
Training The Cybersecurity Workforce On A Shoestring Budget

BSides Charlotte · 2020 · 54:42 · 54 views · Published 2020-10
Category: Career
Style: Talk
About this talk
This presentation will discuss various options for training IT security staff at a low cost. It will enumerate various means of establishing professional credentials, provide a brief “buyer's guide” to professional security certifications, and offer an overview of inexpensive training that will support those credentials.
Transcript

this hi i'm my name's stephen kirby and i'm a security engineer with brightspring health services in louisville kentucky and i'd like to thank you for uh stopping by my talk on training the itu it security staff i'm glad that i'm glad that you've decided to attend bsides charlotte and i'm grateful that they invited me so hopefully we can make this an informative and potentially entertaining session a little bit about me uh i'm a former graduate student in history i'm eminently qualified to work in it i was a graduate student in history in my younger days i was a reference librarian for about 10 years i've been exposed to i.t for almost 30 years now

beginning back in the late 1980s when we set up a small local area network using artisoft lantastic which nobody remembers these days uh we moved on to novell netware a little bit later and i did netware for a couple of years and then discovered unix and i've been doing unix systems administration off and on now for about 26 years going back to some dusty old versions like dec ultrix or sgi irix that haven't been supported haven't been used hopefully in quite a while i started with linux very early on about 1993 in fact my first version of linux was running yggdrasil the kernel was 0.99 patch level 5. so linux and i go back a ways as i

mentioned i currently work as a security engineer and importantly for this talk i hold multiple security certifications and that's important because as you know anybody who's certified obviously knows what they're talking about right i should offer a disclaimer uh that the views and opinions expressed during this session are entirely my own my employer is unaware of the contents of what i'm going to discuss in fact most people i work with don't even know that i'm presenting so this is should not be construed as official positions of any previous or current employer unless you've been living under a rock or in a cave for the last five years you know that it's pop it's popular in the security

press to say that skills are in short supply particularly cyber security skills uh we have a quote from 2019 that the skills shortage is getting worse uh it could cost us millions of dollars there's a war a virtual war raging for cyber security talent there are thousands of information security jobs that are going unfilled there may be as many as three and a half million unfilled security jobs by 2021 that's next year uh i personally have my doubts that the situation is quite that bleak i think that there probably are some issues with structural imbalances but and this this was really real this is really geared for a physical conference and i hope to be

hopeful i'll be able to find out next year if maybe i've just missed something but if the skill shortage is really as bad as people make it sound wouldn't a security conference like b-sides look more more like this look more like a fraternity rush party none of the conferences i've been to in the past have looked like this i mean maybe the kegger was someplace and i just missed it i was on the wrong track and i look forward to going back to another conference next year and actually being able to test this hypothesis for myself but for the time being i would have to speculate that maybe there's something else at play that maybe we're not we're not suffering

from a skill shortage so much as we are a credential shortage i think the skills are there the talent is available but it's simply not qualified because the way that we hire security uh personnel i mean most security positions are not entry level they assume two to three years of somewhat of some experience uh managing servers or networking gear or desktops or whatever so that you have some idea what the assets are that you're trying to protect one of the reasons that we may have that shortage is because security training is so damnably expensive uh for example if you wanted to get training from comptia for their security plus certification which is a very popular

and very widely recognized uh entry-level certification comptia wants about 2,500 to train one individual to study to prepare for that certification and that's a lot of money uh particularly in large corporations where the trading training budget has historically been viewed with some suspicion i've heard it said that security budgets are the last to grow and the first to go when time when budgetary times get tough when there's a need to cut budget or trim costs training is often one of the first first casualties one of the reasons for that is that the link between training and corporate strategic goals are not always clear or at least not made clear uh to the budgetary authorities

and finally a lot of places including most places i've worked training is viewed as an employee's responsibility we hired you because you were good and we expect you to do your best to stay that way and it may not necessarily be the company's uh position that they need to be actively involved in that i understand that's not universally true and if you find an employer who is willing to invest in you that is definitely a feather in their cap as far as i'm concerned on the other hand as many people have said i've seen it most often attributed to napoleon if you want a thing done well you may have to do it yourself and that's really what i'm here to talk

