Ask an expert: How to start and advance your cybersecurity career

July 18, 2019 posted by



Hello there, everybody, and thank you for joining today's webinar. Today we're going to ask the expert how to start and advance your cybersecurity career. My name is Camille du Puy and I am the marketing events manager at InfoSec, and today we have with us Keatron Evans. So with that, we'll go ahead and talk about CPEs real briefly before we introduce Keatron and get on with the webinar here today. If you are looking to earn CPE credits, InfoSec webinars are a good way to do that. However, you want to make sure that you double-check the requirements of your certifying body, as they all differ a little bit on what qualifies. But after the presentation today you will receive the link, as well as a resource to an article that will show you what the requirements are, as well as a certificate of completion that you can request to send to your certifying body.

So with that, let's go ahead and meet our guest. Today we have Keatron Evans, and Keatron is an InfoSec instructor as well as a managing partner at KM Cybersecurity. Great to have you with us, Keatron. You know, you've done a couple of webinars with us before, and you're always a fantastic guest for us, so thanks for joining. As I said, my name is Camille du Puy and I'll be the moderator today. So I'm going to go ahead and, as we go here, turn it over to Keatron, but first I want to let everyone know that this is of course going to be a very interactive webinar. This is a time for everyone to ask questions, you know, anything related to advancing your cybersecurity career, or questions you have about getting into the industry. Anything from specific to broad, we'll get to as many of those questions as we can today. So Keatron, I'm going to turn it over to you and see if you would share some of your background, some of how you got started in the industry, perhaps education and experience, certifications, some stuff kind of in that realm.

Yeah, sure. I mean, there's always a lot of that stuff, but I'm just gonna
try to focus on the stuff that actually contributed to IT, because, you know, I messed around with music and stuff like that early on, in fact as a potential career field. But essentially what happened was I was working for a small city in Mississippi as an assistant to the city engineer, and at that point they decided they needed computers, and I was the only one that was under the age of 50 at the time. So they were like, "Yeah, that's your job now, to get us computers and get them set up." So it really started for me just going to a local computer shop, buying a computer, coming back and getting it set up. And from that it graduated into other things. There was a certification that used to be popular back in the day called the Novell CNE, so I got my first certification. This is all way back in 1998, I think I was like 18 or so. Novell, got their CNE certification, and stood up my very first network. And from that, a year later, everybody was like, "Oh well, Novell's going away, now you have to learn Microsoft." So I went the MCSE route to learn how to do what it is I was supposed to be doing, and that was really the start for me.

One good point to that is it was a really small city, and I've also learned that my foray into cybersecurity, or IT security, was when I was working for a small company as well. So for those of you that are looking to go land that first cyber job in a big company, you might want to reconsider that some, because there are advantages also to doing it with a small company. You can get approvals for training and stuff like that a lot easier if the small company is going to pay for it, because you might be the person that's responsible for everything. And I think that was what happened to me: I was in charge of everything computers, and eventually everything computers including security, so it allowed me to be able to get that
training and get into certifications and stuff when certifications were really brand new. There was really no one in the game but Microsoft and Novell. So that's how I started. I got tired of that job, I figured I could be more, so I moved to Chicago, interviewed at a few places, and got a job right away doing just basic break-fix, replacing hard drives, that type of thing. The company I was working for didn't have anybody but me. It was a pretty engineering firm of about 20 people, and they had me doing most of their "computer stuff", they called it back then. And what ended up happening is I was like, okay, well, I'm tired of... so I want to do something that is a little more exciting to me. I still have an Excel sheet that I created, this is like in 2000, where I listed out certifications and things that I wanted to learn, and this was all based on just what I knew about the industry so far. CISSP; CEH was brand new, it had just come out. And that was really my connection with InfoSec at that point, because at that time there were really like two places doing the training. I met Jack and took the class from him, and shortly after I taught a few classes, and he's like, "Yeah, you're teaching from now on, I'm not doing it. I don't get evals as good as yours up there, so it doesn't make sense for me to do it." And that's kind of how I started with that side of it.

But the certifications definitely open the doors to meeting people to get other opportunities. I tell people sometimes you can take a five-day certification class and out of that five days you only learn maybe one thing that's valuable to you, but sometimes that one thing is really, really valuable, like it brings you to that next level. So that's kind of how I got started with it. I didn't go to a big fancy university. I went to, you know, small Mississippi universities. It was no Harvard, MIT, none of that kind of stuff. And I just kind of kept begging, you know, to just do better and
do better and do better to get to that next step.

