CompTIA Data+ certification: Is it a good fit for your career?

[00:00:00] Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office? Or did he just forget his badge again? Find out with Work Bytes, a new Security Awareness Training series from InfoSec.

This series features a colorful array of fantastical characters including vampires, pirates, aliens, and zombies as they interact in the workplace and encounter today's most common cybersecurity threats. InfoSec created Work Bytes to help organizations empower employees by delivering short, entertaining and impactful training to teach them how to recognize and keep the company secure from cyber threats.

Compelling stories and likeable characters mean that the lessons will stick. So, go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.

Today on Cyber Work, James Stanger, the Chief Technology Evangelist at CompTIA walks me through their new Data+certification. InfoSec is proud to provide bootcamp and course training for a range of CompTIA certs, and James helpfully breaks down the basics of data analytics, the type of learning that you'll engage in the pass, and why security professionals have a lot more data analyst in their job role than they might think. All that and a little bit of geeking out about the humanities, today on Cyber Work.

[00:01:31] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

My guest today, Dr. James Stanger consults with organizations worldwide about security, data analytics, open source web development, and workforce development. These organizations include the Japan Ministry of Defense, NCSA Thailand, Oxford University, AstraZeneca, and the US Department of Defense. He is a member of the AFCEA Cybersecurity Committee and is the chair of the C3, the Consortium of Leading Global Cybersecurity Certifications.

James is an award-winning author, blogger, and educator. He has designed globally recognized education certification and badging programs in topics as diverse as security analytics, Linux, web developing, kayaking, and British Romantic literature. These are a few of my favorite things. He is currently chief technology evangelist for CompTIA. James, thanks for joining me today. Welcome to Cyber Work.

[00:02:37] James Stanger: It's good to be here, man. How have you been?

[00:02:39] CS: I'm good. I'm good. I had a slip of the tongue there. Do you say CompTIA? Or do you say CompTIA?

[00:02:46] JS: It's CompTIA. I'm glad you brought that up. There are a lot of people call it CompTIA. It's funny, you can always tell. It's kind of like it was World War Two where they're like, what's the password? Or the Brooklyn Dodgers back when they were the Brooklyn Dodgers and all that. You know who's in. You're in crowd, it's CompTIA.

[00:03:03] CS: CompTIA. Yes, exactly. And yeah, I was going to say the, the abbreviations every single time, I'm going to say something different.

[00:03:12] JS: I know what you mean. I always joke about it. I always call it CompTIA,

[00:03:17] CS: CompTIA. I like that.

[00:03:20] JS: It’s whatever Trade Industry Association. We do a tremendous amount of work with managed service providers around the world with very large companies and very small companies. So, whoever's watching or listening today, there's probably one of our partners just down the road, and they had us get into education a long time ago, and that's where we have A+ and Network+ and Data+, things like that.

[00:03:39] CS: Yes. And we are going to get into several of those today, especially Data+, that is the theme of today's episode. But before we do, let's start a little bit by talking about your origin story. So, James, where did you first get interested in computers and tech? What was the initial draw for you?

[00:03:55] JS: The first tech that I was interested in was my parents’ stereo, which I kept. They'd walk into the room, and they just see little Jamie and that's what they knew me back then as, and I'd be dismantling the stereo. It was very expensive. I kept doing it. They bought me my own little stereo. After a while, I was just really – I did the same thing with the TV's, and they said, “James, you can't break into TVs because there are capacitors in there that will hurt you and things like that.”

So, I've always been interested in how things work. First time, I really got into the computer scene, though, was very late in life, really, because it was in when I was in college. I realized that, wow, instead of typing, I could actually get – I was a lousy type of stem. I'm a very good one now. But I got into it, because I needed to write my papers. I was an English major then, and I just realized that I could create a whole database of thoughts and papers and things like that. And the big thing, I could get over my mistakes. I'm a big fan of do overs. That is what learning is all about, and computers helped me with my do over mentality.

[00:04:57] CS: I love that. Yeah, I'm always excited by people who start in one area, and then they find out that the computer component of the area they're interested in, it takes over for them. So, I mean, to that end, looking at your educational background, I noticed something uncommon about our guests, by looking through your background. We said in the intro, like me, your educational background is in the humanities, and not in computer science. You have a Master’s and a Doctorate in English Literature, which means that we're automatically friends.

It also means, though, that there was a hinge point, apparently, in which you went from teaching composition and literature at the University of California, Riverside, to designing courses for ProSoft, the LPI Advisory Council for Linux Professional Institute for 11 years, before moving into certification architect positions with both ProSoft, and later, certification partner. Can you tell me if this was a major shift in your career? Or if literature and IT were running parallel tracks all the time?

[00:05:53] JS: I ran parallel. It was definitely – let's put it this way. It was a major shift. But I did run parallel for several years. I would do a bunch of work with firewalls and databases and web development. And then during the day, and then early, early in the morning, like six, seven in the morning, believe it or not, I would be teaching composition classes. I did that because I had bills I had to pay. Student loans I had to pay.

