In the first two parts in my series, a “Path to a Career in Cyber” and a “Path to a Career in Cyber Part and Then Some,” I explained how I got into IT and found my passion which is Cyber Security.

I also discussed how I built my lab in my garage and how I used it to learn about new technologies and to study for my professional IT certifications. A large part of that process, of laying out my Cyber Certification Map and keeping track of what experience, certifications or education I needed for my chosen career field was done using certain web sites and professional organizations.

In continuing this discussion I am going to talk about websites I use to this day to educate myself on new technologies or learn new skills that are required in my field of employment. I also am going to discuss additional websites and software tools I would recommend you add to your skillsets and knowledge of IT and Cyber Security.

By now you should realize I am very big on the fact that if you work in the field of Cyber Security “continuous education” should be your mantra. In the field of Cyber Security the technology, new hardware & software solutions, threats and much more are always changing.

Due to this field encompassing a large number of industries, you will need to understand that you can never know everything. However, that shouldn’t stop you from educating yourself to be the elite Cyber Security professional that you want to be. The point I want to make is education doesn’t stop, stepping on this path is just the beginning.

So as a refresher, back by popular demand from “Path to a Career in Cyber and More” here again is the “Cyber Career Path Workflow” chart again, keep it in mind as we finish up this third article on how to use the last of my recommended tools to map out and manage your path to a career in Cyber Security.

As we get started, don’t forget this article (like the previous ones) is written with the IT/Cyber Security scene of San Diego, California in mind. San Diego has a vibrant IT and Cyber Security industry.

I use it as an example throughout these articles to share with you the types of websites and organizations I recommend you look at in your area to help you begin you’re starting point for your path into IT and possibly, if you want, a career in the field of Cyber Security. The first two articles we discussed:

• Certification Maps
  • World of Cyber
  • Cyber Career Map
  • Cyber Career Map – My Career as an example
• Employment Research & Networking Ideas

In this third and final article we will discuss:

• Education Sites & Tools

As I have stated before, I am by no means an expert. This article is based on my experiences over the last 25+ years in the fields of IT and Cyber Security. So with that said, let’s have some fun!

• Education Sites & Tools

In this last discussion we will cover some sites for education and a couple of sites that have useful tools that I have used over the years to recertify or increase my knowledge of new technologies. We will start with education sites. I am first going to list some adult education sites located here in San Diego as examples of schools where you can go to work on a certification or learn a new skill. I have found many of these two-year colleges and adult education facilities to have excellent labs for working for example on Cisco certifications or the latest Network/Cloud Security certifications. So let’s take a look at a couple of such organizations in San Diego, and similar ones in your area and see what courses they offer.