And one of the things that I wanted to point out to you, because this is a question that I know is gonna come up, is people will go get certifications, get degrees and say, "Yeah, I've got these degrees, I've got these certs, and I've interviewed at ten places and I didn't get the job. So you guys are saying that there's all these jobs in IT security and cybersecurity, why am I getting passed over?" And what I would say to that is, first of all, you need to get out of the mindset that because you have a cert and because you have a degree you're absolutely going to get that job that you're applying for. You have to actually be good at it. You have to put the work in to make yourself good at what you're doing. Just having the paper doesn't really guarantee you the job. Now, there are some jobs where they hire people just because of the cert, because they need that butt in the seat for some compliance criteria or something like that. But the jobs that a lot of people are going for, where you're actually doing hands-on pen testing and hands-on threat hunting and stuff like that, you actually have to be good at it, because just like you're applying for it with all your certs, you're in a line of other people with certs applying for it. And even though there's lots of jobs out there, we're going to pick the people that can actually demonstrate that they have the skills better. So getting the certs, you know, what I'm saying is, don't count on getting the job because you have the certs, but you can almost count on not getting a job if you don't have the certs. So it's one of those things: you have to do it, but you have to do that plus actually put the time in to become good at what it is you're trying to do.

And the way I have always looked at it, when I found out about security, is every time I figured out how to do a hack or how to do something that I didn't know how to do, I felt like I had been kind of
running a marathon, and it seems like every mile someone hands me like a thousand dollars. So imagine how hard it is to run a marathon, but imagine how much easier it'd be if every mile someone just handed you a thousand dollars cash.

I think I'd turn into a runner pretty quickly.

Exactly, that's the point, and that's exactly... I tend to get that same feeling every time I figure out something that I didn't know how to do, security related. I feel as if someone just handed me a thousand dollars. You know, not a million, because I'd be retired at that point, but I feel like someone's handing me $1,000, and that kind of drives me to just keep learning and keep going and keep finding out new things. And what I would say to people is, if you're in this industry and you don't get that feeling when you figure out something, when you solve the puzzle, or when you commit that first hack, then, you know, reconsider. Maybe this is not the thing that you should be doing if you don't enjoy what you're doing to the point that you get that kind of euphoric feeling when you jump that plateau and move on to a level that you weren't at before.

Right. Oh, that's a fantastic analogy, Keatron, I really like that. And this is an industry that doesn't stop changing, right? So you have unlimited potential to keep running that marathon and keep earning those thousand dollars, because there's going to be something new that someone needs to figure out every day. So really, really great analogy there. Let's move on. Thanks for the background, so the guests here know who they are privileged to speak with today. For the guests that just joined, please use the Q&A panel to start submitting questions. We're going to now move on to questions that were submitted through the registration process, and I see from the attendee list there's some of the folks live on here that submitted some questions. So we picked some out that people pre-submitted for the webinar, and then we're going
to save time at the end as well to answer questions here in the live session. So starting out with this question from Michelle T., and Keatron, this is kind of pertinent because you said that you actually went into, you know, thinking about other careers. Michelle said: what is your advice for someone going from a teaching career into a newer second career in various cybersecurity roles? She has a bachelor's and a master's degree, but they are in music and Italian language. Would she have to go back to school, or should she just work on certifications?

Well, I would probably advise initially working on certifications to get yourself in the door of somewhere that will then pay for whatever else you need to get. Because the thing is, if you look at a lot of the IT security and cybersecurity jobs, they don't necessarily say you need a degree in computer science or even anything technical. Most of them will say you must have a bachelor's degree, and that's like the first step that you need to meet for a lot of these jobs. So if you have a bachelor's degree, that qualifies you to interview for a lot of positions, and then on top of that they'll say you must have this certification, this one and this one. So they usually append it with: you can have a bachelor's degree in whatever, but you need these certifications to prove that you actually know something about this industry. So I would say probably start off with the certifications, because, one, they're cheaper, you can get them faster, and it gives you an opportunity to get into doors to places a lot sooner. And also, since you have a teaching background, talk to InfoSec about coming on as an instructor after you get a few good certifications under your belt, because they're always looking for good instructors and people who have a good ability to teach. Teaching has also been a great way for me to learn some of the basic fundamental stuff, like how TCP works and all these things you learn. A lot
of times you can learn that stuff and remember it better after you've taught it to somebody else a thousand times, so teaching is also a good way to learn.