I always tell people, it's an old joke for me. But I always tell people, I got my PhD and unemployment. I had two and three-quarter kids at the time when I graduated in the late nineties with my PhD, and I'd already shifted over to being a technical editor. The big shift for me, it started really in the early 1990s. I don't know when you started working on the Internet. I started working on databases on the Internet in 1992. I started because I was really into, obviously, English literature. I was getting my master's at the University of California, there at Riverside. And I worked for something called the English short title catalogue, and that was down in the basement of the library working for a guy named Henry Schneider, who is not a knight, because he's a US citizen, but he got effectively, effectively knighted a few years before he passed away. Because he basically was able to turn a book and a whole bunch of non-book, how should I put this non-recorded texts from the beginning of the hand press period, all the way through to about 1804, when the actual printing presses started really doing their thing, on an industrial basis.

Long story short, my job was to help enter those texts from the British Library or wherever, into a database. So, I learned about databases. And after that, I learned about HTML. So, I remember, by 1995 or something, somebody very cynically, frankly, asked me in a job interview. “So, do you know anything about databases?” And I'm like, “Relational databases, SQL, do you want to know?” I said, “I know much about databases.” Well, I was creating those back in 1992 on the Internet, back when most people weren't. They didn’t what it was.

Windows 95. So, I go back ways there. The big shift, I worked with a guy who is now I believe he's CISO of the of Mandiant. I think he's CISO there. He was the chief personnel over security over Target until a couple of years ago. Anyway, in 1998 or so maybe ’99, I walked in, and they said, “James, here's a really good writer. Here's a really good security person.” I just started asking him questions about security, because I helped him create a course. He had the course all created. I helped him write it down. And then I got a job as a pen tester, where they said, “James, you're going to be doing a lot of travels through London and Hong Kong, breaking into banks. You're going to write up the reports, because we hate writing up reports.” So, there's a quick overview.

[00:08:55] CS: So many of our guests have emphasized the report angle, and if I were, heaven forbid, I love doing this job. But if I wanted to move over into security areas, it would definitely be something that involves writing, because I am also an English communication veteran here before. And similarly, started out in chemistry got smacked in the face by calculus-based physics, and made the pivot into literature land. Yeah, that's a great story, and I'm really glad to find out that it was not just sort of like – it wasn't really like a midlife crisis or anything like that. You were doing both of these things already, and it was just this one –

[00:09:41] JS: It was habitual to have a midlife crisis. That showed up later, I think.

[00:09:44] CS: Okay, yeah. It has its own contours to it. So, from here, you moved on to one of the titans of our industry, CompTIA. I said it right, this time. First senior director in product development and have now been the Chief Technology Evangelist at CompTIA for nearly six years. I'm always a little confused about the job description. Can you tell me about the work of tech evangelist? What are your primary responsibilities or your weekly or daily tasks?

[00:10:12] JS: The whole idea of about a tech evangelist, it kind of started in the development world. You'll see a lot of – you see it also, for any organizations, such as IBM that offers various types of platforms, whether it be database platforms, or in Oracle, Java platforms, things like that. I'm a consensus builder. I work a lot with hiring managers. I work a lot with students. I do a lot of teaching and training. And the main thing is, you call it a marketing function, I do a tremendous amount of business development.

So, the idea is to get the word out, that's where that evangelist comes from. It's not a particularly religious thing, although sometimes, it kind of feels that way.

[00:10:51] CS: To kind of fervor, yes.

[00:10:53] JS: That's right. That's right. And the idea is to get out and talk with people as much as possible. So, I like to see myself either as a liaison or a consensus builder, between people who are hiring people in the workforce, and people who are joining the workforce.

[00:11:06] CS: Okay. That almost sounds like, maybe not, but almost like a lobbyist or something like that. You're trying to sort of clarify points to people in a high-pressure situation.

[00:11:17] JS: Back in the day, until a few years, about four or five years ago, now, I guess it is, we did have a lobbying function in Washington, DC, and I would work with that group fairly often. Having said that, I was just at the Pentagon here about a month ago, talking to people about some of the changes they're making in their education programs, 8140, for example, CMMC 2.0. I won't call it lobbying, but I certainly talked to a lot of people who are used to working with lobbyists.

[00:11:45] CS: Again, I guess, to sort of talk about the skill sets that are involved, like you said, ability to write reports and so forth was a big part of your old job. But evangelist definitely has sort of – you need to have elements of communication skills, especially spoken. Also, some degree of I would imagine, sort of persuasion or argumentation skills, not arguing. But, an argument.

[00:12:13] JS: The idea of being suasive, as they call it. Being persuasive and creating appeals and knowing when to be quiet, and knowing when to succinct, believe it or not. Sometimes I fail at that. I think the other day, I handed over a report that was more of a stream of consciousness than it was an actual decent report. That it was a very subtle hint, it's like, “Gee, a couple of bullet points would have been nice.”

So, I know what you mean. It's something that as far as the skill sets and things like that. First of all, you got to be pretty technical in what your knowledge is, and technology evangelist is in there. It's not just technical say about security or about data, and things like that, that's fine. But technical in the understanding of having a strong enough foundation so that you can pivot, to steal a word from you, and for the pen testing industry, to pivot from one element to another and to explain things that aren't clear, that do have a muddled, if not muddled, murky kind of past, and clarify things in such a way that the audience cares and understands.

