When I started my career in the US Navy, almost three decades ago, I originally went into the field of advanced electronics. It was close to what I wanted to do, which was work on computers. However, in the mid-1990’s, I read a book that changed my life.
The book, “Information Warfare,” was written by Winn Schwartau and after reading it I became fascinated with not just computers, but the idea of global networks and how computers could be used as both an offensive and defensive weapon. The book started me down a long twisted path full of curiosity and after 25+ years of walking that path I find I am always curious.
Information Technology (IT) today permeates every facet of our daily lives. We would be very hard pressed to find a place in the world where some type of IT is not being used. With that said, because this technology is such a multi-faceted tool, it can be used in an exponential number of ways for both good and evil.
So, over the years as I have walked this twisted path in IT I have sought to expand my knowledge into the field of what we now call Cyber Security. I have purposely worked in many positions to learn new ways to use computers and increase my understanding of enterprise networks and how to protect them.
Over time I even built a lab in my garage, to the dismay of my wife, made from way too many shopping sprees on eBay and Fry’s. Before you knew it I had a full rack of Cisco equipment and several rows of Windows and Linux desktops and servers (pre-virtualization days – I feel old). I used this equipment over many long nights to teach myself networking, a little hacking – who am I kidding a lot of hacking, and computer forensics. I also used this lab to help me study for my first certifications and as I changed jobs I would reconfigure the lab to study for new certifications.
This lab would teach me that to work in the field of Cyber Security you need to start small. You need to figure out what you don’t know, lay out a plan for where you eventually want to be, and then put your head down and get to work.
I used the lab to experiment and increase my knowledge, I used it to break things and then figure out how to fix them. Sometimes, humbling that it may be, I learned I was not as smart as I thought I was and I would have to ask for help after breaking something. In spending this time, over several years, working in that lab and taking any class I could find at the local colleges and junior colleges I developed what I called my Cyber Career Map.
This map consisted of a certification tree, a tree where I mapped out what certifications and experience I would need to eventually be at a certain skill level. The hope was someday I would have an interesting job in Cyber Security. As I look at where I am at today I would say that plan worked very well.
So fast forward to today, I was recently asked to describe how I developed my map and to write an article with some mind maps as a visual tool so readers would better understand my process. There are three tools that I used to develop a Cyber Career Map, those are the Certification Maps, Employment & Networking Web Sites, and Education & Cyber Web Sites. This article is centered on Cyber Certification Maps and its three sub component areas:
- Certification Maps
- World of Cyber
- Cyber Career Map
- Cyber Career Map – My Career as an example
Before I get started, I want to say I am by no means an expert. This article is just based on what I learned from experience over the last 25+ years as my career has progressed in both IT and Cyber Security.
I believe my experience in having moved through multiple disciplines within the IT and Cyber Security fields gives me a unique perspective on the experience and insight a senior cyber security professional gains from having a broad range of IT knowledge. So with that said I plan to describe some of the tools and web sites I used to help me in my career and why I used them. Let’s get stated.
- CYBER Certification Maps
Diagram #1
1. The first diagram is labeled “The World of Cyber-Security.” Here I am trying to show you that there are many areas that fall under the umbrella of Cyber. The certifications I have listed in these areas are by no means all that are available, they are only examples of what you would find if you wanted to focus in a specific area.
You will also note that I didn’t list any certifications dealing with programming or application development; this field is extremely important however I have been out of that field for some time and feel I do not know enough about it to do it justice so I didn’t add it at this time.
The main idea I want you to get from this diagram is that under the Cyber umbrella I have always felt there were five main fields of study. They are:
- Network Management
- Network Engineering
- Information Security
- Audit/Risk Management
- Application Development (not shown)
Please note that under each of these “fields of study” are sub-groups and inside these are numerous disciplines that one can delve into and find their passion. What’s important to note here is that there are plenty of disciplines to choose from. I know numerous people who, like myself, are multi-disciplined and have worked at times across several of the fields I have listed in this diagram.
I have found through my years of experience that many of the great Information Security professionals I have met were people who had also worked as application developers, network engineers, and security auditors etc. The key point I want to make to you is having experience in multiple fields gives you some context on how enterprise networks are designed and implemented and a better understanding of implementing security controls.