Right, and I think that's an interesting point to consider, Keatron. Like you said, a lot of times hiring companies will request a bachelor's or a master's degree, and I think a lot of times what they're requesting is something showing that somebody's got the ability and willingness to learn, and then pursuing that with certifications, even if it's not directly in the field you're going into. I think I've heard some stories of different individuals who have gotten into cybersecurity from very different careers, but it's just those individuals that really have the willingness and interest in learning new skills, which they can prove then by certifications instead of a degree necessarily.

Absolutely, yeah. The best pentester I have on my team, she didn't come from a technical background. She didn't have a comp sci degree or any technical degree. She actually majored in drama, but she was interested in computers and hacking and technology, and we kind of just mentored her. I would give her little projects to go and practice on, and she would take it to the next level, and once I saw that I was like, okay, she's gonna be really good at it, because she's really digging into it and doing way more than I asked, you know, to the problem, but she's learning a whole lot while doing it. And now she's literally the top pentester that I have, and she's got the least amount of actual technical experience of everybody else.

Well, very cool. It's so cool to see how people can transition in this industry and really come from anywhere and be successful.

Absolutely.

So here's a question that was submitted: what projects do you do on your own to learn more about cybersecurity, and where do you get started? That question's from Crabbin. So I think, you know, kind of
interested in, like you said, you just kind of started playing around with different computer strategies and that kind of thing, and how did you know where to start?

Yeah, that's a good question, because back then in '98 when I was starting there was really no internet, or it didn't exist like it does today, so you really had to read books. I would go to the local computer store, because there was only one for like a hundred-mile radius of where I grew up. That was the computer store for that entire part of Mississippi. So I would go there to buy things, cables and new network cards and different pieces, and while you're in there you have conversations with the people that work there. At that point in time the culture was different. The computer store was where you went, it was like your hub. That was kind of like your internet to get information about technical things, because those people had access, they were trying to sell stuff, they knew what was coming out in the near future. So I actually got into networking and stuff like that just by hanging out there.

But now I would say definitely join some groups on LinkedIn. Jump into some of the cybersecurity groups, and they're all rated, so you can find the ones that are really good. From that point, definitely just start doing some hands-on projects. Get on there to see what people are doing, but you're gonna have to actually get some hands-on stuff yourself. So I would recommend downloading a few VMs like Kali, because we all use that in the industry at some level. Download Metasploitable so that you can start practicing how to exploit things. There's a lot of other careers in cybersecurity other than pen testing, other than hacking, but I still think it's one of the best places to start practicing, because it builds so many different types of skill sets other than just pen testing. I mean, you're going to get
very solid with Linux, you're going to get solid with some scripting, you're gonna get solid with just how operating systems and how networks work. It requires you to get a good mastery of all those things. So I still think, just dive into looking at, like, Security+. Even if you don't take a class, look at the syllabus and just go learn those things, practice those things. Same thing with CEH: go look at the syllabus and then learn those things, and then maybe take a class after that, after you've studied it enough on your own to justify spending that money.

Right. And now, as a follow-up to that, a question that came through was, these are two big certs in the security world, and someone was wondering what the difference is between pen testing and ethical hacking.

Yeah, so there's really not that much of a difference. Pen testing is a form of ethical hacking, right? Pen testing is generally a professional service that we provide to customers, and it is a form of ethical hacking that we get paid for. Now, you see different definitions of it in industry. Some people say, "Well, if I hack into chase.com or bankofamerica.com but I don't take anything, and I just do that to show them what their vulnerabilities are, that's ethical hacking." But you've got to be careful with that, because maybe your intent is to be ethical, but still you just broke the law, and you still could go to jail for doing that without a signed contract. So I think the definition is kind of gray there, but generally speaking I would say that pen testing is just a form of ethical hacking that's been morphed into a professional service that we sign contracts and get paid for.

Sure, okay, I think that's helpful to answer that question. I know that those are just two buzzwords, and for someone who's starting out in the industry, you can see why there'd be some confusion on that, so thank you. Okay, so here's a question from Chandra. She says she's
already completed a digital forensics and computer security course, and she has the room and a variety of equipment at home where she likes to test scenarios without destroying the network she actually uses for work. So this is kind of going back to the different ways to practice. She knows there are online game hacking challenges, etc., but she'd like to have a system and a network where she can have a bit more control and access.

