Take your career to the next level with CompTIA and Infosec Skills

Chris Sienko: Welcome to another episode of the Cyber Work with Infosec Podcast, the podcast in which I talk to a variety of industry thought leaders to discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, and offer tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's episode is the audio component of a webinar we recorded in September of 2019 entitled CompTIA Career Paths, Which Certification is Right for You. This is one for listeners who are thinking about which cybersecurity certifications they wanna focus on next. If you're looking into certs from CompTIA, you're gonna wanna listen to this episode before making any decisions. We'll be talking today to Patrick Lane, CompTIA Director of Products, and Jeff Peters, Product Marketing Manager for Infosec for this on-demand webinar. In today's webinar, Patrick and Jeff will provide you with a CompTIA career pathway as well as digging deeper into various cybersecurity roles and their associated certifications including core cybersecurity skills that any cyber professional should have, roles and certification needs for red team versus blue team operations, as well as certs to focus on in technical versus managerial career tracks. By the end of this episode, you'll be able to chart your own personal path of cybersecurity certification based on your specific career aspirations. And if you don't know what your career track is that you're interested in just yet, this episode can help you figure out what you do like to do and what that says about the type of cybersecurity career that would give you the most personal and professional satisfaction. And now I'll turn you over to Patrick Lane of CompTIA and Jeff Peters of Infosec for our webinar, CompTIA career paths: which certification is right for you.

Hunter Reed: So I just wanna thank everyone for joining us on today's webinar with CompTIA. My name is Hunter Reed, and I'll be helping moderate the webinar today. So we're excited to have Patrick Lane, Director of Products at CompTIA, here with us today. Patrick Lane directs IT workforce skills certifications for CompTIA including Security+, PenTest+, CySA+, and CASP+. He has assisted the US National Cybersecurity Alliance to create the Lock Down Your Login campaign through multifactor authentication nationwide. He's also implemented a wide variety of IT projects including an internet and help desk for 11,000 end users. Patrick is an Armed Force Communications and Electronics Association lifetime member, born and raised on US military bases, and has authored and co-authored multiple books including "Hack Proofing Linux: "A Guide to Open Source Security." And he's also joined by Jeff Peters, Infosec's Product Marketing Manager for Training, who will be providing a demo of Infosec's new training product, Infosec Skills, at the end of the webinar. Alright, and with that, I will pass it off to Jeff.

Jeff Peters: Thank you, Hunter. I'm just gonna take a minute to provide a brief overview of what you guys can expect on this webinar. So as I mentioned, Patrick will be doing most of the speaking, talking to you about all the different CompTIA certifications and careers and different pathways out there. We've been working with CompTIA closely as a partner for many years, and we wanted to bring Patrick in to speak to you guys directly. So he's going to cover the CompTIA Career Pathway, talk about the certifications and roles, starting with Security+ going through like the red team and blue team certs that they have, and some of the more advanced certifications. And then towards the end of the webinar, once Patrick has presented, I'm going to just take a few minutes to cover some of the skill and certification training that we offer here at Infosec, and then show you guys a demo of Infosec Skills which is our new training platform that we have. And then just after that short demo, we will open it up for Q and A for any questions that you guys have. So with that, I will turn it over to Patrick.

