Three foundational cybersecurity certifications

[00:00:00] Chris Sienko: Today on Cyber Work, InfoSec’s Skills author, Mike Meyers of Total Seminars joins me to discuss three foundational certifications that will start you on just about any path you want to go. I’m talking about CompTIA’s A+, Network+ and Security+ certification. On the show, Mike dispenses tough love for people who wants someone else to map out their careers for them. He talks about the benefit of vendor neutral certs, and he totally blew my mind by comparing certs with car windshield wipers. If you’re intrigued, you should be. That is all today on Cyber Work.

[00:00:37] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. As you probably hopefully already know, InfoSec skills is kind of a big deal these days. Our interactive learning platform boasts 500 plus cybersecurity courses featuring cloud hosted cyber ranges, hands-on projects, customizable certification, practice exams, skills assessments and other features.

Our guest today, Mike Myers is a course creator for InfoSec Skills, and he wrote the course for one of our most popular, and most requested course reqs, the Security+ certification from CompTIA. We’re going to talk about his skills course for Security+, as well as his Network+ and A+ paths, and the way that these three learning paths will provide an incredible base on which to springboard to all sorts of different cybersecurity and related careers.

Mike, thank you for joining us today on Cyber Work. Hello?

[00:01:38] Mike Meyers: Chris, can you hear me?

[00:01:40] CS: I can hear you, Mike. You are coming through loud and clear.

[00:01:43] MM: The problem with these Zoom meetings is that, I lean very heavily on whose face is being highlighted at any given moment. I wasn’t being highlighted, so I thought I was going blank there for a minute.

[00:01:57] CS: You are groovy. Welcome aboard.

[00:02:02] MM: Thanks. Always good to see you, Chris.

[00:02:04] CS: So yeah. To start with, I want to sort of talk to you about your own cybersecurity journey. You’ve earned your own education company, Total Seminars for over 25 years now. How did you get interested in –

[00:02:13] MM: Isn’t that terrifying?

[00:02:15] CS: I know.

[00:02:15] MM: Good God.

[00:02:15] CS: Yeah, 25 years. What were we all doing 25 years ago? We were –

[00:02:19] MM: I had a lot more hair.

[00:02:20] CS: We were more mere children. Yeah. How did you get interested in cybersecurity as an area of study? What caused you to want to teach it?

[00:02:28] MM: Well, you got to keep in mind, that Chris, I was doing basics of IT way before I was doing cybersecurity. I mean, let’s be realistic. When I got started in IT, it depends on how you want to argue this. My first computer was an S100 unit in 1979. But that was back when computers were made out of steel.

[00:02:49] CS: Yeah, I know. Hit them with a hammer, and it wouldn’t do anything to it.

[00:02:52] MM: I thought, maybe by motivation for security, which is primarily Security+ started, I guess a little over 10 years ago. CompTIA had started pushing Security+ and I’ve always thought of myself as the guy who gets people through the basics so that they’re ready for security, right? When CompTIA rolled out the Security+, they’re like. “You know, Mike. It’d be great if we –” they’re always looking to get more people to write books and do videos. And yeah, that’s how CompTIA works and that is a good thing. But my main push, and this is over 10 years ago, God, was that, well, I’m not really a security guy. I’m a basics guy, and my job is to get people understand the basics. When we start learning about DNSSEC. They know enough about DNS and we don’t have to handle to do that.

That’s really what developed my motivation on Security+. And then, I mean, there’s plenty of security certifications that have been out there for a while. CEH is one that sticks to mind. But there’s so many certifications out there, Chris, so a big part of my learning process coming up to speed, yeah, this is over a decade ago, was there’s a lot of certifications out there. How is the Security+ going to fit in? I’m blessed that I got people at CompTIA who listen to me

[00:04:27] CS: what did they specifically – what are they giving you that other places have not in terms of freedom –

[00:04:34] MM: They give me nothing. It’s what they take from me, Chris. I’m fearless and yell constantly, so – It’s pretty much a one-way street. I want to stress very upfront right now, I don’t get any special information that anybody else gets.

[00:04:56] CS: But in terms of general freedom, you sound like you were very sort of enthused about CompTIA in that regard. What is it about them specifically that you –

[00:05:04] MM: They’re vendor neutral.

[00:05:06] CS: Okay, sure.

[00:05:07] MM: And it just kills me to start teaching people about security from a Cisco point of view or start talking about security from a Microsoft point of view. You get a bias, and that’s the nature of the beast. Microsoft does an amazing job with DNS servers, but I would never use that as the primary way to learn about DNS. All DNS for lookup zones are active directory integrated. Well, that might be a little bit more than most people want to pick up on their first swipe their DNS, right? Cisco and VLANs alone with Cisco, I find irritating. But Cisco does a great job, but you have to learn the Cisco way. I tell everybody, if you’re going to be in the network, and you will become a Cisco person, that’s just going to happen.