Yeah, I think that's a good question too, and part of what she's getting at there is she wants to be able to build the network, because you actually learn a lot building your practice area. But Chandra, what I would strongly recommend is, give all that equipment a break. Go and set yourself up an Amazon AWS account, or a Microsoft Azure or Google Cloud account, and go on there, set up some VMs, set up some virtual routers, start learning about virtual private clouds and software-defined networking. Because the thing about it is, if you look at what's happening in the world now, most companies, large and small, are rapidly migrating everything to cloud services, so there won't be as much of a need, I don't think, in the near future for the skill sets to be able to work on actual hardware. You're going to be much more valuable knowing how to navigate inside a cloud services environment. And if you build an environment of your own from scratch, that is the best way for you to leapfrog everybody else and have a leg up when you're tossed into that environment in a corporate situation to have to manage it, their security, pentesting, whatever the case may be. So I would recommend doing that instead, and then use that space... you know, throw away, get all that equipment, sell it on eBay to someone that didn't watch this webinar, see, they're still buying equipment, and set yourself up a music room or something.

I like that, I like that tip there, that's fantastic. But it is
interesting to see how many companies are transitioning to the cloud, and as we said, you just got to keep up with the industry to stay in the industry. So good recommendation on what's coming up, and I think it's important that people continue to watch for the future. Some certifications unfortunately might not be valuable in a few years, so keeping up to speed is definitely important with that. Perfect. Well, we've got a couple more submitted questions before we move on to questions from attendees, so I want to remind everyone to start submitting those in the Q&A panel. But let's move on to the next question here. So Keatron, maybe you could tell us a little bit about your certifications and how you planned those, and the other part of the question is, does experience outweigh certifications or vice versa, and what do you see there?

Yeah, so that's a really good question too. Currently I've got over, you know, like 70 different certifications, different things, and initially I did have a plan for how I would approach them. I started out with just looking at what was out there and what they covered. At the time CISSP was kind of where I wanted to be, because it was looked at as, if you get this one, it's kind of the grandfather of all. But then what happened is, as I got into it, I learned what the certifications actually were, and now I even recommend to people that CISSP may be a good next logical point after Security+ or something like that, because it covers a lot of different things very shallowly, and that allows you to get an idea of what it is you really want to do and specialize in, because you kind of touch on all of it with something like CISSP or CISM. So my plan was... like I said, I have this big Excel sheet. I had in there first A+, Network+, and the logic behind that was I needed to learn the basics first, and then after
Network+ I went to Security+ and all the Microsoft, like MCSE, and then I moved into the security stuff after that. That was kind of my plan, to make sure that once I got into the hacking I actually knew how operating systems work and how networking works. Because again, once you have a system, you go and get Metasploit Pro or whatever and you compromise a system, what are you going to do once you get on that system if you don't understand how the operating system works, if you don't understand how networks work? So I was afraid of that. I've always been afraid of being underprepared, so I always just stack and make sure I plan it out.

The other reason I think this question is really good is because the whole experience-outweighing-certifications thing, that's kind of a big argument in the industry. My take on it, what I always tell people, is definitely if I'm hiring someone to do a specific job that requires a specific technical skill, if they've got a lot of experience doing that, that's probably going to be more important to me than having the certifications, because I can get them the certifications really quickly. But there's also the flip side of the argument, which is, for yourself, for your own personal goals, Camille, if you were trying to do this, what I would say to you is, well, experience is something that you get over time. The only way to get five years' experience is to work for five years, right? It takes a minimum of five years. But the certifications you can get right now. So you've got these two things, you've got to get both. You've got to have experience and you've got to have the certs, so why would you delay one when you can get that now, while you're trying to wait to get the opportunity to get the other? Because experience is definitely gonna probably come from an opportunity that either someone gives you or an opportunity you create for yourself, but either way, while you're provisioning
that opportunity or waiting for it, you should still be getting the certifications, because you can do that now. You can really quickly increase your net worth, as far as a cybersecurity career, right away just by getting some of the certifications right now.

That's a great point. I think there's a little bit of, again, a gray area in that space, because like you said, you can get certifications so quick. Someone who has a little bit of knowledge and has some of those prerequisites, they could sign up for a couple of courses right in a row and pass those all and all of a sudden become so much more valuable. But experience, where they've done this hands-on work for several years, is of incredible value as well. So that is a really interesting question. I think it's really a paradigm of how that works in this industry.