about today ways that you can provide security credentials that will impress an employer qualify you to move from maybe a systems administrator or network administrator role into security and maybe make a career change or a career path change to the security field there are a number of ways that we can do that uh one of the most common historically has been higher education institutions in full disclosure i spent 25 years in higher education i'm a big believer in it but it's particularly as we have seen it during the pandemic it's not without some issues for example it's expensive uh we'll talk about that a little bit in a moment and right now people are objecting to

have to spend having to spend full cost for classes that are being offered remotely uh degree programs can take a while uh sometimes full-time a four-year degree well it takes four years there's no way to streamline that and if you're taking classes part-time uh that could drag you out even longer that it's not that local community colleges and universities aren't able to to provide training but it's expensive and it's slow for example i live in louisville kentucky and across the river is purdue university the state one of the state universities in indiana it's a very fine institution with a great reputation in information technology and i.t security generally uh gene spafford who would probably qualify

as the founding father of i.t security at least in the united states has been affiliated with purdue since the early 1990s so it's a very well respected program but it's not cheap if you notice their program requires 180 credits for a four-year degree that we're at 371 dollars per credit hour if you extrapolate that 180 times 371 works out to 66,780 for a four-year degree the future value of that degree assuming in the 30-year a 30-year career and an eight percent interest works out to about almost seven hundred thousand dollars works out really to about twenty two thousand four hundred dollars a year which means that if you go that route and get that degree

the first twenty two thousand four hundred dollars you earn every year for the next thirty years goes to paying off basically the future value of that education you're gonna have to amortize it that way so that means that if you're making fifty thousand dollars a year for your first first job and that which seems a little on the high side to me that you're only really clearing about uh 26,000 because you're having to offset the income that that you lost that you could have could have earned or could have you could have acquired simply by investing that money uh in some sort of security over time that's expensive uh it has its advantages i don't recommend people avoid higher ed

but if you're looking to make a career change or if you're looking to transition into something else it's an expensive and very slow way to go there are some alternatives even within higher education we have what are called a mooc or moocs massive open online courses these are generally offered by large universities some of them with some of them world-class universities that you would have a difficult time getting regular admission to but you can take classes with them you can audit the classes very often for no no charge at all or you can take you can get a certification from them that doesn't carry college credit for a reasonably nominal fee there are a couple of them i'd like to talk about

the first one is edx which was started i guess probably 10 or 12 years ago now by mit and a couple of other institutions in the northeast if you notice down at the bottom those are not inconsequential institutions that are involved with edx most people will recognize those names i don't want to spend a whole lot of time on it because it appears that edx has recently changed its business model and their certifications have gotten considerably more expensive than they were when i first started putting this presentation together they are available though if you want to audit just for just to gain knowledge that's not a an unwise course a course of action so i will mention it but i'm going to

focus a little bit more on one of the alternatives and that is an outfit called coursera coursera is also also provides training from prestigious universities i'm very fond of the university of illinois one of the ones mentioned there at the bottom because that's my beloved alma mater uh but duke university in north carolina is there the university of michigan uh ibm obviously these these are prestigious institutions or large corporations with a good reputation in the industry and all of them offer courses of some sort through coursera not all of them necessarily are offering uh information technology classes or security classes but they are they are available for uh study as i've mentioned most most moocs offer

the ability to audit courses for free coursera does that fee payment is required for formal certificates or former formal credentials through coursera but it's very reasonable starting about 39 a month and you pay for as long as it takes you to complete the course so it can be if you can cram a little bit more in it might you might be able to save some money that way they do offer financial aid if you're looking at an ambitious program some of their programs can take up to a year possibly even longer i don't know for sure most of the ones i've looked at have been in the uh three to three to six month range and

those will be the ones that i'm going to focus on but if it turns out that the cost is an obstacle uh you might be able to negotiate something with coursera where they will be able to provide some assistance with tuition one of the courses that i would call special attention to if you're just starting out is this one from new york university's college of engineering uh it's it's offered by a gentleman named ed amoroso amoroso used to be i believe he was a cs the ciso or cso at at&t for a while uh and he has a fascinating background he's been around for a while and the stories that he tells in class

some of the anecdotes are rich just because of the historical value so if you're looking for a place to start i would recommend this very highly i have i've actually audited this course myself because i was curious what it was about and i have to say i enjoyed that process tremendously another one that is very fairly recent i just discovered the next two in the last couple of months and i've talked to a couple of our younger people at work that are have started taking at least the first course the certificate program from ibm on cyber security analyst and they've been very impressed with what they've seen so far this is an entry-level certificate that

