Chris Sienko: As you probably know, October is National Cyber Security Awareness Month. And to celebrate, Infosec is giving away a free month of its Infosec Skills platform. This is a subscription-based skills training platform for cyber security experts. If you’d like to learn more, please go to infosecinstitute.com/podcast, and don’t forget to claim your free offer before October 31st. Hello and welcome to another episode of The Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader to discuss the latest cyber security trends and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cyber security industry. Our guest today is Jason Dion, who is an author with Infosec and who has created three learning paths on our new Infosec Skills site. Infosec Skills is a subscription-based learning platform mapped to the NICE Cybersecurity Workforce Framework, which contains entry, mid, and advanced cybersecurity roles backed by research into the actual skills required by employers. With Infosec Skills and NICE, you have the roadmap necessary to identify what employers want and the tools needed to follow that career path, whether you’re brand new to information security or an established infosec professional. Jason’s gonna be talking about the move toward subscription-based skill training, his career as an educator, and he’s going to provide us with some optimal study and learning tips for people attempting to move their career into a new realm. Jason Dion is a former college professor and the lead instructor at Dion Training Solutions. With networking experience dating back to 1992, Jason has been a network engineer, deputy director of a network operations center, and an information systems officer for large organizations around the globe.
He holds a Master of Science degree in information technology with a specialization in information assurance, a Master of Arts in Religion in pastoral counseling, and a Bachelor of Science in human resources management. He lives in the greater Washington, DC and Baltimore, Maryland area with his wife and two children. Jason, thanks for joining us today.
Jason Dion: Thank you for having me.
Chris: So let’s start out with talking about your work with Infosec Skills, what type of classes have you created for the site and have you created other types of classwork or collateral like this in the past?
Jason: Yes, so for Infosec Skills, we’ve done three courses so far. They’ve been focused on the CompTIA certification path, which aligns with the NICE framework. So we have the Security+ course, the CySA+ course, and the PenTest+ course for Infosec Skills. As far as doing it for other places, yes, before I started working with Infosec Skills, I’d done a lot of coursework. Over the last three years, I’ve trained over 150,000 students in 190 countries on platforms such as Udemy, LinkedIn Learning, and then my own site, diontraining.com.
Chris: Yeah, can you tell us a little bit about Dion Training?
Jason: Yeah, Dion Training is a site where we have all of our courses on there, and we have everything from Network+ on the CompTIA side, all the way up through PenTest+. We also have other certifications on there, like ITIL, which is the ITIL service management framework, as well as some project management stuff with PRINCE2 and PRINCE2 Agile courses.
Chris: Cool. So we’re gonna talk a little bit today about study strategies and get right into the nitty-gritty with students and potential students who might wanna know sort of where to start with these things. To lead things off, what recommendations do you have to help get people into cybersecurity who might have an interest but might not have any previous experience? Are there any skills or certs or experiences they should be working on first, to kind of get their foot in the door?
Jason: Yeah, so there’s basically two things you really need to do before you start going into cybersecurity. One is the soft skills, and that’s things you can do in your normal career before you even move into cybersecurity. Things like being able to work with people, being able to communicate effectively, being able to manage projects and time management, all of those types of things are things that are very valuable to employers, because there’s a lot of work to do, and people are gonna be spending 40 hours a week with you, they wanna be around somebody they know, like, and trust, right?
So I think that’s really important and often overlooked inside of our technical world. People tend to think, I’m gonna get this certification or this degree, and that’s gonna be my ticket in the door. And often, it’s the people you know, the people you’ve worked with in the past, and the connections you’ve made through those relationships. So I think that’s really important. As far as the technical side of things, I think one of the big misnomers that’s out there right now, and one of the reasons why we have such a cybersecurity skills gap, which I’m sure I’ll talk about more later, is the fact that everyone thinks that there’s these entry-level cybersecurity jobs, and they’re often classified like that or sold like that, and one of the big challenges is, there is no real entry-level cybersecurity job. Most people in cybersecurity came from another field. I started out in the help desk area, then I moved into networks, server administration, and eventually moved my way into cybersecurity.
Chris: I see.
Jason: I never had the traditional path that about 90% of people take. The other 10% I see are coming in from jobs in the military sector, and they’re applying that experience and their clearances into those entry-level cybersecurity jobs. So there’s not like a single certification; for instance, you can’t just say, I’m gonna get my Security+, and now I’m gonna go get an entry-level cybersecurity job. There’s steps you have to take to get yourself set up for that.
Chris: Okay, like what?