Yeah, it's definitely important, because I can remember when I was going through my Microsoft stuff, there was a service that Microsoft introduced, I think with Windows 2000, when they went to the Windows 2000 MCSE, and it was something called Volume Shadow Copy Service. What that means is, anything on your system, if you right-click it and turn on something called versioning, what it does is, if you were to delete a Word document, for example, and modify it, well, every time you make a change, Microsoft Windows creates a previous version of that document. So you can go into your computer, even with the versions that we use now, right-click any document, go to Previous Versions, and if you have the shadow service on you can see all the different versions and actually restore it. So if you modified the document the wrong way for the last five hours and you want to go back to where it was before, you can do that just within the operating system, whereas right before that we would have to go get backup tapes and all kinds of stuff like that to restore those documents. And that was
a service that was key, because what happened for me is I went into an interview once where they gave a scenario on how would you go about restoring these documents if they got deleted. It was a network engineer position, and everybody else that interviewed, what the manager told me was that they said, "Yeah, you would go into your backups and restore from backup and do this, this and that." And I said, "Well, I would just make sure Volume Shadow Copy Service is on, and then I would just restore the previous version." And they were like, "But what's a Volume Shadow Copy Service?" And I was like, "Well, that came out..." So it led to a whole twenty-minute conversation of me explaining it and what that was and showing them, and the only reason I knew it is because a month before I had gone and done the latest MCSE certification, and that was one of the new things that they added. So it was a situation where I clearly got the job. There were people who were more experienced than me and had definitely more hands-on experience, but they didn't know that thing, and I knew one thing because I was up on my certifications. So I think it works both ways, and you really just want to try to have both. The one that you have control over, that you can fix right now, is the certification. The experience one you have less control over, you just have to wait and get that.

Right, fantastic, good answer. Okay, so here's one more submitted question before we move on to the live questions. This person is currently working on the CompTIA Network+ and the IBM cloud application developer certifications at school. Should they be looking for network analyst or cloud technician jobs first and then transfer to the cybersecurity field, or should they start pursuing entry-level cybersecurity certifications such as Security+ and then look for a job in cybersecurity? So this is again the interesting certifications-versus-experience question, so really interested in what you think about this.

Yeah, I mean, I
would probably lean more towards getting a cybersecurity certification first and then trying to get an entry-level job in cybersecurity somewhere, and then you can still backfill the network skills and the cloud skills on your own, or maybe as part of that job. Because my thing is, if your eventual goal is to get into cybersecurity, you can still get into it and backfill the skill sets that you need to really be good at it. And, you know, I'm a proponent, like, everywhere up to now I've said that to me the best path is you master networking and master operating systems and all these other things first, and then you move into cybersecurity. But you can definitely do the opposite. You can get into cybersecurity in a very entry-level fashion and then backfill, learn those other things. So I would say, if you're really trying to make the jump now, look at Security+, make some connections, see if you can get an entry-level job, and then move into cybersecurity and backfill on the other stuff. And keep in mind, there are other cybersecurity roles too that don't even require so much of the networking and things like that, because there's a lot of management jobs, there's a lot of jobs that aren't really technical at all, compliance-based jobs where you just have to make sure organizations are compliant. So I think a lot of that question really depends on what it is you're trying to do in cybersecurity. Are you trying to do a technical career, or are you trying to just be in cybersecurity, period? If it's just trying to be in it, period, then I would say jump in and give yourself some time to explore. And that's another thing too, I want to tell people: don't be afraid to start a career or start a path in cybersecurity and realize it's not for you and say, "I don't like doing this, I want to do something else in cybersecurity." Absolutely don't be afraid of doing that, because that's where you're really gonna excel
is when you start doing stuff that you want to do.

For sure, and I think that's an interesting point, doing stuff that you want to do. This industry has so many different portions of it. Like you said, there's auditors, there's engineers. Something that I think is an interesting job is people that develop security content for training, like some people on our team, who develop different security education. I think that's an interesting job that some people can go into if they don't necessarily like all of the hands-on, but they have the experience and knowledge on how to develop this material to teach to others. I think that can be an interesting path to go down as well. And there's just so many different roles that need to be filled. I mean, if you go on any job website right now and just keyword "cybersecurity", which I did the other day, working on a different project, looking at different roles that were available all across the country, there are so many different titles and so many different roles that are options.

Absolutely.

All right, well, now let's move on. Some questions are coming through the Q&A panel here, and keep submitting those, to all the attendees that are on with us today. So the first question is from Will, and he said: what is the difference between CISSP and another certification? Which certification is more valuable for people who want to have a fast track? And that kind of touches on the question just previous, so what are your thoughts there?