[00:05:58] CS: Yeah. So I think that’s worth noting is that, from your perspective, it’s best to start vendor neutral, learn the foundations that will apply everywhere. Then the sort of specialization comes when you either go into Microsoft, you go into Cisco, and you already have –

[00:06:13] MM: Or IMC Squared or Osaka or GIAC, however, you want to look at that those different paths. I mean, that was a big part of it for me, was realizing that Security+ is just – if all knowledge that is IT security is a perfectly round six-foot coffee table. Okay? Then stick your fingers into some pepper and grab just a little bit of pepper, and then throw it on top of that table and those little spots where it lands. that’s Security+, right? I mean, Security+ touches governance. Security touches audit. Security+ touches forensics. I mean, I can keep going. incident response, business, which are really important thing, in fact. And here’s the one critique I’m going to make. The current Security+ is in my opinion too technical, because – well, because I think the one thing that CompTIA did really well with Security+ is really made it almost like a survey of IT security. I think it gives, especially people are trying to punch into the wonderful world of IT security, some sense of the scope of what’s going on out there. I feel that CompTIA made it more technical almost made it more like a pre-CASP is my opinion on that, still a great cert.

Trust me, Chris. If there’s one thing – I know that InfoSec counts on me to tell y’all is that, if something isn’t good, I’m going to be the first one to stand up and say it. I think Security+ – the most eye-opening certification you can get from CompTIA is Network+, because most of us know or at least think we know what an IP address is, or what DHCP is, or we’ve all punched it a 192 168 address and we’ve set up our home routers. Oh boy! That would get me – I got a whole other topic area we got to cover sometime, Chris. Which is called the assumed knowledge of the entry level earner. But let’s not do that right now, Chris.

[00:08:31] CS: Okay. Stay on target.

[00:08:33] MM: It’s impossible. Come on, Chris. You cool. You invited me. But where was I? Oh, yeah. So Network+ is probably the biggest bang for buck, the eureka moments, but Security+ is a very very close second. Like for years, I always told people, Security+ is not going to get you a job. That is not true. I do not like to push the get a cert and get a job thing. It sounds like 1990 all over again. But in this case, it’s pretty true. I mean, if you possess some degree of bilateral symmetry, and can speak, you can – it’s not that hard to get a job in IT security right now. Now granted, it’s not a very exciting job. You don’t mind working for MSP running the midnight till eight shift watching 400 customers in case an intrusion kicks in.

[00:09:35] CS: Right. You’re going to be cannon fodder for a little while there, yeah.

[00:09:39] MM: Yeah. But that is the one place where we really do see a lot of interest at Security+ and Security+ will – I don’t want to say any cert will get you a job. But I will say that, here, I tell people there’s only reason to get any form of certification and you’re getting a certification for your next job. That’s what you’re doing. You’re putting a badge on your chest, so that employers, and customers and whatever it might be can look at you and say, “Okay. That’s Mike Meyers. He’s got X.” Okay? Yeah, my mind is in a million places today, Chris, I apologize.

[00:10:23] CS: That’s all right.

[00:10:25] MM: One more time. Where was I at? In my classes, Chris, I literally tell my students, “I go look, I might get on a roll from time to time, and then I’ll suddenly stop. And I’ll say to you guys, what was the last thing I said?” And the entire class is like, they’re laughing, but it works. I’m not capable of original creative thought, Chris. I stand on the shoulders of giants, and I steal with attribution.

[00:10:56] CS: There you go. Love it.

[00:10:57] MM: Which is kind of like – I asked for forgiveness, not permission. Unless it’s graphics for my book, and then poor, McGraw Hill makes me cite everything 18 times.

[00:11:07] CS: Oh, yeah. I worked in – I worked in image clearance. I know all about that. That moves perfectly into my next question. I mean, you said it yourself, but we say on the show all the time that certification study should be a tool that furthers a specific plan for your career. Don’t buy a tool without knowing what you’re going to plan to build with it. On the other hand, I think it would be hard to deny that a person studying A+, Network+ and Security+ would have such a thorough grasp of every aspect of the fundamentals of security and networking, that it would allow them to move in a lot of different directions in their career. Do you think that being conversant in all of these different types of basics is going to help novice cybersecurity pros in their career?

[00:11:46] MM: It’s not going to help. It’s required. You have to have it. People are like, “Oh! I could teach you how to become a security analyst in three weeks.” It’s like, well, that’s not going to happen. Not realistically. But there are courses out there that maybe not in three weeks, but in a matter of a few months. It just – the demand is so high. I can’t – a lot of people want to give these boot camp turns. These are not boot camps. It’s a whole other genre of education that we’re starting to see pop up. And these folks tend to do really, really, really good work. I’m pleased with how they do. There’s a number of them out there.

[00:12:35] CS: Yeah. I want to start at the very – very rudiments of this because we want to not assume that people already sort of know what these certifications are. We’ve had enough people who tell us that they come to these videos with zero tech, or security or networking knowledge. Can you sort of tell me what each of the three learning paths we mentioned, A+ Network+, Security+ brings to the table for students who want to start their career journey. What are you going to learn with an A+? What are you going to learn with the Network+? What are you going to learn with an Security+?

[00:13:06] MM: Sure, I got you. Before I answer that, Chris, I want to make sure people understand, in the world of IT, certifications are kind of our way of letting other people know what we know. Okay? Rarely, our certifications absolutely straight up require – well, I’m not going to say rarely. The minority, where they say you absolutely must have an A+ cert. I’ll see some stuff like much higher certifications. Folks, there’s over 1100 certifications out there. Okay? There’s no way I can name them all. There is no legal ordered by which you take them, there is no law –

[00:13:47] CS: Any path you make is going to be a path of your own making.