off i think it takes about three months to complete uh and would be an entry would be a good entry-level credential to be able to show to somebody that it demonstrates that you can complete some that you can complete a task you've got a you've got to validate your interest in knowledge in security and as i say might be a good place to start if that's what you want to do if you've decided that's what you want to do if you want to get a little bit more serious about it ibm also offers what is called a specialization and that's more extensive uh training and security matters i think it i think this one runs six or

eight months something like that so it's a little bit more involved but uh it's an extension of the certificate program it both of those might be worth taking a look at and as you notice on the screen uh you can do a seven day full access trial to see if this is something that you might be interested in to kind of get a feel for what these courses might be like and what what they're going to cover i've got one more that doesn't really fit the mooc uh model but i didn't have any place else to put it so i'm going to talk about security blue team this is a british outfit that has just recently started i think in the

last year or two they are now providing training for what they as they say defensive cyber specialists the the name pretty much explains it uh they currently offer courses uh i think the cost was about 20 20 british pounds which i believe is about 30 dollars per course the last time i looked i didn't i haven't verified it lately but it would be worth looking at and at the end of each course uh level one level two level three the theory is that you'll be able to take a certification exam that validates that you've you've learned the material uh level one is available now levels two and three will be forthcoming probably in the next year or so

but again if you're looking to uh cut your chops and show that you have some uh background that might be of interest in possible use to an employer this would be another place that you might want to start the big question that we want to talk about though is are you certifiable i've had people tell me that i am for years but i think they meant in a different context here we're talking about cert being certifiable in the context of information being of information security uh certifications have a lot of advantages over more formal uh forms of education the big ones are they're faster cheaper and more directly focused on job skills because a lot of these are designed to provide

to document that you possess skills that employers are looking for and that's how these credentials are able to earn their reputation

one potential model or road map for deciding what certifications you're interested in would be the department of defense's 8570 section 8570 program if you're going to work for the dod in any capacity whether it's a civilian or as a service person you're going to need to be aware of this because these are certifications that it are required to advance and to even qualify for entry level positions it's not something that necessarily is looked at quite the same way in private industry but it's a useful guide because it gives you somebody somebody some influential employer's idea of what certifications are worth i mention it here it's kind of a reference we'll come back to the idea of a road map a little bit

later towards the end of the session but if you're looking for places to start and what certifications you might want to aim for in the future this is one possible way of finding that out uh other there are other ways i mean i've seen very often uh people cite the number of times that a particular certification is mentioned in job ads that's a little bit hit or miss because you don't know whether that certification was listed as a requirement or as desired or as an example of something that's required or desired so this provides you something a little bit more tangible than just the idea that it got mentioned in somebody's advertisement the first thing i want to talk about

would be vendor certifications and there are a couple of vendors that i think merit particularly mention microsoft does offer a nice introduction introductory level certification in security and then the other vendor has been cisco historically cisco has been a major player in security certifications but it looks to me like some of the changes they've announced in their certification programs lately indicate that they're kind of stepping back from that a little bit microsoft offers their technology associate certification and as i say this is entry level it's aimed at recent high school or college graduates or maybe someone who's working on a help desk somewhere and looking to advance to a different position it's it would it would be almost an

ideal first certification and there are several advantages to it it's not a terribly expensive uh certification uh there are a number of ways that you can prepare for it we'll talk about some of those and it does provide documentation that you're familiar with some of the core security concepts as well as that you can see a program through to completion there are other microsoft mta microsoft mta certifications besides security some of those might be worth investigating as well for example they offer one on windows servers administration they offer an introductory networking certification all those might be useful to look at but i wanted to call special attention to the security mta because right now that's i as far as i

know the only security certification that microsoft offers i mentioned cisco and not too long ago they introduced the certified cyber cyber ops credential and it is still available it is one of the it is the main security credential now that cisco offers uh it is an introductory level certification but probably on a little bit higher level than microsoft's mta uh if particularly if you're coming from a networking background and you want to explore what might be available in security and possibly make a transition this would definitely would be something that you would want to investigate of