1. http://www.sdce.edu/ – for the San Diego area this site is great. You can get free classes in IT including your CCNA. Just sign up for it and put in the time. Under the Jobs Training/Certificate Programs tab http://www.sdce.edu/job-training/computers they have programs for “Interactive Media,” CCNA, A+, CCNA – Security, and Web Server Maintenance and Security. Under the Programs tab select “Business, Computers and IT” http://www.sdce.edu/classes/computer-classes  and you will get the full list of courses that are free and available for you to take. Even with a MBA I like to occasionally look at this site to see what classes are available. I would recommend if you are starting out to take some of the beginning computer classes to get your feet wet. What is nice about schools like these is that they are a very inexpensive way to get your basic certifications completed and into an entry level position as we continue to work on that Cyber Career Map.
2. http://extension.ucsd.edu/studyarea/index.cfm?vAction=certificates – this is the University of California San Diego (UCSD) extension program’s web page and from this site you can scroll down and go through the certificate programs they have to offer. These courses cost money but they are relatively cheap compared to paying for a full college class. Many colleges now offer extension type courses or certification tracks that include multiple courses covering a specific area. It is a good way to get some quality education and training to beef up a skillset you need for the “future job.”
3. http://www.codecademy.com/#!/exercises/0 – this is great place to go learn how to code for free. You can do projects and learn how to program in JavaScript, HTML/CSS, PHP, Python, Ruby, and build API’s. Even though I work in Cyber Security I have taken numerous classes. You will find that if you want a long career in IT you will eventually need to learn a language and this is a great place to learn for free.
4. https://www.coursera.org/ – another site for some free or low cost training but you will need to buy your books. There also are some courses that are available and if you want them to count as college credit you can pay a fee. I have done classes in Cyber Security, Cryptography and Mobile Cloud Apps. On this site one school, the University of Maryland, is offering a group of courses that result in a Cyber Security certificate. I would recommend this site if you enjoy doing classes online at your own pace and don’t mind the challenging curriculums. Just remember to keep up with your assignments and enjoy talking with your classmates.
5. https://www.edx.org/ – this is another education site I keep an eye on as I have noticed they have added more Computer Science courses. I am always looking to increase my knowledge in the field we work in so I like to see what they have available. This site is very similar to Coursera. The classes are free and if you want them to count there is a minimal fee.
6. http://www.lynda.com/ – hands down one of the best training sites on the web. For $30 a month you get full access to all of the curriculum and files so you can train and learn numerous skills. I use this site all the time to brush up on skills when I am doing presentations or to learn how something was created because I am curious. I would highly recommend this site to you if learning in an online format works for you. Again there are numerous classes in coding and software development plus they are adding new curriculum including business classes all the time.
7. http://teamtreehouse.com/ – this is the last education website that I recommend. It is fairly new and the curriculum is still being developed. What I find intriguing on this site is you select a specific track that you want to learn, which is made up of sequential courses that by then end are supposed to have taught you a specific skill. Very nice but it costs $25 per month for a basic subscription and $49 per month for the pro subscription that includes extra content. It is definitely a site to watch as they add new content.
8. http://ddosattackprotection.org/blog/cyber-security-blogs/ – this website is actually an article. It lists the Top 100+ Cyber Security Blogs and to a surprising degree it is fairly accurate. I list it as a tool for you to help educate you on the various professionals that work in Cyber Security. I actually each week make my way down the list checking out many of the sites for new information to educate myself on new threats or technologies that are becoming prevalent in the business world. Several I would recommend to start with are:http://nigesecurityguy.wordpress.com/
   http://www.securitycurrent.com/
   https://cloudsecurityalliance.org/
   http://krebsonsecurity.com/
   http://www.wireshark.org/
   http://www.darkreading.com/
   https://www.eff.org/
   http://www.securityweek.com/
   http://thehackernews.com/
9. http://distrowatch.com/ – as you pursue a career in Cyber Security eventually you will need to learn the Linux operating system. This site has information about hundreds of different Linux distributions. This site is important because if you want experience it’s time to roll up your sleeves and start learning how to download and install your first Linux distribution. This site also has links to weekly newsletters and can keep you up to date on Linux, just don’t get overwhelmed. Pick a flavor of Linux like CentOS or Ubuntu that is mature and stable and enjoy!
10. http://sectools.org/ – this is one of the last websites I will recommend and that I have used it over the years as it has aged. However, that said the site lists links to many of the best network security tools available. It tells if the tools have costs associated with them and you can see if they run on Windows, Mac or Linux. For someone starting out in Cyber Security this is a good website to bookmark because I guarantee you will be coming back to it on occasion to find a tool or a link for more in-depth information.
11. http://www.boson.com/default?r=1 – the last web site I list is for Boson — one of the best network simulator software tools that is available. They also do testing and exam simulation. Unfortunately this does cost money but I have used their product over the years to prepare for numerous exams or to simulate network designs prior to actually building them to ensure we had designed them correctly. I have been thoroughly impressed with their CCNP toolset and all of my Network Architects use it.

In conclusion, the main thing to keep in mind is just as I have said before you are starting on a path that will take time, you will not be a cyber-security professional overnight. I would recommend that you approach this in increments and over time you will be surprised at your progress.

First, I would take stock of what you education have completed, what IT knowledge you already know and what is your IT experience level. With this annotate it on Your Cyber Career Map and see where you, if you are at the beginning of the map don’t worry about it as I was there myself at one time.  The big thing to remember is now you have your starting point. Second, find out what IT Professional or Technical organizations are available in your area. Remember, this is so you can start working on building your peer network group plus this will help you get more information about IT career fields and help fine tune that Cyber Career Map of yours. Third, now that you have done that, let’s do some research online into IT or Cyber Security jobs that are available in your area. Do you qualify for any entry level positions? Do you see a “future job” that you find interesting. If you do find a “future job” that is now your “goal” for your Cyber Career Map – it’s your finish line. Add it to the map and we now need to fill in what it will take to get there (Cyber Career Path Workflow). So for our final next step let’s look at what education or training curriculums are available to you. Do you like to do courses online? Are you more comfortable take courses in class? Not a problem, the thing to do here is to select a class that falls within the workflow to get you to your finish line.