These controls that come from a selected information security or risk/compliance framework reduce the risk exposure of your organization and they are a key point for why properly implemented cyber security is crucial for an organization today to survive in the dynamic threat environment we currently face.
Diagram #2
2. Now the second diagram shows what I like to call a “Cyber Career Map,” a map very similar to this is what I have used in the past to map out my career progression and it’s the tool I have used to mentor my teams over the last decade.
What you should take away from this is if you work in this field of “Cyber Security” you should always be adding to your skills and your knowledge, whether it’s working on a new certification or taking a college class on something you find interesting. The field of Cyber is constantly changing, you will both update your skills and change with it or you will find a new field of employment – this field is not for the faint hearted so keep that in mind.
As you note from this second diagram it starts at the top, there are several basic certifications listed (Security+, Network+, CCENT). Under the basics certs, that someone starting in the field of Cyber Security would do first, are five headers:
- Security Engineer
- Network Engineer
- Information Security
- Professional Education
- Professional Growth.
How this diagram would work is after you have completed your basic certs at the top you would select an arm of the diagram, left for “Security Engineer” or right for “Network Engineer.” Over time as you work on your “Professional Education” you would continue to work on certifications listed under the section you selected and as you gain some experience, select a certification from “Information Security” to add to your growing knowledge of Information Technology.
I originally put this certification tree together to use as a visual map, which enabled me to see the flow of certifications in specific areas that I found interesting. It also would help me see the succession of classes, labs, job experience etc. I would need to work in a specific field or at a specific job level (Senior Network Engineer). The map was a good reminder that as I perused www.dice.com looking for a specific job description and it stated you needed to be an “RHCE,” there were prerequisite certifications and experience I should work on first to eventually get to that level of skill if I expected to qualify for that job.
Diagram #3
3. The third diagram is how you would use a career map. This is my career, mapped out as an example. As you can see from this diagram the certs and degrees highlighted in yellow are ones I have completed over the last 20 years of my career, I put the “Professional Education” piece in the center of the diagram because over my career I completed my education in parallel with certifications that I was working on. Something to note, from this diagram you can see I started with two of the three basic certs (Security+, Network+, CCENT) and then moved into the Network Engineer track first.
As a network engineer I did my Cisco certifications then proceeded to learn operating systems. I found doing the Cisco certifications first actually helped me because I understood how networks were put together, how data flows in enterprise networks and had a good understanding of protocols before I got into specific operating systems.
As I gained more experience and started to manage teams I became very interested in doing network penetration testing so I started working on certifications in the Hacking & Pentesting group. After completing several of those certifications I had close to ten years of experience working on enterprise IT networks and knew I had enough experience to qualify for the CISSP certification so I decided to work on it in the Information Security group……..
The main point to note looking at this diagram is that I worked on both sides in multiple areas, many of these changes were directed by changes in my employment. However, many of the certifications in the different fields of experience were actually selected by me because of research into specific job descriptions.
I did much of this research joining organizations such as ISSA or ISACA to better understand the different fields of IT and Information Security and while talking with members I would sometimes find a job that sounded interesting.
Once I found an interesting job I would access job boards like www.Monster.com or www.Dice.com and look for a job descriptions that matched the job I was interested in. Reading the description I would annotate the experience required and any required certifications. I would use this information as a blueprint to build my “Cyber Career Map” and then assess where I was currently on this map and what I still needed to complete if I wanted that particular job.
I found over time, as I educated myself on my career field, I would see particular skills become mandatory if you expected to work in a specific job and with this knowledge I would adjust my career map and reassess any outstanding skillsets or experience I was missing.
In conclusion, the main thing to keep in mind with all of the information I have provided is that starting on this path will take time, you will not be a cyber-security professional overnight. Many of you may already have some experience and education and you are looking to go to the next level. For that I say continue your education.
I would also recommend you get some hands-on experience in building some computers or networks (hardware or virtual), play with some operating systems, volunteer at some non-profits. Big thing to remember is don’t quit, make sure you go to some of the IT meetings at your local IT organizations and network with people there and ask for their advice.
Who would they recommend you go to for experience, how did they get their experience and training – these are questions you need to just keep asking until you find answers that are right for you, then adjust your Cyber Career Map and keep moving forward.
I hope this has been useful and it is of some value to you, take care of yourself and welcome to the world of Cyber Security!