Patrick Lane: Hello everyone. And thank you very much for those introductions. I'm the Director of Products for CompTIA Cybersecurity Certifications, and as was mentioned, that's Security+, CySA+, PenTest+, and CASP+. And so I've been in the industry for about over 20 years. I started out in the 90s working as an MCSE, doing networking for corporations and installing networks, and was involved up until about 2010 with that. At that point then I turned more towards cybersecurity and became a consultant and then began working at CompTIA. And so I've been passionate about certifications and careers for IT professionals. And I've spent my career working with the industry to try to standardize workforce skills throughout the globe. And CompTIA is a big part of this. We focus mostly on vendor neutral skills. So the certifications I'm gonna be talking about today can be applied to any vendor products. In other words if I were to talk about Security+, that is a job role certification. So it's really addressing the skills someone should have at two years, the tasks, the knowledge, the abilities that they would be able to do. And so those are called KSAs, knowledge, skills, and abilities. So all of our certifications, they're built around job roles. So that's how we're gonna be approaching it today. And they're vendor neutral. What that means is you can learn about the theory and concepts and even hands-on experience with open source firewalls, you can learn how to use a router with open source routers. Once you learn these concepts, you can apply those to Cisco routers, to Check Point routers or Check Point firewalls. I mean, do you see what I'm saying? Anything you learn in a CompTIA cert would be applied to a vendor-specific product. And so that is how we go about looking at skills overall. So we're vendor neutral. And what we're trying to do is create a common knowledge and skills throughout the globe so cybersecurity workers could communicate better. We use the same language, both the government and corporate environments around the globe. And so what this is to do is just to make the entire globe a safer and more secure place. So we've done research. We've been in business since early 80s doing research, IT association research. We are not for-profit. So we are doing this for the industry good, we are trying to identify skills gaps in the industry and create assessments around them. So each of these certifications would be an exam that you would take at a Pearson VUE testing center. It would be performance-based and multiple choice-based. So this is gonna be common to all the certs I talk about today. You go to a Pearson VUE center, you take that exam. If you pass it, it would recognize you as having those skills by 80% of employers. The reason is our research shows 80% of hiring managers, whether they're IT hiring managers, HR people who don't know anything about IT, they're looking for certifications, that's what they want. So if you get certifications, you can get a better job, whether it be a promotion in your current job, whether it be new skills you needed for your current job, and maybe you can even get a pay raise. I mean there's a lot of benefits around certifications. Last thing I wanted to say is that because a lot of the job roles I'm gonna be talking about today in the certs, these job roles, there are huge shortages, nationwide and across the globe in the areas I'm gonna be talking about today. And that is the main goal of these certifications is that with these skills gaps, if people go out and take these assessments, we are helping fulfill the skills gap throughout the IT industry in these particular job roles. And so as we look at the industry, I'm gonna be telling you with each of these certs as we look at them, how they're filling a gap in the industry, how there are a lot of jobs available to you, well-paying jobs, and these are skills that are needed. And so in your current job, if you find that you lack skills in specific areas, you need to look at certifications because companies are now looking at certifications instead of college degrees for specific jobs in cybersecurity. The reason is is because four years is gonna take you too long to learn the skills. You need to learn them within a week, within a few months depending on the program. And so Apple, Apple computer just put out an article about six months ago that said for the first time they will hire someone without a bachelor degree for specific cybersecurity and programming jobs. That is a huge C change. And we are really happy about that. Now, is a bachelor degree better? Yes. If you can have a bachelor degree and a certification, you're in the best position possible. But without that bachelor degree, you need to get the skills because you'll be able to get a job now without that bachelor degree for cybersecurity. So pay close attention today. I'm gonna be telling you about the hairiest that CompTIA has certifications, as well as the skills gaps in those areas. And I'm gonna tell you about how those job roles are currently changing as cybersecurity is becoming more complex. So let's take a look. CompTIA includes all of our certifications in a CompTIA Career Pathway. So we are focusing on education. And we're focusing on people like you who may be joining this call who may have over five years of cybersecurity experience, maybe you have over 10 years. But there may be people on this call who don't have any experience in cybersecurity and may be interested in a cybersecurity career. So let me explain the CompTIA Career Pathway quickly. This represents zero to 10 years of cybersecurity KSAs. Remember before I mentioned, knowledge, skills, and abilities. KSAs have been used in education for centuries, however, with cybersecurity, we're just noticing them changing a lot quicker than in any other industry. And so lucky you, you're all here. You've chosen this industry possibly by choice. It's great though. There's a lot of employment. And that's one thing. You get a nice steady career, good steady paycheck. So let's take a look. It starts on the left for someone who has no experience where you see core skills certifications. First course, IT Fundamentals. That is really a survey certification. And so that is actually used in high schools, in community colleges for workforce retraining programs, because ITF, that's what we call it, ITF+ is its acronym, ITF+ is used to determine if you want to go into an IT career. So there's like three main sections when I saw it. For instance, it will teach you about programming. Do some basic programming, see if you like that. It'll also show you networking. You can try infrastructure skills. Do you like setting up mail servers? Do you like setting up proxy servers? Do you like setting up active directories? You'd know if that is going to be of any interest to you. And it'll also teach you some basic skills in cybersecurity. From getting a sampling of actual tasks, hands-on skills, involved in those areas, it's a ideal place for students to start. And that course is very popular because of that. So, let's say someone then chooses, I want an IT career. They would then go into A+. A+, it's about help desk skills, support desk skills, supporting devices that are connected to the internet. And so most people will be in a help desk situation or support desk. We probably all called support desk. Well, there's a lot of jobs available in that area. And support desk is not about supporting PCs. This is not the A+ that your parents took. This is the A+ now that focuses on devices, any device hooked up to the internet, and supporting that device. So we're talking cellphones, we're talking IoT devices, we're talking laptops, and we're talking PCs and the servers. Or actually servers, you would probably not be supporting those, but you'd be supporting the end user devices. And so that job is huge. There's even communication involved with it, so you have to learn how you would take a call, how do the ticket systems work. But from that, you will learn about bring your own device. How does that impact companies? And so it gives you a really good level of IT support skills that someone that had been working in the industry for nine months would have. So think of A+ as a snapshot of someone in IT who's been working for about nine months at a help desk. That's how it works. And so if you go to take the exam, the exam is really just the different skills, it's testing the different skills and tasks that someone would do in that job role on a day-to-day basis. So if you look at the exam objectives for A+, you pretty much have the blueprint for an IT support desk employee. So, after A+, now that you've been working with these devices hooked up to the network, the big question is, well, how does the network work, right? You need to know how all these devices are interconnecting with one another. And so there's a little bit of networking in A+, but the next step in a career would be going into networking. And so now you understand how the network works that all those devices are connected to. And so Network+ is a snapshot at the 18-month level. 