I am sure you will find that you won’t yet know all of the classes and experience required to fill in the steps in your Cyber Career Map and Cyber Career Path Workflow chart to get you to that “future job.” This is where your peer network and the professional IT organizations come in to play. They will help you fill in those gaps. This is the same process I did years ago and once you do that you will find you now have the maps before you that lay out a path you can follow.  Just remember these maps are living documents. You should be constantly watching the industry and talking to your peers to see if you need to change classes or certifications on your career maps to ensure they’re up to date with the industry. As I have mentioned, if you want to work in the field of Cyber Security you will be going to school and educating yourself continuously. This field is not for those who want to do the “one-and-done.”  It a field for those who are curious, who are amazed at technology and the many twisted ways it can be used for both good and evil (plus some really cool stuff!).

With that I am going to end. I think I have given plenty of information to keep you busy for a while. As always I hope this has been useful and is of some value to you. If you need anything in the future don’t hesitate to contact me if I can assist I will. Take care of yourself and welcome to the world of Cyber Security!

The post Path to a Career in Cyber and Key Tools appeared first on Security Current.

Part one in the series Path to a Career in Cyber can be read here

In my first article “Path to a Career in Cyber” I explained how I got into IT and found my passion which is Cyber Security. I discussed how I built my lab in my garage and how I used it to learn about new technologies and to study for my professional IT certifications.

A large part of that process, of laying out my Cyber Certification Map and keeping track of what experience, certifications or education I needed for my chosen career field was done using certain web sites and professional organizations.

In continuing this discussion I am going to talk about websites I use to this day to track changes in my field of employment, such as what new skills Senior Cyber Security Engineers are expected to possess.

I also am going to discuss professional organizations I recommend membership in to build your peer network. The final part of our discussion will be a third article where I will discuss additional websites and software tools I would recommend you add to your skillsets and knowledge of IT and Cyber Security.

By now you should realize I am very big on the fact that if you work in the field of Cyber Security you need to always be educating yourself because if you don’t this dynamic field will leave you behind in the blink of an eye.

So as a refresher, here is the Cyber Career Map from the first article, as you can see this plan consists of a step-by-step certification tree, a tree that I used to map out what certifications and experience I would need to work at a specific skill level.

One last note before we get started, this article is written with the IT/Cyber Security scene of San Diego, California in mind. San Diego has a vibrant IT and Cyber Security industry. I use it as an example to share with you the types of websites and organizations I recommend you look at in your area to help you you’re your starting point for your path into IT and possibly, if you want, a career in the field of Cyber Security. The first article “My Path to Cyber” I discussed:

• Certification Maps
  • World of Cyber
  • Cyber Career Map
  • Cyber Career Map – My Career as an example

In this article we will discuss:

• Employment Research & Networking Ideas

As I have stated before, I am by no means an expert. This article is based on my experiences over the last 25+ years in the fields of IT and Cyber Security. So with that said, let’s have some fun!

• Employment Research & Networking Ideas

For this section we will cover websites I use to research positions, required skillsets & education for specific jobs or new career paths I find interesting. We will also look at professional organizations and why it’s important you build a professional peer network and get involved in your local IT community.

The first set of websites are job websites that I like to use for research, several that I find useful are listed below:

1. www.glassdoor.com – this is one website I like to use. You can do research on companies you are looking to apply to and see what previous employees are saying about it, pay ranges of a specific job title, and even what the companies’ interviews are like. I like to go to this site and put in a zip code “92101,” then put in the search field “Information Security” and review the jobs that pop up.  Even at my career level today I am still curious to see what companies in my area are hiring, what they are paying for talent and what skillsets/certifications they expect a new hire to possess.

   What I would recommend is you search in your area and look at the jobs that you can do currently and then look for something that you would like to do in the future. With the “future” job listed, look at the education/skills/certifications required for the position. Now go back to your career map and look at where you are at on the skill tree and what you still need to complete. This will give you an idea of what education and skills you need to work on so that you could be a viable candidate for that “future” job.

