SS-SUBJ-02 - Certifications

Episode 2 March 22, 2021 00:45:25
Security Serengeti

Show Notes

Hosted by David Schwendinger and Matthew Keener, welcome to the Security Serengeti!

Rather than look at the news this week, instead we take a deep dive into the name of the podcast, the Be-Know-Do model, and Certifications!

List of certifications and counts from Indeed:

  1. CISSP - 2461 jobs
  2. Sec+ - 1031
  3. CISM - 615
  4. CEH - 427
  5. GCIH - 381
  6. OSCP - 216
  7. CCSP - 151
  8. GCIA - 145
  9. GCFA - 119
  10. CRISC - 109
  11. GCFE - 103
  12. CCISO - 46
  13. eCPPT - 13
  14. eJPT - 0

Episode Transcript

[00:00:13] Speaker A: Welcome to Security Serengeti. We're your hosts, David Schwendinger and Matt Keener.

[00:00:18] Speaker B: We're here to talk more cybersecurity. Each episode will focus on a specific topic or two of interest to the community. Today we'll be talking about the Be-Know-Do model and certifications.

[00:00:29] Speaker A: And as always, the views and opinions expressed in this podcast are ours and ours alone and do not reflect those...

[00:00:34] Speaker B: ...of our employers, and potentially shouldn't be listened to at all.

[00:00:38] Speaker A: Since this is episode one, we're going to talk about the name of the podcast, Security Serengeti, and why we chose this. So, typically, when you hear people talk about computer security, they use terms like war, campaign, battles. And I think this is a fundamentally incorrect view of what we're really... the nature of the challenges we face. And this overall situation in computer security, it misrepresents the nature of the challenges people and organizations face. There will never be a ceasing of hostilities. There will be no peace treaties. There are no lulls between battles.

[00:01:19] Speaker B: Can you imagine if there was, though? Can you imagine if we signed peace treaties with each individual group attacking us?

[00:01:26] Speaker A: Well, what would be even better is, like, in the old days when winter came, you'd go home and wait till spring.

[00:01:36] Speaker B: It's Christmas. Everybody stopped attacking for a little while.

[00:01:39] Speaker A: Right, exactly. And then you just come back in the spring, and you're like, time to go back to work.

[00:01:47] Speaker B: Tomorrow is Monday, and open season starts again.

[00:01:51] Speaker A: Yeah. Have you ever seen The Venture Bros.? I have.

[00:01:54] Speaker B: I've seen the first couple episodes.

[00:01:55] Speaker A: Right.
So you have the Guild of Calamitous Intent, and then you have the OSI, and they have these treaties and stuff between superheroes and supervillains. It'd be awesome. You can't use a level six... a level six weapon against a level one protagonist. It's just not done, right? How awesome would that be?

[00:02:18] Speaker B: Yeah. Code duello. Duello. I don't know how to pronounce that. The little dueling code.

[00:02:27] Speaker A: Don't know what you're talking about.

[00:02:28] Speaker B: Like the rules for duels. Attackers: oh, no, we can't beat up on these people. They have Windows XP still. It's like taking candy from a baby. All right, I went off on a tangent.

[00:02:47] Speaker A: And who's going to be your number two that stands there with the pistol or whatever? Right? So anyway, the reason Security Serengeti is really what we're talking about is this is life. The life of the herd, the life of the group, the life of the organization. There's always going to be attackers. There's always going to be defenders. What security professionals need to do is be able to protect the herd, protect the organization. There is going to be risk. They talk about assume breach, which means you have to assume there's going to be failures. A lion is going to get a gazelle, but the pride is not going to destroy the herd. Right. And the majority of the attackers are looking for that easy win. Right. It's kind of like, you don't have to outrun the bear, just your friend. Right. So the attacker is going to knock off the weak and the sick. So unless you're directly targeted for specific purposes, as long as your security is a little bit better than the herd next door, you may come out ahead. I mean, even the head of the NSA said 99% of the work that they... the head of the NSA attack team, that is, said 99% of what they do, they use off-the-shelf existing vulnerabilities. They don't use zero-days, they don't use super custom attack code.
[00:04:10] Speaker B: So if we're going to extend the metaphor and fill in the joke, the joke about outrunning the bear always involves shooting your partner. What is the equivalent in the infosec world of shooting somebody else in the knee?