[00:13:50] MM: Right. That’s a big thing that I try to do. Please remember the word path when I’m done talking about Security+, Chris here. Anyway, so the idea is you want to get in IT. Well, good for you. Let’s get you on some basic certs that understand the basics. I really do like CompTIA. CompTIA being vendor neutral. It’s a nonprofit. They keep their nose to the grindstone and try to determine what does the industry actually need in terms of skill set? CompTIA works very hard at that. I’m not saying that private areas don’t. I just know that CompTIA does.

[00:14:26] CS: Yeah, it’s a good place to start.

[00:14:29] MM: CompTIA has a number of certificates, probably north of 30 certifications over the years. But what I call their big three is the CompTIA A+, the CompTIA Network+ and the CompTIA Security+. The CompTIA A+ is, you have to prove that you have the skills of somebody with about six months experience who’s been working on systems. So you can break open a desktop system and replace a power supply. You can go over to a laptop and reconfigure the wireless You can reset a phone to factory. These are pretty basic skills. But the CompTIA A+ covers those.

[00:15:08] CS: And it’s worth noting, a lot of people know how to do that stuff. But they know how to do it because they they’ve been like huffing, and puffing and swearing through like tutorials and they can do a little bit. But here’s your systemized, like this is – you have to know how to do it.

[00:15:20] MM: Yeah, that’s the problem, because they don’t understand what’s running underneath it. They do the what I call, if you see the light, press the blue button.

[00:15:30] CS: Yeah. Right. Right.

[00:15:31] MM: That’s not – that’s fine for people with one-time problems.

[00:15:35] CS: Yeah. I mentioned that only because I think that people look at the, what A+ covers. and they think, “Oh! I don’t need that. I already know how to do that stuff.” But I think there is a lot of benefit to having it sort of foundational and knowing the theory behind it, because there’s so much security of people who don’t advance in their careers know how to push the button, but they don’t, like you said, they don’t know what what happens behind the scenes.

[00:15:57] MM: And worse, they’re what I call Swiss cheesers, a lot of cheese, lot of holes.

[00:16:03] CS: Lot of holes.

[00:16:04] MM: We’ll work on that. But so, if somebody knows all this, then great. Look, in order to pass any certification, not even any IT certification, you’re going to need three things. You’re going to need instruction. Now, that could be a classroom instructor, that could be a great video, but you’re going to need some kind of instruction. Second, you’re going to need reference. That usually manifests as a book. A lot of people say, “I don’t need a book.” I say you need a book, and I’ve been doing this longer than you, so get a book.

[00:16:33] CS: Get a book, absolutely.

[00:16:33] MM: And then the third one is practice questions. You have to have some form of practice questions. The better the practice questions are towards emulating the actual test, you’re going to be sitting on taking. That’s how you get a certification folks, you sit down at a computer and you take a test. All right? Those are the three pieces you absolutely have to have in order to pass anything like that. The trick comes back to is, let’s just go through the different certs.

The second one is going to be Network+, and with Network+ – Network+ covers creating a local area network and then connecting it to larger local area networks. With an A+, you take a system and connect it to a local area network. That’s what you learn. But with Network+, you’re building your own local area network and connecting it however you might want to do it. Network+ really gets – first time, people really start talking about PD use, IP packets versus ethernet frame, versus TCP IP datagrams, all that kind of stuff. But those are the core pieces of networking that people will need later down the road.

The best example of that is the third of these, which is going to be Security+. Security+ is literally all over the place in IT security. There can be one – like you want to use my book as an example. I got one chapter on forensics. I got another chapter on – it’s been a while. It’s not been that long, I’m going – I should have had a book in front of me. What other chapters? Cryptography. There you go. These two topics have nothing to do with each other, not really, but that’s what the Security+ is all about. I got to tell you, the biggest sales pitch I have for Security+ is that when you come out the other end of the Security+, you have a real grasp of what the IT security industry is like. That’s one of the things.

Chris, when I write any kind of trade material, there’s four reasons to put something in there. Number one is going to make them a better tech. Number two is going to help them pass a certification, or a license, whatever it is. Number three is, because it’s cool, because sometimes you got to put things in because it’s cool. Number four is, if I don’t teach you, the question is burning in your mind and you’ll be angry. I have a great example of that. Are you ready?

[00:19:10] CS: Okay. Please.

[00:19:11] MM: AES cryptography since we said cryptography earlier. Are you really curious to know how AES works to encrypt 64/128 bits of data?

[00:19:27] CS: Are you talking to me?

[00:19:28] MM: Yes, I’m going to talk to you in this particular situation, Chris. Because people, they want to know.

[00:19:34] CS: I’m theoretically fascinated. Yes, please.

[00:19:37] MM: I’ve got in fact, probably one of my most favorite videos at my Security+, is I’ve got this thing says, “Okay. You want to watch? Here you go.” And it just goes through. There’s a character that goes to the chart table, start doing [inaudible 00:19:49]. It’s two minutes, so it’s very accurate. But after about 90 seconds you’re like, “Hmm, okay.” Well, as technician, the thing that’s very important – in IT security, they’re all technicians as far as I’m concerned. When you need to learn something, there’s a certain point where the knowledge goes to what I call the black box. That is, I can go deeper than this, but it’s not going to meet any of the four criteria. That make sense?