2. www.dice.com – this is similar to the previous website, it is specifically for IT jobs. It has the same job search capabilities and you can upload your resume to be seen by hiring managers. I also like to go here sometimes to just see what types of skills companies expect you to have for a specific job.  Plus they have very good discussion groups and articles on IT careers.
3. www.linkedin.com – if you are looking at a career in the IT field and don’t have a profile here you are seriously hamstringing yourself. Just understand this is not Facebook. This is or is intended to be a professional site for career minded individuals. I would recommend you set up your profile with a good picture, get active in your selected forums and use it as a foundation to start building your professional network. Another tool you will like on this site is the “Jobs” tab.

   You can use this tool together with Glassdoor.com to look up a job posted on LinkedIn and then use Glassdoors to research the company. One last thing I like about this website is if you read peoples profiles, you will see some very well worded descriptions of work, projects, and experience that will assist you when you get stuck writing your resume. I don’t advocate copying some else’s profile but it does help viewing how others describe a difficult project or job experience.

3. www.vistaprint.com – you don’t have to use this particular vendor, I just put them down to make a point. Part of finding that new position or building your peer network is networking. Part of networking is you need business cards; it is very awkward to ask for a potential employer’s card so you can contact them about an opportunity and when they ask for your card in return you have nothing to give them.

It also is very hard to talk to a peer that you want to follow up with and meet for lunch to get ideas for expanding your IT experience and you have nothing to give them. Be professional, have business cards, take notes on the back of them about what you discussed with that person and make sure you follow up. This will pay off over time and you will meet some great people in the process.

Now let’s look at professional IT organizations and some not so professional. I am sure there are many to choose from in your area, but with that said we will discuss some in the San Diego area as an example of ones that I would recommend you check out and get involved. I joined many of these organizations to speak with IT professionals about what companies were hiring in San Diego, what types of jobs were in short demand and where they did their training, education or earned their experience. Some good examples of organizations are:

1. http://sdtechscene.org/ – this is an event calendar of many local tech oriented groups; it lists things happening daily in the San Diego area. Note this site is managed by the San Diego Tech Scene, which is a local Tech entrepreneurial organization so there is tons of stuff going on for tech startups. I go to many of the events to network and see new types of technologies. Another site linked to them that is tied into the tech scene is http://startupsandiego.co/  The reason I go to startup events is I want to stay fresh with what is going on in technology.  You may think this is not related to Cyber Security but you would be wrong. Many a new technology turns into tomorrow’s zero-day. Educate yourself, enjoy a beer and see some really cool tech.
2. http://evonexus.org/evonexus/ – this website is linked to the EvoNexus, which is an incubator for some incredible technology companies located in the downtown “Gaslamp” quarter of San Diego. Again, just like the SD Tech Scene, I go to the EvoNexus events to see how people are using technology. I am fascinated to see what entrepreneurs create and the hard work they and their teams go through to bring a technology to market. As you are creating your career path I would suggest you go to events like these in your area to see how quickly technology is evolving. This is why I state you need to be constantly educating yourself or you will get left behind, especially in the field of Cyber Security.
3. http://sandiego.networkafterwork.com/city/san-diego  – this is the “Network after Work” site for San Diego.  These events are held in many cities around the world and typically have monthly networking gatherings at some of the best hot spots in your area. People typically go to them to practice their networking skills and meet new people and yep you guessed it “Look for a new job”! I would recommend you at least check one out, sit back and watch people network. It can be quite educational and along the way you will learn a lot about human nature and how to approach a stranger and strike up a conversation. Have fun and don’t forget your business cards.
4. http://www.meetup.com/ – this is an awesome site. Right now there are thousands of meetups here in San Diego going on all the time and all you need to do is set up an account and start searching for groups that are meeting on things that you find interesting. It can be groups for professional networking, IT/Tech events, specific subject like hacking, big data, drones, bitcoin etc. Once you start looking at this site you will see there are tons of things you can do. Make sure when you go to these events you have fun, educate yourself, and don’t forget to bring your business cards with you.
5. http://www.sdissa.org/ – This is the San Diego chapter of ISSA (Information Systems Security Association) and a good place to network and get involved in your local Cyber Community. They typically will have monthly luncheons with speakers who cross the field of IT and Cyber Security. I have been a member for over 10 years and actively go to these luncheons when my schedule permits. I  even present at the San Diego chapter on occasion. The main thing to remember here is if you are starting out in the field of IT or Cyber Security you will meet many people in both fields at these gatherings. It is here that you can collect information to fine tune your cyber career map.
6. http://www.isaca-sd.org/ – This is the San Diego chapter of ISACA (Information Systems Audit and Control Association). If you are into Network Audit and Risk Management this organization is for you. I have found they have great presentations at the monthly meetings. Many of these presentations are given by very knowledgeable people within the field of IT and Cyber Security. This is a very good organization to get involved with if it is available in your area and I would highly recommend it.
7. http://aitpsd.org/ – this is San Diego’s chapter of AITP (Association of IT Professionals). This is an organization that focuses on IT education for professionals. They are active and have members that range across the IT and Cyber career fields. Here in San Diego their meetings tend to be in the evening, typically a dinner format, with great speakers. Locally they are known for their annual “Cloud Security Conference.” What I like about attending AITP events is you have people from all over the IT spectrum. While networking at these events the conversations you get into with people are fascinating and again you learn about other IT fields. Going to these events is all about broadening your view of IT and Cyber Security and giving you context of how technology fits into the career path you are building.
8. https://www.owasp.org/index.php/SanDiego  – this is the San Diego chapter of OWASP (Open Web Application Security Project).  This is a worldwide organization dedicated to improving the security of software. I have gone to several of their chapter meetings and even presented at one. There is an incredible amount of information and training that is available through an OWASP chapter and if your career path involves software development I would definitely recommend joining this organization. The main organization website is https://www.owasp.org/index.php/Main_Page I have used it to educate myself on software security and provide training to my developers.