[00:13:22] CS: Okay, so now to contextualize that in the other direction, because it sounded at first, like, okay, as long as you're a good speaker, a good communicator, like someone will give you the talking points, and then you sort of bring them to the masses. But it also sounds like you need to actually know all this stuff, which means you should have, like you said, you were a pen tester before. You have the hard tech background. This is not just – you’re not just a convention speaker. You are someone –

[00:13:48] JS: Yes, a really good point.

[00:13:49] CS: So, can you talk about how much of your position is client facing versus how much is research and sort of keeping up with trends and sort of staying on top of the tech?

[00:14:00] JS: It's a good question. I do work for the research department at CompTIA. I work for a gentleman named Tim Herbert who is our Senior Executive VP over research, fantastic, incredible research department. It's really neat to watch them. A lot customer facing. I’m more customer facing than in doing the research.

Having said that, the reason they bring me in, I think to all of these things is because we do a tremendous amount of research where we bring thousands of people and get tens of thousands of people and get tremendous insights about that. But what's kind of fun is that in my work that I've done with databases, that work that I've done with data analytics as a pen tester, as a web developer, things like that. All of these different areas. You could call it kind of four pillars. Seth Robinson came up, who works for research department with me, came up with the idea of four pillars.

You got data, right? Data search, you can call it, and then security, and then infrastructure, things like cloud and servers, and all that fun stuff. And then development, how you create this stuff, programming, right? So, you’d to have strong areas in there. If you want to speak with authority, you have to have done this stuff. If you know what I’m trying to say.

So, it's been interesting over the decades, that there are oftentimes where I'll hear people go, “Oh, I'm not technical.” They'll say, right? Sometimes they're not technical, which does make me wonder why what they're doing. Other times when they say they're not technical, they're being humble. There are people a lot more technical than they let on or even realize.

[00:15:36] CS: Just because they can't dismantle and reassemble a TI99 computer in 12 seconds, it doesn't mean that they're – yes.

[00:15:45] JS: It’s funny, people think they need to be programmers to get into IT or whatever. You don’t. You don't need a four year – you don't need a lot of the things that people think you need.

[00:15:53] CS: Yes, I guess that's kind of my point. Because at this point, I think your guest number 210 or something, 220 or whatever. We've pretty much sort of mapped out the landscape in some ways. Obviously, you're going to be a pen tester or an architect, you need to know your tech. But if you're going to be someone, like a risk manager, or a compliance officer, or a threat modeler, you don't really need to know that much tech. You need to know your machinery, but you're really entering the space. It's kind of like, I guess, in the military. Someone's got to fill up the vending machines on the battleship, and it's like –

[00:16:32] JS: There's something interesting that you bring up. I was talking to a lady. Her name is Julie in Atlanta. Up until a year and a half ago, she was a school teacher, elementary school teacher, okay. She's now a compliance analyst. Okay, to bring up your point about the idea of governance and compliance.

Basically, what she does is she goes into a room and kind of corrals a bunch of IT folks, business leaders, et cetera, which she says is often a little more challenging, even then – not actually she says it's usually not as challenging as corralling and –

[00:17:06] CS: Rallying in.

[00:17:07] JS: But she's very good at like, well, here are the objectives that we're supposed to reach. So, she has leveraged that previous experience in working with folks and saying, “Well, here's the standard. Where are we? Where are the deltas there?” So, just less than a year and a half ago, she started working full time as a security compliance. So sorry, you kind of triggered that.

[00:17:27] CS: That’s 100% what I was wanting to lean toward, because while the position that we're talking about here absolutely requires you to know the holistic whole of the tech experience, we also are – obviously, everyone talks about the skills gap, and part of it is like we need to fill the spaces with everybody, and not just people who have been feel stripping a computer since they were six.

So, always worth mentioning. But yeah, I appreciate the sort of well-rounded discussion of the evangelist role. To get started on the main topic, regarding Cyber Work today, because it looks like 2023 is going to be the year of CompTIA. So, three of CompTIA has introductory certifications, obviously are some of the foundations of our educational mission here. They got the A+ certification, which prepares those certified to understand the ins and outs of computer's operating systems, mobile devices, and more. I'm actually studying for that right now myself. The Network+ or Net+ provides a solid foundation in the essentials of creating and maintaining computer networks. And then you have the Security+ or Sec+, which locks it all down, teaching you the building blocks of the security fundamentals needing to make sure that all your devices and networks are secured against threats.

So, with all three of those certs in your pocket, as well as the newest Cloud+ certification for cloud practitioners, you have a ton of options of where to go to next. Now, with CompTIA’s help, you'll have three new paths to try out in 2023. This year, we'll also see the rollout of an infrastructure certification, a cybersecurity specific certification. And today's topic, the all new Data+. Tell us first about Data+. I know I threw a lot at you there. But what are the parameters of this certification? Who's it for? And what will learning the certification allow you to do within the field of data analytics?

[00:19:13] JS: You bet. At CompTIA, let me take a step back just for a second. At CompTIA, we've traditionally focused on things such as infrastructure, meaning things like the cloud or servers, or like you mentioned, with A+ endpoints and technical support. When I say endpoints, I mean, like your mobile phone. The PCs we're using right now, all that sort of thing.

