Get started in cybersecurity: Beginner tips, certifications and career paths

Chris Sienko: Hello and welcome to this week's episode of CyberSpeak with InfoSec Institute podcast. This week's episode is a rebroadcast of a webinar hosted by InfoSec entitled Getting Started in Cybersecurity: Beginner Tips, Certifications, and Career Paths. Today's presenter is longtime InfoSec instructor and superstar cybersecurity professional Keatron Evans. Keatron will share tips for individuals first starting out in the cybersecurity industry or looking to change their career path.

His tips include actions you can take now to prepare for a cybersecurity career, entry-level certifications that can boost your career, the skills and mindsets that make a successful cybersecurity professional, and more. Just as a reminder, if you'd also like to see the webinar as it unfolds, including presentation slides, you can find it on our YouTube page by searching InfoSec Institute and visiting our YouTube channel. This webinar's about an hour long. So, without further ado here along with moderator Camille DuPuis is Keatron Evans.

Camille: Really great to have you with us, Keatron. A little bit about him. He is regularly engaged in training, consulting, penetration testing, and incident response for government, Fortune 500s, small businesses, and everything in between. In addition to being the lead author on a bestselling book Chained Exploits: Advanced Hacking Attacks from Start to Finish, you'll see Keatron on major news outlets such as CNN, Fox News, and others on a regular basis. And he's a featured analyst on a lot of those concerning cybersecurity events and issues.

For years Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity as well as attack development. Keatron also provides world class training to some of the top organizations in the industry. So, as I said, great to have you with us, Keatron. Really a knowledgeable person that's going to help us out through this, and just help us dive into all things cybersecurity career paths. So, thanks for being available, Keatron.

Camille: Why don't we go ahead and get started kind of talking about high level look at jobs in the cybersecurity field. Numerous studies have indicated that there are not enough qualified professionals to fill all the open positions, and that problem is expected to grow in the coming years. So, although that's bad news for organizations, good news for anyone interested in the cybersecurity career. So, if you want to get us started on that Keatron, that would be great.

Keatron: Yeah, absolutely. Camille, thank you for the introduction. This is definitely, an area that we've seen some concern in. And a lot of the customers that I have are actively recruiting a cybersecurity people. Because of the fact that we do consulting for them, they look to us when they're looking to staff up and things like that. And I see that being a bigger and bigger concern in organizations where they're looking to bring in staff that already have some cybersecurity skills. And that's taken a change over the last 10 or 15 years or so. Whereas before, when we teach classes, for example, when I get a chance to do that 10 years ago, I would have a class of 20 people, and 15 of them would have five plus years experience.

Now, I'm lucky if I have at least one student that's got more than a year's worth of experience in anything security related. So, that just shows you that there's an influx of people trying to fill the roles. We've been busier than ever, but at the same time, the roles are still not being filled. There's still a huge shortage and it's obviously going to grow. So, I think this is right on point.

Camille: Now, Keatron why do you think there's such a skills gap there where we don't have these workers that we need? And why is it continuing to grow despite talking about this through the recent years?

Keatron: I think it's a combination of a lot of things. One, we were processing more data, using more electronics, doing more things across the internet, using social media and things like that for business, more than we ever have. So, because of that, we leave a bigger data footprint. We require more processing power, more compute, which means more resources, more devices, which means more things that need to be secured. Also, we have a very quick, and I like to say agile media cycle now. So, if you're an organization that gets breached, it only take minutes before the whole world has knowledge of that breach because of Facebook, and LinkedIn, and Twitter, and those things like that.

So, that's caused a lot of organizations to actually have to step up and do something about whatever security problems they may have. So, as a result of that, again, they're looking to hire people. They're looking to even get people inside the organization trained up. I would say that more than half of the people that I've trained over the years to do cyber were people that were doing other IT related jobs and they got forced into or pushed into doing security or doing cyber. So, I think it's a combination of those things. We're using more data than ever. We're doing more computing than ever. And because of that, there are more roles being opened up to handle, that increased dependency on data and computing.

Camille:  Sure. So, that makes sense. And want to talk about these people that we need to do the jobs. How do you become someone in the cybersecurity world? And the different stages of working towards that profession can vary for a lot of people. So, can you describe what you can do now to start getting into the cybersecurity field, and if you're not already enrolled in any courses or certifications or anything like that. Just give us an overview of how you think someone would commonly get started.

Keatron: Well, so that's the good thing about it. I think you can start from pretty much any point. I don't think there's a designated you have to go this pathway to get into it because my path is pretty well documented. I've written about it, and people read it. So, my path into cybersecurity definitely was not a traditional path. For example, I didn't come from a computer science background. I didn't major in computer science per se, that wasn't really how I got into it. I was doing some computer aided drafting stuff, and got into some civil engineering, and that got me into computers more.