I mean, I think if you're trying to fast-track yourself into cyber, you have your usual suspects: CISSP, Security+, Network+, CEH. Those are kind of the ones that, if you look at cyber jobs... I mean, I would bet you that it would be nearly impossible to do a search on Monster or CareerBuilder for a cybersecurity position and
not see at least one of those three certifications. So I think getting those three, or getting one of those three, would be like your quickest way to at least get the attention of some people recruiting for cyber positions. But again, the key there is, you know, make sure that you have an idea of what it is you want to do before you even embark on that mission, because that's going to dictate several things. One, what you want to end up doing is going to dictate the order at which you get those certs in, and then secondly, what you want to end up doing is gonna dictate which certs you get after those three primary certs. So I would say have an idea of what it is you want to end up doing before you try to fast-track into cyber. Like, know what you want to do after you get in, and then fast-track in.

Right, okay, very cool. Well, thanks for the question, I hope that helped a little bit. Another question that kind of came through is, this person is trying to transition into cybersecurity from their current career working in the public school system. So they recently got a Security+ certification and a Bachelor of Science degree in cybersecurity, but they don't have any professional or paid experience. So they've searched and found hundreds of cyber jobs in the metropolitan areas, but the entry-level or Tier One jobs generally require three years of experience, from what this person has found. So he's being told that he doesn't have enough experience. How can he overcome this and convince employers that he can do the job? He or she, I'm not sure.

Yeah, I would definitely say, you know, with that question, you probably want to make sure that, you know, you again have an idea of what it is you want to be doing. And when you go into these interviews and you run into that whole thing of experience over certifications, I think you kind of have to ask, well, why did they even call you in for the interview if they really... there had to be a reason that you even got called in for the interview, so
there may be some other things that's going on that's dealing with it a little bit, that's you not as attractive. You know, maybe look at the skill sets they have. But then also, one way to overcome that is you might have to do, like, some volunteer work and things of that nature. Like, go to your local nonprofit organization, one of your nonprofits, and just volunteer to do a pen test or security audit or some security consulting thing for them, you know, on the house, kind of, just so that you can have it on your resume that you've done these things, you've actually got a client, that's someone I can call as a reference and say that you've actually done these things. That, for me, is one way to kind of get past that experience challenge, because that is definitely a challenge that I even see myself with employers. And, I mean, I advise employers to kinda, you know, just take a look at least behind the curtain sometimes, even if the person doesn't have the experience, take a look at it. Because again, I got my best pen tester, like, now she's my best pen tester, and she didn't have any experience that was required, but because of how she approached the interview I kind of decided to take a shot, and it was definitely worth it. So, but for you guys trying to get these jobs, definitely just continue to get the certs, because again, the whole thing, if you run into employers that clearly value experience, there is no magic thing that you can do to get around that. You just have to keep interviewing until you get somewhere where that's not the case. But the main thing is, while you're doing that, while you're, you know, preparing for those interviews, keep preparing for certs, keep learning, because again, to me, like, when that opportunity comes you better be able to hit the ground running, and the only way you're gonna do that is to keep learning as if you already know you're going to get the job. So keep preparing for the job that you want to do, and that will set you up
for when that luck happens, or when preparation and opportunity finally meet, you'll be prepared to take advantage of an opportunity. I think some people get frustrated with that conundrum and they stop preparing, so at that point they are not even prepared to take advantage of the opportunity when it does present itself, or worse, they're not even aware that the opportunity's there, because they unplug from cyber to where they're not familiar with what's going on now. So I think you just have to really just stay at it, but in the meantime don't waste your time. Keep preparing, keep getting the skills, so that when you do see somebody that will take a chance... because, to me, for example, the thing that I look at the most is, I always give technical interviews. So I will give you a laptop with the Kali CD and say, "Do these things." So when you run into somebody like me, that experience is not gonna mean as much as you might think, because you can have a lot of experience doing something the wrong way. You know, so you've been testing for five years, but you've been doing it terribly for five years, then I don't want to hire that person either. But if you're kinda new to it but you've actually got some solid skills, and I see that in your technical interview, then I'm definitely gonna hire you over the person that's got experience. So I don't think that's going to necessarily make it easier for you, but just to encourage you, there are some of us out here that look past that experience thing, and we look for the actual skills, because sometimes experience doesn't always equal skill.

Right. And now, going off of that, what percentage, or in your experience, when people are hiring for cybersecurity positions, how many of those include a technical interview or a time to showcase their skills? Or is it more specifically just kind of looking at that resume, looking at those years of experience, and looking at that list of certifications?