Jason: I think one of the big ones is not being afraid to start getting some IT experience in the help desk, in field services, in installations, in server management. Those are all skills that translate over into the cybersecurity side. As an employer, I wouldn’t want to hire somebody who is brand new to cybersecurity, who has never been a systems administrator before, or never been a network administrator before. Because they won’t even know what they’re looking at in the logs to know if it looks normal or not. So I think that’s one of the big fallacies that we see out there right now, with people trying to jump directly into cybersecurity. I almost equate it to somebody being like, hey, I wanna go be a neurosurgeon, but I don’t want to go get my primary care license as a doctor first. It’s an advanced skill set.
Chris: Right, okay, that makes sense. So there’s not, like, you know, a sign on the door saying “entry level cybersecurity position”, you’re doing a lot of things before you even get to the cybersecurity rung on the ladder.
Jason: Yeah, generally I see people who have at least two to three years of experience doing something else before they’re getting into the, quote, “entry level cybersecurity job.” And that’s one of the reasons why when you look at the pay scales, you’ll see that the help desk and field service, those things are paying somewhere in the $30-50,000 a year range, and entry-level cybersecurity jobs tend to be between $50-80,000 a year. And the reason they’re higher is because they expect you to already have that experience and you’re jumping into this new path.
Chris: Yeah, you’re not fresh out of college.
Jason: Yeah, exactly.
Chris: Okay, so, on sort of a granular level, in your opinion, what are the cybersecurity skills that are most in demand and which are most likely to accelerate your career? Are there certain skills people are overlooking in their studies and preparations?
Jason: Yeah, one of the big ones I see with students, everybody comes to me and tells me, “hey, I wanna go be a pen tester.” Pen testing is fun, it’s a cool field, everyone wants to be the hacker, but the problem is, there’s one job in pen testing for every four jobs on the defense side.
Chris: I see.
Jason: So the blue team side is not nearly as sexy or as interesting to many people, but that is where the bulk of the jobs are. Most companies have a security operations center. They need 50 or 100 defenders to help protect their networks. They might have four or five pen testers working on their red team. So when you start looking at those numbers, if you’re trying to get an entry-level job, being a pen tester is probably not it. And again, it goes back to that whole hierarchy as you move through your career. Eventually, you’ll get to the pen test side, but those tend to be the higher-paying jobs, the higher-skill jobs, and most of the pen testers I know who are good at it have 10 or 15 years of experience as a network defender first, and then move to the pen testing side.
Chris: Right, and I suppose also, even if you had the right degree or whatever, they’re gonna wanna have seen some experience in these industries.
Jason: Yeah, it really comes down to, you have to be a good defender before you can be a good attacker, right? So spending that time of being a network defender, and when I talk about network defense, like a SOC analyst, we’re talking about things such as digital forensics, reverse malware engineering, and malware analysis. We’re talking about things like doing network traffic analysis, system log analysis, all of that stuff is the stuff you have to understand how the bad guys are breaking in, and by being able to do that, that’s gonna make you a better attacker later on when you become a pen tester, because you know what all the defenses are, and you know how to get around them.
Chris: Right. Now, so, speaking of being on the defender sides of things, what are some ways to sort of get your foot in the door there? I mean, obviously there’s still a chasm between help desk and that, so what’s your optimal path there?
Jason: I worked with a local community college here in the Baltimore-D.C. region, where we have a very high need for cybersecurity. And at the college, we got together with all the local companies in the area, and we’d try to figure out what it is you need and what can we do to put people through a year-long pipeline to get their foot in the door at one of those entry-level cybersecurity jobs. And what we determined with the employers was that getting their A+, Net+, Security+, and CCNA were the four certifications that aligned most to what they needed for somebody to be able to walk in the door, get some on-the-job training, and become a SOC analyst. Which is surprising to some people, because you would think that something like CySA, which is the SOC analyst certification from CompTIA, would be what they were asking for, but it wasn’t, and the reason why was they wanted people who knew how to read logs on a workstation, so that was A+, understanding basic system administration. They wanted somebody who knew Network+, because that made sure they understood network defenses, network architecture, and the concepts of the OSI model. They wanted somebody who knew Security+, because that way they could speak the language of cybersecurity, ’cause that’s kind of the baseline certification, so everyone’s talking the same language in the company. And then they wanted somebody who was CCNA, because the majority of the traffic you’re looking at as a network analyst was gonna be network traffic. So you’re looking at a lot of server logs, and router logs and firewall logs, and that’s the kind of stuff you learn how to configure and program inside of CCNA, Cisco Certified Network Associate. And being able to take that knowledge, and use that, was something that gave them a good baseline person.