And then from that point I just decided that I wanted to do this. And I literally just made a spreadsheet of all of the different knowledge areas that I would have to conquer to be good at cyber. And I've just started to knock those knowledge areas out slowly. And it started with certifications actually. I got into an A plus certification type of a course. And after that I jumped into a network plus, and then I went off on the Microsoft rabbit trail of doing all the Microsoft certifications. So, the certifications introduced me to systems and more importantly taking those classes, I got to network with other people that were already doing those jobs.

So, it gave me opportunities, not just to get job interviews but also just to see what people were asking for. Because it's one thing to look at a job application or a job ad that HR posts on the internet, but to talk to an individual that's working on that team, that may be the actual person that's doing the hiring, it's a different perspective to hear what they're looking for in someone that they're going to hire. Because if you look at like the job ads, mostly what you get is like, "Here's their minimal ... This is what HR is looking for but if you have these things, you're going to stick out a lot more."

You really get that insight from talking to the individual. So, I think that just starting anywhere, if you're coming right out of high school, don't feel like you have to go get a four year college degree in computer science to get into cyber. You can literally come right out of high school, jump into the right certifications, start networking, going to some of these conferences and things like that, and you can find yourself in a very nice entry level cybersecurity role right out of high school.

Camille: Now, thinking about ... You said that sometimes people don't have college degrees or something to get into the cybersecurity field. And thinking about that, let's say someone is still in high school or still really early on in their career, are there any classes or things that they should look for to get into the industry maybe without getting that degree?

Keatron: Yeah, absolutely. So, there's a lot of free material out there that you can find. Just the biggest thing is research. One of the things that I find most interesting and surprising is when for example, if I teach a certified ethical hacker course, I'm always amazed when I get a student in who's done zero research. Like they didn't even know they were going to get a certification out of it, they just show up for class. So, one of the things I like to encourage is before you take any class, especially one that you pay for, do some of your own research on the topic area because that might tell you whether or not you want to even spend the time or invest the time in that class or in learning that particular skillset. So, absolutely, looking at where to come in, I think that's a good place to start is definitely the entry level certs and the free classes.

I encourage everyone, the classes I teach for different organizations throughout the world, all those classes cost money. But look at some free stuff. Before you spend money look at some of the free stuff out there. It's not going to give you nearly the same quality level. You're not going to have the reputation, for example, I've got a lot of years of experience. It's going to be hard to get someone with that much experience in front of you just looking at stuff on the internet. At least in a package way to tell you specifically the things you need to know.

So, look at the free stuff research and find out what the certifications are about, what the knowledge area is about. And then from that you can essentially go ahead and then pick what you want to spend your money on so to speak.

Camille: Sure. And so, people that do choose to get a bachelor's degree to accompany their cybersecurity studies. What are some of the most common titles? Is that going to be computer science degrees or what do you usually see in that realm?

Keatron: Well, it used to be computer science degree, management of information systems, business information systems. Those are like some of the older terms. Now we're seeing software engineering, software development, or some of the degrees that are coming out. And believe it or not, a lot of the colleges are now are shifting to cyber focused degrees. I know Penn State has a pretty extensive cyber program. The University of Auburn has their cybersecurity school of excellence. They have an entire four year track dedicated really to cybersecurity. So, we're seeing more and more colleges beef up their cyber security offerings, and starting to actually offer degrees that have the word cybersecurity in it.

So, it used to be primarily comp sci, network engineering, system engineering, software engineering. But now that's transitioning. We're seeing more and more roles where people are coming out with degrees that are more cyber focused. And that touches on another point that we're going to get to here in the next slide or so, which is you don't have to start out with anything computer science-related to come out of college and get a good position in cyber. And we'll talk about that in just a second.

Camille: Sure. So, let's move on, and talk about in lieu of necessarily a full degree or something in cyber certifications. So, I know that's an area where you have a lot of expertise and knowledge, and some certifications of your own, I believe. But when you're looking at certifications, there are a lot to choose from. I know at InfoSec Institute here we offer over 100 different courses. But let's talk about how important our certifications, particularly, for those just starting out and looking to either land their first job or transition into security.

Keatron: Absolutely. So, that's an interesting, and a very good question because the thing about it is you have really two lines of thinking in the whole IT security, cybersecurity industry. Whereas you have these group of people that slam certification and say it's not worth it. It's a waste of time. It's not useful. And then you have on the other side, people that swear only by certifications and they try to collect as many as they can. But what I would say to that is, so if you take, for example, my foray into it, I remember when I was taking the MCSC version 2000, 2001, something like that for the MCSC certification track, and there was something that Microsoft introduced with that track, which was something called volume shadow copy services.