We've really been into that. We've also been in the security side of things very strongly. There's, you mentioned Security+ things like that. But the two areas that we found that require a lot of needle moving, right? We feel that we've helped move the needle in the infrastructure space in the security space, trying to move the needle in data and in development. So, let's talk about the data, because that's our third – we have the infrastructure, we have security, then you have the data and search pathway. You can call it pillar if you want. But the pathway and the development.

But let's talk about Data+. So, the ideas that we found for years, people asking us, “Look, we need more data analysts. And we need – even if the word analysts or data or information isn't even in the title of the worker, we just more and more need people who can turn data into actionable information.” That's why we created Data+. It really does represent a new factory door for us as it were, or a new track. Because Data+ is not necessarily just for IT professionals.

The data analytics is something that somebody who obviously uses technology, but it's not necessarily going to be reporting to a manager of IT, or what have you. Now, there are obviously IT jobs that require data analytics. For example, pen testing, sure. But I would take a look at instead of the red team and the pen tester, the blue team, or the person who actually listens for the pen tester or listens for the attacks. They gather datasets all day long. And when it comes to Data+, it's really all about gathering data sets, cleaning them up, making them searchable, and then visualizing it and telling a story.

Have you ever played Legos? Play with Legos? Did you play with Legos as a kid?

[00:21:25] CS: Of course. Oh, absolutely.

[00:21:26] JS: I didn't have Legos as a kid for whatever reason. I don't remember this. So, I remember now that I have grandkids, I steal their Legos and I play with them. The reason I bring up Legos here, and this is – I don't know what I have here. I stole this from my back here. But I like to look at data in terms of Legos, right? Because you've had Legos kind of strewn all over the floor, which is what happens with me, right? And then what you can do, you can start organizing them a bit by, well, let's put the green ones together, and the black ones here and the yellow ones, right? And then you can start – so that's kind of like taking random bits of data or whatever, and then you start organizing it a bit. And then you can like, well, I can start making shapes. After a while, you can visualize it and tell a story. I think this is supposed to be some sort of spaceship.

[00:22:13] CS: Yeah, I would imagine like a hover craft or something. It looks good.

[00:22:16] JS: Okay, enough with the analysis. Sorry, the whole idea behind Data+ is to get people to understand that data life cycle, and to really differentiate themselves and get those skills there. Because we see people who are completely outside of information technology. For example, I know a guy named Tim, Tim Niles. He works for Cisco. And you're thinking immediately, “Well, they're an IT company.” But he works in the in the HR department.

But he did start years and years ago as A+, Network+, but very, kind of slowly, but surely, he found himself over in the data side. He has not worked for the HR department. Excuse me, the IT department. He worked for the HR department gathering information about the welfare of workers, about the interests of partners, and they can start crunching data and coming together with really cool insights, teasing insights out of this random data about how people are working, and it makes changes to their HR policies. It makes people more engaged. It makes them happier. Changes in benefits. So, instead of going on somebody's idea, you can actually focus on information.

The research department often tells the joke to itself. Well, in the absence of data, we'll go with my opinion. Frankly, doesn't get companies as far as is it used to.

[00:23:35] CS: No. For sure. That's interesting, too. Because I think a lot of us have had that experience of the HR mandated happiness, employee happiness survey that comes out. This really, really helps us to understand what the concerns are, and all this kind of stuff. There's always that sort of feeling that the inboxes just been set on fire and thrown in the back alley or whatever. But with the idea of actually being able to – I like your use of the term of, sort of create a narrative, because I think that's really important, especially as we go from data to big data. I know it's already an old term at this point. But as we talked about these massive datasets, that is ultimately we're not just bucketing things just for our own health, it's to sort of tell a story and ultimately, to make, I guess, find a story right. It's not like make a story, but find a story.

[00:24:34] JS: Yes. It's to find a story and also to ask the right questions. This may not make sense, but I hope it does. There's an, the Hitchhiker's Guide to the Galaxy, old series. One of the –

[00:24:49] CS: Listeners know it, yes.

[00:24:51] JS: Remember, they're waiting for the computer to read out the life to ultimate, the life –

[00:24:57] CS: Yes. Life of the universe and everything.

[00:24:59] JS: And it comes out with 42 as the answer. Remember what the deep thought was, it was a deep thought that said – the computer said, “Well, the answer is 42. But you guys are asking the wrong question. That's why the answer doesn't make any sense.” The reason I tell that story is a lot of good data analysts whether like Tim Niles, who works for the HR department, or somebody I know Robin Hunt who has done tremendous amount of work as a data analyst, formerly, for the army and various things. They're really good at saying, “Okay, here's the question that you might want to start asking.” So, it really is a major pivot from just finding the right answers to the right question or the or to the wrong question of actually, I call it a heuristic process, where you come up with different questions and different answers.

[00:25:47] CS: Yes. Because, again, as you said before, in the absence of data, or in this case, the absence of a data narrative, we'll just go with with my idea or whatever. It's real easy to go and make the data, conform to your idea if you're not asking the right question, or you don't know how ask the right question.

So, for listeners, and you sort of talked about this. But for listeners who are laser focused on the cybersecurity part of the business and don't see the utility in the certification, can you talk them through why Data+ can be a specifically, a crucial link in the chain, even for cybersecurity professionals?