Another great example is RAM, CPU caching. Level one, level two, level three caches. Chris, I can talk to you about three-way versus four-way set associative caching all day long. But unfortunately, the only people who are going to join is me, and you and maybe six other folks, right? Does not meet the four criteria. That’s the thing I have to be very, very careful about when I do that. That’s the thing. Whoa! I’ll finally get there. That’s the thing that I think CompTIA does a pretty good job of that. Security+ is a very tricky certification to administer, because, how do you as this new person wants to get into IT security? Where’s a launching point? Where is a good step off? I can’t imagine anybody who ever wants to get – I don’t care if you have a doctorate in IT security. I think there’s a strong – is there such thing as a doctor – probably somewhere.

[00:21:19] CS: I think so, yeah. I think we might have interviewed one here.

[00:21:22] MM: The CompTIA Security+, the survey of IT security, as I call it, is unmatched out there in terms of providing users with a basic understanding of what is IT security? So somebody – like Chris, you’re like, “Tell me what’s on the test.” I’m like, “No, I’m not going to.” There’s objective lists out there that you can read that, but I’m telling you something far more important. What I’m telling you is that the CompTIA Security+ will give you the knowledge to be able to understand where you want to go in IT security. There is no other tool that does that. Not that I’m aware of. It doesn’t – if you think about it, Chris, it wouldn’t even have to be a certification. Nobody’s out there.

The problem we run into here, Chris is, I got – Chris, do you want to get rich, like crazy rich?

[00:22:22] CS: Yes.

[00:22:23] MM: Okay. So I got this idea. All right. The idea is, like I’ve got this little townhouse in Houston and Houston’s a hot place, right? The waters come sometimes. We basically live in a swamp. I wanted to come up with all this energy efficiency stuff, right? I was like, “Okay. I want to energy efficiency. What am I going to do?” Oh! I’ve heard of solar powered hot water heaters.” I call up the solar powered hot water heaters, like, “Oh, yeah. You can save so much money.” I’m like, “Well, what if I just got a more efficient hot water heater?” “Wait! I don’t know anything about that.” “Like wait a minute. Wait. Wait.” Then I told the windows guy, “Can we get more efficient –?” “Oh my God. Yeah, we can manage that.” I’m like, “Well, what if I just put shades for a while? We don’t know anything about that.” That’s the problem we have.

If you want to make a lot of money, you’re ready, Chris? Come up with somebody that regular human beings can call, who will come to your house, survey your house and go, “Here are the 40 different completely unrelated things that you can do to make your house more energy efficient.” You know what the number one is, by the way, Chris? Weather stripping. Ain’t that funny?

[00:23:37] CS: Yeah, no, no.

[00:23:38] MM: Most houses – in terms of fun for the buck.

[00:23:40] CS: As someone who’s owned this house for three years, you are so talking my language right now. I’m dying for that guy, that person.

[00:23:47] MM: That’s what Security+ does. Security+ provides that one-stop place where you can look at all these different aspects of IT security. The problem is, so many people come in IT security and think they’re going to be pen testers.

[00:24:01] CS: Hmm. Okay.

[00:24:02] MM: Which is kind of interesting, but it’s also a kind of job where you live in a suitcase. It’s the kind of job where you have no social life. It’s the kind of job that tends to be very high pressure. I’m like, “Have you guys ever considered audit?”

[00:24:21] CS: Yeah. Well, yeah. I mean – go ahead. Sorry.

[00:24:25] MM: Let me just finish with that.

[00:24:27] CS: Please.

[00:24:28] MM: That’s what Security+ does. People don’t even know that audit exists as a separate thing until they take the Security+. The big challenge I have with people is after they take Security+, then what the heck are they going to do next? Right. I still don’t have a formalized thing on that. Maybe InfoSec could help me whip up a – so you got your Security+.

[00:24:53] CS: Now what. Yeah. All the paths leading from the one spot there?

[00:24:57] MM: Well, because it’s important because if you start marching up what person’s path, the other person isn’t going to like you. Certifying bodies do not have any cross certification. They do not speak to each other in restaurants. You know what I mean?

[00:25:12] CS: Yeah.

[00:25:14] MM: You can find yourself as a relatively newly minted IT security person and find yourself maybe going up a path that you didn’t think you wanted, because you thought pen testing is all there was, for example. Well, that can be wildly expensive, Chris, right? I mean, I know InfoSec provides training at very reasonable prices. But as you can imagine, as you get higher up and higher up into that, your market gets more vertical, so there are certifications there towards the top where many, many, many, many thousands of dollars are de rigueur to be spent. What a terrible thing, that was a mistake. That’s where Security+ can help.

[00:25:54] CS: Well, yeah. That’s a great place to jump to next because, again, I’m always –because I’m not very tech-focused myself personally, and I’m always sort of thinking for people like me. I think, within the cybersecurity space, especially on forms on LinkedIn, or Facebook or whatever, people, you get a lot of that inside baseball talk. I think it puts potential beginners off because they feel like, well, if I haven’t been doing this since I was five, if I’m not a computer science prodigy, if I haven’t done this, that or the other thing, there’s nothing out there for me. Like you said, there’s pen testing, but there’s also risk assessment, there’s also threat modeling, there’s also all these sort of non-technical but incredibly important things. Like you said, there’s analysts, there’s stuff you can do in your sleep, there’s stuff you can learn in three weeks.