So we were taking people as part of this program, it was a Department of Labor grant, we were re-tooling people who were unemployed, putting them through a year-long college experience where they got these four certifications at the end of it, and then they were able to go walk in the door into a company making between $40-60,000 a year, as an entry-level SOC analyst, and work their way up from there.
Chris: So, you said that they aren’t looking for the CySA so much as these other four, what are your thoughts on the CySA; is that something you might pursue after you’ve already been doing analytics for a while and you want to kind of, harden your knowledge?
Jason: Yeah, I think that’s exactly what it’s designed for. So if you look at the CySA, it’s supposed to test the equivalent of somebody who’s been working as a SOC analyst for about two years. That’s why they have, in the current version, the CS0-001 that’s currently out. In the new version, they’re actually going to be making it a little bit harder and they’re trying to target two to four years of experience. And the reason for that is they’re trying to make it that intermediate career progression certification. So that’s why employers weren’t looking for that as the entry-level to get in the door; they were expecting you to get your foot in the door, learn a little bit, and then go back and get your CySA as you progress up the ladder.
Chris: Okay, how long have you been an educator?
Jason: I started teaching professionally in 2013, so about six years at this point.
Chris: Wow. Okay, and has the cybersecurity training landscape changed in the time since you began? Are classes different, expectations different, things like that?
Jason: Yeah, definitely. One of the big things I’ve seen that’s changed is a lot more of a focus on hands-on learning, as opposed to just book learning. When I started out, you would go take an A+ boot camp or something of that nature. They would give you a textbook, they would PowerPoint you for a week, and then they’d have you take the exam. And you could get people who could pass the exam, but they couldn’t do the job. So the focus has really shifted to do a lot more hands-on stuff. One of the things that’s really helped with that is virtualization. So because we have virtualization now, we don’t have to spend $100,000 on a network environment to be able to train students. Instead, we can have a couple of high-powered PCs or a cloud, and we can build those things in the cloud and allow the students to be able to use it, and it’s very inexpensive to do. Also, the technology’s gotten much better for students to learn at home, using platforms like yours, where they can go and for a small monthly fee, they have access to all the video training from a bunch of experts. When I first started out, when I took my first A+ back in 1999, so I’m showing my age here, twenty years ago, you would pay $3,000 to go sit in a class for a week and have an instructor teach you. Now you can get that online for $10, $20, $50, $100, and get the same quality education for a fraction of the cost. I think those are some of the things that have changed a lot, because of the technology we have nowadays.
Chris: At the start of the show, we sort of teased it a little bit, but you mentioned the cybersecurity skills gap. What are your thoughts on the skills gap in general? Do you think the right things are being done to reverse the course, or what would you suggest should be done that is not being done right now? What solutions do you think you have?
Jason: Yes, so, there’s a couple of issues we have with the skills gap right now. I think there’s three different sides of it, and each of those sides has a different perspective. So, I’ll talk about it from the industry side, the education side, and the student side. So when we talk about it from the industry side, the industry is looking for the perfect unicorn, right? I see a lot of job descriptions out there that say, “I want somebody who has a CISSP, and this, this, this, this, and this,” and they put this long list of requirements. And a lot of times, the people who are writing the requirements don’t even know what they’re asking for. I saw one, they asked for somebody who had 15 years of Go programming experience. Well, Go has not been out for 15 years, so nobody has it! The guy who wrote the language doesn’t have 15 years of experience, you’re never gonna find that guy, right?
Chris: Yeah, oh yeah.
Jason: They wanna look for people, and I see, they want someone who has a CISSP, they want them to have a Master’s degree in Cybersecurity, they want them to have their ethical hacker, their OSCP, and they list off this long list of certifications, and if somebody had all of those certifications, they wouldn’t have the time to do their job. And so, they wouldn’t be useful to you.
Chris: Well they wouldn’t be looking for work because they’d be, people would be coming to them offering them work, I imagine.
Jason: Exactly, and I think that’s one of the other problems from industry is, everybody is fighting for the same small group of people. There’s a lot of people on the outside who are kind of a good fit, but not exact, and they don’t wanna take a chance on those, so they’re only looking for the perfect fits. That’s causing some of this skills gap, I think. Because that’s the “expectation,” and nobody wants to put the effort into training an employee anymore. I think that’s one of the issues. So that’s kind of the industry side of things, where I see one of the problems.