And what that means if you set that up, you can now right click any file or folder on your desktop or on your computer, and you'll see a previous versions tab. And if you click that tab, you can actually roll back to previous versions of that document that you might've been working on. Like, keep in mind, this was a huge, huge, huge thing because I knew people whose job it was basically just to go get backup tapes, and restore word documents that the CEO had inadvertently destroyed or added something to that he didn't want to, and didn't want to go back and undo all the work. So, this was a huge thing.

And I got introduced to that actually taking an official Microsoft certification course. This was something that completely changed the way that I architected systems and things of that nature. And it's something that I probably wouldn't have known about if I hadn't jumped into that certification course. I wouldn't have known about it as quickly as I did. So, what I would say to that is first of all, don't make it your goal to go out and get as many certifications as you can, as quickly as you can because there is some value to taking your time, and actually learning this stuff versus just nailing down search, taking these brain dumps, and things like that, and getting yourself the certifications really fast.

Or even if you take a bunch of classes back to back to back to back. If you looking me at an interview and I'm looking to hire someone, I'm going to look at the fact that you got 12 certifications in a year. And on the plus I'm going to say, "Well that shows some motivation, and some serious dedication to trying to get into this industry." And that will weigh heavily on my decision. But at the same time, I'm going to question the experience because if you've only been out of college a year, or if you've only been chasing the cyber dream for a year, and you got all the top certifications within that year, then it just tells me that you did like a very quick sprint to get these things.

And it might not translate the to hands-on skills, which is what's really lacking in the industry is people that can actually sit down to the keyboard and do things. So, look at the certifications that are technical. Look at the ones that force you to sit in the seat, put your hands on the keyboard and do things because that is where the biggest deficit is in the industry as far as what I see. So, A plus, net plus, these are good ones to get your feet wet in the industry to start with ... To just see what it is you want to do. And another thing that I often tell people to do is even if you're don't meet the qualifications to get the certification, go look at the CISSP, look at the track, look at the subject areas and even download some books, and things like that, and read up on that topic.

Because what CISSP is for me or what it did for me, it was one of my first certifications in security, is it gave me a very broad look at a lot of different cyber avenues, right? Like there's management, there's secure software development, there's network and communication security. There's cryptography, there's all these different areas. And the CISSP was like the one that gave me the biggest view of all that. So, from that I chose to go into technical cybersecurity, which would pin testing, and incident response, and those things. So, traditionally the recommendation is do CISSP last because it's lack the granddaddy of certifications. Look, I'm going to challenge that flip that line of thinking on its head a little bit here.

And I've said this for years, if you go back and look at some of the tech exam articles that I wrote years ago, go ahead and look at that first because it is a cybersecurity management certification, which means it gives you a very narrow or very shallow, wide view of all the different things cyber. So, with the A plus, with the network plus, with the CCNA, which are all entry level, add that as something that you might want to look at because you want to take the technical stuff and figure out which avenue you want to take with it, is how I would look at that.

Camille: So Keatron, going off of talking about the experience and the knowledge you need to take some of these certifications, for anyone looking at taking, I would say, a variety of certifications, whether it be those real entry-level ones that we have listed on the screen there or something a little bit more advanced like CISSP what is the base knowledge you need to really understand the course?

Keatron: So, I would say the base knowledge for things like A plus, net plus, CCNA, some of the Microsoft entry-level courses is you just need one, just be a little bit above what an average end user would have. Right? Like if I were to say, "Hey, tell me your Windows IP address." You should be able to do that without me having to give you step-by-steps. I should just be able to say, "Hey, what's your Windows IP address?" And you should be able to look that up, run IP config and get that IP address. I shouldn't have to say, "Click, start, click run, type CMD, hit enter, now type IP config/all." I should just be able to say, "What's your IP address?" And you should be able to tell me that.

Also if I said, "Ping google.com." You should know how to open a command prompt in Windows and ping google.com. To me that's like where you need to be coming in. If I asked you, "Hey Camille, reset your Windows password to be Keatron." You should know what the steps are to reset your password or at least be able to within a minute or so Google the instructions and figure out how to do it from that. To me, that's where you need to set yourself as a starting point.

And then after that, you can build from that, having that basic skill level. So, I would say nowhere near as much as what like I said desktop support technician would know because you're trying to get into the industry, but somewhere between that, and your average desktop user because you have to have a clipping point to start with. Otherwise, a lot of things just might be too far over your head.

Camille: Sure. And so, we have some people asking, "I don't necessarily have those skills or I don't know how to get to the starting point where I'm ready to take a certification to learn more." Have any ideas for resources, or ways you can just advance your basic computer, and overall, security technology learning so that you're ready to take some of these?

Keatron: Mm-hmm. Yeah. So, there's a lot of I would say some things that you can write down that you should go look at is instead of looking at how do I get into cyber security? Because you came here for that. So, we're telling you that. So, what that really means, if I could quantitate that for you, one thing is start looking at things like how do I learn Linux command line? How do I learn Windows command line? How do I learn Windows PowerShell? Like start looking for those tangibles because those are the entry-level and basic things that are going to set you up for A plus, net plus, and any security search that you might do after that.