[00:26:19] JS: Happy to do that. You bet. Any security professional works with some form of dataset. That dataset could be a packet capture. Wireshark, there's your dataset, right? Intrusion detection logs, there's a data set, right? So increasingly, it's all about figuring out how to visualize data. That's why you have a security operations center, because what does the security operations center do? Well, there's a lot of things that it does. One, there’s tools, there are tools there, whether it be Splunk, or Security Onion, or whatever tool you use, QRadar, to gather information from – I will use the phrase myriad resources. That means, lots of places, of your router logs, from endpoint logs, from emails. I mean, just from anything, to where you can gather information.

Then, you have to have tools that put it together and more and more that is not really automated yet. If it does get automated, you need a security analyst, emphasis on analyst, to go in there and say, “Here's how we can train that artificial intelligence to automate. Here's how we can put together the right data set and get rid of duplicate things.” One of my favorite examples, I think, applies here is my name is James Stanger. So, how would James Stanger be represented in a database or in a security thing?

Well, that could be James Stanger. That could be james.stanger. Stanger, James. Well, so how many permutations of that name can you come up with? Still represents one person. Instead of 50,000 people got hacked, or 50 people got hacked. It's like, “Well, no, we think James Stanger is probably –there's hopefully, only one.” We can normalize that and rationalize that down in there.

It's those kinds of activities that are there. And it doesn't take a rocket scientist to be able to do that. It's a few scripts, things like that. I am no programmer. I've talked about how I've done web development. I’m a lousy developer, but I'm pretty good at telling where developers do things right, and when they do wrong. I can come up with a few scripts here and there to do that. So, from a security perspective, that person, first time that somebody ever brought up the idea of security analysts to me.

They said, “James”, and this was years ago. Golly, this was six, seven years ago. So, “James, imagine taking all that stuff that you know about, about the hacker lifecycle and about intrusion detection, and imagine applying big data to it.” That was the term they use then. We don't use the term big data anymore. I’m like, “Wow, that was the dumbest thing I've ever heard or the smartest thing I've ever heard.” Turned out, it was a really smart thing that I heard. So, that is a major growing job role, still, the idea of the security analyst.

You also find outside of the security operations center, security analysts, you have compliance analysts, you have governance, people who spend time all day long working with a dataset, for example, the NIST CSF, Cybersecurity Framework, for example. The ISO 27,000 standards. There's data sets, and then you get – there's a standard, then you have data that tells you, “Well, how good or bad are we in compliance with that?” There's something called CMMC 2.0. Increasingly, a data analyst is not just somebody who works at a SOC. An analyst is somebody who takes a look at various forms of information and data, and really tries to figure out what that narrative is. So, from a security perspective, it will be a more and more important. It's not just, I sit in front of things and watch pretty pictures and, “Oh, look at that.”

[00:29:58] CS: That's that looks bad over there.

[00:30:01] JS: We're not playing old video games here. We're gathering datasets and then coming up with recommendations.

[00:30:09] CS: Yeah. And I think, as we – I feel like my goal here is always to sort of take away the uncertainty and the personal concerns about sort of entering this industry. What if I'm doing it wrong? What if I don't learn enough? I think one of the things that people worry about in their first kind of hands on job is, I know, all the things that you're supposed to do without necessarily knowing why I'm doing them. I think this is a really crucial point beyond, well, I ran the scanners. I did the threat reports and all that kind of stuff. But something still got through and I don't know why.

So, I think this is really interesting in terms of – a past guest said, “If you want to move up in your position, automate yourself out of business.” If you can create something that does your job intuitively, and I think sounds like Data+ would be the kind of knowledge that would allow you to sort of move that up to that next step.

[00:31:07] JS: Well put. That's very well put. I think, one thing that's really interesting about the idea of analytics is the idea of, look, my job is to gather information, and then to point the way to where the attacker is. You want to put on a security hat here. It used to be, well, defense in depth. And defense in depth was the idea that we put antivirus and firewall and intrusion detection, all these different bits in there to see that if the bad guy gets through, that person gets through, we have depth of coverage and all that.

That really doesn't work particularly well. The answer is, where can we apply an analytical mindset so that we can identify where the hacker has pivoted, where the hacker has gone? Because usually, the hacker, they're going to find their way into the application into things like databases, because that's where the information, that’s where the money is, for ransomware or for whatever.

This idea of, imagine if you can follow the data and pinpoint to a specific attack, that is something that is promises, if it's done right, to be far better than the typical defense in depth thing, because you're now instead of boiling the ocean and spending a ton of time and money wherever, you're focusing right where the attack is. That's the promise of it. I'm not saying defense in depth is all dead, but it's mostly dead.

[00:32:26] CS: Yes. And pays to be on the part of the process that's going forward rather than stagnating.

Speaking to experience with certifications, as I said, the A+, obviously, you can just kind of walk in and start doing that. Other ones require a little bit of prior knowledge. But what prior experience or certs, if any do you need to start studying for and taking the Data+? Is this a cert that requires no prior knowledge and you can start learning from page one and follow along?

[00:32:57] JS: We see Data+ as kind of a mid-career, early to mid-career thing. There's some things that, as far as prerequisites, we never really have prerequisites for any of our service, but we do have recommendation. The first thing is, to get into Data+, it's really a good idea to understand what a database is. Do you have to be a database administrator? Heavens, no. But you should understand. Have you ever messed around with, if not a MySQL database, something in Microsoft Office putting that together?