Jason: Then I look at the education side of things, so we’ll go to that. There’s two main buckets of education, you have colleges and you have non-traditional training, which, I would put your platform, my platform, and places like that into. That would be boot camps and certifications and things like that. I think there’s an unrealistic expectation that’s being sold to students, specifically by a lot of the colleges right now, that if you get a bachelor’s degree or if you get a master’s degree, that’s your foot in the door, and you’re gonna get a job. I see a lot of students who go and get a master’s degree in cybersecurity, and they can’t get a job. Now, why is that? Because they don’t have any experience. They just spent eight years of college, and hundreds of thousands of dollars of student loans, to get a piece of paper that says, you have a degree. But employers look at that and they go, that’s the least of my worries. Employers look for three things; they look for experience, certifications, and then degrees. Generally, degrees aren’t gonna get you a job. Degrees are gonna get you where your placement on the pay scale is.
Jason: Certifications, that will get you in the door, and experience trumps that, obviously. I would rather have somebody who has 20 years of experience and no certifications than the guy who has 10 certifications and one year of experience, right? Because a lot of people aren’t experienced. So I think that’s one of the fallacies, especially in my area, I hear a lot of colleges here putting out ads, talking about, hey, come to our college, get your cybersecurity degree, and you’re gonna get a great job, there’s this skills gap, we’re gonna train you for it, and you’re gonna get a job. And a lot of people are coming to the end of that pipeline and not getting a job because they don’t have the experience. So that’s something that we as students need to figure out, and start getting that experience. That brings us to our third piece, which is the student’s expectation. I had mentioned this earlier, right? There really is not a lot of entry-level cybersecurity. When we talk about entry-level cybersecurity, that’s really mid-grade IT. Generally you have to do other things in IT first, build your experience, so then somebody will take a chance on you and bring you into the cybersecurity side of the business; it’s kind of a fork in the road. And I think a lot of the students don’t see it that way because that’s not what they’re being told in the industry. I see this a lot online, people come to me and go, “hey, I hear that cybersecurity pays $100,000 a year, I just got my CEH certification, how come nobody’s hiring me for $100,000 a year?” Well, because you have zero experience, right? And most of those people who are making big money, or have no problems finding jobs, it’s because they have that experience component. So that leaves students with the question of, how do you get experience, right? If nobody will hire me, how do I get experience? This is something I talk with my students a lot about.
You have to sometimes get creative, and work your network of connections. Maybe you’re already working in a company that has an IT department, and maybe you can get them to shift you over into the IT side, so you can start getting some experience there before you move out to another company to go work cybersecurity. I’ve seen folks who come from the police and law enforcement side, and they come in, and they get into cybersecurity because they have a physical security background. Being police and security guards, you understand how security cameras work, and all the access control systems and all that kind of stuff. So you can leverage that experience to get your foot in the door, and then tool up into those IT sides and become an IT cybersecurity guy. It’s things like that, sometimes you have to think outside the box, and people have to be realistic that, you know, you’re gonna have to start not at the high job, you’re gonna have to start somewhere lower, get the experience, as you’re doing that, you build up your certifications, and that’s gonna help you get into those jobs that you wanna get into.
Chris: Okay, so if you, specifically, Jason Dion, had a magic wand to solve the skills gap tomorrow, what actions would need to happen?
Jason: One, we would have to get employers to be more willing to take a risk on people. I have had a lot of students, and we can put together the greatest training programs out there, right, I can put together a two-year school that is fully hands-on, because most of the stuff we do, we don’t need a college degree for. But we do need people who have the experience. We can build a college-like environment, a vo-tech school, like we would for a plumber or an electrician, but for cybersecurity. We can teach people how to use the tools, we can have training ranges where they can go and defend the networks and attack the networks and do all that stuff, right? But if employers aren’t willing to value that two-year educational degree program as equivalent experience and hire those people in, then we still are gonna have this gap. Because we can have lots of people who are qualified and certified, but if we can’t get them into the job market, that’s gonna be a problem. So it is a two-way street, right? Employers need to communicate to the industry what it is you’re looking for, and we need to build towards that, which I think a lot of us are more than willing to do and we have been doing. And then the other side of things is that employers have to be willing to start taking a risk on some people, and do some on-the-job training. One of the best organizations out there for this, honestly, is the U.S. military. They pull people right off the street, right, they put them through school, they train them up on what they want them to do, and after they’ve done their six months of schooling, they now go out and do that job. I look at the U.S. Navy and they take people off the street and teach them how to fly planes. They teach people how to drive ships, run nuclear reactors. The Army, driving tanks, right? Nobody knows how to drive a tank when they get hired by the Army. They teach them how to do it, right?