[00:04:26] Speaker A: Well, it doesn't always have to. You don't have to kneecap your buddy if you're a sprinter. If your buddy is the sprinter, though, or if he's the cross country runner, oh, you need to kneecap him for sure. But it almost kind of goes back to that statement that I think is attributed to Ray Kroc, that if a competitor is drowning, I'd stick a garden hose down his throat. But in the computer security world, that's really not a viable option, because that would entail you attacking your competitor for that. But that's not to say... what you want to do is make yourself less attractive by having a good patching policy at the edge or something else that's going to make someone go to the next guy and not necessarily attack you. But if you're looking at this, let's say, using that herd analogy, is that if the attacker is on the outside looking at the herd, you just don't want to be the gazelle at the edge. You want to be in a little bit. And that's something you can do on your own without actually having to do something against the other organizations or the other gazelles within that group. And so this is what we're talking about for the crux of what security professionals should be doing, and not thinking about it in the context of war, but just as continual improvement. And this is really talking about evolutionary improvements. This is not talking about radical change over time, because any security team, if they're going to say that they are doing well, really doing well, is saying they are better today than they were tomorrow, better this week than last week.
And it's not that, like I said, you're not going to make these huge leaps necessarily, but continue a process and an environment and a culture of continuous improvement within the security team. And the idea is just to stay far enough ahead of the attackers that they choose someone else. Of course, farther ahead is better, but that's not always guaranteed.

[00:06:40] Speaker B: You don't have to be the top, you don't have to be the number one most secured firm in the US unless you have something that's just so utterly precious. Like, for example, OPM, for example. They have a unique and precious resource that they should have gone way out of their way to protect. But if you're a company that doesn't have something unique, if you're a company that is doing kind of the same, like Pepsi and Coke are competing against each other, neither one of them is doing something unique. They just have to be more secure than the other companies around them.

[00:07:20] Speaker A: Yep. The idea is to be good but not perfect. Right?

[00:07:23] Speaker B: Because perfection is expensive and it's the...

[00:07:25] Speaker A: ...enemy of the good, because if you always try for perfect, you never get good.

[00:07:28] Speaker B: Fair enough.

[00:07:31] Speaker A: All right, so one of the things we want to talk about today is the Be-Know-Do model. So as it relates to security, and kind of mostly focused on just getting your foot in the door in security, what do you need to be? What do you need to know and what do you need to do? So "be" is really like your characteristics, or the characteristics of people that are generally successful within computer security. This is not to say that what we're going to say here, if you don't have these traits, you cannot work in cybersecurity or you will not be successful in cybersecurity. But these are generally the traits that naturally make people successful. And you can, of course, work on adapting and evolving these traits to be part of who you are.
And the primary ones are curiosity. Because when you start off in security, you're going to see things that you don't understand. And in order to learn, you need to be curious about why that thing happened or why this is occurring. If you're looking at a security alert, what you want to say is, why did that alert fire? And when you figure out why, then you can determine what your next steps are going to be. If you figure out the why is benign, then you can move on to the next thing. If you figure out it's potentially malicious, then you can start going down that investigative path. And once you go down that investigative path, that goes to one of the other traits of "be": do you like puzzles? Trying to figure out how this thing works with this other thing, how these pieces fit together, how this step goes into that step. Because really, when you do an investigation, it is a puzzle that needs to be solved. And sometimes the thing is that you're going to have puzzles without all the pieces, and you're going to need to figure out those. And sometimes you're going to need to infer the different pieces from others to move from one step to the other step. And along the same lines, for investigations, it's helpful to be someone who's always asking why. When you're talking about process improvement, they talk about the five whys. You have to ask yourself why five times before you get to the end result. Why is nobody drinking out of the water fountain? Well, the water fountain is turned off. Why is the water fountain turned off? Et cetera. And you go down that, and they say five whys because that's generally how deep you have to go. But that's not to say that that standard is as far as you ever will need to. You may need to ask far more whys before you get to the end result. And this is also helpful when you're talking about doing or looking at vulnerabilities, and not necessarily maybe the why perspective, but if this happens, what does that mean?
And then if that happened, what does that mean for this, et cetera, and start chaining these things together. And then one of the final characteristics for the "be" of cybersecurity folks is you need to be able to handle uncertainty and failure, because those questions may not always get answered. You may run down rabbit holes that lead nowhere, and your organization may end up being compromised. Someone may... okay, you can say certain. That's what I mean, uncertainty. You're not certain that you are going to be compromised. They say there are two organizations: those that are compromised and those that don't know they're compromised. But I don't know how many organizations I've been at where they're like, we've never been compromised. But unless you actually figure that out, that you are compromised, if you're one of those organizations that is compromised and don't know it, you can confidently say that you've never been compromised. But you are going to get a phishing email and someone is going to click on that link and hijinks will ensue. So you have to be able to accept that those things are going to happen. And with that failure and the acceptance of those possible failures, don't blame people for those failures. It's going to happen. Don't blame your users, don't blame your coworkers, sir. People will make mistakes. But overall these are challenges you have to be willing to accept and understand, and then learn from those and build from those.