18 months, at that point, networking would be the next logical skill. Networking has the job roles of network administrator is probably by far the most popular, also systems administrator. And those two positions are probably a core position across every single organization across the globe. And so network is critical because networking is how the internet works. If you don't understand how the network works, you'll never know how to secure it. It's like an engine of a car that you have to understand. Once you understand that concept, how it works, how the open system interconnect reference model works, and those seven OSI/RM layers, you have to master that. Because once you learn how networking works, you will understand how bad actors manipulate networking in order to hack systems. It will explain the why behind everything you do. Next is Security+. Now Security+ far and away is the most popular cybersecurity certification from CompTIA, and it's also the first cybersecurity certification from CompTIA, and it represents two years of knowledge, skills, and abilities, and tasks in an IT career. Now IT careers are going into cybersecurity faster than ever. So what you want to do, now that you've learned how the network works, you need to secure it, because we always say you can't secure a network unless you know how the network works. So you shouldn't be taking the Security+ unless you know your networking skills. So that is why networking is in front of Security+. You have to have networking skills if you want to be good at cybersecurity. We have a lot of evidence, we have a lot of proof, and we have a lot of even pass rates that we have seen. Students that take Security+ who don't have Network+ or networking fundamental skills, they actually have lower pass rates. And as someone who's been working in IT for a quarter of a century and works with IT companies around the world, both government and corporate, I can tell you the evidence supports this. And so that is just a very important skill or task or prerequisite I wanted to talk about. So Security+, you know how to secure a network. However, what has happened is Security+ teaches perimeter security, how to set up a firewall, it teaches antivirus. But now as of five years ago, we now have to also look at our internal networks to try to find bad actors or bad behavior on our internal networks too. So that's the big difference. Security+ used to just be about perimeter security. In fact perimeter security worked in IT for decades where you are a fort, you had your walls around your fort, and you were protected. But as of 2013 and 2014 with the Target hacks, what happened is we no longer were able to assume our internal networks were safe, and they're not. And so now what we have to do is the new Security+, that's been including these objectives over the years, is now including things like junior pen-tester in that position. So Security+ would be a security administrator, but it would also still be the network administrator and the systems administrator. They are the ones who usually takes Security+, so they then have the skills to secure their networks. However, we can't stop there anymore. Before we could. Cybersecurity used to be a lot easier until the Target hack, but it's not anymore. And so I would like you to look down the path now at the Cybersecurity Pathway. Now you'll see PenTest+, CySA+, and CASP which is now CASP+. It's important to note that PenTest+ and CySA+ are at the three to four-year level of knowledge, skills, and abilities. So it would be the logical next step after Security+ if you wish to pursue a specialized career in cybersecurity. And these two job roles are extremely fast-growing. In fact if you look at CySA+, that is the fastest-growing job in the history of the US Bureau of Labor Statistics. In the first three months after we had the target hack and all of the other hacks that really changed everything, the first three months of 2016, there was an 8% increase in security analyst jobs. That is the largest increase in the history of the United States for any job role. So we are living in interesting times. And that is how important this job role is. In fact the Target Corporation came to CompTIA via the new lead who was fixing their networks after the hacks and told us you need to create a certification in security analyst, because if we have a security analyst at Target in 2013-2014 that was properly trained that knew how to use FireEye, they probably would not have been hacked. And so right there, that's the reason to take CySA+, and that is why it's also CompTIA's fastest-growing certification in our history. So those are at the three to four-year level, and I'm gonna talk about them in just a moment quickly. And then lastly would be CASP+, and CASP+ is for a security architect, that's the five to 10-year level of knowledge, skills, and abilities, and I'll talk a bit more about that job role as well. CASP+ is covering security architects. So what I'm gonna do then over the next 10 minutes, I'm going to talk about in detail about what PenTest+ is, what CySA+ is, and I'm also gonna cover a little bit of CASP+. But of course I'm going to start the conversation out with the flagship product which is Security+. So let's take a look. CompTIA's Security+. This is our flagship product. It teaches our core cybersecurity skills. This certification is listed in 10% of all cybersecurity jobs ads in the United States. It is CompTIA's, as I already said, it's just a very popular exam because it just hit 500,000 certifications, and it's growing in over 30% a year. It's really amazing to see how these skills are needed in the industry. Why are people taking Security+? Here's the reason. First of all it's vendor neutral, so employers feel if someone takes this, they could send someone that'll learn how to configure a firewall, that'll learn all of the basics of just securing a network, hardening a network, making sure it's secure as possible. That's what Security+ is gonna be able to teach you. So if you're a network administrator, this is for you. If you're a systems administrator, this is for you. And if you wanna go into a cybersecurity career path, you have to start here. It's gonna focus a lot on threats, vulnerabilities which are key. In fact our recent research shows that at this level which is at the two-year level of your IT career, we're finding that the two most important skills are actually threats and vulnerabilities, knowing about them, because they are proliferating right now out on the internet. And so there are so many more threats out there you've got to be aware of them, and you've got to be able to know how you can manage those threats as well. And so you've got to know threat intelligence now at a earlier stage in your career, whereas you didn't have to know that just even five years ago at this level. Another area we're seeing that's impacting Security+ is cloud security. And what that means is that the cloud is becoming more popular. So what is happening is Security+ skills are needed to be applied to multiple network environments. So Security+ can be applied to a local area network, securing that. It can be applied to the cloud and securing that. It can be applied to hybrid networks that are in the cloud and on the ground. Because what we have found is that cybersecurity skills are similar. It's just the environment that changes. And what happens when you change to that environment, you're impacted mostly by the creating new rules. It's really a matter of writing new security controls for the new environment. For example, if you want to access resources in the cloud, you can't just access them necessarily directly, you may have to get permission. So we found that actually 70% of the changes to an organization when they move to the cloud are around policy. 70% are just policy changes. The tasks themselves haven't changed. But now you may have to go through an extra permissions step, and you may have to talk to a data protection officer at one of these companies. Especially if you're working with some privacy laws like GDPR if you're working in the cloud in the United Kingdom for example, you would have to understand that if you're gonna do certain tasks that you don't have basic permission for in the policy that you're initially given, you have to know who to contact. And in many cases you have to get on the phone with a data protection officer, and it's just no fun. And so it's really important to understand how you are impacted out in the industry because it's just getting more complicated. That's what we're seeing. So Security+ right now, what we're seeing is the workforce at this level is starting to work in the cloud more, and so there's more cloud security in Security+ than there ever was before because we are always following the industry and making these a representation of those job roles in the industry. These latest trends are fascinating. If you look at the latest job rules in the lower right-hand corner, see, Security+, it covers the junior IT auditor and penetration tester job role now which is a newer job role, because the core job roles for this by far, and these are, I mean, the majority of IT jobs are these jobs in the world, systems administrator, network administrator, and security administrator, because why? The most basic level of cybersecurity is making sure your network is secured, and essentially that's what this teaches. So we consider this a core cybersecurity skill certification that really anyone who is in IT should have. Programmers don't need it as much, but I can tell you, the fourth largest audience taking Security+ is the software development industry. Just got that research back actually over the summer. And that was a surprise. And what they're doing is the software development industry is now taking Security+ because they need application testing, and that's what that junior IT auditor penetration tester job role is. So if you've got Security+, you could do some basic software testing. That's why we see these software