Jason: But employers aren’t necessarily willing to do that on-the-job training yet, and so we have to start getting more of a culture in industry, as far as the employer’s side, of valuing our employees and investing in them. Personally, when I hire at my company, I hire for personality and aptitude, and I train you in what I want you to do. I can train anybody to do anything, right? I just need somebody who wants to learn. If I find those people, I would hire them in a minute, but I’m not seeing a lot of that in most of corporate America ’cause they’re risk-averse. They’re looking at a checklist, and, do you have x years of experience? Do you have these certifications? Do you have this degree? And they go down that checklist. And if you don’t match up, they find somebody else who does.
Chris: Is there, would there be sort of a possibility in the future, I mean, obviously it’s out of our hands, but, making education sort of, go hand in hand with hands-on experience, like sort of, you know, not mandatory, but included hands-on internships, or other sort of, other ways of getting the experience sort of side by side with doing the training, is that a possibility?
Jason: Yeah, I think that’s a good thing, and what I’m seeing a lot of development in is actually the community college level. The bachelors and the masters degrees, it’s just much more book learning and focused on certifications. At that undergraduate, associates level, at the community colleges, they are doing a lot of work with industry in their local area trying to figure out, what skills do you need? We’re gonna train people; if you tell us what you need, we’ll train them to that level. That’s what we did here, at Anne Arundel Community College, when I was working with them, is we built our program around what the local employers needed, and because of that, we had a very high success rate of getting students out the other side and into an entry-level job. There has to be that communication between industry and education to build that pipeline, so we can build to the needs they have. And the answer’s not necessarily gonna be a four year degree or an eight year degree and getting a master’s degree. I had somebody ask me the other day, “Should I get a PhD in Cybersecurity?” My answer to them was, not unless you wanna be a professor. Because nobody needs a PhD to do cybersecurity unless you’re gonna be a professor or a researcher. And this person just wanted to get a job, you know, being a SOC director, or something of that nature.
Chris: Yeah, they were hoping that, you know, the higher up it goes the more guaranteed you are of the job.
Jason: And it’s actually the opposite, right, because you start pricing yourself out of the market, and people go, oh, you have a PhD, you’re gonna want x amount of dollars and I can’t afford that. And they move on to the next candidate.
Chris: Yeah, so, we’re talking today mostly about Infosec Skills, and just the notion of subscription based training, so as online training becomes more ubiquitous, what are your thoughts on subscription based training versus boot camp or academic study of a subject? Is it sort of the way of the future, you think?
Jason: Yeah, I think the way that we’re seeing things is people are looking for training for the need they have, when they need it, right? And colleges tend to be slower to adapt to that. So, having been a college professor before, and being the course author for the school that I was teaching for, if I wanted to make a change, it took almost three years to go through, change out the books in the bookstore, change out the curriculum and then start teaching something new. And in computers, that’s just too slow, right? A lot of schools are trying to get around that, trying to speed up that timeline by using electronic books now instead of paperbacks and all that kind of stuff, but they just can’t compete as far as how quickly the commercial sector can. So the great thing with doing boot camps, whether in person or online, or a subscription-based service, is that they can create content much quicker and get it out much quicker. I look at, like, for our company, when we put out a course for Infosec Skills, we can go from idea to execution in under 30 days, sometimes as much as, you know, the longest it takes us is about 90 days, usually, for one course. And that’s because we’re doing most of the stuff in house, we’re able to shoot the video, edit the video, write the curriculum, get everything done, and meet those needs very, very quickly. As far as for students, I find that, from a cost-benefit perspective, the online subscription services are excellent. Infosec Skills is, for one low payment, you get access to the entire library of courses, which is awesome, right? This isn’t just a commercial for Infosec Skills, obviously this is your guys’ podcast, so–
Chris: Sure, true.
Jason: There’s tons of other competitors out there, I mean, right now, there’s probably 40 or 50 different companies, and so you gotta look at the catalog of what they offer and which one’s the best for you, with the instructors that you like and the way they teach. I tell students this all the time, you know, you may not like me and I’m not the teacher you want, that’s okay, there’s 50 other guys who teach the exact same thing, right? If you wanna go learn Security+, there are at least 50 courses online you can go take Security+ at. Mine is one of them. Hopefully you like my methods, and we have a really high success rate of getting students to pass the exam and teaching stuff, but not everybody likes my personality, and that’s okay, right? I think that’s important for students because when you start dealing with these online subscription sites, it is very student-driven. The student has to be motivated. When I’m teaching a boot camp, an employer can say, you know what, you need to go to boot camp for five days, and they put you in my class, and that’s your place of business for that week. You’re gonna kind of be forced to learn. But with a lot of these subscriptions, you’re doing it on your own time. In nights and weekends, or at your lunch hour. So you have to be motivated to want to do it. But if you’re that motivated person, you can save a ton of money and learn pretty much anything you want using these type of trainings.