 So, start with the basics. Even if you're completely coming from a non-technology field, let's say sales. All right, let's just say a salesperson the only technical experience that you got is using Salesforce, and email. I would say start off with, "Hey, let me go look up the fundamentals of computers. How do computers work?" And I know that sounds basic, but literally Google that, how do computers work? And there's some good stuff on core. There's some good stuff on Stack Exchange that you can look at. Just little articles on how computers actually work. And then from that point, start getting under the hood just a little bit.

 Well, what is the Windows command line? How do I use that? What is the Linux command line? How do I use that? And more and more I'm finding myself recommending what is cloud services? How do I use cloud services? Right now you guys can do this right this second, open your browser, go to aws.amazon.com, or azure.microsoft.com, or cloud.google.com, and set yourself up a cloud service. Now, you can set the service up for free and it's very extremely basic as it tells you how to set the service up. But set that service up. Start learning how to build yourself virtual machines inside that service, and look, just trust me on it. I know that sounds complex hen I say, "Go set up a Microsoft Azure account, or go set up a AWS account, and start building virtual machines in a cloud environment."

 That sounds like I'm saying brain surgery, but it really is extremely basic, and all of these organizations have very, very good tutorials on how to get started, just setting up those basic environments because it does two things for you. One is it already puts you ahead of the curve because now not only have you heard of cloud services, you're actually utilizing it right away. And then secondly, it gives you the flexibility with almost no cost. If you do it right, no cost, you can create a Linux environment, and create a Windows environment that's not on your machine that you can practice in.

 You can break things, you tear things up without the fear of any adverse reactions or things happening to your actual computer by doing that. So, to me that's ... I've streamlined my advice for that question over the years and that's what it's come to now. Start off with how do computers work? Google that, look at some of the articles. And then start looking at how does powershell work? How does Windows command line work? How does Linux command line work? And pair that with cloud services. If you just take those things, and spend the next six months or so working on refining those things, you will put yourself exactly where you need to be. And I would say even a little bit ahead of most people that are successfully coming into this industry now.

Camille: And so when people, when they finally grasp this knowledge that they need to understand how to take these certifications, when they are preparing for the actual certification, and the one they've researched, and the one they choose, would you recommend going with self-study materials? Have you seen success with that, or do you compare it to taking a course, a bootcamp or a training where you're really diving into this specific certification? What do you think about that?

Keatron: Yeah, and that's a good question. And it's a tough question because I provide training for InfoSec and for other places, and let me just tell you my take on the value, and the difference. So, you can do most of these certifications or a lot of these certifications via self-study. But the difference is is that when you take a course, number one, the course is geared towards preparing you for that certification. So, you're going to be told exactly what you need to know to successfully conquer that certification exam. Secondly, you will be able to draw from the experiences and the interpretations of other people in the class.

 And one of the most fascinating things that I observed early in my career of teaching was sometimes the best questions like how you get your best answers is from questions that other people ask. For example, if you and Jeff are in the class, Jeff might have a question, but his question actually asks the question that you had in a way better way than you could have ever asked that question. So, sometimes just being in a group environment, in a structured environment where there are other people trying to achieve the same goal, you will get insights, you'll get phrasings of questions, and the way questions are presented, and answered that will stimulate your brain, and make you absorb the material in a way that you just won't get from self-study.

 So, that's one side of it. The other side is most certification courses, and most trainings will offer you some type of free reset, or something like that if you don't pass the certification. In other words, some type of a certification guarantee. So, if you're self-studying, and doing it on your own and you go and you don't pass that exam, well you're out there on your own to pay for that research, and to pay to go back and learn that material again. So, I would look at self-study as something that you should do. Maybe, look at it as a precursor to taking a bootcamp or something like that. Because there's two lines of thinking with bootcamps. One is come in knowing nothing and we're going to get you ready by the end of the week.

 Well that happens more often than not, and we're definitely equipped to do that, but it's less stressful on you as the student, or as the individual coming into it. If you use yourself study time ahead of coming into a course. So, where when you come into the course, you have some idea of what to expect and you can absorb the information a little bit better. If there's 10 things that you need to know, and you come in knowing none, well that means you have to learn a lot more things in that five days than someone that came to that course knowing three of the 10 things already, if you want to look at it that way. So, that's my advice on that.

Camille: And I think that ties in nicely to your point about, "Oh, you can go back to back to back to getting all these certifications, and then, look really impressive with all of these letters after your name. Right? CCNA, and CISSP, all that." But looking at the value of really taking the time to absorb these skills, and communicate with one another in a class environment will help you per se to like I said, absorb that knowledge, and really have the hands-on skills to do that.

