Since making the switch from an Army Transportation Officer to a Supply Chain Management in the private sector and now working in Information/Cyber Security, I’ve done a lot of learning. Often, I am asked how I did it. Typically, I respond with the most hated two words in any language on the planet earth: hard work. Albeit true, it’s not as helpful as I could be. So, I figured I finally sit down and take the time to write out what I’ve done and what I used starting in September 2017 to present day to make the career change into Information/Cyber Security.
WARNING: Wall of text to follow
Shortly after making the decision to completely change my life, I realized I didn’t know anything about what I was about to get myself into. So, I started with the basics (which if you are faced with a similar situation I would recommend you do the same).
edX.org was my first stop and honestly, I can’t recall exactly how I found edX.org, but it truly is what got the ball rolling for me. BONUS: It’s ALL free. The following are the two courses I took from edx’s website:
- University of Washington’s Essentials of Cybersecurity. – I took this class to basically a get a sanity check on what I thought I cyber/information security was and if it was really a good fit for me. Not a necessary step, but it definitely did a good job of giving the 50,000 foot overview. If you don’t know anything about cybersecurity, but you just want to learn more and see if this is the right career field for you, I recommend you start with this course to at least learn about what it is. It’s FREE.
- Rochester Institute of Technology Cybersecurity MicroMasters – This course really put the rubber on to the road for me. It was much more “technical” than the U of W course and got into all the basic networking and infosec you NEED to understand in order to be successful in this space. The course also did a great job of introducing risk analysis and management as well. Love it or hate it, risk is a big part of any job in information security. The quicker you understand risk management and analysis, the dividends it will pay for you down the road. If you need to learn the basics, I would highly recommend you start here before you start shelling out money anywhere else. It’s FREE.
Starting with the edx.org courses worked great for me. They were free. They challenged me and most importantly, they got me in the rhythm of “attending” school and learning. I can’t stress enough how important the repetition of learning is in order to succeed in this industry.
About midway through the RITx course, I decided this is what I want to do, but asked myself, “how do I do it FASTER?” So I started searching for boot-camps. Luckily, I came across SecureSet Academy. Luckier still, they had a campus in Denver, CO (their HQ in fact). So, I enrolled in the HUNT program. For those who don’t know SecureSet Academy, is a cyber security boot-camp with two courses lasting from 3 – 6 months.
I won’t go into all the details of SecureSet’s HUNT program or what I learned there as they have an amazing marketing that will provide you wealth of information. What I will say is this, if you have an opportunity to attend either of SecureSet’s programs, do it. Your life will change almost immediately and you will be glad you did. If you’re reading this and would like to as me specific questions about SecureSet’s coursework, comment below or hit me up in our Slack.
Certificates is how information/cyber security rolls. Deal with it. There are good certs and there are not so good certs. There are certs potential employers value and there are certs no one cares about. This is just where the industry is at this point and those who will be looking at your resume (i.e recruiters who may have a hard time opening Outlook) will be looking for those silly abbreviations on your resume when that time comes.
With that being said, I want to take a moment to remind readers to not be discouraged with your lack of certificates if you’re just starting out. They will come and few people start day one in cyber security with a bunch of certs. In hindsight, I probably went a little cert heavy in my first year of infosec, which is why people ask me about how I did it and why you’re probably reading this now. Don’t try to copy what I did or what other people did, run your race. Do what you’re comfortable with and can handle. You don’t want to burn out. This is a career. Cyber security isn’t going anywhere.
So with that being said let’s run the gauntlet:
- CompTIA Security+ (SEC+) – This, for better or worse, is the baseline in the industry. It’s a vendor neutral cert meaning it’s not affiliated with a brand or manufacturer. This is where I started and where many others before me have as well. Consider it the proving ground. It doesn’t mean you know everything, but it means you’ve accomplished something in this industry. A small thing, but it’s at least something and it will help you get the ball rolling on an awesome career path.
- CompTIA Cybersecurity Analyst (CySA+) – This cert was added to CompTIA’s line up last year and is not very well known due to that fact. It was good cert that helped me learn some different tools. It was not a hard exam at all and it added some flair to the resume. I can’t say it’s a must have, because it really isn’t, but it will definitely give you some insights into the analysis side of infosec without getting overly technical. It gave me a good sense of accomplishment as well, which was also nice to have on this learning marathon.