the used to be a cc there was a ccna or cisco network associate i believe it is in security and apparently that doesn't exist anymore uh there's now one ccna to rule them all and it is a general credential so i'm not sure how long organizations are going to recognize the old ccna i would assume that those are going to be grandfathered in and will be good for life but i have i guess that will probably vary from institution to institution but i did want to mention that it looks like cisco has stepped back a little bit from the prominent role that they used to play security certification probably because network security is network certification is really their

core business and there's a lot of other competition that makes the security route difficult and expensive for them to maintain we need to talk to about some certification bodies some of the most important ones would include comptia the computer technology industry association they offer several security certifications including one we've mentioned already security plus that is probably the best known entry-level security certification on the market and it's certainly well-regarded one they offer several others a cysa plus which is the cyber security analyst i believe it is a blue team certificate if you are looking to become knowledgeable to demonstrate knowledge and background in blue team activities in incident response or cyber self-defense that might be a security certification

that you would want to pursue it's an intermediate level certification as is pentest plus which is its counterpart uh as the name suggests pentest plus is a red team certification for people who like to break into systems but with a white hat for they're doing they're using their power for good as you should uh it is a relatively recent certification i think it came out in 2018 if i remember correctly uh and it's got a developing following but it i don't think it quite has the uh recognition that some of the other uh comptia certifications do as of yet the last one to re to mention is the casp plus uh i hold this one it is

that is geared towards senior level security people with 10 years of experience who don't want to go into management who want to remain technical and that's how it uh seeks to differentiate itself from other certifications that we'll talk about here in a minute uh i read on dice.com back during the spring that this is one of the emerging certifications for 2020 so if you fit that category where you're looking for a senior level certification but you don't necessarily want to pursue a path that will prepare you for management casp plus might be one that you would want to consider one of the neat things that comptia has started doing in recent years is the concept

of stackable certifications and what that means is that if you earn two or more certifications you get an extra certification as a bonus for example uh if you get the security plus and comptia's cloud plus certification you automatically qualify for the secure cloud professional certification without having to take any other additional exams and as you progress you can actually it almost gets to be like a video game because they they do multiply so quickly uh if you i think ultimately you can get i i have a number of them it and it makes for an impressive impressive looking collection i guess if you just value having stuff to hang on the wall but these are all valuable

certifications that i think would be of interest to employers at least they have been to folks that i've talked to and i thought i'd mention them because that is another another path to demonstrate your knowledge the next one that i want to talk about is isc squared or the international information system security certification consortium say that three times real fast there's a reason why it's almost universally known as isc squared isc squared offers two very well known certifications uh the lower ranking one would be the system security certified practitioner and if i were going to recommend a an initial certification for someone with maybe two to three years of experience on a help desk or

as a junior administrator of some sort this would be the one uh sscp is a natural transition to the cissp that we'll talk about in a moment uh it is it does have isc squared's reputation behind it so it has it does have some influence uh it's also considerably cheaper believe it or not than some of the other uh alternatives i i think most places i've seen a voucher for example security plus running somewhere around three hundred dollars the event the voucher directly from isc squared for sscp is 249 dollars and again i can tell you from experience that studying for sscp will get you a large percentage of the way towards cissp which is the next

certification we want to talk about the cissp is probably the gold standard for security certifications in the marketplace in 2020 and has been for quite a while uh if you are looking to become cso at a company or if you are looking to become some form of technol of security management cissp is going to be an almost a requirement and if you're looking for even some senior level technical positions like a an architect position a lot of employers are going to look more favorably on the cissp than any other credential the downside to the cissp is that it's expensive uh i will i don't recall exactly what the latest uh certification costs but i think it's

about eight hundred dollars so it's not an inexpensive examination to sit for but the return on the investment can be quite high uh and as i say it is the gold standard for security certifications so it's definitely one you need to be aware of if you weren't already another not necessarily gold standard but definitely on approaching the isc squared level would be isaca uh which had the good sense to change its name from the information systems audit and control association to just isaca because nobody nobody used their real name either and they offer several interesting credentials one that i was surprised to find out i just discovered the first one a few months ago and that's the

csx cyber security fundamentals certification again it's an entry-level cert uh and it is also quite reasonably priced as well it does not have an expiration date uh with security plus and sscp you would have to recertify i think after three years i know in the case it's three years in the case of security plus and i believe sscp is the same the cyber security fundamentals uh certification from isaca does not require that so once you've earned it it's yours it's yours to keep forever probably their two best known certifications are excuse me the cism cssm the certified information security manager which as the name suggests would be very appropriate for someone looking for a management credential