[00:12:09] Speaker B: I don't know. After they click on that link for the fifth time, there's going to be a point where I'm going to start meeting people.

[00:12:18] Speaker A: Well, your phishing training is supposed to flag those people as problem people, right? And they're supposed to get additional training. Yeah.

[00:12:25] Speaker B: We give them an Etch A Sketch as their...

[00:12:26] Speaker A: ...computer, right, turn it upside down to reboot. That would be awesome if you could do that.
If your phishing training were actually tied to permission access or something like that, that would be interesting. But really at that point what you're saying, though, is, oh, we're going to take away your permissions, which means you can't do your job. And if you're saying you can't do your job, well, maybe you need to move on.

[00:12:55] Speaker B: I'm okay with that challenge.

[00:12:56] Speaker A: Actually, there's some challenges there with that, because there are probably some outstanding... let's just use a university, for example. There are probably some outstanding professors that are the best at teaching anthropology, maybe, I don't know. But they will click on that cat video every time, right?

[00:13:24] Speaker B: Actually though, we're getting off on a tangent. I'm sorry about that. But I could see we're reducing not necessarily their level, but like the level of access on their system. Obviously nobody gets admin rights, but if you can't pass phishing, you don't get power user, you get application whitelisted. You have to talk to someone to install literally anything. You've got to talk to your help desk.

[00:13:48] Speaker A: Actually, you know what might be better, and we were talking about this before, is maybe after you've clicked on the Xth phishing email, you get plain text email.

[00:14:00] Speaker B: Yeah, there are things you could do.

[00:14:02] Speaker A: Or maybe you no longer can get attachments, or all emails with attachments for you go to quarantine or something like that. Maybe, I don't know. I haven't really explored that before. That's an interesting idea. I'm sure you would get all sorts of crazy pushback; that'd be something you'd have to really get buy-in from way up top for.

[00:14:22] Speaker B: Yeah.

[00:14:23] Speaker A: So moving on to "know" is, what do you need to know in order to get into cybersecurity, or what's going to benefit you in cybersecurity?
And one of the things is programming, if not programming, scripting. It's going to be critical for you to be able to do analysis on reasonably and sometimes extremely large data sets in order to figure out what the different problems are, or not necessarily different problems, but to get some data elements onto there, or increase your knowledge about a certain incident that you're investigating. And there are all sorts of classes online. You can, of course, go to college, there are boot camps, et cetera. But one of the things for the programming or scripting is that once you learn it, you need to put it into practice on a regular basis in order to maintain your knowledge level and improve on that. And there are sites like, if you're doing Python, there's like Python Challenge, there are other sites like LeetCode and HackerRank, where they will present you with challenges that you will use scripting or programming to solve. And that's helpful to do, like I said, regularly, in order to keep those skills up. And with any luck, or maybe not even luck, you'll be using those skills at work, doing investigations and doing data research. Now, I mentioned a moment ago about finding where to learn programming. Well, not only learning programming, but learning other aspects of computer security or cybersecurity. There are, of course, college courses, there are Udemy courses, there are boot camps, there are single classes, and each one of these is going to have advantages and disadvantages depending on what you're attempting to accomplish and whether those things are actually going to help you get your foot in the door. To start off with, some organizations require a college degree to get your foot in the door, which is actually terrible, because there are a lot of really skilled computer security folks that don't have degrees. And I think forcing a degree for pretty much anybody in the cybersecurity realm is a mistake.
[00:16:39] Speaker B: I've been kind of disappointed with a lot of the people straight out of college. I would have much rather they had four years working on help desk. Even a year working on help desk, right.