Chris: Note to our listeners, of course, Jason Dion is the teacher that you want.
Jason: Of course!
Chris: So yeah, you just mentioned that, but I wanna kinda go a little deeper into it. Without a professor assigning weekly tasks, it might be hard for some users to stay on track and meet your learning objectives. So do you have any tips to help lifelong learners stay focused on training and accomplish their goals in a timely fashion?
Jason: One of the things I always tell my students is, you need to develop a plan. You need to know when you’re planning on taking your exam. Most of my stuff is based on certification, so let’s say you wanted to take your Security+ exam. You can say, okay, today is August 28th, and on September 30th, I’m gonna go take my exam. I know I have four weeks to do it. If I’m taking Jason’s class on Infosec Skills, that is gonna be 250 lectures that I have to watch inside that four weeks. So I start breaking that down, I go okay, out of 250 lectures, that’s about 15 hours’ worth of content, four weeks means I need to watch four hours a week. If I can dedicate one hour a night, Monday through Friday, that’s four hours of video watching and an hour of exercises, activities, doing the hands-on stuff. And so you can give yourself that timeline and break it down into manageable chunks and keep yourself on task. Because again, you’re right, there is nobody who’s gonna tell you, you have to do this. When you buy my course, there is, I have 10,000 students taking that course right now. They can ask me a question anytime they want, but I’m not going and asking each student, “Hey, did you do your work tonight? Did you check in?” That’s not the way this type of stuff works, it’s very self-driven.
Chris: Okay. So you mentioned, obviously, that there are a lot of subscription based education programs out there, so can you tell me what you think distinguishes the best ones? What should you be shopping for when seeking out subscription based training?
Jason: One thing I look for is the catalog size. And not just the number of courses, but the quality of those courses. If I look at some of the big competitors out there would be, if I compare your side to my side, let’s do that, right? I look at Infosec Skills versus diontraining.com, ’cause we have a subscription as well, I only have my courses on there, so you’re only gonna have access to 20 courses if you buy my subscription. If you buy Infosec Skills’, there’s 50-100 different courses, because there’s all of my courses plus there’s other instructors’ courses. If you know, hey, I need to get my A+, my Net+, my Security+, my this this this, and you start making a list of what you wanna learn, you look at that catalog and see if they have what you want. Some of the bigger catalogs out there would have thousands or hundreds of thousands of courses, right? But, again, a lot of those courses don’t really apply to you. I do some work with LinkedIn Learning, I have some of my courses there, and if I think of them, I think they have 100,000 courses. But they also have courses on art and cooking and playing guitar, and stuff you don’t care about with infosec skills, so if I’m trying to get infosec, that may not be the place for me. The nice thing about something like Infosec Skills, is it’s a focused community, and they’re also working on updating those courses more often and more frequently, to get you the best information. The other thing I like to look for, is I like to look for hands-on stuff. I don’t just want an instructor who’s gonna sit there and talk to me all day. That’s good, and that helps to pass the exam, but you also want application. So if you go through my Security+ course, for instance, we’re gonna talk about password cracking, and then we’re gonna go into a video where I show you how to crack a password, and show you what tools it is, and then I tell you, hey, you should probably go download that and try it on your own. 
And make sure you’re putting your hands on the keyboard and making that stuff work. Those are things I think are really important for student learning. The other thing I think is really important, especially for certification exams, is making sure the platform has practice exams for you. Because you wanna be able to practice before you go spend $300 on that exam. If you’re taking a Security+ course, you wanna take a practice Security+ exam, and make sure you’re gonna pass it. Then you can spend the $320 to go take the real exam, because you know you’re gonna pass. I think those are three of the main things there, and then the other thing would obviously be student support. Do you have access to the instructor to ask questions? It may not be you can call them up on the phone, but can you send them an email, or post a message in a Q & A, or something of that nature? Can you get your questions answered?
Chris: Okay, could you talk a little bit about, you know, ’cause obviously we’re talking about cert training through the Skills program, can you talk about people who might be just interested in learning one specific thing? Is that applicable, where it’s like, I’m already on the job but I need to know how to do this one thing by next Monday, are there classes in there where you could learn this one aspect of penetration testing or whatever?