and then the certified information systems auditor those last two are definitely senior level credentials so they would be something that you would aspire to after five to ten years experience in the security field as you are ready to make a transition from a hands-on techie to managing hands-on techies and the auditor obviously is geared towards people who are going to be uh auditing involved in auditing and compliance uh both of the both of these are widely recognized and widely respected credentials and anything from isaca is going to have name recognition with employers the last certification body i want to talk about is mile2 uh this one has been this body has been somewhat

controversial on certification discussion forums uh because there's some question as to how widely recognized their certs are full disclosure i have three from them in fact mile2 is basically what i have done during the to keep myself entertained during the coronavirus pandemic mile2 specializes in alternative certifications a lot of their certifications are loosely based on something else the advantage that they have is they don't have some of the overhead for example work experience requirements that are required to even sit for something like the cissp or the cism or cisa you pass the if you can pass the test you qualify for the certification and that's the end of the story and these are not

these are not simple certifications uh for example i've mentioned that they're some of their certs are generally based on other more widely known certs uh the cisso comp that compares to the cissp in fact mile2's version was developed by the same gentleman kevin henry who developed the training materials for isc squared's cissp so he's very knowledgeable about about the material and from what i can tell they cover a lot of the same questions they just it just doesn't have the necessarily the same recognition but if you've got some other certifications to hang your hat on that may not be such a big deal uh other certifications for mile2 that might be worth mentioning would be

the cissm which maps to the cism from isaca there is a cissa that compares to the cisa from isaca and the c-i-a-h-e which is an incident handler certification that compares to the giac or sans institution gcih which is simply not going to be in my my budget anytime soon uh either to prepare for or to sit for i mean sans exams certifications are very widely regarded very highly regarded very widely respected but they are prohibitively expensive unless you can find at least for most people i know unless you can find someone else who's willing to to pay the examination fee so in to summarize so far here here's one possible set of uh career paths that you might might follow

as you look to advance your credentials in cyber security you might want to begin with something like the microsoft mta or cisco cyberops security plus sscp or the cyber security fundamentals certification from isaca uh those would require anywhere from zero to probably three years of experience uh before you can before you can really get the most out of them uh you if you have a little bit more experience as you as your career progresses you can look at other certifications like the cysa plus that i mentioned or pentest plus the sscp does a little bit of double duty here because it uh covers some of the ground that comptia has split off from what what the

security plus used to be and they've used that to populate their intermediate certs the sscp from isc squared covers some of that same ground uh in a single certification and then if you're if you're feeling ambitious the cisso from mile2 might be a way to get your feet wet and find out where you stand without spending the full price to sit for the cissp and maybe have it qualify as an associate which we you would have to do if you didn't have requisite uh work experience and other background and finally if you're once you reach the seven to ten year mark you might look at something like casp plus or the cissp or one of the isaca credentials is a

way to put a an exclamation point on your career progress we need to talk some about online training providers and where you can go to prepare for these certifications because as i mentioned early on uh getting trained for most of these certs directly from the vendor is going to be very very costly and if you're doing it yourself if you're having to fund your own uh security certification preparation you're probably going to want to do so at the lowest possible cost that will enable you to prepare to pass the certification exam one of the most popular ways to do this or one of the most popular vendors of certification preparation and other training is pluralsight i recommend them

very highly i generally i have had my own subscription uh from time to time i don't have it i'm it's not currently active because i'm doing some other things but i recommend them very highly they provide for example their certification course for sscp and cissp training is developed by kevin henry who developed the training that you would actually pay isc squared to take but you can you can get his uh course directly from pluralsight for a relatively low fee i think it's about 30 a month right now or at least it was a few months ago when i was still i had an active subscription and as i mentioned in addition to certification training pluralsight

offers uh courses on multiple topics that might be of interest to security staff for example software solutions like splunk or ibm's qradar both event log or siem solutions uh vulnerable scanning with vulnerability scanning with uh tenable nessus or if they their course is aimed at openvas but openvas as such doesn't exist anymore it is now the greenbone security assistant gsa i believe uh and it's more of a demo for the commercial product unfortunately but you can still at least master some of the fundamentals of vulnerability scanning by using that product in conjunction with the training on vulnerability scanning that is available through pluralsight and if you're looking for training on security frameworks and that's a popular

