Regardless of whether you’re happy about your current career progression, adding security skills to your portfolio is practically a requirement for any branch of IT. We explore several online resources that you can use right now to sharpen your IT security know-how.
By Wayne Rash
If there’s one thing today’s IT professionals can take for granted, it’s that their careers won’t stay the same. No matter what part you play in your organization’s IT fabric, the list of what’s needed to do your job is going to expand in scope. A key example is security. No matter what technology goal you’re working to achieve, you’re now also expected to know how to keep it safe and secure. While you can probably pick up the basics of security on your own or with the help of your colleagues, it’s much more efficient to learn security at the hands of a skilled instructor via in-person or online learning courses.
Likewise, if you’re interested in growing your level of knowledge, especially to move into a more senior role, then additional training not only works wonders, but it’s practically mandatory in the long run. And if you’re interested in moving on to an IT role somewhere else, then having at least something in the way of security certifications can help make that happen, too.
But knowing that you want some security training and knowing which specific training you need to take are two different things. As you might expect in a field as in-demand as security, there are thousands of training choices available, some of which are definitely more useful than others. Making the choice more complicated is the fact that security has become a field of specialties, and one with a list that seems to always be growing.
“When moving into cybersecurity from another IT discipline, whether it’s network engineering or server administration, you need to determine first where you want to focus your role, whether it’s on the defensive side of the aisle (blue team) or offensive (red team),” explained Alissa Knight, a senior analyst with the Aite Group’s cybersecurity practice and author of Hacking Connected Cars: Tactics, Techniques, and Procedures.
Getting the Basics Right
But Knight cautions that, before you even start thinking about which side of security you want to be on, it’s important to get the basics right. “I would recommend a more generalist training route via the Certified Information Systems Security Professional [or CISSP] and studying the common body of knowledge [or CBK]. By studying the CBK, you’ll get the mile-wide, inch-deep approach to cybersecurity capacity building, getting a better understanding of the tenets of confidentiality, integrity, and availability, and more,” she said.
The CISSP certification is probably the best-known professional credential in security, but it’s not the only one that counts. Bryan Simon, Principal Instructor for the SANS Institute, points out that the Cyber Security Certification: GSEC certification and the Global Information Assurance Certification (GIAC) are also highly respected. The GIAC certification is considered by many to be equivalent to the CISSP certification.
While there are likely a few IT pros who already have most of the knowledge required for the CISSP or GIAC certification, most people will need to take some training classes before they can pass the certification exams. Finding the necessary training for these certifications isn’t hard, as a Google search will reveal.
Deciding Between In-Person or Online Training
But just because there are lots of courses doesn’t mean that they’re all equally effective. Some courses emphasize hands-on learning and some are classroom-based, while the majority of online courses are video-based. How useful they are to you depends on how you learn. “Look out for real-world understanding or real-world adversaries and real-world problems,” Simon advised. “For too long, courses focused on theoretical situations.”
“Look for something heavy in practical and hands-on lab work, and don’t try and boil the ocean too quickly,” Knight added. “Start out with the basics and fundamentals of cybersecurity, such as the…GSEC course or the CISSP, to understand the very basic fundamentals of cybersecurity before trying to niche yourself into anything specific.”
But not everyone wants or needs to get their GIAC or CISSP certifications, at least not right away. There’s also a role for starting with some training that’s essential for IT staff these days, and perhaps building from there.
“The world isn’t in silos anymore,” said Ralph P. Sita, Jr., CEO and co-founder of Cybrary. “An IT department means a whole lot more than it did five years ago. We’re talking about philosophy of security enablement. Your whole organization needs to be gatekeepers, not just the people in security or IT.”
Growing Need for Cloud Security Training
Sita points out that there are some specialized security courses that can be important to IT, such as those from Cisco. He said he’s seeing a rapidly growing need for cloud security training. Cybrary offers cloud security training either in a classroom setting or as a series of free video courses.
So, what are some recommendations for essential security training for IT pros? A lot depends on your specific circumstances. A good source for insights is the community of IT pros at Spiceworks.
Some additional guidance comes from Knight, who said there is training for both (offensive) red team and (defensive) blue team interests. For blue team, Knight suggests the GIAC course or the CREST Certified Network Intrusion Analyst certification. For red team, Knight suggests starting out with the Certified Ethical Hacker (CEH) certification or the Certified Penetration Tester (GPEN) certification.
“The final stop should be… Offensive Security’s Certified Professional (OSCP) training, which will be heavy in lab and practical work over written and multiple-choice exams,” Knight said.
Taking These Essential Courses for IT
Each of the trainers also had some suggestions for essential courses for IT folks. Sita lists five that are available on the Cybrary website:
Simon had a similar list of essential courses that are available from the SANS Institute:
* SEC401: Security Essentials Bootcamp Style, covering topics such as Intrusion Detection, Intrusion Prevention, Defensible Network Architecture, OS security, and more.
* SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling, covering all aspects of attacks and exploitation combined with defensive concepts.
* SEC511: Continuous Monitoring and Security Operations, covering how timely detection and timely response are key for success against the modern adversary.
* MGT512: Security Leadership Essentials for Managers, which is conceptually similar to the previously mentioned SEC401 but focused more exclusively on managers.
* FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics, covering advanced incident response from a digital forensics perspective.
Keeping Overall Training Goals in Mind
Note that the SANS Institute courses are available in a variety of formats and locations. You can search for the training you want with the SANS Institute Training Finder. There are a number of respected training courses, some of which are mentioned here, but this list is by no means all-inclusive. Remember, too, that you need to keep your overall goals in mind when considering a course.
“Don’t focus on memorizing what you need to walk in and pass a certification exam just to run through the certification mill to add a bunch of acronyms after your name,” Knight cautions. “Don’t be that guy or gal who uses certifications to get past the resume review stage; [don’t be that person who walks] into an interview and [isn’t] able to answer any technical questions as simple as what the headers of a packet are, what two TCP ports FTP uses, or what two protocols DNS uses.”
According to Knight, it isn’t about memorizing what you can to get the certification. “The point is [more] to learn what the training for the certification teaches you, and less about the paper hanging on the wall or the CPE credits you have to maintain to keep it. It’s about the learning, not the reward at the end.”
Originally published at https://www.pcmag.com on July 29, 2019.