Jason: Yeah, definitely. There’s basically, you’ll see that there are three different types of training. There’s gonna be the full path, long trainings like Security+. You’re gonna go through the entire textbook essentially, and learn everything you need to know, to pass this exam. Then you might have other trainings. For instance, I have a course on malware analysis. It’s a short course, about 90 minutes, and it basically teaches you how to do dynamic malware analysis, which is what you do as an incident responder if somebody says, “hey, I think this computer got hacked, I think there’s malware on it, what does that malware do?” You can pick it up, run the malware, and figure it out. And then we have other training which might be shorter, very focused on one particular skill. So maybe it is, “hey, how do I crack a password?” And there’s one YouTube video on how to crack a password. So those are kind of the three ways I look at training, is the micro lesson, kind of the shorter course, and then the longer course. As a student, when you’re looking at your catalog, that’s one of the things that is good to look at, is how does the catalog allow you to search for information? Some places are very good about searching down to the individual video, so you can figure out, “hey, I wanna learn how to crack a password”, and you type in “cracking password” and the one video for my Security+ course will show up. A lot of platforms are not as good, and it’s basically, “hey, we cover cracking passwords someplace in this 15 hour course, you’ll figure it out.” That’s something that I do look at as a student, when I’m picking a platform, is how in depth can I search and how well can I find the content I’m looking for? The other thing I think with subscriptions that’s important is to figure out what your commitment is.
Some places do it by the month, some places do it by the quarter, some places do it by the year, and if you’re testing something out, most of them have a free week or a free month to try it out first and see if you like it. Some of them just do it as a month to month subscription, cancel anytime, like Netflix does. That’s an important thing to consider as well if you’re gonna lock yourself into a subscription.
Chris: Okay, so let’s say you’re someone who is doing something completely different, whether you’re working in PR or you’re working for your dad’s shipping company or whatever but you’re thinking you wanna sort of go in this direction and you got the money to put down for a month of Infosec Skills, where would you start to sort of put your toe in the water and decide whether or not this is even something you’d be interested in?
Jason: If you’re trying to figure out if information security and cybersecurity is for you, I really do recommend starting with Security+, that’s why I’ve brought it up a gazillion times in this talk. Because it is kind of the baseline, foundational thing that is looked at in the industry. The nice thing about Security+ is that it covers a little bit across a lot of topics. There’s six domains, it covers everything from cryptography to wireless security, down to some basic coverage of malware and the different types and phishing scams and all that kind of stuff. It really does give you a good overview of the industry, and it’s usually the first place that we have people start. Because if you can start with Security+, as you go through, you’re gonna figure out, okay, I learned about this thing called secure software development, and I really liked it, so maybe I wanna go learn how to be a programmer and start doing programming tools for cybersecurity. Or you may have gone through the course and you said, you know, that part when he was playing with malware was really really interesting, I wanna go become a malware analysis guy, start going in that route. Or you may go, hey, you know what, this digital forensics stuff was really cool, I wanna be able to recover lost files and work for the police department. There’s all sorts of different things and you kinda touch on all of those a little bit throughout Security+. And then after Security+ things start getting more stove piped into, okay, I wanna be a SOC analyst, I wanna be a pen tester, I wanna be a digital forensics guy, or whatever that thing is.
Chris: The parallel track is, let’s, sort of continue this further, you’ve decided I wanna give this a try, you’re looking at Sec+, you’re getting excited about different things, but you don’t wanna be in that thing where you’re just getting certifications and nothing to do with it, what are some hands-on things that an average person can do, not necessarily, getting a job in it, but are there things you can do on the side, or as a hobby or as a freelancer, or whatever, to learn things.
Jason: Yeah, definitely, I mean, there are tons of ways to learn now because there is, like I said before, virtualization has made it really easy for us. You can go on your computer and you can download a program called VirtualBox, from virtualbox.org, which is a virtualization software, completely free to use, open source, and then you go over to vulnhub, V-U-L-N-H-U-B dot org, and they have a bunch of virtual machines that are intentionally vulnerable, so if you wanna practice being a pen tester, and learn hacking, you can literally download these machines, they’ve got hundreds of them, and they even have walkthroughs, and you can start learning the techniques and practices of breaking into those machines and figuring it out. It’s a great way to pass some time, and it’s kind of like a puzzle as you’re trying to figure these things out.
Jason: It’s basically a big online video game. So that’s one of the great things to do.
Chris: I’ll just mention that on resources.infosec.com, we have tons and tons of these, capture the flag and vulnhub walkthroughs and stuff, they’re great fun.