companies, that I've never seen before, coming to certifications, taking Security+, and they're the fourth largest audience now of Security+. Now that is something we would have never expected before. And the reason is as networks across the globe become more secure, think about it, the last five years we've invested billions as an industry into cybersecurity. You would hope that the networks would be more secure. Well, guess what? They are, and we are overwhelmingly getting that feedback that the networks are becoming more secure, but now the software is becoming the problem. And the problem is is they're releasing, is software development companies are releasing software on the network and not testing it. It's that simple. Because if you were to put new software on a network, you've got to test it, you've got to make sure that there aren't open ports for example that you could then, you've got to make sure that for example a remote desktop protocol, RDP, is not activated. Like in a Linux kernel, by default, that may be open with the administrator password. So at the very least you would want to harden that system before putting it out on an IoT device for example. Remember the old baby monitor problems we were having a while ago? Well, the reason that happened is because a software development company created their software, their baby monitor software, they wanted to put it on the baby monitor, but they needed a operating system. So they chose the cheapest, i.e., free one they could find which was an open source Linux kernel. They then put their software on top of that default open Linux, open source Linux kernel, put it on the baby monitor, sent it out. So maybe their application was secure, but guess what? That Linux kernel they just put it on and then loaded onto the baby monitor wasn't. In fact by default in the old days, Linux had the RDP port that you could go into it and be an administrator and remotely log in to that device. And then you could control it simply because you're now in control of the operating system underneath the application. That is a fatal flaw in the software development industry and they realized that now. And so they're all moving toward trying to be more responsible, and they're now testing the software before they send it out and release it on the internet. And so this is being policed much more carefully than it was in the past. In fact there's a new concept that's come to town, and this town, this new concept is a landing zone, a landing zone before you install your software on a network. The landing zone is used by cloud companies. So if you have a new application and you're ready to release it, by the way on the cloud now, you can do devops very quickly and you can release your software very quickly. So we have a much quicker software development life cycle than we used to because of the cloud. And so as the software is going up into the cloud, it goes into a landing zone. It's an area where everything is tested before the cloud provider allows it to be released. So you put your software in as your landing zone, you then work to make sure that it's safe, the cloud provider also runs some basic test to make sure it's safe. Once the software is approved, it will then be released onto the cloud. We're seeing more landing zones pop up, and we should continue to see more pop up, because this is a major issue and the software development industry is now aware of it. So we're using devops move to SecDevOps which means secure devops. Albeit that is a symbolic move because we're finding most devops programs are now putting security in them by default. But some of them are called SecDevOps just to show everyone that they're implementing security from the beginning. The other is DevSecOps. So you might see it SecDevOps or DevSecOps. But it's important that any devops program is focusing first and foremost on cybersecurity from the beginning to the end. That's a new concept just over the last five years, but now we're realizing it's become a major problem. As I said networks are becoming safer, now software is a problem. So all of us in cybersecurity need to focus our efforts towards not only the network itself, but also the software. Next slide please. So what we did, we had to fill this gap. Remember I told you Security+ is at the two-year level? Well, the next two are at the three to four-year level. So once you've gotten Security+, you've been a security administrator, network administrator, the next logical step is to go into penetration testing and security analytics. These are considered red team and blue team skills, and they are used on networks for training as well as for testing. And so let me explain a little bit to you. So CompTIA PenTest+ was created in this post-2013 world we found ourselves in where we realized now we had to test our internal networks and try to find bad actors on our own networks. And the other concept was we have to go proactive on our networks. We have to find the vulnerabilities and the weaknesses in our network before the bad actors do, hence, PenTest+. The whole idea of this is it's a certification for intermediate level cybersecurity pros who are tasked with hands-on penetration testing, also called ethical hacking, to identify, exploit, report, and manage vulnerabilities on the network. So their goal is to attack the network and report the weaknesses they find so those weaknesses can be fixed. And those weaknesses could be fixed by a number of people, usually a Security+ administrator could probably fix it. But how do you know what's attacking you? How do you know where your vulnerabilities are unless you attack your own network? And so that is through a process that considers planning and scoping to make sure it's legal that you're doing this test, then gathering information that you find through scoping, and then figuring out which attack you're gonna use based on the vulnerability you found, and pick a tool, and there's many different tools that you can use to attack something. Probably the most popular in pen-testing is something called Metasploit. And then reporting and communicating the problems that you find, and managing that problem, and managing the problem is half the battle. Let's go to the next slide. So that was called a red team skill. Now the next cert, CySA+, that's also at the three to four-year level, but this one's more about defense versus offense. So CySA+, well, guess what that's about? That's about trying to find threats that are coming into your network. And so blue team is really defense. They've set up this system in many cases called a security information and event management system, and that's a tool that is used to try to find those anomalies, and those anomalies could be from a pen-tester that's legally pen-testing your network. You should be able to find them and see that they're doing that just as you should be able to find and see a hacker who's hacking your network. Well, these tools are all about accepting logs from all kinds of systems on your network, and analyzing those logs and trying to find anomalies in them. So this CompTIA's Cybersecurity Analyst, CySA+, it applies behavioral analytics to greatly improve network threat visibility. As attackers have learned to evade traditional signature-based solutions which would be things like anti-virus software and rules-based solutions such as firewalls, we realized now we have to use analytics, in other words, we have to sift through mountains of logs. But these are of course log files that come in from all the devices on your network, and try to find anomalies in those logs. That's essentially the basic skill of a security analyst, and it's called the blue team skill, and this is the fastest-growing job role in history for the United States. Next slide. Alright, the last one, this is the most advanced cert we have. It's five years plus in cybersecurity skills. This focuses on the architecture role. There's a position called the cybersecurity architect, and essentially that is the ones who would be in charge of the design of the network. They would be the ones who, if your CISO or your C level at the company decides they wish to implement something. Like let's say they want to implement the PCI DSS regulatory requirements which means payment card industry data security standard. And what that means is you just have to basically encrypt credit card numbers when they're on the internet. So what you would have to do then is if you were given that task from the C level, you would have to say, okay, what point of sale system am I gonna use? What encryption level am I gonna use for data at rest? What encryption am I gonna use for data in motion? How am I gonna set that up within our existing network? There are many, there's a lot of research, and then you've gotta figure out the solution and then implement that solution from an IT perspective. This is an amazing job, and the people I know who have it like it a lot. And so if you consider yourself an engineer, if you love risk management, this is probably the job for you. And especially if you like technical integration of enterprise security and research and development, this is for you. And so that really concludes the certs that I wanted to talk about. As you see I've talked about the four main certs in the CyberSecurity Career Pathway, the ones that specifically focus on cybersecurity. And so if any of you have questions, I'll be here at the end of the call. And in the meantime I'm gonna turn it over, I'm gonna turn it over to our host, and so they can tell you about some of their products.