- CompTIA Advanced Security Practitioner (CASP) – This is a cert CompTIA created to compete with the overly celebrated CISSP. In reality the CASP should be called SEC+ PT. 2: This Time It’s Personal. This cert, when originally introduced, was criticized for being too easy. So of course, CompTIA swung the pendulum the opposite direction and made it much more difficult than it should be. In reality, it’s really a more technical dive into the concepts learned/taught in CompTIA’s Security+. For me, this cert was a challenge and a little nerve racking since it’ a pass or fail exam. Go or no-go, something I’m sure a few readers are familiar with. All in all, the best part was again the sense of accomplishment as well as solidifying the core concepts I had learned up to this point. Also, it was a lot cheaper than the CISSP.
- GIAC Information Security Professional (GISP) – GIAC is SANS Institutes’ certification program. I was lucky enough at the time to fall into not only the SANS Institute’s CISSP prep course, SANS MGT414, but also at the end of the course, take this exam. The exam is really a check on learning in preparation for the CISSP exam. I thought the course work was excellent and the instructors and SME’s even more valuable. It’s pricey (course + exam), but if you can afford it (or better yet get someone else to cover cost), I would recommend it. Truth be told, I had no interest in this cert because honestly, I had never heard of it and had almost less interest in taking the CISSP this early in my career. But as the saying goes, “don’t look a gift horse in the mouth”. If you’re just starting out in infosec, you don’t really need this cert or the CISSP. You need to learn the fundamentals, tools and core concepts of cyber security. As I said before this was my race and I just happened to be in the right place at the right time to earn the GISP.
- (ISC)2 Certified Information Systems Security Professional – Where do I start? This cert requires me to speak carefully. Depending on who and where you are, it’s seen as the greatest cert in cyber security or it’s valued less than used toilet paper. But, in the case of recruiters who will inevitably be looking at your resume, this cert for whatever reason is gold. I don’t necessarily agree, but don’t hate the player, hate the game. As for the exam, it’s hard. Flat out. The questions are ambiguously worded, the answers even more so, the scoring is weird and it’s expensive. Very expensive. Especially if you fail. Here’s my bottom line on the CISSP, if someone else is covering cost, do it. You’ll have it, be done with it, and never have to look back on it. As one SANS CISSP Subject Matter Expert (SME) said to me, “I’d pay $10,000 to never take that test again”. After having taken it myself, I can’t agree more. For those of you just starting out, you’re going to hear a lot about this cert. Don’t worry about it. Don’t even think about it. I,t like the rest of cyber security, isn’t going anyway. It’ll be there when the time comes. Focus on fundamentals.
Now, if you have some how managed to read through what is essentially my resume and you have any specific questions on studying for or materials I used to study for those exams, please do not hesitate to reach out. I have all the info ready to send and am happy to share with you, veteran or not.
There’s a lot of resources out there to get the ball rolling in infosec. In some regards, too many are re-hashing the same concepts in disorganized fashion. Here, I want to share some resources I have used and trust to help further my infosec education:
- edx.org – Already covered it above but definitely worth checking out. You can’t get into MIT? No worries, take some MIT courses for FREE. Want to take some Microsoft training but your current employer won’t pay for it? It’s available for free. This is college level and professional level training that is free you can get right now.
- Cybrary.it – This is a go to for many, both within information security as well as those who are just getting their feet wet. There’s a multitude of classes that are very well organized and for the most part, well structured. I’ve personally used it for several of the certs I discussed early. Oh by the way, it’s FREE.
- Professor Messer – This is the man, the myth, the legend. His videos on YouTube will go down in IT/Infosec history as being the single most contributing factor to CompTIA certificate passing scores. His videos are clear, concise, nested in fact and truth. I can’t say enough good things about them honestly and I’ve only watched a few. He also offers study group sessions for those who are willing to spend a little cash, but all the actual video training is FREE.
So, there it is beyond me just telling you it’s “hard work”. Don’t get me wrong, switching careers or transition out of the military to private sector infosec will be hard work. You will have to make sacrifices, things may go wrong, you may fail (I failed a cert test), and you’ll second guess your decision to make this career move. I speak from experience when I say I felt all those emotions and more.
But for that we have Jocko:
As always, I will encourage veterans reading this to join the VetSec Slack channel. We’re growing every day and if you have any specific questions, please do not hesitate to contact myself or any other VeteranSec writers/admins. We’re all here to help and see you succeed, whether you have served or not. Until next time!