, for your reading, to tickle your fancy to go further in your own knowledge journey.
I mentioned finding a quiet spot, if you can; because many work place environments have gone back to the bull pen open air arrangements, not even cubicle walls. Some of these settings are not conducive to good solid thinking. Many of these settings are chaotic and those settings do cause loss of efficient thought processes. And if you do manage to have that laser focus on what you’re thinking about, you’re draining the heck out of your body and your mind. You go home too enervated to enjoy your off-hours.
Getting into Cyber Security
This will really depend on where you are now. Do you work in a company that has:
- Good to GREAT multiple career paths available?
- Can you make a lateral move to the IT Security team or Cyber security team, whatever it is called at your firm?
- Would you need to gain some preliminary training up front before they will accept you?
- Poor career path options?
- As in, you would have to leave that place of employment to get into the security field somewhere else…
The thing is, you will have to make a tough decision about this. Some places are good to their employees in making a lateral move, especially if they see that you have spent some significant time prepping / training in several security classes. As well as having spent some of your own money in preparing for a move – this would be the route I would take.
But if you can make a move to work in cyber security where you are, you can try getting on to the NOC team. That NOC team deals with monitoring, troubleshooting and resolving network issues such as router, and/or switch problems. The NOC team may do more or they may do less.
After working there for a time (say 8 – 12 months), try to see if you can make a move to the SOC team. Once there, you can make additional advanced moves in the future. That SOC team works on issues pertaining to router security, firewall configurations.
— Note: Some organizations combine the NOC and SOC making it into a SNOC, so, it is going to vary from firm to firm around the country.
Reading / Courses
This is where you need to get down to the nitty-gritty.
You can buy books with CBT (computer based training) study courses or exams on CDs in the back of the book or take multiple courses at SANS.org (which you or your company will have to pay for). The SANS courses will take you from a basic level to intermediate to near expert level but they can be time extensive (gotta study).
I would suggest getting some online training, or CBT (such as through Boson.com), or books with enclosed CDs/DVDs that you can use for practice – then when you feel confident enough, take the appropriate test at one of the testing centers I mention in the next section.
Boson.com has multiple courses you can buy that are not as expensive as SANS.org and there are other reputable sites that offer similar CBT test courses.
I would also do all the studying and testing I can and first see about getting into cyber security where you already work, that might be an easier move.
Headhunter / Recruiters
Talk to some headhunters about your current and future plans of moving into the cyber security field. Some headhunters will work with you; again, especially if they see evidence that you are working on making that kind of move and that you are very serious about it.
Where to make a move to
As to where to go and which is the best area – that is a very large question. Right now, it’s a real state of flux about who wants what and where, with a lot of companies not hiring as in the past (many are waiting on the economy to improve) and threats of more government sequestration, which WILL affect companies doing work for government agencies.
Getting several certifications is the better start, even if they are the basic ones – because they are more immediate and can pay off sooner.
As you know, degrees take, ahhhh, a bit more time to complete and may not gain you the specific knowledge you might need.
Although, most organizations do prefer degrees, because it shows that the applicant is serious enough to put in more time (and money) to gain all around knowledge.
As for what private company or government agency to look at for entry to mid-level that is another tough one right now. It is really is topsy-turvy for some people, in some areas and in some cities.
Making that start in studying for and completing training and certification will go a long way.
I would lean towards private / commercial companies but contracting companies also allow their folks to learn additional courses from their company educational system (some companies have a decent educational library but many do not).
Up front, the more cyber security training and certification you can gain, the better it will be for you financially – that is, if you can do so and maintain them…
While I do not know you and am not aware of how much you already know about cyber security, I would start with these certifications:
- Network + (this is needed to become more fluent in overall technology)
- Security + (this is needed to become more fluent in basic & intermediate security)
- Security Essentials
- SSCP (Systems Security Certified Practitioner – from (ISC)2 [isc2.org] – a primer/stepping stone to the CISSP cert)
(ISC)2 is a premier international organization that oversees the certification and continued maintenance of some of the most sought after security certifications (www.ISC2.org). They offer the CISSP and sub-concentrations as well as the basic SSCP for starting.
SANS.org is another organization that is an internationally known steward of various security certifications, from a junior level to advanced levels.
If you do SANS.org courses, they will tell you who to register with (i.e. Pearson Vue, Prometric and CompTia).