[00:16:52] Speaker A: If I were to pick an ideal candidate, they would have worked the help desk for a bit, they would have worked the desktop for a bit, they would have worked network a bit, and maybe they would have worked server for a bit, because then they would have the context for those different realms, especially for help desk, because there is a lot of troubleshooting in desktop support as well. And we were talking about puzzles and curiosity and why; those people have to deal with that a lot. So that kind of inculcates that into their mind before they even get into doing computer security.

[00:17:29] Speaker B: Yes, absolutely. My ideal SOC 1 is a help desk admin or desktop admin. My ideal engineer would be somebody that's coming from a networking or a Windows admin background or database admin, something like that.

[00:17:42] Speaker A: And additionally, having those people on the team, when they go and they talk to these other parts of your IT department, they have some credentials, some bona fides there, because they've been in the trenches doing those things as well and can understand their perspective.

[00:18:00] Speaker B: I was going to say, on one hand you don't want to pretend that you don't know information, but just speaking as I was working as a government contractor initially, it is very kind of alarming to have your new vulnerability management guy be a fresh, brand new analyst and he doesn't know anything about BSD or Linux, or asking dumb questions about Windows things. That definitely puts kind of a damper on that relationship there, right?

[00:18:31] Speaker A: And the thing about security is most of the time you have to get things done through other teams or other people.
Your desktop team, are they going to be the ones that reimage desktops? Your AD team, are they going to be the ones resetting passwords? Mostly, depending on the organization. So you're going to need to be able to talk to them in terms and relate to them so that they understand the challenges you have and you understand the challenges they have, in order to meet down that middle ground to get something done. And then of course, just doing some cybersecurity on your own: building your own lab at home, watching YouTube videos, going on forums, having podcasts. These things all, even though you don't necessarily do them in a work environment, will improve your ability to talk to people. When you're doing interviews, getting into cybersecurity, when people ask you about Snort IDS, say, oh well, in my home lab I've done this, this and this with Snort. So even though you haven't done that in a work environment, they're like, oh well, they're doing self-directed study there. They've already had hands-on with that tool. There's no reason that they can't take those things and apply it to an enterprise. It's just a matter of scaling.

[00:19:52] Speaker B: That especially applies for people that are career switching, coming from a completely different career. That's a great way to start proving, oh, I haven't done this before, but I will figure it out.