As we finish this discussion I think it is important to use all of the tools available to you, with that said the workflow below I believe demonstrates why these sites are important. They are tools that can be used by you as you start your career path into the world of Information Technology and Cyber Security.

So as always I hope this article and the information I have provided is of value to you. I bring this to you not as an expert but as a practitioner who has been in the field for years with a true wish to share some of the experiences I have learned. With that good luck as you walk your path and done forget, “always be curious.”

The post Path to a Career in Cyber and Then Some appeared first on Security Current.

When I started my career in the US Navy, almost three decades ago, I originally went into the field of advanced electronics. It was close to what I wanted to do, which was work on computers. However, in the mid-1990’s, I read a book that changed my life.

The book, “Information Warfare,” was written by Winn Schwartau and after reading it I became fascinated with not just computers, but the idea of global networks and how computers could be used as both an offensive and defensive weapon. The book started me down a long twisted path full of curiosity and after 25+ years of walking that path I find I am always curious.

Information Technology (IT) today permeates every facet of our daily lives. We would be very hard pressed to find a place in the world where some type of IT is not being used. With that said, because this technology is such a multi-faceted tool, it can be used in an exponential number of ways for both good and evil.

So, over the years as I have walked this twisted path in IT I have sought to expand my knowledge into the field of what we now call Cyber Security. I have purposely worked in many positions to learn new ways to use computers and increase my understanding of enterprise networks and how to protect them.

Over time I even built a lab in my garage, to the dismay of my wife, made from way too many shopping sprees on eBay and Fry’s. Before you knew it I had a full rack of Cisco equipment and several rows of Windows and Linux desktops and servers (pre-virtualization days – I feel old). I used this equipment over many long nights to teach myself networking, a little hacking – who am I kidding a lot of hacking, and computer forensics. I also used this lab to help me study for my first certifications and as I changed jobs I would reconfigure the lab to study for new certifications.

This lab would teach me that to work in the field of Cyber Security you need to start small. You need to figure out what you don’t know, lay out a plan for where you eventually want to be, and then put your head down and get to work.

I used the lab to experiment and increase my knowledge, I used it to break things and then figure out how to fix them. Sometimes, humbling that it may be, I learned I was not as smart as I thought I was and I would have to ask for help after breaking something. In spending this time, over several years, working in that lab and taking any class I could find at the local colleges and junior colleges I developed what I called my Cyber Career Map.

This map consisted of a certification tree, a tree where I mapped out what certifications and experience I would need to eventually be at a certain skill level. The hope was someday I would have an interesting job in Cyber Security. As I look at where I am at today I would say that plan worked very well.