But even more than databases, do you know what a spreadsheet is? Have you ever played with one and read one and understand some of the basic function? Those would be very useful things. Do you have to be a genius programmer? No. You're going to have to learn a little bit about how to use scripting, for example. Maybe using say something like Python. But don't let that intimidate you too much.

Let me tell you a quick story. Because I remember going, “Okay, here we go.” I mean, have to dust off my lousy Python knowledge. This won't be that much fun. Because what I did is I downloaded a little tool called Jupyter Notebook. It's misspelled, as things always are in IT. It’s J-U-P-Y-T-E-R Notebook, and it’s basically a tool that data analysts can use. It's an open source tool. You can Google it and download it. And then I downloaded something called the Titanic dataset. And the Titanic dataset, it's a dataset of all of the information that we have about people who were on the Titanic when it sank. Their names, how much they paid for the ticket, gender, where they were berth, that's the term, where they were put in the ship, where they slept.

[00:34:42] CS: Berth. Yes.

[00:34:44] JS: What is it? B-E-R-T-H, right? The berthing. Sorry, where they were sitting or sleeping, when the Titanic hit that iceberg. You can actually start crunching that data a little bit. And that's how I got my fingers wet or my hands, whatever, where I got a little bit more an understanding of how you can start to visualize things. I actually started asking questions, very simple questions, using very simple Python things that, trust me, it sounds intimidating. Once you work at it, it's not that hard, and I was able to actually visualize, and I could say, “Oh, look at that people who were sleeping in the certain area of the Titanic, they got out and most of them.” A larger number of those people survived.

[00:35:30] CS: Interesting.

[00:35:30] JS: It is because they paid more? Partly. Was it kind of luck of the draw? Partly. A lot of males died, because I think there were a lot of chivalry that went on. A lot of rich people ladies survived, things like that, that tells you a lot.

[00:35:48] CS: Yeah. That’s a really, I think it's a really good tip to know, especially even if you're not sure whether you want to get into the Data+ or whatever. I think there's a benefit to being comfortable with the idea of taking a sort of harmless, shall we say, “dataset” and taking it apart and put it back together. It's like you said, with your turntables and TVs back in the day and stuff like that, in a safe space. We hear about that with forensics and downloading certain things and having a home lab and being able to sort of pick it apart without any –

[00:36:22] JS: That’s the way it works for me, yeah. Making your own pen testing labs, so you can go as wild style as you want, and it doesn't – it's not going to like hurt your job, or you're plans, or anything like that. So yeah, that's interesting to hear too.

[00:36:35] CS: And if you don't want to get depressed with the Titanic data set, I suppose that's a real harmless data, harmful dataset, you can look up the – you can download the iris dataset, which is a dataset of all sorts of different forms of iris. Genetically, they've been manipulating things for decades, and you can take a look and do that.

My point with this is that as I got the Data+ objectives, I was like, “Oh, my gosh, how hard is this for somebody to learn?” As an evangelist, my job is to really talk about things in real terms. And right away, I'm like, “Oh, so that's how you get rid of duplicates.” Three simple steps. That's how you generate visualized things, or you generate confidence using something called, what is it, chi value? C-H-I, chi value and things like that. My point is, I noticed right away that while it's not something like, “Hey, if you don't know anything about data or whatever, you can be up to speed in two weeks.”

No, it would take you longer, but it's not insurmountable at all. You can start with ITF+, for example, which teaches you about all these different pathways in a very light way. And then as you go down the data route, you can say, “Oh, so that's how Google works.” Or, “Oh, they crunched all that free search that we do.” They crunch all that information. And then they learn a lot about you and me. right?

[00:38:02] CS: Yes.

[00:38:03] JS: The CEO of Google will say, “Well, we probably know in some ways more about your habits than you even realize just by crunching that data.” Google has been doing that. But people now in the healthcare industry do that. People in various interesting manufacturing, and in farming. Believe it or not, John Deere, you know, the tractor people. They're better at data analytics in that sector, probably than most other sectors. If you asked me, I would love to go in and find out back in the day when Google – where did they steal their ideas from? And I'm kidding. Everybody learns from everybody. I'll bet you they went in and probably had a bunch of people consulting in from John Deere and various things. Because farming, trust me, those folks have been crunching data and doing amazing things.

[00:38:54] CS: Yes. You said John Deere and my mind immediately went to the Farmer’s Almanac and I'm like, “I bet there is some” –

[00:39:00] JS: Well, the Farmer’s Almanac was not just all superstition or whatever. They were crunching serious data, and that's why they knew, we think this is probably going to be a warmer year because all of the indicators are for that.

[00:39:13] CS: Yes. It's not like my big toe hurts or like, well, we haven't had a warm winter in a while.

[00:39:16] JS: Yes. So, it must be a cold one.

[00:39:19] CS: Here we go. Here we go. Yes.

[00:39:21] JS: It's kind of like weather. I remember, weather forecasting, when I was a kid, I thought was a bit of a joke. I grew up in Southern Oregon, where it’s the joke, if you don't like the weather, wait 20 minutes. But it's interesting to see how good folks have gotten at that kind of weather prediction. We're just looking at the indicators, where the barometer is, and that tells you a lot.