Keatron: Yeah, absolutely. And I don't want to be some hypocritical here because I have about 100 certifications myself but to be clear, some of those certifications I got over years and then some of them were requirements, right? Like sometimes you're in a job or you have a specific contract that requires you to possess certain technical certifications to be on that contract or have that job. So, I have a lot of certifications. I'm definitely not saying don't do it, it's just that make sure you do it in a structured way. And the most important thing is actually challenge yourself to do a lot more than is required to get into the industry or be in that job role. And I see so much of that where you get all these people that are coming in and they all have the exact same skillset.

 They've got this cookbook definition of what they think it takes to be in cyber, and they all have that skillset. But you know what? Set yourself apart because I had to do that again. When I came into the industry, I didn't come from a traditional comp side background. So, coming into it was a little tough because I was around people that had a lot of experience. I would have guys saying, "Oh, well you know I worked on the Cray supercomputer, I worked on IBM this, this, this and that back in the day. And I was using punch cards. Just making you feel like you don't know anything because you just got into it.

 And at the same time I had younger people that had just taken like a five year computer science course or degree program come and I say, "Oh, I can code this and I can code that, and I can code circles around this. And make this application do that." And it wasn't until one day that happened, I said, "Oh, well look at this, I can hack into this bank account without any login credentials." And then that's when I realized, "Oh yeah, this is a skillset in of itself." The programming background helps, but it's definitely not a requirement. And you definitely want to focus on setting yourself apart by learning more things than is required.

 For example, I gave the recommendation to go set up an AWS account. Well, don't just do that. Like on your own, go ahead, and shoot for the AWS technical certifications, like dive into it all the way, make yourself the total package. Like don't come into the industry with a basic skillset that checks all the marks, and expect to be treated like you're something special because you're not, if you come in and your skillset matches everybody else's.

 One of the things I tell even when I teach classes, my students is, "Look, I can tell you about SSL, I can tell you about how exploits work. I can explain to you exactly what happened to Equifax, how they got breached with the Apache Struts vulnerability. But you know what? I can sit down, fire up a VM within two minutes, and I can demonstrate to you the Apache Struts exploit and how that organization got exploited. And that's where you should strive to be. Even if you don't have a role that requires you to do hacking or pin testing. If you're in an advisory role, why not challenge yourself to say, "You know what? I'm going to set myself aside as a CSO, or as a manager, or as an entry-level person. And then I'm an entry level person that can actually demonstrate what an attack looks like."

 In other words, I'm just saying challenge yourself to be a lot more than just what it requires to get into the industry. Getting into the industry, honestly, the best way is being a lot more than what it requires to get into the industry. And I'm trying to give you a roadmap as to how to do that.

Camille: So wrapping up here, talking about we've built up the steps to how to get into the industry, what you need to do to prepare yourself for a certification, how to move into taking that certification. But what the ultimate goal is here is to then get into a career. Right? So, can you go over talking about if you have any high demand areas that you see or really growing in the future that people might want to strongly think about considering as a facet of the cyber realm?

Keatron: For sure. So, the areas that we come up short in application security, and I mean technical app sec people that can write secure apps, can test applications to see if they're secure, can pin test applications. So, that's still a field that's very, very underserved. Incident response, that's probably one of the biggest growing things. As organizations get breached, as the breach cycle, the life cycle of an organization getting hacked, and then how they respond to it, the whole media cycle. That's becoming a field in and of itself to be able to go into an organization, and help them deal with that or in your organization be able to deal with that.

Because in my practice, and my business, that's the area that's grown the fastest. I've got service more RFPs for that this year than just about anything else because our pin testing is automatic. We have clients, we get new clients, we know what that cycle is. But the thing that's showing the most growth for me and my practice is the incident response, and I mean technical incident response. Where we'll go in, after an organization that's been breached and walk them through what they need to do all the way from hands on the keyboard to dealing with HR, PR, legal. We just come in and take over the whole process, and hand it off to the team and do knowledge transfer. So, definitely app sec, information, or incident response are some areas.

Reverse engineering is still a big area. It's very niche, but it's also growing a lot because if you take organizations like FireEye in Palo Alto, and some of these others that have these huge teams are reverse engineers, they're constantly hiring. The FireEye job ad for a hiring reverse engineers to work on their flare team, and some of the other teams, that thing has been a constant, we need people. Like for the last three years it's not been not advertises we need people. So, application security, reverse engineering, incident response, and even pin testing. I still say pin testing because for one it is a great way to start a technical cybersecurity career.

Keatron: Because you will have to learn some forensics, you'll have to learn some hacking, you have to learn some recording, and it gives you a good place to launch into other directions from, which is exactly what happened to me.