Jason: That was the other thing, capture the flags are great, and when you start playing in capture the flags, you’re not gonna do well the first time, ’cause you’re brand new, but you’re gonna start learning more and more, and the more you do it the better you get.
Chris: Yeah, and also, like all sorts of games, you have to learn the system before you know how to solve the puzzles.
Jason: There’s another one, over the wire, that I really love, overthewire.org. And if you’re trying to learn how to do Linux, for instance, ’cause you’re just that brand-new to Linux, they have a walkthrough of 26 levels I think it is, and as you go through and run the different commands in Linux and learn them, you find the key that unlocks the next level and you keep working your way through and so it’s kind of a gamified way to learn things. I think that’s another great thing. The other thing that I would recommend is one of the things that we, as cybersecurity people, don’t do very well, but I think is really important, is get out and meet other cybersecurity people. Don’t just sit behind the computer. In most large metro areas, so if you’re near New York, D.C., Baltimore, Los Angeles, any of the major markets, there’s a thing called BSides, which is a security conference that’s like $20 to get in. Go there for the day on a Saturday or Sunday, and go learn stuff, meet other people. Because I guarantee you, the job that you’re gonna get, is gonna be somebody who’s willing to take a chance on you because you met them in person at one of these events. When employers are getting resumes, they’re getting hundreds of resumes at a time, they’re searching for key words, and they spend about 6-60 seconds per resume where they’re looking at it. So you have to make an impression on that resume in sixty seconds or less, for them to wanna give you a chance at an interview so they can even meet you. But, if you were at BSides last week and you were talking to some guy, and you spent 30 minutes over a beer, you may go, oh, I remember Jason, let me give that guy a chance. That personal touch, those soft skills like I started out talking about in the beginning, are really, really important.
Chris: Yeah. Any other sort of soft skill recommendations that you can give?
Jason: Time management is big, being personable is big, dressing appropriately is big. And dressing appropriately means different things different places. On the East coast, you should be wearing a suit and tie or a shirt and tie, at least. If you’re on the West coast, if you walk in with a shirt and tie, some of those companies would probably laugh you out of the room. So you’ve gotta know your audience and what is expected. In my company, we’re fairly casual, it’s t-shirts or polo shirts. So I think that’s important is knowing how to dress and being able to present yourself well, and then being communicative, looking people in the eye, firm handshake, skills we learned growing up as kids that a lot of people just forgot, it seems like, in this modern digital world.
Chris: So as we wrap up today, where do you see cybersecurity education going in the years to come? Are there any innovations we can expect on the horizon, and what are some issues currently out there that you hope will be resolved?
Jason: I think we’re gonna continue to see it get more and more hands-on, and more and more lab-based, where it’s, “what can you do?” as opposed to “what do you know?” I think that’s gonna be one of the major changes that you’re gonna see. Another thing that I haven’t seen a lot yet is virtual reality. Everyone keeps talking about virtual reality, it’s gonna be the next big evolution of training, I haven’t seen it come out yet, and there are certain places where it makes sense, and certain places that it doesn’t. As a SOC analyst, it doesn’t really make that much sense, but if you’re gonna be a field service technician, it could make sense to you, some virtual reality, as far as, let me show you how to take out a hard drive, let me show you how to install memory or those type of things. So I think we’re gonna see that ’cause there’s been a lot of money being thrown behind virtual reality. The other thing I think is that you’re gonna see a lot more micro training. Things are gonna get down to those shorter lessons, very targeted, and very searchable. So you’re not gonna necessarily go and buy a 15 hour Security+ course because you wanna learn how to do password cracking. You’re gonna go search for password cracking, and the system’s gonna pull out three or four videos that are relevant to you. Kind of the way that we learn on YouTube now, I think that’s gonna become more mainstream in a lot of these content catalogs.
Chris: Okay, and if our listeners wanna know more about you or your other activities, where can they find you online?
Jason: My one place you can find everything is diontraining.com, D-I-O-N training dot com.
Chris: Okay, Jason Dion, thank you for your time and insight today.
Jason: Thank you.
Chris: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page, just go to YouTube.com and type in “Cyber Work with Infosec” to find our collection of tutorials, interviews, and past webinars. If you’d rather hear us in your ears during your workday, all of our videos are also available as audio podcasts, just search Cyber Work with Infosec in your favorite podcast catcher of choice, and finally, to see the promotional offers available for podcast listeners and learn more about our Infosec pro live boot camps, Infosec Skills, on demand training library, and InfoSec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description. Thank you once again to Jason Dion, and thank you all for watching and listening. We’ll speak to you next week.