[00:26:43] MM: Change management teams. The list goes on and on.

[00:26:45] CS: Yeah, DevSecOps. Yeah, any direction you want to go. Okay. I want to move from that to – this is probably an obvious question, but do you recommend – because we talked about then in the three order of like micro, macro, macro of A+ create the system, Net+ plus create the network, Security+ secure the system. Do you think that that that is an interact – like you have to do them in that order or does it vary depending on where you think you want your career to go?

[00:27:18] MM: A+ is kind of the wild one there. A lot of people who are going into IT security may not even need an A+ to be honest with you. I think it – I think they’ll need it some, but you could get around it. I call Network+ the most important certificate you’ll never need, because you don’t see a lot of call for, “I need Network+ certified.” But I would be hard pressed to imagine someone taking Security+ training without having the equivalent Network+ knowledge.

[00:27:58] CS: Yeah. It’s like learning Latin as a scientist or something. It’s like, you don’t use it, but you’re going to need it.

[00:28:04] MM: Well, even Cisco, like Cisco with their CCNA ICND1 was traditionally they had that – what did Cisco have, that internetworking? What was that, the little pre-CCNA thing? They may still have it.

[00:28:19] CS: That’s brand new, isn’t it? The whole thing. Okay.

[00:28:22] MM: It comes out with brand new iterations constantly. I have not looked into this in over a year, so I don’t want to start naming things and find myself either wrong or dated. All I’m trying to say is that even Cisco had preliminary courses. But to me, like Network+ is almost a CCNA. If you can pass Network+ and then take – give yourself 20% more time to learn the Cisco way to do it.

[00:28:52] CS: The specifics, yes.

[00:28:53] MM: In fact, iOS, I think you can easily get both of those certifications in the same shot.

[00:28:58] CS: Yeah. All right. Well, this is great. This sets a really nice table for having us talk about – let’s sort of like structure this around the absolute beginner’s guide to putting your first feet on the path here. Let’s talk about the people who weren’t born into computer science, who haven’t been hacking mainframe since they were five, who are interested in this field and know that there’s a lot of jobs to be had, and want to get in on it, but are a little intimidated by the tech. What do you recommend to sort of like put them on the path with your – where should they go? They get their skills subscription and they go to Mike Myers Skill Path. What classes within there do you think would get them excited, will start to sort of make the synapses pop a little bit and go, “Okay. I see how this connects with this and so forth.” Do you have any sort of like customized recipe where you’re like, “Okay. Try a little bit of Network+, and then jump over to security and you can see what’s going on here”?

[00:29:59] MM: No.

[00:30:00] CS: No? Okay.

[00:30:02] MM: Not, but don’t – it’s a wonderful question, Chris. I’m just going to grab your question by the hair and punch it a couple of times, if you don’t mind.

[00:30:10] CS: Sure.

[00:30:11] MM: The first, if I’ve met somebody like that, and I meet many every week on my AMA. The first thing I want to make sure that they have is passion. If you’re just looking to make money, seriously, you just want to make money right now, get into either plumbing, or electricians. Chris, you said you own your own home, right?

[00:30:38] CS: Yep.

[00:30:39] MM: Have you paid an electrician lately?

[00:30:41] CS: Nope. Not since we moved in, but yeah.

[00:30:44] MM: Well, knock on wood. I have a bad habit of buying old houses that need love. You’re getting into IT because you have a passion towards IT. Therefore, if you have some amount of passion towards IT, you’re already doing IT things. Now, when I say IT things, Chris, I’m not talking about, you’ve taken up Java programming for fun. That’s not what I mean. What I mean is, you have found yourself – we all have devices that we’re typing on, and they all fail from time to time. Do you find – here’s the big question? Do you find yourself on the initial attempt trying to fix it yourself, or do you instantly hand it to somebody and then cross your arms and wait? To me, that is a very clear criteria to define who might be successful and who might not. Now, there’s a lot of other things too. Are you into fine work? People do needlepoint or crochet tend to be pretty good nerds, especially – well, you don’t have to be – nerd dumb exists everywhere, Chris. It’s not just in IT.

When I was a little kid, we used to have a quilting party. This is back in the ’70s, okay? The ladies would quilt in the basement of this church, and make it into a – as a little boy, I was little enough to get under the quilt and tighten it, and I would get free Tootsie Rolls. The ladies really talked about the different ways of tightening this quilting table and what it meant. These are women in their 70s who are just about ready to start swinging at each other, because they’re nerding out on this technology.

Anybody who does something like that on a separate thing, they’re sports nerds, often show that they can have a – what’s the word I’m looking for? Yeah. I write books for living. Yeah, I’m a wordsmith. But they have a good aptitude. There we go.

[00:33:05] CS: Aptitude. There you go.

