Published on June 23rd, 2020
Lessons from My Infosec Certification Journey
Not everything that tastes good is healthy, and not everything healthy tastes good. I think of exams as the latter. They are one way to test knowledge, and that attitude is a big part of how I survived getting certified. After taking all kinds of exams, one thing hasn't changed - I don't like them.
I get anxious when faced with tests. I dislike the all-or-nothing of each question. I have an aversion to the idea that the items can be drawn from the fine points of any of the 100,000+ words that I just read. On top of that, exams are an imperfect form of testing one's knowledge (a trait shared by any other type of academic testing).
What has kept and what keeps me going despite all of this is the goal - getting that certification.
Lessons from My Past on Obtaining a Certification
My years in music and martial arts have provided me with plenty of lessons in how I approach certifications. I'll mention a couple here.
(You may not have a background in these, but the lessons aren't relevant to music and martial arts alone. You'll be able to identify something in your past that provides these same lessons.)
A Certification Prep Lesson from Music
Practice. (One might call it rehearsal.) Or you can say, "Practice makes perfect." Or even, "Perfect practice makes perfect." The important takeaway is that preparation has to be done. Take little tests (10-15 questions), take long practice exams, use notecards, make a Python script for a quiz - anything to prove that A) you can take tests and B) you won't pass out if you fail.
A Certification Prep Lesson from Martial Arts
The main lesson I learned is perseverance. Don't give up.
There are two sides to this coin. One, when you put in the time and effort, you succeed. You might not be the best or the fastest or the strongest, but you'll get there. And when you get there, you are in a different league. This flows into the second side: respect. People who have the belt or the degree or the cert (pretty much any accomplishment) automatically know you're part of "the group." You've done what's needed to earn it. They all know you didn't give up.
Trajectory to Obtaining an Infosec Cert
I had to ask myself along the way, "Do I want to be in infosec? Or do I just want a place to work?"
Everything was fine when it was just a job. I did what I was paid to do. There's nothing at all wrong with looking at it as just a job.
But there's frustration involved. Where do I spend my time? How can I limit what I have to do or learn?
When I changed to "I want to be in information security," my whole mindset pivoted. How can I know more? There is SO MUCH to do. How can I manage my time better? How can I leverage technology better to make my tasks and projects faster and more efficient? How do I communicate this all to my coworkers, my managers and the C-suite?
I chose information security because I was happy in my profession, but what seemed to be lacking in the company was a focus on security. (NOTE: There was not a lack of security. Everybody did an excellent job of securing the organization. There just wasn't a security focus.)
I decided that maybe I could fill in a little of that here and there. I did that in my spare time, you know, in those times when you have 10 minutes until a meeting or when there wasn't a project that you could really start or complete. Or when some task was eliminated, there's a little extra time.
Do you have a job? Or do you have a career? This outlook determines where you will put your time, money and effort. If you're truly stuck on what cert to get (or whether you should even get one, for that matter), you may find that you haven't committed to a career yet.
Training for an Infosec Cert
I believe in quality training, but I'm also a firm believer in free training (or, more appropriately, being an autodidact). What options are available for what I'm studying? Some of the most readily available resources are white papers and online videos.
What are the available avenues for you? What can you afford? What will your company reimburse?
- $60 for a book
- $150 for an online class
- $1,500 for a class with other materials included
- $3,000 for a week-long boot camp
Recently, I was able to afford the university path, but it wasn't always that way. I've downloaded a lot of free whitepapers, attended free events, signed up for free online training courses, and watched many online videos. If it was free, I snagged it. This led to many sales emails, but that's part of the cost of "free."
Performing a personal ROI and debt repayment schedule is highly valuable when committing to the certification path. If I get cert A at the cost of X, I could start in position B, receive Y as pay, and pay off my debt in Z years. (Yes, math is integral to the certification path.)
Tools for Passing an Infosec Cert Exam
What counts is passing the test, not how glamorous your study option is. Barring unethical practices (e.g., cheating), if something helps you remember, use it.
My favorite tools are Evernote, Quizlet, Notepad (yes... Notepad), and music. But use whatever works for you!
Gather tools that help you study. Make it anything that you like, anything at all that helps you study. These tools don't have to be limited to the study materials included in a package you bought. I found that no matter what was provided, I always needed something else. Everybody learns differently. Just be you.
You might find it helpful to study the different types of intelligence. That can help you identify what can improve what you have in your study tools toolbox. Don't limit your capabilities to "I can only study if I have my perfect environment," but certainly do your best to do your best.
Timing Considerations for Taking an Infosec Cert Exam
When should I take the exam? When should I embark on the degree journey? Which cert in the roadmap should I achieve first?
The timing for my prep and attainment of each cert was predetermined because a degree program has its own syllabus. While I wanted to get done in the order I wanted, the courses were well laid out, and the next semester built on the previous one. The benefit was that each class, whether it ended in a cert exam or not, ended up well-timed. Each course provided some useful knowledge or tool for my job. I wanted to skip particular topics, but it ended up just fine.
The world of information security is incredibly large, so any information you can learn is beneficial. Risk measurements? I need to know. Understanding buffer overflow? Necessary. Getting a handle on regulations, delving into some scripting language, reading a whitepaper on cloud security, improving presentation skills and exploring many more subjects are all useful and will be applicable to your career.
Is it all useful right now? No, not all of it, and not any specific aspect is relevant every single day. But if you've chosen it as a career, then you're looking mid- to long-term. The infosec journey will present bends in the road, and each career security professional needs to be ready for those turns. I've heard that "It's better to be prepared and not have an opportunity than to have an opportunity and not be prepared." Be prepared - something in cybersecurity will come your way.
No one gets a guarantee as to how things will turn out. I started down the infosec career path, and things have been even better than I imagined (and harder than I thought at some points). It's always scary looking at the years ahead and committing the finances and the time to any career. Making a calculated risk is different than a gamble. Make your best calculations based on your extensive research and take the next step whether it's to choose a different track, wait until the time is right or just simply get it done.
Trust me. You can do it.
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company's BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2's SSCP and CompTIA's Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.