Jeff: Sure, thanks Patrick. Hope you guys all learned a lot there. I know I did. I'm not gonna take too long covering the training side of things. I think a lot of people at most are probably familiar with Infosec already 'cause we've done training with you guys in the past. So just again take a few minutes here to talk about the two products that we offer. I'm gonna do a demo of our new product, Infosec Skills. So Infosec Flex is the traditional boot camp training that a lot of people are familiar with. So if you wanted to get one of the CompTIA certifications that we're talking about like Security+ for example, that's one of the most popular boot camps that we offer here 'cause it's one of the most popular certifications, you can come either to a location or we do onsite training, or the way most people get their certifications now, they just do the livestream option, and that's pretty traditional intense training, whether it's three days or five days or a full week of training. The one thing I always like to point out about the Infosec Flex boot camps is we really try to make it a little more than a boot camp. So for example with Security+ or those different certifications, we actually have a pre-study course so you can train and watch videos and kind of prepare for the boot camp before it starts. And then after the bootcamp, the nice thing about being online now is we can record everything, so you get 90 days of access to all those materials and recordings and additional stuff. We've kinda moved that beyond just the couple days of training. So that's how most of you guys I would imagine are familiar with Infosec. But in April we launched a new product called Infosec Skills. And the reason we developed that was largely based on what Infosec professionals like you have been asking for. So we did a survey in January, and one of the interesting stats from that was we found that 60% of Infosec professionals said they're spending at least a few hours every single week learning new skills, and I believe it was 92% are spending at least a few hours a month. So I mean boot camps are great. It's great to come in, get your Security+ certification, get your CASP+ certification, whatever it is you're working for. But obviously you need that that year-round training and it's clear that more than 90% of professionals, they're really training year-round. So on my mind these products kinda complement each other. If you wanna come in, get that intense experience, work towards that career milestone, we have Infosec Flex boot camps. And then if you want that year-round training, we have Infosec Skills. And that's what we're gonna talk about here just for a few minutes before we open it up to questions. So I'll do a brief demo here in a second, but just to kinda set the stage what Infosec Skills is, as I mentioned it's a on-demand training platform, so we have more than 50 learning paths in there. So we have the CompTIA learning paths as Patrick talked about where A+, Network+, Security+, CySA+, PenTest+, all of those are in there, and then as well as learning paths from different vendors, some of them are certification paths, but about half of them are just skill-based paths, like for example if you just wanna learn ethical hacking but you're not really worried about training for the certification, we have those. We just have the secure coding and network traffic analysis, two different skills paths we just added this week. So these learning paths are made up of a variety of content. So we have individual courses in there with different videos, we have hands-on projects in there, cyber ranges and labs, all sorts of things you can find. But I can actually show you, just maybe take five minutes, do a quick demo here. Yeah, so that's it for the demo. We can go over now to any questions that you guys have. Happy to answer them, either Patrick or myself.