[00:39:44] CS: I have terrible news for you, James. People from Michigan also use that phrase. People from Illinois also use that phrase. People from Wisconsin also use that phrase. We're all waiting five minutes for our weather to change.

[00:39:56] JS: I think I stole that from somebody in Washington DC.

[00:40:00] CS: Okay. Yes. It is widespread.

All right, so I want to, I guess, drill a little deeper. And you talked a little bit about it, but what types of concepts will you learn with Data+? Can you walk me through the major areas of focus, even maybe just point by point of like the domains and some of the real-world application?

[00:40:18] JS: You'll learn about different types of ways to store information, spreadsheets, flat file databases, a little bit of MySQL databases, and things like that. So, where it's gathered, and where you get your data sources from. That's the first thing. I mentioned, data lifecycle. So, that's the first area.

The second domain basically talks about how you can get rid of duplications and basically, come up with a dataset that you feel is sound. Then you make it searchable. By making it searchable, you basically learn about ways in which you can organize that information into say, a database, and things like that. Use scripts there.

There's also governance. The idea of, okay, let's say you've gathered dataset, and you've got it stored. Hopefully, you better have it encrypted. Have access. That's what I mean, kind of mean by governance. But also, there's a certain element of once you've gathered that data and turned it into information, you better keep that personally identifiable information. The PII secure. So, there's that. What are the rules for using that data? If you got a data set from a certain tainted source that is somehow, “Hey, you probably shouldn't have gotten in there”, and it works its way in to your larger dataset, that's kind of a poison well or a poisoned tree, I think we use the term. So, you have to make sure that what is allowed in is truly allowed in. Otherwise, you will be in a world of hurt, ethically, legally, et cetera.

Those are certain elements and other tools that you might use, people will hear tools, about tools like Tableau, or tools such as Power BI, right? These are data analytics tools. But what we find is that in the same way, as I think we've all used Microsoft Word before, right? Or a word processor. Just because you can type into a word processor doesn't mean you know how to write, right? A word processor can suggest grammatical things. Sometimes it can suggest certain things. But it doesn't really write for you. It doesn't talk about coherence, or cohesion and things like that. In the same way, you can use Power BI or Tableau, or Jupyter Notebook, which is an open source thing.

But if you don't know the concepts behind it, they're not going to do data analytics for you. If they could, why would they hire you? Why would anybody hire you? Trust me, there are tons of people hiring right now for data analysts, or whatever news you're hearing about, layoffs in the tech sector. Don't worry about that. We need data analysts, we need techies as well. A lot of that noise you hear is from Silicon Valley type companies, usually with funny names. That's noise in the sector.

I think it's really important understand that people with serious skills, a little bit of scripting, a little bit of database, a little bit of spreadsheet, those are people who – and understanding of this data lifecycle. You can look at that in the Data+ objective. You can actually Google it. Google CompTIA Data+ and you can download these objectives. There's five domains. Five domains, and you can take a look at those objectives. And that's just not James's opinion, or a few people at CompTIA, or some professors somewhere. It's literally thousands. Thousands and thousands of working data professionals who said, “Yeah, this is important. This is not.” It allows you to not waste your time. To me, that's the key.

[00:43:52] CS: Yeah, perfect transition to my next question here. So, InfoSec is a primary partner of CompTIA, and is more than happy and proud to be offering boot camp and of course trading for Data+. So, can you talk about some of the training materials you've seen and what types of exercises and quizzes students can look forward to during their studies?

[00:44:09] JS: The first thing is, you learn by doing so it's time to get very hands on about it. So, you will be working mainly with some sort of application. But you have to be the dog that wags that tail. Don't let the application wag you. The tail wags the dog. The second thing is the learning element is so important. You need a good mentor. I would argue that the mentoring starts with a good body of knowledge. So, we effectively put together a database as it were of what's important. That's the objectives for Data+.

But now you need somebody to bring it alive. You can do that through online learning. You can do that through education, through our partnership with you, instructors who can mentor you. That's the human connection that's so important here. In our labs through CompTIA learning for example, we have a ton of lab. We have videos where I've been lucky enough, they bring me in every once – well, they bring me in a lot. I'll talk with working data professionals, people who they're working every day, as okay, I'm a data analyst. Or I have a job where I do data analytics, and we interview them. So, these resources, as you learn about a concept, we have labs that allow you to actually implement it, and then you can watch a video where you can actually – somebody say, “Here's what I do.” And you're like, “Oh, my gosh, I just did that in a lab.” So, it really come alive, and it makes data come to life. It makes data really human.

[00:45:38] CS: Yeah. Again, your primary responsibility is kind of refining your ability to sort of find the narrative, not just the sort of day to day raw work of cleaning a database, which you could do while you're listening to a podcast or whatever. It's going to help to have a teacher where you can bounce ideas. What if I process it this way and that way? You're not just starting off with bad information.

[00:46:05] JS: That's a great way to put it, because, too often things can become – as you're learning, things become so abstract so quickly. And the great thing is, when you have an instructor, who can show you where the rich resources are, that this stuff isn't just an abstract, and that it's not just random data, that there's a learning narrative for you, and there are next steps.