[00:20:07] Speaker A: And that brings us to the last of Be-Know-Do, so actions you can actually take that are going to improve your marketability in getting into computer security. So go to conferences, and some of these can be expensive and some of them can be far away, but there are hundreds of computer security conferences every year, and not all of them are in Vegas, just a lot. So don't feel that you have to go to Vegas in order to get into a conference. And there are vendor conferences. So if you're in an organization that has a security product, there's a vendor conference.
There's a possibility that they're going to provide free passes to that conference, and I haven't seen it before, but that's not to say that someone outside the security team couldn't get in on attending one of those conferences, depending on how many seats are available and the relationship with the vendor. You can also get certifications. So there's the standard A+, Network+, Security+, which help get your foot in the door in IT and into security. And there are other high-level ones, and some of them are really expensive, and some of them are not terribly expensive. I would say that, at least starting off, do not think you need a CISSP or CEH to get your foot in the door in computer security. And we talked about degrees a minute ago. It doesn't hurt to have a degree. It helps to have a degree, but it's not necessary. But as I said, some organizations will require it. So take that with a grain of salt, whether you think you need to have a cybersecurity degree or not, because as we all know, college is expensive. So I would say if you're going to go down that path and get a cybersecurity degree, make sure you start off in community college to get that part knocked out before you go into your bachelor's, to save some money there. And I've seen a lot of people trying to get into cybersecurity starting with a master's degree in cybersecurity. They have no practical knowledge until they have that master's degree and then try to get into the field, and then they try to ask for a bunch of money because they have a master's degree, which, having been a hiring manager before, doesn't mean anything to me. You have a master's degree, but you have absolutely no practical application of putting that degree into practice. Something else to consider is internships. So that can help get your foot in the door with cybersecurity.
And if you have certifications or are currently enrolled in a degree program, that will help bolster your intern resume to get your foot in the door and start actually putting some of this stuff into practice. Some internships are paid and some are not. It really depends on who you're talking to and which organization you're working with. You can also take courses at Udemy, ITProTV. Other of these sites online have relatively inexpensive courses in both IT and computer security. Because if you're just trying to get into computer security with no IT background, that is most certainly a mistake, or it's going to be really hard for you to get your foot in the door if you don't understand the principles on which IT is based, on which IT security is based. And of course, one of the other benefits of going to a conference is networking, being able to talk to other people in the industry, pass along your resume, glad-hand, talk to them, and be able to convey information to them so they get the impression, or they understand, that you understand the different aspects of security and say, oh, well, this guy could be a good fit for this, or reference you to someone else. Or when an opening comes up in their own organization and say, hey, I know somebody who I talked to just recently that wants to get into this and we have this opening, I think they'd be a good fit, and bring them in for a conversation. And one of the last things you should do, not only just getting into computer security, but once you're in computer security, is try to keep up with current events and things that are going on in the industry, what new vulnerabilities are coming out, what new attack methodologies the bad guys are using. And there's a couple of different ways you can do this.
Podcasts are really good, because there's a lot of podcasts out there that will go over recent news articles, and some of them will do deep dives on certain aspects of computer security for different reasons, for different items that are helpful in order to get a more in-depth understanding of particular things that are going on. And you can, of course... what is also helpful is subscribing to RSS feeds from certain sites that specialize in computer or cybersecurity. And I'll pass it off to you for certificates.

[00:25:37] Speaker B: Hey, let's deep dive into one of those topics you were just talking about for the deal. See, look at that. Look at that transition.

[00:25:44] Speaker A: Awesome.

[00:25:45] Speaker B: Well, that's the point. You got to sound excited. So certifications. Why do certifications matter? Well, the simple answer is they mostly don't. They're mostly trash. They're mostly trash. But they do have two things that matter. First of all, and most importantly, they are an HR screen. There are people, unfortunately, that hire for certifications. There are people, unfortunately, that require it to apply, especially the DoD. The DoD requires for many of the cybersecurity positions that you have a cert. So despite the fact that they suck, despite the fact that most of them do very little to help you out, you have to have some. Now, some certs have an additional bonus over and above helping you get that job. They might actually teach you something. Some certs may actually help you learn. It's crazy. And we'll talk about which ones of those there are later. Leave that off as a little cliffhanger. So what certifications should you get? Well, in determining what certifications you should get, you really kind of have to look at the job. For example, if you are going to be working for the Department of Defense or as a government contractor, there is a list of certifications that maps to each type of job.
And you will have to go... you'll have to dig up a copy of that, which is not hard, because Google it. And then you'll have to figure out what the job is and figure out what certifications... what job you want and then what certifications you need to get there. For example, the IAT level, which I believe is information assurance technician: the Security+, or the SSCP, which is the junior version of the SYSP. Both of those will cover most of those guys. Or you get a SYSP and that works for them as well. If you are an information assurance manager, you need a Security+ or a Certified Information Security Manager or a CISSP. And then they've got a couple other ones at the bottom. But you'll notice there's some that apply to most all of them. For example, the SYSP is pretty popular. It covers all the IAM. It covers the IASAE, which I have no idea what that is, covers the IAT, covers a lot of the kind of generic other ones it has on there as well. So what I would look for here is, if you're getting it for DoD, try to find the certification that covers all of the roles that you eventually want to do, so that you don't have to buy 20 different certifications.

[00:28:22] Speaker A: Yeah. And to translate, SYSP is CISSP.

[00:28:26] Speaker B: I guess. Sure, you're right. I guess if we are targeting this at new people, we should explain that. That is... what, Certified Information Security Something Practitioner? You know what? I use it so often, I don't actually know what it stands for. Certified Information Systems... And then I clicked on the link. I shouldn't have clicked on the link. Certified Information Systems Security Professional.

