Talos Takes
Every two weeks, host Amy Ciminnisi brings on a new guest from Talos or the broader Cisco Security world to break down a complicated security topic. We cover everything from breaking news to attacker trends and emerging threats.
Cybersecurity certifications and you
Welcome to the Talos Takes podcast, where we discuss Talos' latest research and security news. This podcast is for everyone from the C-suite to the frontlines.

Hello everyone, and Happy New Year! My name is Amy Ciminnisi. I am thrilled to be hosting my very first episode of Talos Takes. Up until now, you've been hearing Hazel Burton. She's done absolutely amazing things with this podcast over the past year and a half, and now she's handing off the reins to me. God knows why, but I really couldn't be more excited to be here. A little bit about what I do here at Talos: I'm the Content Manager and Editor. So our researchers and incident responders write their blogs and findings and reports, and they send them my way for a polish before it goes out to the wider community. I also run our social media, and I host Humans of Talos over on YouTube, so definitely check that out.

Now let's get into it. Imagine this: you are a technical writer with barely a year of experience. Before then, you had been working in nonprofit fundraising, so radically different, and suddenly you get laid off. It's a cold November day. The holidays are coming up, you're on unemployment benefits, and you're reaching out to every connection that you have with open jobs. You've landed a few interviews. Nothing really sticks yet, but as you scroll through the listings, you notice that more and more content and technical writing openings are in cybersecurity. You don't have a ton of experience there. And to get maybe a leg up, you start looking at different certifications that you can get, courses that you can take, and you find an entry level one. You think, "You know, why not get some baseline knowledge? At the very least, it'll give me something to talk about in interviews if I land one." That certification, which was at the time only half finished, probably even less than that... That entry level certification is part of why I was offered a position at Talos.
So for my first episode, I wanted to dive into the very confusing world of cybersecurity certifications. And with me is someone who not only has several certifications of their own, but also mentors people through their certification journeys. And you know him. You love him. It is Joe Marshall! Joe, how are you doing? And the crowd goes wild.

Joe, thanks for having me.

Yeah. Of course. Thanks for being here. When I brought this topic to the group, you very enthusiastically jumped in. Can you talk a little bit about your own journey with certifications? When, why, how did you decide to get your first one?

Sure. Yeah. So I started off in information technology. I didn't start off in cybersecurity; arguably cybersecurity as a mature profession didn't exist when I was in, you know, I'm in my mid 40s now. God help me. I started in IT in my early 20s, and cybersecurity hadn't really matured to where it is now, obviously. And certainly there weren't the plethora of cybersecurity certifications 15 or 20 years ago that exist now. So the certifications I initially got were for administration. So I'm a, you know, Microsoft Certified Systems Engineer. I have some vendor certifications outside of that, like hardware, basic hardware and things like that. Then later, as my career progressed, I went into working for DoD, and there were some certifications that were mandatory to be at the information assurance management level of professionalism they expect. And one of those was called the Security+. And then I would later go on in my career to get a CISSP, which is a much, you know, different type of certification from my Security+ or from all these other certifications that I've been able to attain over my career. So for me personally it has been a fairly long journey to get the certifications that I have, which indirectly in some ways landed me here at Cisco Talos.
Well on 11 years ago now.

Wow. Yeah. Yeah. So there are a million different certification providers and a million different types. And amongst those, kind of like you mentioned, there are vendor specific and then vendor agnostic certifications as well. Can you talk a little bit about who some of the main providers of certifications are? The types that they provide, things like that.

So if anyone ever is able to get a cybersecurity certification or they want to get one, you are going to be just buried in a plethora of choices. And actually, I hope you link in the show notes the chart that we've been looking at together for just the ridiculous amount of cybersecurity certifications that exist. But like, you have some of your major vendors, and every major market vendor usually offers a cybersecurity certification with their product. Microsoft does, Cisco does, Amazon does. Right. Because they want you to use their product and also have a minimum standard of qualification and certification that exists, that your employer may require or that you may wish to do for professional self-development. To go, "Yep, I have taken Amazon EC2 cybersecurity training and I am now a certified security administrator. I've met the vendor's standards for a qualified person." And I have a piece of digital paper to show, or maybe a real one, that shows you that, you know, you did the thing. Right. There's also certification bodies that exist outside of vendors. So you have some that are extremely vendor agnostic. So CompTIA would be a good example of that. Everyone's familiar with CompTIA in the sense of they offer the, you know, the "Plus" certifications. So Security+, Network+, A+, Cloud+, Linux+, those are vendor agnostic. You have like (ISC)² certifications for your security risk management, so they're the ones that put out the CISSP or the SSCP or the CCSP and stuff like that.
Those also are vendor agnostic. And we're really just scratching the surface. The more you dig, the more you start to drown, and the more analysis paralysis that happens, because, especially if you're a beginner in this space, if you're just trying to get your foot in the door, you're looking at this going, oh my God, what do I even do here? Like, how do I even know if this is really good?

Yeah. And then you have the difference between the beginner and expert level certifications, right? They exist in all strata of your career progression. Like a beginner or a newbie to cybersecurity is not going to get their CISSP. As a matter of fact, there's a minimum time of experience that you have to be able to document before they let you sit down for the certification, right? But they do offer entry level certifications that, you know, only require a year or less of experience, or they're willing to waive some of that experience based on, say, college education or things that they count as experience, sort of standards. And that's relatively unique in that space. But, you know, from security operations to asset security to architecture and engineering, there's something for everybody. There's something for everybody. So it's very fluid is what I'm saying. It is situationally applicable to where you are in your career, who you're working for, what vendors you're using or not using. Because there are certainly generalist cybersecurity certifications that exist that I actually do recommend because they are vendor agnostic. And you can see just by me talking about this, I can see your eyes starting to go, what have I done? I've asked Joe these questions. I don't understand any of this. What the hell, man?