Hunter: Yeah, so we have a question here. What trainings are the most popular both in the CompTIA realm and beyond as well?

Jeff: Sure, I can take that, I mean at least based on the Infosec view of things. I believe last I looked a couple weeks ago, if you look at like the past year of enrollment, Security+ was by far the most popular, and that's pretty common everywhere. As Patrick mentioned that's really the most popular cybersecurity certification in the world, so it makes sense that that's the most popular, specific organization as well. So, yeah, Security+ is number one. I think Ethical Hacking was number two. So we have an Ethical Hacking boot camp which actually includes two certifications. You can get your certified ethical hackers certification from EC-Council. And then we recently added the PenTest+ certification as well. We found that there's a little bit of overlap there, so I think it makes sense kinda to train for both at the same time, our instructors have found. Besides that, on the CompTIA side, Network+ was one that had, the Security+ and Ethical Hacking were definitely the most popular, but we've also had a few enrollments for Network+, Linux+. Looking outside of CompTIA, CISSP, that's another extremely popular certification from ISC 2. So a few of theirs like CISSP, CCSP, which is the cloud certification, CAP, and then like the Cisco CCNA, that's always a really popular one, and the Project Management Professional Certification as well is another one that's pretty common. But, yeah, Security+ is definitely the most popular.

Hunter: Nice, and then just a question that I have personally, Patrick. Being that employees are like already in the cybersecurity realm, how do you know where to go in your career pathway and know what certifications are best for you?