[00:28:49] Speaker A: Right?

[00:28:50] Speaker B: Yeah. So now, if you're not doing DoD, how do you figure out what to get? Well, I actually took a quick look on Indeed the other day, and I did a search for a bunch of the super common certifications.
I'm not going to go over this whole list, because this whole list is quite long, but the most prevalent one was CISSP. There were 2461 jobs that asked for CISSP in my metro area, which is a pretty big metro area. The second most common one was Security+ from CompTIA at 1031 jobs. CISM, Certified Information Security Manager, was 615. Certified Ethical Hacker was 427. GIAC Certified Incident Handler was 381. Et cetera, et cetera. Some of the GIAC ones were pretty uncommon. There's one that I took, actually, recently, called the eJPT, the eLearnSecurity Junior Penetration Tester, that showed up on zero one ads.

[00:29:53] Speaker A: We can put this list in the show notes.

[00:29:55] Speaker B: Yeah, we should, actually. We haven't talked about what's going to go in the show notes, but, yeah, we'll stick that list in there. But that's definitely a way to kind of figure out how in demand a certification is. Now, that being said, some of these certs have a good technical background. For example, I mentioned the GIAC Certified Incident Handler. GIAC and SANS do a really good training program, where they do a four- to six-day course before they take the exam. And the exams are super in-depth, and they're generally fairly highly regarded as quality certifications that show that you've learned something. But our downside... there's a downside. I was going to talk about that under the price, but they are very pricey. There's another one I just mentioned. I took the eLearnSecurity Junior Penetration Tester. It's funny, I actually made fun of it when I was taking it, because I kind of wanted to dabble in some red team stuff, and it was super cheap. So I was initially kind of like, I would laugh to people saying, I'm taking this script kiddie class, et cetera, et cetera. But it actually turned out to be pretty good. They have labs associated with it, and the final exam was actually a lab-based exam where there were six systems you had to break into.
And admittedly, this is the junior penetration testing cert. It was all Metasploitable. None of these were things where you had to write your own exploits. But I'm still impressed that they went to the length of providing the labs and making you prove that you could actually break into systems to certify. Because that was one of the major complaints about Certified Ethical Hacker originally. They've actually added a practical component now; you have to pay extra for it. But that was always one of those, like, oh well, you just memorize the answers and you take the test, and it doesn't show that you actually know how to hack anything. So that would be one thing. If you're looking at a cert, if we're just going through the list here: you've validated that the cert is important for the job you want to get. You've taken a look and it's being mentioned by the ads for the type of job you want to work at. The next thing I would do is I would check, make sure that it has a good technical background, that you are actually going to learn something. The next thing you want to look for is if it has a specific niche. There are some niches. Niches? Sorry. I guess we can all laugh at how I pronounce things. It's okay, my wife does it all the time. There are some niches that are only served by one or two certifications. This is more important, especially for people that don't have work experience. It's actually part of how I got into security: I was working as an IT wireless network administrator, but during my evenings and free time, I was trying to get a certification or two and going to security-related conferences, which we'll talk about in another episode, to try and prove that, I know that I don't have any work experience in security, but I'm going to try and get this. So there's some specific niche certifications like the OSCP, the Offensive Security Certified Professional, some of the SANS ones like incident response or forensics.
There aren't very many certifications serving those niches right now. The generic ones like Security+, there's a lot of certifications that are kind of broad. So if you niche down, some of those might be worth looking at.

[00:33:11] Speaker A: And.

[00:33:14] Speaker B: Just as a general cert plan, I know what I did and what I would recommend other people do is, when you're first starting off, you probably don't need more than a Security+ or a Certified Ethical Hacker. The Certified Ethical Hacker one, at least in the past, has gotten a reputation as being a pretty mediocre cert, but it's required for DoD 8570, and that gives it a fair amount of cachet, unfortunately. So start off simple. Do not get a whole bunch of certs. I've talked with some people, I've interviewed some people that are cert hounds, and I think if you're spending all your time and effort getting certs, you're probably not spending time and effort building skills. I think that that is a higher return on your investment of time. Then after you have that initial Sec+ and you're starting to get some work experience, or again, you're trying to get into a specific job, then maybe you want to look at those niche-specific certs. And then finally, once you have the experience, five years, I think, for the CISSP, or four years with a degree, you may want to look at a CISSP or a CISM, the Certified Information Security Manager, and that's really all you need. You don't need to have a ton of certs with this plan. You have the two most well-known certs, which are the Sec+ and CISSP, and you're not wasting a whole ton of money. Jeremy, thoughts on that?