[00:33:07] MM: Towards IT. Those would be some of the things I look about. Nobody gets up in the morning and says, “You know, I don’t like where I’m at. I’m 24 years old. I’m going to go in IT.” Or they say it a lot or someone says something to them and gets in there. Look, everybody wants a formula, Chris and there isn’t one. Especially when you talk about learning here. When people are like, “Well, Mike. Tell me how to do it. Oh, great, boo bah.” I’m like, “Get an A+ book, get my A+ videos, go to InfoSec, get some practice questions and just get A+ knocked out”

The reason I do that is because I need people to do their own searching. There is something very important about diagnostics in IT. If you don’t have a self-motivational aspect to it, you tend not to be successful. We always talk about, “Oh! This guy is such a great IT repair person” or “This gal is such a great auto mechanic.” It’s like, why? Well, the reason is, Chris, and I think I’ve said this to you before and I’m going to say it again. Chris, I own a Ford F250 Lariat. Okay? Chris, I have a question for you. Sir, could you get into my Ford F250 and run the windshield wipers?

[00:34:32] CS: I can, yeah. Yeah, I can figure it out.

[00:34:36] MM: What? Are you Ford certified? Did you take a course on windshield wiper manipulation? No. Why can you run the windshield wipers on my Ford F250, Chris? Go!

[00:34:50] CS: the windshield wipers work similarly in most cars, and with a minute or two of trial and error, I think it would be easy enough to figure out. If it doesn’t go this way, it goes that way. If it doesn’t go that way, it goes this way.

[00:35:03] MM: You’re willing to poke around. That already makes you potentially a great nerd, Chris.

[00:35:08] CS: Oh, wow! Oh, yeah. You don’t need to tell me.

[00:35:12] MM: When people just, “Oh! My car isn’t working right” and they walk away. “Oh, I don’t know how to make bread right”, they just walk away. So if you’re asking me what is it, this is really what I’m twisting your question to my own evil needs is, what are the attributes that I’m going to be looking for on somebody who’s coming out of the blocks, that they’re going to have to show to me? The ability to poke around for problems to look towards to find your own resolution, before running towards help is, in my opinion, one of the strongest attributes they can do. From there, in terms of, okay – now to try to answer your question the way you formed it originally. What do I do?

Okay, fine. I get that, “What do I do?” Like I said, buy some good A+ training and go take A+. The reason I tell them to take A+ is A+ is relatively easy in my opinion. It’s wide, but not deep. It proves to me that these people have some stick-to-itiveness. It’s the same thing with a four-year college degree. People always like, “Do I need a four-year degree?” I’m like, “Yes. You should get a four-year degree.” Well, I don’t want to.” “Okay. You should have started with that instead of saying, “Do I need one?” Okay. Now we understand that you don’t have the time, and or the money or proclivity to go for a four-year degree. Fine. Go look at a double A degree, look at a tech school. Even those schools, I’m pretty sure, Chris, you guys get tech schools who are customers of yours, right?

[00:36:47] CS: It’s true.

[00:36:48] MM: Yeah, and more than one. They like good training materials, man. They’re going to come to you guys every time.

[00:36:53] CS: Absolutely.

[00:36:54] MM: I can go on and on. It gets them pointed in the right direction by getting one certification. This industry is too easy to get into right now. In fact, it’s too easy, to be honest with you. Because what’s going to happen is the same thing happened back in 1990 with the – do you remember? Are you old enough to remember Sienese, Chris, certified novel engineers?

[00:37:22] CS: I remember the names. I remember those words. I wasn’t in tech at the time. But yes.

[00:37:26] MM: It was a beautiful time. It was –

[00:37:30] CS: I was a hand off my computer to other people at that point.

[00:37:33] MM: Got you. But that’s what’s taking place. The demand has reached a point where HR departments, and department heads and technical interviews are literally lowering the bar. That is very, very good for intense, motivated, ambitious, passionate people who may not necessarily have what was previously very, very high barriers to entrance. It’s bad, because we will find a certain percentage of what we call paper certificates back then we’re going to pop through. Unfortunately, Chris, there’s nothing you or I can do about that. You guys turn to my Security+ product because it helps people successfully get through that program, right? Well, there’s a lot of people out there are just really good at taking test.

[00:38:38] CS: Yeah. That’s their skill set. That’s the thing they like doing.

[00:38:42] MM: A guy who a senior in high school, he was our tight end on the football team, varsity football team. That boy is about as sharp as a sack of wet mice. He got a 1600 on the SAP, and he’s showing everybody. He goes, “Guys, I guessed.” That’s like, “Dude, you need to go to Atlantic City like right now because – that kind of stuff.”

[00:39:11] CS: Something else is happening there, yeah.

[00:39:13] MM: That’s really the state of where things are at right now. The other thing in terms of training is that everybody’s different in training. If you have your three big pieces, you’re a good instruction, you’re a book or some form of reference, and practice questions, you have the tools you need. The problem is, is everybody’s good with different tools in different ways. There’s people who are visual learners tend to do really well, watching videos or instructor-led training. There are people who read, they’re going to be obviously reading books. There are kinesthetics who need a screwdriver in their hand while they’re doing stuff. Everybody’s different. I’m not going to tell people how to do it. What I will tell people like for example, for A+, you need on average 220 study hours.

How do you get those study hours? That’s up to you. People are like, “Well, that mean I can only study one hour a week.” Then I go, “Fine, you’re going to take the exam in four years.” Right? In the front of my books, I try to give you some kind of template to help you guesstimate how much time it’s going to take. Because the other thing I tell everybody to do is, put your money down and sign up for that certificate.” Heat and pressure makes diamonds, man. And I’ll tell you, nothing works better to keep you from watching, Leave It to Beaver reruns on YouTube and get back on the book, more than knowing that in three and a half weeks. I’m sitting down to take the A+ 220-1101. Those are some pieces that I do, Chris, that kind of motivate people, but there is no perfect single path. I don’t know what your study habits are. I don’t know what your memory retention is. I don’t know what outside influences are distracting you.