Camille: And so following up with a question from one of the audience members, what do you see in the world of digital forensics? Is that moving forward or where are we at with that?

Keatron: Well, it is, and that's a great question by the way. Whoever asked it, thank you for that question. So, what's happening with DFIR or Digital Forensics and Incident Responses is you can see an industry, you're seeing it being referred to as Digital Forensics Incident Response or DFIR. And that's because a lot of the forensics is being merged under incident response. Because if you look at most of the forensics effort now, a lot of it is being driven towards responding to hacks or events that happened inside of the organization. And when you look at most hackers, they have developed a pretty good skillset of not leaving behind.

The evidence is specifically on a hard drive. When you look at a data breach, when you look at things of that nature, sometimes the best evidence is going to exist in memory and in traffic. And hard drives are usually the least fruitful place to look for that. So, digital forensics I think is making that transition to where the importance on hard-drive forensics is going down for the simple fact that, number one, look at how little information we're storing on our actual computer hard drives now? We're all moving to the cloud. We're all computing online. Even when we do child exploitation investigations, which we still assist with a lot of those, a lot of the information, and a lot of the evidence is coming from cloud services, and things like that.

 Simply because a lot of these guys know not to download videos now they just stream them, right? So, there's a different way to look for that evidence. A lot of organizations, even if you still host your data onsite, you've put a lot of it inside virtual machines. And so, when you look at it from that perspective, there really is no physical hard drive. You can't go to Amazon and say, "Give me Infosec's physical hard drive their web servers running on." Because it doesn't exist. It's all a big virtualized environment. There is hard drives that you could try to image, but go to Amazon and ask for that, and let me know what response you get back.

 So, I think the forensics is definitely growing, but it's growing into being a necessary part of incident response, right? So, it's one of those things that's being more and more attached and aligned with that and in just about anything else. And when we say incident response, it doesn't necessarily have to be a hack, right? Like inside your organization, when there's a need for forensics, a lot of times it's because of an incident, and it could be an internal incident where someone did something internally that they shouldn't have done, that usually equates to being an incident as well, which is why if you look at, most of the forensics things out there, it's paired now with incident response.

Camille: And so, talking about all of these different roles that you said are up and coming, what would be some of the job titles that people would be looking for in organizations when they're looking to get into some of these facets that you outlined as up and coming?

Keatron: Some of the job titles you said?

Camille: Yeah. Maybe just help them have an idea of what they'd be doing day-to-day from the job title listed.

Keatron: Yeah, absolutely. I mean, you'll see titles like information security analysts, entry level security analysts, entry level SOC analysts, junior SOC analysts, junior pin tester. And even a lot of times just going into a non-technical security role just so you can get your feet in the door to where you can observe those technical roles and learn about it is a preferred way of doing it as well. So, things like documentation specialists, or someone that comes into an organization and is responsible for incident management because a lot of times incident management does not require a technical skillset.

 You're just managing the incident, managing communication, managing who's doing what. Almost like project management for incidents is what incident management is. So, it's not necessarily technical, but you can jump into a role like that without really a lot of technical skills and then use that to budge your way into a technical role. So, those are just some of the ones that are coming out there. And look, one of the slides you had earlier said, "Don't fear pivoting from your job to a new career." Still things like entry-level network support technician, desktop support technician. These are still great pivot points for you to get into, and then move from that point into a cyber career.

If you're already in those roles, then just start to beef up your cyber skills, your technical cyber skills. Start adding that stuff to your skillset and start advertising it. Go to meetups, go to the OAS meetings, go to the ISACA meetings, go to the ISSA meetings. Go to the Entry Guard meetings, and talk to people, tell them that you're interested in cyber. And have some skills when you go, that's the number one thing. Because at the end of the day, if I'm speaking at OAS or something, and you meet me, and you say, "Hey, I'm entry-level. I'm looking to get into cyber." I'll probably offer you, "Hey, well let's do a two hour Saturday Skype meeting." Or something like that.

Or, "Hey, let's meet at the Starbucks on Saturday for an hour and let me see where you are. And if I can help you, I will." And look at, if you've heard this webinar, and then you come to me six months from now, and you say that, and then I sit you down, and you have not learned anything technical, you can't show me anything, then that means you're not really driven towards actually trying to accomplish these things. So, make sure that don't look for roles that actually have the word security in necessarily, if you can find those entry-level junior, those are good. But also don't underestimate the value of roles that aren't necessarily security related.

Look for security consulting organizations that do security consulting and then look for some of the roles that they have. And a lot of people will go into those roles, and then bud themselves into one of the security consultants in that organization. So, I wouldn't focus even so much on looking for specific job titles. Just as is the case with all jobs, research the organization, make sure they're doing what you want to do. And then find a way to get in there whether it be through some other job role or not.