[00:34:35] Speaker A: David? Well, that's something that, once you get your foot in the door, for organizations, they generally have funds available for training and certification.
So once you get your foot in the door with some of the less expensive certifications, like Security+, A+, Network+, et cetera, then when you're in there, you can look at whatever job you're in and available training funds, as well as, depending on what tools your team has, you can get training for tool-specific stuff as well that can help bolster your resume or your knowledge in general. [00:35:18] Speaker B: I would stay away from the tool-specific stuff until you have a job, though, because it seems kind of silly to me to get a Splunk cert or Apollo cert before you actually have a job doing that, for sure. [00:35:28] Speaker A: Right. Well, that's why I was saying once you get in and have access to those training funds, and some companies, if you have a good relationship with the vendor, you can get into those courses for nothing, for free, and then only pay for the exams. And speaking of Splunk, that's really advantageous because Splunk exams are inexpensive. It's the courses that get pricey. So a Splunk exam is generally around 100 and $2550, and the exams are over 1000. So if you can get those for. [00:36:01] Speaker B: Free, the classes, you can get those. [00:36:03] Speaker A: Free from the vendor, and then they'll go and take the certification for only a couple of. That's really advantageous for you there. [00:36:10] Speaker B: Yeah, and you're right. The value equation changes when you're not paying for it yourself. Like I said, I paid for my own Security+, and I paid for my own Network+ and A+ way back in the day when I was first starting out, and I paid for one or two other ones. But, yeah, since I've been working, I haven't paid for a certification since. I would not have gotten the GIAC certifications if I had to pay for them myself. [00:36:34] Speaker A: Yeah, those are crazy expensive. [00:36:36] Speaker B: Yep.
[00:36:37] Speaker A: And one of the things to consider, I don't know, depends on who you are, I guess, as far as how much you take this into consideration. But some certifications will expire and you'll need to recertify. Some certifications only require you to get additional CPEs, which are, I forget what CPE stands for. [00:36:58] Speaker B: Continuing professional education, I believe. [00:37:00] Speaker A: Yes. So you just need to get points for CPE, and you have to have so many CPEs annually in order to maintain that certification. [00:37:10] Speaker B: Well, and that's a valid point for taking more certs. Once you add in the points and you add in the fact that somebody else is paying for it, then the equation changes and it becomes a little more valuable to maybe look at other certs, because you can use them for CPEs. [00:37:26] Speaker A: Right. Just getting the cert itself goes towards maintaining your other certs. [00:37:34] Speaker B: Well, since most of the certs are attached to a training course, I know, for example, for the GIAC, I think I've got the forensic analyst and the forensic examiner. When I got the forensic examiner, yeah, I think that course counted for all of my CPEs for the analyst one. So it just took care of my continuing education requirements there. So now, that being said, how much did you spend on certifications? I did go out and do some research on how much these things cost, and it is a widely varying amount. So the cheapest one I found was the Security+. Security+ is currently $339. It is not a terribly technical exam; at least when I took it, it did not have any practical component. You could easily pass it by studying, so you don't need to take a class for it unless you learn better that way. The next one was the eJPT, the junior penetration tester. That one was $500, and it included the training. It included something like 40 hours of training. It included 20 hours of lab time. So that overall is pretty cheap, too.
A CISSP is about $700 right now. That does not include any training time. Although the CISSP is kind of like the Security+, it is a paper tiger. You will probably need to spend a significant amount of time studying for it, but it does not have any practical part of the exam. There are many people that do take courses for it, but the courses are pretty dry. They're super study-heavy and, like, cramming tips and lecture, which is pretty unpleasant. I don't know if anybody else feels that way, but I definitely do. [00:39:06] Speaker A: Well, the CISSP, a lot of the questions that you would get on that are situationally based. So experience helps a lot in bolstering any gaps in your studying. [00:39:21] Speaker B: The CEH, just $1,200 for the exam only. They have a new practical exam that they've added. That's $550, which looks like they're trying to address the common criticism of the CEH, which, of course, is that finishing an exam does not prove that you know how to hack. But once you add those two together, you're