[00:46:28] CS: Nice. So, to get to the end of the line there, no matter how prepared anyone is, everyone comes into their final exam, with a few butterflies in their stomach. So, can you give our listeners any tips or advice for taking the final Data+ certification test?

[00:46:43] JS: A couple of things. First of all, make sure you understand those objectives. They're broken into domains and understand them, so if there's anything that's kind of confusing, or you haven't gotten as hands on as humanly possible, there's something to think about. You also have – we kind of broken it down at CompTIA into kind of three areas.

One, we have Cert Master Learn. And two, we have Cert Master Labs. Three, we have Cert Master Practice. The Cert Master Learn, basically, there's a lot of the body of knowledge that will be brought to you in video form and PDF form. Some reading and some videos. The labs, get hands on. So, there's learn it, you then really learn it with the labs, right? And then the third element is a Cert Master Practice, which can simulate the examined buyer on a big time, what is it, test? I've tested for, oh, my gosh, many, many, many times. But I have serious anxiety with it. I always have. That helps me manage it. That helps me understand.

Okay, I see the environment that I'm in. I can see where the questions are coming to me. A lot of those questions are going to be performance based, where instead of saying A, B, C, D, it'll be, a tool will come up and say, what I need you – ask, here's a data set. What are some of the steps that you can do to get rid of some of that duplication? Here's a data set, what are some of the steps that you can do to – what would be most useful here? A pie chart or a bar chart? That's what I mean by visualization.

So, that's three steps of learning, reinforcement with the labs. And personally, I tend to go move forward with the labs. I’m a kinesthetic learner.

[00:48:26] CS: Yes, just keep –

[00:48:29] JS: There's some hints there. And then talk it over with folks. I found that I never truly learned something unless I taught it to somebody else.

[00:48:36] CS: Yes. Oh, yeah. Yeah, I get completely. Richard Fineman agrees with you.

[00:48:41] JS: Richard, good old Mr. Fineman. That’s probably where I stole that idea from. My kids are so tired of me teaching them stuff that either they already know, or just for my own benefit. Helps me get through it.

[00:48:54] CS: Yes. All right. So, we are about at time here. But as we wrap up today, can we talk some more about some of the other certification or learning paths or whatever, coming from CompTIA later this year? What's the schedule for delivery of these? What do you want our listeners to know about them?

[00:49:09] JS: We've got so many things coming up. First of all, we have the Data Manager Certification coming out. The database, sort of gets really deep in the database. That's really cool. That's coming out mid-year. We have CYSA+. CYSA+ our cyber security. There's the C-Y. And then S-A is the security analyst. So, it's our security analytics cert, and that's coming out. Let's say, I want to say, end of summer timeframe. We also have Security+, the refresh coming out. When I say, CYSA+, the analytics one, it's been around a long time but the refresh.

[00:49:45] CS: I was going to say –

[00:49:47] JS: I'm sorry, I kind of said that wrong.

[00:49:49] CS: That’s fine.

[00:49:50] JS: So, the brand new one is the brand-new database cert, I call the database. So that's brand new. We're refreshing CYSA+, and then we're refreshing Security+, I want to say, October timeframe. November timeframe. So that's coming out. It's really exciting to see those things happen.

[00:50:08] CS: Nice. All right. So, I will let you go here for now. But one final question. If our listeners want to know more about James Stanger, or any of the stuff we talked about at CompTIA, where should they go online?

[00:50:21] JS: You can type in CompTIA, James Stanger and then blog. There is a blog that I will regularly contribute to, where I'm talking lately to hiring managers. But sometimes it's about data analytics. Sometimes it's about the cloud or a lot about security. Another thing you could do is feel free to look me up on LinkedIn. Social media has its purposes. I think LinkedIn can be can be really cool, because it helps that networking. That's how you get a mentor. That's how you can bounce ideas off of each other. So, I'm big at networking, not only TCP/IP or whatever, and networking.

[00:50:58] CS: Well, good, because several of our past guests have said that numerous Cyber Work listeners will get in touch with them after the episode drops. So hopefully, yeah, check your inbox, you might have some new friends.

[00:51:07] JS: Looking forward to it. Ready to connect with data pros, IT pros and tech pros all around the world.

[00:51:16] CS: Fabulous, James. Well, thanks for joining us today. I'm really looking forward to listeners reactions to the certification and I know I learned a heck of a lot today.

[00:51:24] JS: It's been a lot of fun. Thank you so much for your time, man, everybody.

[00:51:29] CS: My pleasure.

[00:51:29] CS: As always, I'd like to thank all of you who have been listening to and watching to Cyber Work podcast on a massive scale. We're so glad to have you all along for the ride as the numbers just keep going up here.

But before you go, I want to invite you to visit infosecinstitute.com/free, to get a whole bunch of free stuff for Cyber Work listeners. Our new Security Awareness Training series, Work Bytes, features a host of fantastical employees, including a zombie, a vampire, a princess and a pirate, making security mistakes and hopefully learning from them.

Also visit infosecinstitute.com/free for your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. Lots to see, lots to do, once you get to infosecinstitute.com/free. And yes, the link is in the description below.

Work Bytes. Talent Book. It's all here. infosecinstitute.com/free.

Thank you, once again, to James Stanger and CompTIA, and thank you all so much for watching and listening. Until then, we will speak to you next week.