If you go through (ISC)2, they will give you options of what days in what cities to go to for their exams (ISC2 proctored exams).
Areas of Certifications
It is going to depend on where you want to go, what you wish to do in order for you to make a decision of which way to move. Here are other more focused areas:
- Routers (Cisco in particular for Basic, Design or Admin certs) (starting with the basic CCNA and moving up) – keep in mind that there is significant movement in the router world as it is currently a lot of physical hardware in place but the area of software defined routers is picking up steam
- Firewalls (Checkpoint admin, but there are others) (CCNE is the goal here)
- SEIM (Security Event & Information Management) or you may see it as SIEM (interchangeable)
There are other security areas you should look at and consider:
- Forensics (digital) – a big field as it extends across many domains – Finance, Mobile, Computing, etc.
- CEH (Certified Ethical Hacking) – another big field
- IPv6 – a rising field as we leave the IPv4 world behind, or in the dust
- Cloud Security (a still growing field)
- Database Security
- Network security (voice and data communication) – including Network Monitoring
for Routers, Switches, VPNs, PBXs, etc.
- Intrusion Detection (IDS) and Intrusion Prevention (Intrusion Prevention System)
- VoIP (Voice over IP)
- Penetration Testing (to test the network’s vulnerabilities)
- Coding – Software/Firmware (IOS security coding if you know and like writing code)
- Management (for security)
- Auditing (for security)
- Compliance (GRC – Governance, Risk & Compliance)
- C & A – (Certification & Accreditation)
- ISO 27001 – a standard that appears to be picking up steam, so you might want to take a look at this area as well to become familiar, knowledgeable or expert on because more U.S. firms are starting to comply with this standard
Next, there are other senior level security certifications that take time to work up to because they require time in the security field from (ISC)2 perspective:
- CISSP (3 – 5 years’ experience to gain this cert – getting the SSCP first will help)
- ISSEP (or ISSAP or ISSMP) (concentrations on top of and after gaining the CISSP)
- Health Care (such as ISC2’s latest security certification)
Other Pertinent fields
- Social Media – Social Network Analysis
- Mobile Communication
- Mobile Communication Security
- there really are many, many more…
So it boils down to deciding which area you wanted to go into after you read up on the various areas – I would go through the SANS courses offerings first to know what is what.
You should definitely start going to ISSA (International System Security Assoc – ISSA.org) meetings in your area and making connections through that venue. There are multiple locations in each state with meetings held once a month.
There is an annual fee (for the local chapter and the international host). At some of the meetings, they should, from time to time also be discussing job openings and can aide in your start.
After starting some kind of training and gotten one or two or three certifications completed (and maybe working on one or two more), craft a resume (lot of resources out there for this one) and go to Monster.com, Dice or CareerJobs and put up a profile/resume as well as searching their sites because they will have a number of openings for entry level for you to make a springboard attempt.
You probably already know about all three sites and others…
These sites will have contractor, private and government openings you can peruse on these sites.
- And if you ‘are’ working on more certifications, make it known that you are doing so
- Make sure you include that you can help whatever company you are applying to and let them know that you can help their bottom line by helping to make your team more effective and successful (this is what most companies want primarily)
Then, wherever you go, put in eight months to a year and make very serious efforts to learn and use what you learn and you should be good to grow after that.
Terms (keep in mind, these are just basic terms and you can and will find these and variations of these terms everywhere)
- Computer Security
(aka – IT Security) techniques for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization – basically it is information security as applied to computers and networks or the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction
- Cyber Security
technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals
- Information Assurance
(or IA) practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form.
- Information Security
(or InfoSec) the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc…) – basically, it is the act of ensuring that data is not lost or compromised when critical issues arise
- ISO 27001 (International Standards Org.) a Standard that provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System
- Network Security
A specialized field in computer networking that involves securing a computer network infrastructure, which typically relies on layers of protection and consists of multiple components including networking monitoring and security software in addition to hardware and appliances. All components work together to increase the overall security of the computer network – boiling down to Defense in Depth (DiD)
Network Operations Center – one or more locations from which network monitoring and control, or network management, is exercised over a computer, telecommunication or satellite network
Security Operations Center – a centralized unit in an organization that deals with security issues, on an organizational and technical level