up to about $1,700. And if you want to take a training, now you're up to $3,000 or so. So that's getting pretty expensive. And then finally, the big daddy, the SANS courses. Currently the price has gone up the last couple of years. They were $5,000 about five years ago, but now they're up to $7,500. They are super expensive, but they are kind of considered the cream of the crop for classes and certifications. They cram a ton of value into that week. A ton of things happen during that week. I've taken two of these courses, and there's an unreal amount of content they put in there. [00:40:14] Speaker A: And you usually get some really good books. [00:40:18] Speaker B: Yeah. And when you renew, they send you updated books now, of course. Really? Time to review them. Yes. Speaking of renewal, like you said, you have to get continuous professional education credits, and there's usually a fee for SANS.
I think I'm currently paying $450 every three years for my two certs, so that's kind of expensive. CISSP runs $85 a year. Security+ is now continuous education, too. I don't know what their annual is, but it's probably cheaper than that. So something else to keep up with. And finally, almost every certification now has an available boot camp you can go to where they can try to cram your head full of information. I would stay away from those, with one exception. Two exceptions. The first exception is if you need that to learn, if you need somebody else telling you the information, if you're an oral, if you need somebody verbally telling you the information to learn, although you can still probably get it cheaper with, like, a book on tape or something. And then the real reason to do it is if you need that accountability. I know that I have this problem. I said for years that I was going to get a CISSP and I didn't do it until I finally put the money down. Once I bought the test and set a date and was like, all right, well, if I don't pass it by this date, I'm going to lose that money. Then it suddenly became a priority for me. [00:41:43] Speaker A: But one thing I would like to say about the CEH as well is that that $85 is not just a fee for no real reason. It's actually a membership in the (ISC)² organization. And they have a lot of free training and documents and stuff on their site to both help maintain CPEs and basically improve your knowledge as well. [00:42:05] Speaker B: I have not been taking advantage of that. [00:42:07] Speaker A: Yeah, you can go and they have webinars and things like that which will give you CPE credits, because they auto-apply to your CISSP CPEs. [00:42:18] Speaker B: Interesting. Yeah, the GIAC ones, when you renew, they send you the updated books. So that seems expensive at $150 a year, but you are getting the latest and whatever information you have. So given how much textbooks cost. All right, well, final question.
Shouldn't I just get all the certifications, especially with what we're talking about? If my company pays for the certifications, shoot, just get them all. Well, you probably shouldn't, for a couple of reasons. The first one is you are curating a story with your resume, and getting all the certifications can confuse the story with your resume. You want to make sure that when you're applying for a new place, depending on how good you are at the networking thing. I hear a lot of people that get real fancy and great with the networking thing never really have to apply to places; they just kind of move, which would be nice. But for those of us peons, those of us who have to actually apply for jobs, your certifications are part of your curation and part of the story that you're presenting of your career and your life. So don't muddle that story up. Second is, if it doesn't help you with the role you have or the role you want to have, then you could be spending that time doing things that will help you in the future. And finally, this is a piece of advice that David gave me years ago when I asked him if I should get the Project Management Professional certification. He said, well, do you want to do project management? I said, well, no, but it's free and I can just do it, and he was like, well, if you have it on your resume, somebody's going to ask you to do it. All right. That's all I have about certifications. They are valuable in narrow circumstances. And you should probably get a couple that serve your needs and fill out your resume. And then you should probably just move on, maybe get the ones that are important for your job. [00:44:10] Speaker A: Right. Just like anything else in security, it's about prioritization. Yeah. [00:44:14] Speaker B: You don't have time to what's most. [00:44:15] Speaker A: Important and targeting that. [00:44:18] Speaker B: All right, you want to take us out? [00:44:20] Speaker A: And that's it for this episode.
Thanks for listening to the Security Serengeti podcast. Follow us on Twitter at Serengeti Sec. And, of course, download and listen to this podcast using your favorite podcast app. Don't.