I keep an eye on the latest version of the "how to break into security" article. They often have some good suggestions, and I like to see how it has changed over time.
However, this one counts as a waste of time and bandwidth. The first thing I noted was that the style is wordy yet vapid: it takes a LONG time to say simple things and doesn't say much at all. Here is my recap:
[The author] started as a teacher, then got tired of it, went back to school for an MFA, did not expect to become a journalist, has been in the security journalism field for a year, discovered things change fast and everyone is looking to hire.
All actually useful information is promised in the next installment.
The title of this amazing Opus?
Why certificates matter, and which ones matter most
With a title like that I expected more than a promise of information later. Nowhere in this "article" did the author give us solid reasons for certification, a list of certs, a suggestion of what certs matter to which groups... nothing.
Thank you CSO Online magazine for bringing us the amazing article.
I can only hope that when the series is done, the aggregate is useful.
So what should you do if you want to start in the security field by getting a certification or two?
First, have a plan. Second, don't spend money you don't have. I know a number of people who got themselves into trouble spending thousands on certifications dreaming of a high paying job without actually having a plan that went beyond getting the cert.
This past August I went to the BSides Las Vegas conference. They managed to wrangle a Q/A session with a bunch of head hunters representing some big name companies in the security sector. The question of certs came up early and was quickly dismissed. It's not that certs don't count; it's that they are a single data point, and not even the most important one.
The most important thing they wanted to know was "what are you doing in your lab?", which really means: what are you teaching yourself at home? Have you taken the time to test yourself on a few VMs running on your laptop? Have you secured your own network? Your own life? Can you speak intelligently about security? Those discussions, more than the letters after your name, were the most important and telling items looked for during an interview.
As for those who DO like certification, that group was made up of consulting and contracting firms. Their contracts often require certs for the people they put in place, but those certs change regularly, and given the right person, the company will pay for the test and sometimes even the training.
So what does this all mean for you? It means get some informal training on sites like Cybrary and HackerAcademy or even Coursera. This won't give you any certs, but it will give you a foundation. Then get some VMs up and running, re-purpose those old PCs, grab dying machines from friends/neighbors/the municipal dump and build a lab [here and here and here].
Lastly, get excited and go learn. If you find yourself up till 2am working on a thorny tech issue with your security lab, you're doing it right.
I have been criticised in the past for this view, so I will explain it now and you should understand that it is an opinion, not a set of facts.
You do not have to love security or IT or fixing things to go into it, but you will be a far better practitioner if you do. The best indicator of success is the ability to persevere. It's far easier to persevere when you like what you're working on. So yes, you can take a bunch of certs, pass them all, and have the technical knowledge to be a security professional without a home lab. However, the person with the home lab who struggles to understand and to practice will be a far better hire.
This advice is free; take it for what it's worth.