topic these days you want to learn the iso 27000 series or nist or pci dss there are individual courses on that that are available through pluralsight very similar to pluralsight is linkedin learning which would used to be known as lynda.com and they've been around for quite a while too they were recently well a year or two ago i think purchased uh by microsoft and merged into linkedin if you have a premium subscription to uh linkedin which again i think is about thirty dollars a month you have access to one to uh linkedin learning again it's very similar uh in scoping and intent to pluralsight you will find training on a wide range of subjects

including a lot of courses that can be useful for certification preparation i want to mention make special mention of udemy in some ways udemy is my favorite of the certification providers they provide they're they contrast a little bit with uh linkedin learning and with pluralsight with those courses you pay a monthly subscription and you get access to their whole range of training whatever you whatever you want to study that at that minute if they've got a course you can take it udemy it's a little bit different you purchase access to a course and then that course is yours for life uh whereas with pluralsight and with linkedin learning you may you will find generally

one course per topic if you're looking for example for security plus training they will have one set of courses uh from usually from one uh trainer that deals with the subject matter udemy is a little bit different you can and will find multiple training providers for most of the major certifications so you have a wide range of choices some of these choices are very very some of these alternatives are very very good some of them are not so you need to pay attention to things like the reviews available one of the nice things about udemy is they do offer a trial so if you don't like the course after 30 days you can get your money

back uh the other thing that is noteworthy about them is that very frequently they offer reduced prices for training courses i don't recall ever having paid full price for a udemy course if you wait maybe a month it seems like inevitably the course is going to be available for 9.99 or 11.99 or something like that as opposed to in some cases the list price which could be over a hundred dollars per course but the advantage that udemy has is that you do have a range of providers if you don't see one if you don't like a particular course you may be able to find one that you do like from someone else for example for

uh the microsoft mta cert security certification here we have multiple courses that could be used to prepare for that examination uh i would call attention to a couple of things here that are a little bit more important than they might be for providers like pluralsight and linkedin you need to check the expiration date or the last update date on each of these courses because sometimes you'll find courses here that go back a number of years in fact if you want to look for i believe that there are still certification prep courses for the previous version of security plus uh that are still available through udemy and if you're not careful you can wind up

buying something that really won't do you much good to prepare for the current version of the examination so you might want to check and make sure that the course is currently being updated and it's also useful to notice the student ratings that might give you some benchmark of how other people have looked at the course they do provide reviews the opportunity for people to provide reviews the way that amazon does for products for example and so you get some idea of what people did and did not like about a particular course and again as i mentioned uh they do offer a 30-day money-back uh guarantee if you buy the course and decide that you don't like it

i've actually taken advantage of it several times and they're very prompt about refunding and that's one of the reasons that i am so fond of udemy as a training provider another interesting uh provider is packt publishing and this is one that a lot of people haven't heard of generally with udemy you can purchase access to a course but if you want to download that say and store it on your laptop most often with udemy you can do you can do that for mobile devices but as far as i know they don't have an application uh that will allow you to download it to a laptop or to a desktop pc

packt allows you to purchase that and similar to udemy uh that matter of fact they offer a lot of the same courses that are available through udemy if you want to if you're looking for a particular one and want to hang on to it for a while you could possibly buy that udemy course through packt publishing but you're able to actually download it as mp4 files and you can actually have a package of full training for generally for often not a lot of money i if you wait again you can probably find something on the ten dollar per course range and they do have uh black friday and

a lot of sales or at least they have the last couple of years late in the year where i one point i think i got 10 for 40 or something like that uh now the downside is that in packt's case you may they may break up a single course into three or four different components and ask for you to pay for each section separately so the cost can mount up but if you if you time it right if you catch it catch them on one of their sales the price can still be quite reasonable and if you don't want to necessarily uh be attached to the internet all the time though that's not quite the problem that

it used to be packt is one way to go they also offer pdfs of what would normally be printed books that can be used for certification training or preparation so that is something else to be aware of they offer they also offer a monthly subscription it was 9.99 i haven't checked it recently i mean in the last couple of weeks to know whether or not it's still that price or not but it is an alternative that you might want to investigate if you're looking for preparation for a particular security certification i will recommend several uh providers that are available through packt as well as udemy uh one is jason dion i've used his