Camille: Sure. So, wrapping up on that, we've got a lot of great questions and Keatron, you did a great job helping to answer a lot of the questions we have coming in. So, we're saving a few minutes here at the end. So, feel free to send us more questions. We're going to real quick talk about if you are interested in a certification, how to get started with doing that. And then we'll save time and go through the last questions that we have. So, looking at ... We talked about the differences of taking a certification course versus self-study, and if you are ready to have that immersive practice with other people training opportunity, I'm just wanting to let you know about Infosec's courses real quick here.

So, we have a few different ways that you can train and really great because they can meet any schedule. So, you can do Flex Pro, which is our most popular. And that's a bootcamp training format where you get award-winning training from us with the convenience of being able to train from anywhere using your favorite device. And then we offer a variety here that you see, of course. So, we do do some public training bootcamps. So, that's when you're live in class with an instructor. And those are hosted at different locations across the United States. And then we also offer a self-paced computer based course, called Flex Basic.

So, really a great few options to look into if you are thinking about taking a certification course. And as Keatron said, one of the great things that InfoSec Institute offers is that exam pass guarantee that you see on the bottom left side there. And so, what that means is that if you do not pass the certification for the course bootcamp that you're enrolled in, if you don't pass that certification test on the first time, we will pay for you to retake that for a second try. And then we also have some of the industry leading exam pass rates at 93%. So, a pretty good chance that you will pass that exam after taking a bootcamp course with us.

Looking at October special, you will have access to 90-day replays of your videos from your lessons, which is great for reabsorbing that knowledge and as Keatron said, taking time to soak some of that in. So, moving on, it looks like we have a few more questions streaming in. We saved a few minutes. So, if Keatron, let me look through the questions here and see if we can talk about some of these that we need to followup with. So, let's see. I think one interesting point here is somebody said, "A lot of these job requirements always require degrees." And we touched on that earlier is how a lot of people don't necessarily go for a degree before a certification, but what would you say about necessarily if there's a way to surpass that requirement via skills or talk to us about that?

Keatron: Yeah, I would say if you see a job that says, "Degree required." I would say go ahead and apply anyway. Say, "Look, I've got these technical skills." Because the very first security job I had was a job that required a degree that I did not have, but I just applied for it anyways and said like, "Hey, like I know you asked for a degree here, but like I've got some skills that really sound like exactly what you're looking for here. Maybe we can balance this out with those skills and with my experience." So, I would say go ahead and apply for it. Now, there might be some HR people in here saying, "Oh, well it's great you're giving us more work." Well, I mean, you know what? That's what your job is.

Part of your job is to take those applications and pass the ones on that same beneficial and discard the ones that don't. So, I want you to at least put your hands online, if it's a role that I really want. And the other thing too is if you look at a lot of the innovative, forward moving, and very progressive organizations and companies, that's becoming less and less of a requirement. Like even if you look at Google, and Apple and some of these places, they're more so focused on look like what can you do? Like we're going to sit you down in a room for an hour and we're going to see what you can actually do since you're applying for a technical job.

So, I would say look for those opportunities. Go ahead and apply for the ones that say you need a degree. If you're going to make mad or tick off the HR people, you know what? That's just part of it. But go ahead and apply, but try to seek out the roles that are more open to you not having a degree if that's something you're interested in. And the thing about it is ... And I have to say this too, make sure it's a role you actually want to be in, right? Like don't just apply for something. If you're changing careers, if you already solid in your career, and you looking to change now, don't rush it.

Take your time and try to get into a role that you're actually going to enjoy doing. Because my mind is boggled with a bunch of stories of where people want to apply for a job. They were told they're going to be doing pin testing, and then they get the job and they're sitting there doing IAA work where they're checking off checklists on vulnerability scans or something like that, which is totally not what they wanted to do. So, now they're less happy than they were in the job that they came from. You know?

So, I would say just make sure you take the time. If there's a job that they're so strict about the requirement of having a degree and that more than anything else, then maybe you don't want to work there anyways, or maybe you don't want to work for whoever put that job ad out there. So, consider those things. Look at it as a win. You might've died working somewhere that's a little bit too fundamental in their thinking to give you an exciting career that you're looking for.

Camille: Sure. And so, tying that in, sometimes the skills and experience that you have are maybe more valuable than that degree. And if you can have the opportunity to prove that to where you're applying, I think that's a great way to show how cybersecurity just with the amount it's growing and with the amount of open positions, it shows how it's transitioning and just where those pockets are of the skills that they need. And I think maybe people will be opening up a little bit more to, "Okay, maybe a degree necessarily isn't the right thing, but this skill is." So, I think that's a cool transition in the cybersecurity world.

So, let's see. We have another question. So, this person is currently a network engineer, and they want to move into the security realm. What advice do you have for someone making a transition where I think they probably as a network engineer have a lot of the skills that we talked about as far as computer skills but maybe talk about some of those security skills that they want to hone in on as well.