Well, I think the list of certifications and that type of stuff is what's
going to get you the interview. Once you get the interview, if they're expecting you to do pen testing, you're probably going to have to do, like, some technical stuff in your interview. If they're expecting you to do a technical cyber job, I can't imagine a lot of places not at least having you do, like, a little test where you have to actually do things. So I think that's more likely what you're going to see, a technical interview. But if you're interviewing for an auditor position, then don't expect to go in doing something technical either.

Sure, okay, that sounds good, and that makes sense, you know, again, just with the variety that there is. So another question that came through is from Michelle again. She's interested in, likes the idea of, potentially, you know, transitioning from her education career into education within InfoSec, or within information security, technical education. Is there a specific certification you would recommend for someone who is interested in teaching cybersecurity?

Oh, which one, which question is that?

This one came through on the chat panel.

Okay. Yeah, I would definitely say that if you want to teach it, like I said, cybersecurity is a very broad thing, so if you start off with broader certifications, like Security+ is on the lower end of broad and CISSP is on the higher end of broad, so those, I think, are two good starting points, because it gives you visibility and insight into a lot of different things cyber, and that sets you up as a good teacher for whatever specialization you want to go into teaching, because now you can speak to other things that are, you know, to the right or the left of what the main topic is, what about topic type of thing. And that, to me, makes you a much more fluid instructor, if you have the ability to, you know, kind of seamlessly go from one topic to the other, get off track a little bit but not enough to distract people, and get back on topic. So I think that would be some certifications that would be good
to start there with.

Sure, good. Here's another question that came through on the Q&A, kind of interesting, about, you know, the location of cybersecurity jobs. So this person is asking: it seems like companies in Silicon Valley are looking for people with a lot of experience and are super competitive. Are there other areas of the country more open to taking a chance on someone without a lot of experience? If so, any suggestions on a metro area that might be good for this person?

Yeah, I mean, I don't think it's so much the metro areas. I think people have to just kind of lower somewhat their expectations of what job they're gonna enter into cyber with. Like, you're not going to enter in with this dream pen test that you see, you know, people talking about on the internet, because they've probably done other things too, you know, to work up to that job. Also, you know, take some time to actually go and talk to places. I just did an experiment, you know, a few months ago. I went downtown, you know, Chicago, and I said, I'm gonna spend the next two days, you know, six hours a day, just walking into buildings, because there's so many office buildings downtown, there's literally thousands and thousands of companies. And I went and just walked up and down, you know, knocked on doors, rang bells, walked in to the receptionist, and just asked if I could leave a resume because I'm looking for a position in cybersecurity. I mean, I'm not really, and it wasn't really my name on the resume, because if they googled it they would be like, yeah, this guy can't possibly be looking for an entry-level position. So I had some fake stuff on there, just to see. And it was amazing, because within the first day, I think I dropped off probably 60 resumes that first day, and by that afternoon I had got about 17 calls.

Wow.

And I specifically structured it to where, you know, the skills that I had, I had Security+, and I had on there "studying for CEH", and I had, like, just some very extremely basic skills on there, and I got
17 calls, you know, that first day, from just walking. And I didn't do any LinkedIn, I didn't do any emailing. I literally walked into those places and just left resumes with the receptionist or whoever happened to be there, saying, "Hey, I'm looking to do some entry-level cybersecurity work." So I think, for one, you have to make your expectations realistic as to what position you're trying to get, and start thinking about doing some unconventional things to market and sell yourself, including the way that you used to have to do it, which is, like I just described, walk into places and actually say, you know, "Hey, I'm looking to get into this field." Because you never know, you might walk into a place and they might be having a security incident or something, or somebody just got a phishing email right then.

Right, you know, run into that. That's a very interesting experiment, I like that. I think when you first started saying you walked into different Chicago office buildings, I kind of first thought this was going to be an experiment on, like, physical security, you know, seeing how many people would let you in or buzz you in without a pass, or that kind of thing, because even that's a little bit of a tie into the cybersecurity field, with, you know, who can get on your network or who can, you know, have access to the different businesses, and that's always interesting to see as well. But I really like that experiment of just kind of handing out the resumes, and that's just a way to make yourself more memorable and make yourself noticed right away, because it is so rare that, you know, a physical resume is given, unless it's perhaps a job fair or something like that. So that's a really interesting tip. I think, you know, I would like to see more people try that, and if anyone has any cool stories to share, send them to me via email, it'd be interesting to hear about. It looks like we've got time for just a couple more questions before we move on, so another question is:
InfoSec and cybersecurity are such broad terms, and I'm specifically interested in digital forensics. Any suggestions for certifications that support a forensics path more than security and other preventive measures?