Patrick: Right, well, you can enter the cybersecurity career pathway at any point. It really depends on your experience and your career desires. And what I mean by that is there are some who will take Security+, and perhaps they are taking the Security+ because they're in infrastructure and they need to know how to secure their infrastructure. Security+ can teach them that skill. But it's possible they don't want to go into cybersecurity. I mean it's possible they don't want to, a life of reviewing logs with a SIM, and then responding to them, but it's actually a lot of excitement, but it's not for everybody. Some people would rather just stay and keep working in infrastructure, and that's why we have the Infrastructure Pathway, and so that covers Linux+ which is Linux Fundamental Skills, and then we have Cloud+ and that covers cloud and cloud security. Remember I was telling you cloud security seems to be becoming more and more important for obvious reasons as the industry evolves, and so that's why we have Cloud+, and that actually it's in the process of being approved by the DoD for 8570. So we expect the final letter of approval from them any day now which is wonderful news. And then there's also Server+ which is more of a data, it's more of a, if you work in a datacenter. Server+, it covers racks, it covers all of the tasks in maintaining that datacenter environment. So it's really applying networking skills to the datacenter, working in a larger environment. And so there's a lot of people that ask themselves the question where do I wanna go? And so a lot of that is personal decision that has to be made. For example, you mentioned CISSP. I cannot tell you how many people I've talked to that say they don't wanna go into cybersecurity management, but they wanna geek out at the keyboard for the rest of their lives. So what they do is they'll take CASP+ instead, because remember I mentioned that security architect is more technical than CISSP which I have myself. I'm also CISSP certified. And it covers, well, it's more about implementing regulations I suppose as opposed to making them.