[00:41:02] CS: Yeah. Well, I want to jump back to something you said before about how it’s almost too easy to get in right now, and we’re getting these sorts of paper candidates and so forth. Do you think that there’s this is a bubble that’s going to burst? Where do you see this? Because I think it’s unavoidable that there’s –there’s such a demand right now that they’re – like you said, they’re grabbing people almost off the streets to do these jobs, and we’re constantly saying, like, “There’s so many jobs. There’s so many jobs.” It’s benefit for people who maybe aren’t in like geographic hotspots for tech. You have other options and so forth. But at the same time, like you said, you’re getting this sort of diluting of pool of passionate people. Can you use your sort of crystal ball to see like where this all goes?

[00:41:47] MM: Yeah. I mean, like 30 years ago, what will happen is that over the course of five or six years, we’ll start to get a more steady state. Wages will go up, or whatever it will take to get more and more people coming in. I don’t like to use the word bubble. It’s just high demand. The demand bar until that gets filled with enough people is going to be there. What will happen eventually, is that demand will slow down, they won’t die. You’re always going to need baby text. That’s never going to change. The people who are okay when things are tight are going to do just fine when things are easy. Does it makes sense to you?

[00:42:42] CS: Yeah, totally.

[00:42:45] MM: I don’t have any big panic about that. We ran into this. We ran into this 20 years ago with COBOL programmers, that suddenly a bunch of people – I think I inhaled some sneezing powder or something, Chris. Sorry. Suddenly, we’re out of COBOL programmers. People needed COBOL. We saw this 20 years ago during Y2K. I don’t like to say the word bubble, because it’s not a bubble. Bubbles are artificial. These are real. Does that make any difference?

[00:43:18] CS: That’s a good distinction, yeah, absolutely.

[00:43:21] MM: Did I answer your question?

[00:43:22] CS: Oh, yeah. Totally. Sorry. Okay, so yeah. I guess we should start sort of moving towards wrapping up things. But again, I guess, before I do, I kind of want to reiterate and see if you have any final thoughts on it. But again, because I’m trying to sort of speak the questions that we get all the time. We do live episodes of this, and people get live questions. When I asked things like that, like where do I start? Where do I move from here? These are the questions that I get all the time from people. How do I start? I think there’s that that absolute sort of crippling fear of going not from zero to 60, but even from zero to one. Where’s that starting point and so forth.

What’s a really good point is that, I think the way to sort of break through that inertia is to just sort of start. And then once you start feeling those muscles moving, like the A+ certification. “Oh! Now this does this. That’s interesting.” What can I do with that? And if you’re naturally interested, then something you learn even in something simple like the A+ is going to say, “Oh! I would like to sort of go deeper into that.” And the next thing you know, you’re on your net plus and you’re on your SEC plus. And you’re seeing the different little sort of twinkly bits that sort of like capture your attention. I think it’s not so much a matter of, “Here, tell me what to do next”, but it’s like just start and then sort of feel out – I know you kind of already said this but I just kind of wanted to read reiterate it in a good kind of wrap up sort of thing.

[00:44:52] MM: Yeah, no. It’s a great way to go. When people say, “Where do I start?” Remember, Chris, tell him to start by answering this question. Do you have a passion for this? Why are you here? I got to tell you right now, Chris. I love IT. I love IT. But I have another secret passion. You want to hear about it?

[00:45:23] CS: Please.

[00:45:23] MM: I love fine jewelry. I love it. I absolutely love it. I’m pretty good at it. I carry a loop with me. How crazy is that? Right?

[00:45:36] CS: I love it. I love to hear it.

[00:45:38] MM: The thing is, though, is, it’s because you have passion for it. See, it’s a thing. When people say, “Oh! Do what you love” and all this stuff. I’m saying, how could you not do what you love? I love IT. As soon as you and I stopped talking, what am I going to be doing today? Oh, I’m trying to come up with a virtual router that can handle routing protocols. Like BGP and stuff. It’s harder than you think. But anyway, it’s to have that passion. Don’t be afraid to throw that word at them a lot. Luckily, I can make money in it, because – you know how to make a small fortune in fine jewelry?

[00:46:29] CS: I start with a large fortune.

[00:46:30] MM: There you go. That’s it.

[00:46:33] CS: Oh, yeah. All of my passions make no money, I write about Avant Garde music, and I’ve never made a cent off if it, but I’ve been doing for 30 years now. You got to find some other passions that can also pay he checks.

[00:46:47] MM: You should work with more than one band called Avant Garde, man.

[00:46:54] CS: Hey! But no, yeah, I love hearing and that’s the thing is I love hearing that. Also jewelry, but jewelry doesn’t put food on the table necessarily. It’s a beauty in life, but IT is also a beauty in life and also keeps the roof over the head.

[00:47:14] MM: No, you can make plenty of money in jewelry, as long as you can dig it out of the ground yourself. That’s the trick.

[00:47:18] CS: Nah. Uh-huh. That’s a lot of other steps.

[00:47:21] MM: Also explains that big hole in my backyard.