Oh yeah, there's definitely some certifications specific to digital forensics. I would say any of the, like, CHFI, the CCFE, you know, all found on the InfoSec website, specifically for digital forensics. And then, kind of as a crossover, the incident response training. There's a lot of forensics involved in that training and that certification as well, because when you do technical response, a big part of it is actually doing some variations of forensics, whether it be network, host, memory, whatever the case may be. So I think driving towards those certifications, CHFI, CCFE, and then some of the incident response certifications, would probably be where you would start if you're trying to do that type of thing. Now, as far as defense, because I think it said something about defense in there as well, I think at that point it becomes a lot more vendor-specific. You know, like, if you're gonna have an entire Cisco infrastructure of Cisco firewalls, then you want to take and get Cisco defense certifications or Cisco security certifications. If you have Juniper, then you want to get their certifications.

Right, really tailoring that to meet your needs.

Mm-hmm.

Sure, very good. Well, you know, as we get kind of close to the end of our hour here, we're going to go ahead and move on, but I just want to again thank everyone for the fantastic questions, and everyone that submitted them in advance of the webinar as well as live today, and then of course Kieran, with us today, so appreciate you having us, or having us with the webinar today. So I wanted to go ahead and move on to just some information real quick on InfoSec Skills, which is our new platform that is different, for testing all sorts of cybersecurity skills, and not only
testing but learning as well. So, kind of what you can do with this platform, and I don't know, Kieran, if you've gotten to play around on here much yet, but it's really neat. There's VMs on there, there's practice exams for different certifications, so really helpful for people who are, you know, not sure what they want to get into. Great site to just kind of go into a few different areas and experiment a little bit with different practice exams, excuse me, you know, different learning modules, that kind of thing, and really find out what you're interested in. So it includes over 300 courses and 45 skill and certification based learning paths, so really interesting. I would recommend just kind of taking a look at that, and that's InfoSec Skills. Also a very affordable platform for anyone who is interested in giving it a try. With that, some exciting news for the webinar: we are going to be giving away a one-year subscription to InfoSec Skills. So Kieran, what question do you think was the most beneficial that we kind of asked today? And I can go back if needed.

Yeah, I think it was, I kind of took notes here, Shandra's question about, you know, how to set up something to practice and how to go about doing that, because I think that question allowed us to answer a lot of questions as far as, you know, where to practice and how to practice safely, and I think it will save a lot of people from going on eBay and buying a whole lot of equipment that they're just not going to need.

Right.

Well, I think that was probably the best question, my favorite question.

All right, well, Shandra, congratulations. We're going to go ahead and contact you after the webinar today to get you enrolled in that, and go ahead and start practicing. So you're welcome, I see you say thank you in the panelists there. No problem, expect an email from me later this afternoon. With that, it actually looks like we've got a couple more minutes left. Kieran, would you mind sharing just
a little bit about what you currently do? And so, you told us about kind of how you started in the industry, and I think this might relate to the one last question here, which is: how do you start your own cyber consulting business? So I think that kind of ties in with how you've progressed throughout your career.

Yeah, I think that's a good question, and honestly, for me, like, the thing that I think was most valuable is, first of all, you need to become really good at doing cyber consulting. You know, like, there's a whole lot of business concepts, but that stuff is not going to help you if you're not good at it, you know.

Right.

But you have to become really good at what you're doing if you're going to do cyber consulting, and the best advice I would give is, number one, focus on something. Like, find a specialization in cyber consulting and focus on that, become very, very good at that, and then if you see opportunity to grow other areas, do that. Because I started specifically doing pen testing as my cyber practice, and that grew into a whole lot of other different things that we do now, but I was careful not to branch into other areas until we really had a lock on pen testing, and then forensics, and then incident response, and now threat hunting has become, like, the fastest-growing business area for us. We get a lot of RFPs for that. So I think doing it that way, and the other thing is, make sure you see a lawyer, an accountant, an insurance person. Like, see those three people first, because a lot of your questions will be answered just from talking to those two people.

Sure, fantastic. Well, again, Kieran, thanks so much for joining us. Your insight is just always so valuable and helpful for those, you know, both already in the industry as well as those who are just starting out and kind of looking for a pathway, so definitely appreciate you joining us. With that, it looks like we're coming close to the end of our time here, so we will wrap up, and I hope everyone
has a fantastic day.

All right, thank you.

1 Comment

One Reply to “Ask an expert: How to start and advance your cybersecurity career”

  1. Earth Changing Extremities says:

    Great video