Jeff: Yeah, and I'll just jump in real quick. One thing that I always tell people who are looking at different training options is you don't necessarily have to get the certification. It's not like you have to decide I wanna be a pen-tester so I'm gonna get the PenTest+. But CompTIA has tons of great resources out there about like the exam and all the different domains in there. Same on the Infosec website. You can go to the PenTest+ page that we have, and it has a nice course outline that you can view. Or if you have the free seven-day trial of the Infosec Skills, you can pop in there and you can go through our PenTest+ Learning Path for free, and maybe you find that that is really not your thing, and you can kind of poke around and you can try different things. But yeah, I always recommend people the great thing about certifications is they're fairly structured so there's a lot of great content out there about the different domains and the different things you need to learn. So you can do research without actually pursuing a certification if you're just trying to feel out what might be of interest to you, and then once you find that thing that's of interest, then you can kinda go down that route further.

Patrick: Hey, that's a really good idea. That's excellent, I like it.

Hunter: Alright, that looks like everything for questions. Any closing remarks, Jeff or Patrick?

Patrick: Oh, yes, I would like to just promote the fact of learning to this group, and that if you're in cybersecurity, you are gonna be forced to have to learn for the rest of your lives. And so be a career learner. That is my guidance to you.

Hunter: Definitely. Alright, well, thank you all for joining us on today's webinar. Thank you, Patrick and Jeff, and for hopping on this call today. We'll get you a recording of this webinar coming soon. But if you'd like more information right away, definitely check out infosecinstitute.com or CompTIA. And definitely, like Jeff said, I encourage you guys to check out Infosec Skills. Again there's a seven-day free trial. If you're starting out, you can definitely hop in the platform and see what it's all about. So we appreciate if you'd share your feedback on a survey following this webinar. It helps us make these webinars a little bit better. And yeah, again, thanks everyone for joining us today, and have a great rest of your day.

Patrick: Thank you.

Chris: I hope you enjoyed today's webinar. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. So go to to YouTube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews, and other webinars, including this one which does in fact have a video component in which we show you a walkthrough of our Skills platform. As ever, search Cyber Work with Infosec in your podcast app of choice for more episodes. Thanks once again to Patrick Lane and Jeff Peters. And thank you all for listening. We'll speak to you next week.