So fast forward to today, I was recently asked to describe how I developed my map and to write an article with some mind maps as a visual tool so readers would better understand my process. There are three tools that I used to develop a Cyber Career Map, those are the Certification Maps, Employment & Networking Web Sites, and Education & Cyber Web Sites. This article is centered on Cyber Certification Maps and its three sub component areas:

• Certification Maps
  • World of Cyber
  • Cyber Career Map
  • Cyber Career Map – My Career as an example

Before I get started, I want to say I am by no means an expert. This article is just based on what I learned from experience over the last 25+ years as my career has progressed in both IT and Cyber Security.

I believe my experience in having moved through multiple disciplines within the IT and Cyber Security fields gives me a unique perspective on the experience and insight a senior cyber security professional gains from having a broad range of IT knowledge. So with that said I plan to describe some of the tools and web sites I used to help me in my career and why I used them. Let’s get stated.

• CYBER Certification Maps
  Diagram #1

​

1. The first diagram is labeled “The World of Cyber-Security.”  Here I am trying to show you that there are many areas that fall under the umbrella of Cyber. The certifications I have listed in these areas are by no means all that are available, they are only examples of what you would find if you wanted to focus in a specific area.

You will also note that I didn’t list any certifications dealing with programming or application development; this field is extremely important however I have been out of that field for some time and feel I do not know enough about it to do it justice so I didn’t add it at this time.

The main idea I want you to get from this diagram is that under the Cyber umbrella I have always felt there were five main fields of study. They are:

• Network Management
• Network Engineering
• Information Security
• Audit/Risk Management
• Application Development (not shown)

Please note that under each of these “fields of study” are sub-groups and inside these are numerous disciplines that one can delve into and find their passion. What’s important to note here is that there are plenty of disciplines to choose from.  I know numerous people who, like myself, are multi-disciplined and have worked at times across several of the fields I have listed in this diagram.

I have found through my years of experience that many of the great Information Security professionals I have met were people who had also worked as application developers, network engineers, and security auditors etc. The key point I want to make to you is having experience in multiple fields gives you some context on how enterprise networks are designed and implemented and a better understanding of implementing security controls.

These controls that come from a selected information security or risk/compliance framework reduce the risk exposure of your organization and they are a key point for why properly implemented cyber security is crucial for an organization today to survive in the dynamic threat environment we currently face.

Diagram #2

2. Now the second diagram shows what I like to call a “Cyber Career Map,” a map very similar to this is what I have used in the past to map out my career progression and it’s the tool I have used to mentor my teams over the last decade.

What you should take away from this is if you work in this field of “Cyber Security” you should always be adding to your skills and your knowledge, whether it’s working on a new certification or taking a college class on something you find interesting. The field of Cyber is constantly changing, you will both update your skills and change with it or you will find a new field of employment – this field is not for the faint hearted so keep that in mind.

As you note from this second diagram it starts at the top, there are several basic certifications listed (Security+, Network+, CCENT). Under the basics certs, that someone starting in the field of Cyber Security would do first, are five headers:

• Security Engineer
• Network Engineer
• Information Security
• Professional Education
• Professional Growth.

How this diagram would work is after you have completed your basic certs at the top you would select an arm of the diagram, left for “Security Engineer” or right for “Network Engineer.” Over time as you work on your “Professional Education” you would continue to work on certifications listed under the section you selected and as you gain some experience, select a certification from “Information Security” to add to your growing knowledge of Information Technology.

I originally put this certification tree together to use as a visual map, which enabled me to see the flow of certifications in specific areas that I found interesting.  It also would help me see the succession of classes, labs, job experience etc. I would need to work in a specific field or at a specific job level (Senior Network Engineer). The map was a good reminder that as I perused www.dice.com looking for a specific job description and it stated you needed to be an “RHCE,” there were prerequisite certifications and experience I should work on first to eventually get to that level of skill if I expected to qualify for that job.

Diagram #3

3. The third diagram is how you would use a career map. This is my career, mapped out as an example. As you can see from this diagram the certs and degrees highlighted in yellow are ones I have completed over the last 20 years of my career, I put the “Professional Education” piece in the center of the diagram because over my career I completed my education in parallel with certifications that I was working on. Something to note, from this diagram you can see I started with two of the three basic certs (Security+, Network+, CCENT) and then moved into the Network Engineer track first.