preparation for his materials to prepare for several certifications mike meyers is both a trainer himself and owner of an outfit called total seminars and i found their products to be universally quite good and one that i have discovered relatively recently is thor pedersen uh i'm actually using one of his courses right now to prepare for uh my next certification and i think he does a very good job as well so if you want if you're looking for someplace to start those names might give you someone to look for the downside about pedersen is that he really only targets upper level uh certifications cissp cism cisa as far as i know he doesn't offer any lower level certification prep courses

one more that i would like to mention is cybrary and once upon a time cybrary would have been a favorite uh they used to be and used to means maybe a year ago be famous for offering free training and they would charge you for a certificate of completion the way that a mooc might they've recently changed their business model because they've merged with some other training providers and they're now providing a wider range of training some of it obviously commercial but they've also increased their price to about 49 dollars a month per subscription or 400 a year you can you may be able to find it during specials for a lower price but it's no longer universally free for

anything that they offer and a lot of their good certification prep courses now uh require payment of a fee i don't recommend them as highly as i used to but they're still a lot cheaper than uh most of the formal training from certification providers so it's worth at least knowing about a couple of people that i'll mention is would include kelly handerhan i used her uh training class to prepare for the cissp or in my case cisso uh last spring and it was quite good i caught i got i was able to take it right before it got moved behind i guess you'd call it a pay wall and i recommend it very highly it was the best

cissp prep course i took and as i mentioned that also includes kevin henry who developed the training for isc squared and handerhan's courses are usually i've never i've never taken one that i didn't like and i've taken several and another gentleman i'd like to recommend i mentioned ed amoroso before uh he is now and is a professor at nyu new york university but he also has a couple of courses available through cybrary that i would expect would be very very worthwhile uh i think one of them is a for preparation to become a ciso or siso and the man is definitely qualified to address that topic last but not least this is something

that the uh staff on our help desk turned me on to i don't know about a year ago when i was starting to put together this presentation and that's professor messer uh the advantage that that professor messer's courses have is that they're free not only does he offer for example security plus training he also offers i believe a plus and network plus training if you're interested in something like that but he also offers uh free study sessions online study sessions where people can meet and exchange ideas and discuss uh topics that they've gone over in that week's lecture uh the courses are available for free he makes his money by selling access to training notes and

study questions and things of that nature and his material is surprisingly good given the fact that he's not charging for it i mean you can't it's hard to beat free for price and if you're on a tight budget uh looking for a place to prepare for one of these lower level certifications definitely check this guy out uh there's a link to his website in the slides uh you can you could probably navigate from there to find some of the other certs but i actually recommend him quite highly and have recommended him to other people that in our in our team that are looking to get certified to wrap up and summarize what we've

covered uh i hope i made the point that security credibility is a combination of experience and credentials if you just have the credentials but don't have the experience that's not going to be as valuable as if you've got both if you've been a security if you've been a systems administrator or a network administrator for a couple of years you've got some if you've got some technical skills under your belt that's going to make the credentials a whole lot more valuable than just having just being a paper tiger and having a certification to hang on the wall credentials both the degrees and certifications they complement experience but they do not replace it so just you shouldn't think of a

certification training course as something that is going to teach you skills it's going to help you emphasize skills that you've already developed because that's what employers are really going to be looking for i maintain that systems and networking experience is essential for security work because those are both parts of the part a large part the assets that we as security professionals are protecting and obviously things like patching hardening and configuration skills can be reinforced and enhanced with security certifications because the skills you've acquired along the way could be can be documented uh and you can you can be shown you know how to apply them uh to security work last but not least even after your

career is launched you're going to need to earn continuing education and continuing education credits most certifications with a few exceptions that i've mentioned require them for example for comptia cert you're going to have to earn so many so many uh continuing education hours per year for three years in order to renew your certification you're also going to have to pay a fee i think it's 50 per year the number of uh ceu credits varies from certification to certification and i hope you know that learning never stops uh the fee the reason that continuing education requirements exist is well partly to make sure that there's a continuing income stream for the certification providers i'm too much of a cynic not to believe that

but it's also to help keep people engaged in learning and new developments in the field so i hopefully this this brief chat can serve as an introduction or for a reminder for some of you some excellent low-cost means of learning and i believe we've got hopefully we've got a little bit of time left and we'll be available for questions thank you