[00:47:23] CS: Okay. That’s working out for you it sounds like.

[00:47:27] MM: In Houston, Texas, you get down four feet, you hit water. People think I’m putting in a pool.

[00:47:32] CS: Okay. You’ve pretty much already answered a lot of my questions regarding sort of self-directed training. Do you have any final thoughts on sort of using the skills platform? You said, obviously, set yourself, personal deadlines and so forth.

[00:47:49] MM: Remember, you have to be an adult, looking, preparing, training to get a job is exactly the same as getting a job. Get disciplined, get serious, keep your nose to the grindstone, hit your goals, hit your time frames, and you’ll live happily ever after. Too many people, like, “Oh! I kind of get halfway into this training, and then this happens and Corona, na, na, na.” You got you to fight. It’s an easy world right now, but that doesn’t mean you still don’t have – just because the barrier is lowered, that doesn’t mean there isn’t a substantial and good barrier. Because we don’t want people who don’t have the skills and the proclivities, and in my opinion, the passions to do these kinds of jobs.

[00:48:38] CS: Great. As we wrap up today, can you tell me a little bit of what’s next on the horizon for Mike Myers, either with InfoSec Skills or Total Seminars or your other endeavors?

[00:48:47] MM: There’s some very exciting things coming, but unfortunately, I’m so signed up with non-disclosures. I can’t share anything.

[00:48:57] CS: Can you pantomime them.

[00:48:59] MM: No, but I feel like I’m walking into the wind more so, more so.

[00:49:04] CS: Sure.

[00:49:07] MM: What’s happening out there? I think that we’re about to run into a big world of smart device security that has been – the problem is, we’re never sure who the bad guy is. Google is not a bad guy. Google is just big. They make sexy products that suck you in and they make good products, where if you sign those little – every time when you install something, and you look at those fine print, it scares you to death. I think that smart device security is going to be a big, big issue. Because I can make the ultimate smart device, and all I have to do is install Facebook Messenger and as though I’ve done no work, right? I think there’ll be an application rating system that’ll pop up in the not-too-distant future, where they literally decide the quality of an app. One of the things, criteria is going to be security. And keep in mind, when I say security, I’m not talking about some evil person with a wax mustache. I’m talking about what exactly is the telemetry that’s being pulled. I think that’s going to be a big issue. That’s my best guess, Chris.

[00:50:30] CS: Yeah. Do you want to talk a little bit about Total Seminars? Give a little plug. Tell what else you do with them.

[00:50:36] MM: Sure. Total Seminars, we’ve been around, we incorporated on the April Fool’s Day 1995, which I thought was yesterday, but I guess it was longer than that.

[00:50:44] CS: It’s been a while, yeah.

[00:50:46] MM: Celebrated our 25th, and a few more than that. Total Seminars, we’re a bunch of nerds who sit around all day and play with technology. We make videos, and we write books and generate practice questions, and we’re lucky enough to rent it to you guys, Chris, and you like our stuff enough and to be part of your family is always very, very much appreciated. That’s pretty much what we do.

[00:51:12] CS: All right. One last big question for all the marbles. If our listeners want to learn more about Mike Myers and Total Seminars, where can they go online?

[00:51:19] MM: Well, probably the best place I’d recommend people to go to is, I do an AMA on YouTube. It’s a great place. It was originally designed as a way for people to continue to study for Coronavirus. It’s kind of got its own life now. Anyway, it’s on YouTube. It’s at the TotalSeminarsChannel. That’s one word, TotalSeminarsChannel. Look that up. It’s 2:00 Central Standard Time, Monday and Wednesdays and on Fridays, we talk about Raspberry pies with my friend, Dave Rush. For the people, raspberry pies are cheap. Why buy a $2,000 computer when a $35 computer could do the same thing? Those are all great. It’s a great place, especially when you want to ask more detailed questions, that type of thing. But you guys also have some pretty good resources too for that type of stuff, right?

[00:52:15] CS: You know we do. I’ll be talking about it in just a moment here.

[00:52:17] MM: Oh, okay. That was your lead in. I was like –

[00:52:21] CS: Hey! Hey! We’re all plugging things here. All right. This has been great, Mik. Thank you for joining me today. This was so much fun and some really, really great insights for people who are ready to take the plunge, I think.

[00:52:35] MM: Very good. Chris, always good to see you guys.

[00:52:38] CS: My pleasure. So as always, thank you to everyone who is listening to and supporting the show. New episodes of the Cyber Work Podcast are available every Monday at 1:00 PM Central both on video on our YouTube page and on audio wherever you find podcasts are downloaded. I want to make sure you all know that we have a lot more than weekly interviews and cybersecurity careers to offer. You can actually learn cybersecurity for free on our InfoSec Skills platform. If you go to infosecskills.com/free and create an account, you can start learning right now.

We have 10 free cybersecurity foundation courses from podcast guests, Keatron Evans, six cybersecurity leadership courses from Cicero Chimbanda, 11 courses on digital forensics, 11 courses on incident response, seven courses on security architecture, plus courses in DevSecOps, Python for cybersecurity, JavaScript security, ICS and SCADA security fundamentals and more. Just go to infosecinstitute.com/free and get some learning today.

Thank you once again to Mike Myers and Total Seminars and thank you all again for watching and listening. We’ll speak to you next week. Bye.