As a network engineer I did my Cisco certifications then proceeded to learn operating systems. I found doing the Cisco certifications first actually helped me because I understood how networks were put together, how data flows in enterprise networks and had a good understanding of protocols before I got into specific operating systems.

As I gained more experience and started to manage teams I became very interested in doing network penetration testing so I started working on certifications in the Hacking & Pentesting group. After completing several of those certifications I had close to ten years of experience working on enterprise IT networks and knew I had enough experience to qualify for the CISSP certification so I decided to work on it in the Information Security group……..

The main point to note looking at this diagram is that I worked on both sides in multiple areas, many of these changes were directed by changes in my employment. However, many of the certifications in the different fields of experience were actually selected by me because of research into specific job descriptions.

I did much of this research joining organizations such as ISSA or ISACA to better understand the different fields of IT and Information Security and while talking with members I would sometimes find a job that sounded interesting.

Once I found an interesting job I would access job boards like www.Monster.com or www.Dice.com and look for a job descriptions that matched the job I was interested in. Reading the description I would annotate the experience required and any required certifications. I would use this information as a blueprint to build my “Cyber Career Map” and then assess where I was currently on this map and what I still needed to complete if I wanted that particular job.

I found over time, as I educated myself on my career field, I would see particular skills become mandatory if you expected to work in a specific job and with this knowledge I would adjust my career map and reassess any outstanding skillsets or experience I was missing.

In conclusion, the main thing to keep in mind with all of the information I have provided is that starting on this path will take time, you will not be a cyber-security professional overnight. Many of you may already have some experience and education and you are looking to go to the next level. For that I say continue your education.

I would also recommend you get some hands-on experience in building some computers or networks (hardware or virtual), play with some operating systems, volunteer at some non-profits. Big thing to remember is don’t quit, make sure you go to some of the IT meetings at your local IT organizations and network with people there and ask for their advice.

Who would they recommend you go to for experience, how did they get their experience and training – these are questions you need to just keep asking until you find answers that are right for you, then adjust your Cyber Career Map and keep moving forward.

I hope this has been useful and it is of some value to you, take care of yourself and welcome to the world of Cyber Security!

The post Path to a Career in Cyber appeared first on Security Current.

As a CISO, you will find your job requires you to have experience in many areas. As the leading cyber security executive for your organization you will be expected to manage your organizations cyber security suite and lead your team in protecting its assets. In this position you will also work with your organizations departments and in the process meet many of your critical stakeholders.

As you build your human network in your organization, remember these stakeholders are your customers and it is important that you understand what issues they are presently having with your organization’s enterprise network and its current application portfolio.

Your stakeholders will eventually turn some of these issues into business cases for new IT projects. I have seen many of them come before my IT Department’s Technical Review Board as they make their way through my organization’s governance process.

Knowing the context of why these projects are being proposed by your stakeholders’ department and understanding the underlying issues that drove them to propose a solution will help you view their business case with a more informed view.

The reason this is important is that as a CISO, your expertise in security and risk management will be called upon to review new projects or proposed solutions. Many of these projects will be to assist one of your stakeholders in correcting an issue that is interfering with them being able to provide services to your organization and its customers.

Sometimes your stakeholders will propose projects that incorporate new technologies. As the CISO, you will have to decide the risks involved in using these new technologies and whether they are a good fit for your organization’s technology roadmap.

As CISO, I firmly believe part of your job is to not say “No” to projects that don’t quite meet your organization’s roadmap. Instead, I believe, as a CISO your job is to say “Maybe.” This leads you to looking at proposed IT projects with a critical eye to ensure they induce the least amount of risk to your organization.

However, you still have to remember there is a business reason for the project so you will need to think of alternatives. Sometimes, to do this you have to remember the reason why these projects were being proposed, and what “issues” they are to solve. Your job in your organization is not to stop it from doing business, in fact I look at cyber security as a business enabler. We provide the foundation to build your organization’s IT portfolio on and then keep it safe.

Part of keeping your organization safe is being able to answer the “Maybe.”  I have found being able to do this involves being knowledgeable of new technologies and the risks involved with old ones.

I constantly do this by attending classes, training events and start-up incubators to see new technologies and how to add them to legacy networks. I have found that to be an effective CISO for your organization you must be able to say “Maybe” when needed and give them an alternative to succeed.

The post Cyber, It’s All About the Maybe appeared first on Security Current.