Keatron: Well, that's a great question. The good thing is that's what my background is. That's where I came from as well, this network engineering. So, for the most part you definitely want to download Cali, or spin up Cali inside of cloud VM or something like that, and start working on things like scanning. How do I scan within map? You'll find lots of free tutorials out there on how to do that. But just start getting your hands on the tools because having a strong network engineering background puts about 20% of the stuff that we teach in, like for example, the certified ethical hacker course are things that you would already know as a network engineer.

So, having that background is actually a leg-up on most people that are coming into cyber because the first part of pin testing, or the first part of breaking into an organization is you have to be reconnaissance in scanning. Right? And to understand how scanning works, understand how looking at that network from the outside across the internet, how that works, you need a fundamental understanding of how networks work.

So, I would say from a network engineer role, just start working on getting yourself set up with the tools, and the techniques. We call it TTP, Tools, Techniques, and Procedures of how threat actors work. Like, just look at it from that perspective. Don't even look at it as, "I want to get into cybersecurity." Just look at it as, "I want to learn how hackers do what they do." And that will be a nice add on to your networking background.

Camille: Tie in those skills that you need to make that transition then?

Keatron: Yeah.

Camille: Sure. Looks like we have time for just a couple more questions before we wrap up here. But another one looks like it's another question about transitioning into an identity analyst position. They're currently a systems administrator. What would that transition look like?

Keatron: Identity analyst? Well, so that analyst title can be very tricky and just separate, because a lot of times it means you're literally just looking at logs, looking at people as they authenticate and identify themselves as they log into the systems and things. But sometimes it could be a more technical role where you're doing hands-on analysis work of that type of thing. So, it really depends on what the role is. But coming from ... What role was it? System administrator?

Camille: Yes, it looks like systems administrator.

Keatron: Yeah. I don't think it's going to be that big of a transition at all because you're really going to probably be starting off using some type of software packages and things like that, that are designed specifically to help you do that job. And I think the learning curve is something that's really baked into that role.

Camille: Sure. Keatron, what courses do you teach? And people are wondering more about what expertise ... Obviously, you have a lot of expertise with all your certifications and all your experience. Well, what courses do you focus on?

Keatron: So, certified ethical hacker, advanced contesting which is mostly exploit development. It's built around teaching you how to develop exploits from scratch. I do teach the incident response, mobile and web app pin testing, sometimes the mobile and computer forensics, I teach that from time to time as well. We have like a wasp course that InfoSec does, and I'll teach from time to time, usually on an as need basis. And the advanced malware reverse engineering. Those are the primary ones that I'll teach. And when I say that, like for example, some of those I haven't taught in like two years, but in my portfolio of the ones that I would teach, those are common ones.

 

I mean, again, different training organizations have different needs. So, I've done like CISSP, and CRISC, and system, and a lot of the management level search. But just to be quite honest with you, that's not my forte. Like I like to put my hands-on, I like the technical stuff. So, doing those, my CISSP classes are a lot more demo driven than most people in CISSP classes.

Camille: Right. Well thank you for that. It looks like we've got time for just about one more question before we end the hour here. So, we touched on this earlier, but as far as do you think skills are better than a certification? Are people going to require to see that certification or do you think it's acceptable that people demonstrate these skills but haven't necessarily been tested via a certification to get a position maybe?

Keatron: All right, so let's look at that from two perspectives. So, one, if you're coming to me to interview for a job, and you sit down in front of me, definitely I'm going to be more driven towards the skills than a certification. Okay?

Camille: Okay.

Keatron: But understand that in a lot of job roles, you've got to have the certification to even get in that chair to sit down to show me what your skills are. So, I think the way I look at that is certifications are primarily a door opener, and then certifications can get you the interview, the skills will get you the job. And sometimes the certification will actually get you the job, to be quite honest with you. In some organizations they have such a big requirement to have so many certified people that they are almost hire you just on the fact that you have the cert. But what keeps you the job role and what allows you to progress is having the skills that go with that certification.

But again, for me the biggest value of taking a certification course is the preparation, and the things that you learn in the course, and the networking connections that you make. So, it's not the cert, it's just the skillsets that you require preparing for that cert.

Chris: Thank you all for listening to this week's episode. For a list of our other podcast episodes, please visit infosecinstitute.com/cyberspeak for the full list. If you'd like to qualify for a free pair of headphones with a class signup podcast listeners can go to infosecinstitute.com/podcast for a free offer. If you'd like to try our free security IQ package, which includes phishing simulators you can use to fake phish, and then educate your colleagues, and friends on the ways of security awareness, visit Infosecinstitute.com/securityiq. Thanks once again to Keatron Evans, and thank you all again for watching and listening. We'll speak to you next week.