I'm always thinking in terms of, like, practical steps. So, like you said, analysis paralysis. And I went, yep. That's it. That's what I'm feeling.
If someone is at that stage where they are trying to figure out where to go next, what certification to work toward next, what are the best methods you suggest they use to kind of finally drill down and focus on one?

Yeah. So this is such a hard question to answer, because I don't know. So for anybody listening to this right now and you're going, yes, Joe, give me the wisdom, tell me what test to go take: you have to be able to answer that yourself, because I don't know the individual background of anyone that wants to go take a certification exam, where they are, or whether you're already in the space. Are you trying to get a job in this cybersecurity career field? What's your past like? Have you done it like I did, and you just sort of organically shifted into it, or are you coming in blind? Right. So the advice I have is just that, it's advice. It's generalized. All I want for anyone is to work hard and be successful and be a student of this game. And there's certainly a certification that is applicable to you. All right. From a practical mentor experience, so I'm one of the mentors of the Women in Cyber program here at Cisco, and certainly personal relationships that I've had outside of my organization where I mentored others, I'm kind of a fan of the CompTIA certifications. So this would be your A+, your Network+, your Security+. And the reason for that is real simple. One, you can study at home. You don't have to go to class. You can take online courses like Udemy or one of the, certainly there are if you go to YouTube, for the CompTIA base certifications. The reason I kind of like them is they're establishing a very vendor agnostic security and technology baseline. How does the internet work? How does a PC work? What are the minimum standards to operate something? What is an operating system? What is hardware?
Like they're just trying to establish the bare minimum of what you should understand before you go into a vendor certification, like the Cisco Certified Network Associate, CCNA. Right. Where you're going to learn some of that, obviously, but you're also going to learn sort of the Cisco methodology behind why and how we use our core level and access routing to do the things that we do for switching and routing. Right. But if you understand a routing protocol like RIP, EIGRP or OSPF, or if you understand how both the protocols TCP and IP work, you know, how they are constructed, what their packet structure is, if you can understand that at a general level, it's going to carry you foundationally into so many different things, even if you just wanted to do networking. We haven't even talked about cybersecurity yet. So let's say I talk about something like DNS exfiltration, which is a way to steal network data from a victim, and you exfil out using bogus DNS requests. If you don't know how DNS works and you see a DNS exfiltration question on your Security+ exam, which I don't know if it would be there, but let's say you do, well, then you're not going to get the question right, because you don't have a foundational understanding of what the Domain Name System actually is and does and how it makes the internet work. Right. So there's a core level of just technical proficiency and acumen that you have to have. And the worst part about all of this is when you're studying cybersecurity, generally speaking, this isn't something you can just pick up and touch. It's not like I'm learning how to weld, or I'm learning how to do HVAC repair. I can't just do hands-on journeyman practice. I can't hold the OSI model in my hand and take it apart, per se, right? We're talking about a lot of theory.
We're talking a lot about things with the way the internet was constructed way back in the 1980s, and it's not easy to wrap your brain around sometimes. Like, what do you mean, what's a data frame? What's a packet? What's up? You know, like, I don't know what any of this stuff is, but I'm reading some really weird stuff in this book and it says I have to know it for this certification exam. Right? So yeah, it's a challenge. It can really be a challenge if you're coming in cold and you don't have a mentor and you're just reading this book. I get it, people are intimidated by it and they get lost in it. And they're like, my brain shuts down, because we're talking about really ephemeral stuff. But all that stuff is super important to every other foundational aspect of cybersecurity, and it will really come to pay dividends when you are confronted with something, either personally or professionally, in your journey to being a security professional. And you're going to go, "Oh, I know how that works. I can understand the exploit or the vulnerability that's being discussed because of how it works."

Yeah, honestly, it's the greatest feeling in the world. You know, I'm doing the Google Cybersecurity Professional Certificate on Coursera right now, and it's really basic stuff. But once I finish a module and I've completed everything and I come back to work and I hear people talking about stuff, it is the most rewarding thing to be able to go, yes, I know this, I understand it, and have like a super beginner level conversation with people. But like I said, it's so rewarding knowing that I am increasing my understanding of really important concepts. But just because it's rewarding toward the end doesn't mean that I am motivated throughout all of it, right? So I end up having to put three hour time blocks on my schedule in order to find the motivation to keep on going with the certification.
And there are just times when I really struggle to sit down and pay attention to these videos and especially the readings. So I'm curious, in your experience as a mentor, what are the biggest challenges, other than it being super ephemeral content, that people face? I can see the look on your face right now. We're asking the hard questions today.

Yeah, coming at me hard. All right, so not everyone is on the same playing field when it comes to taking these tests. I've done 11 certification exams in my career. All right? All of them require a level of commitment for me to set aside the free time. And the money. Because these tests aren't free. They can be really expensive to be able to go do.

Yeah. So, listeners, if you click on the link in the description, it takes you to a security certification roadmap. And I was just amazed at how expensive some of these are. So I'm looking at the CREST Registered Technical Security Architect certification right now, that's $2,300, two exams, and they're in-person in the UK. The GIAC Security Expert is almost 7,500 for ten exams. And so, I mean, those are kind of more on the expert level, but these are really steep prices. The beginner and intermediate ones are more in the 300 to $500 range. But that's not always accessible to other people. Right. Like, sure, if you're in the security industry, you might have the salary that will allow you to do those exams. But if you are trying to get into the industry and you're working a minimum wage job studying for these certifications, that's really expensive. And I'm not saying that these certifications aren't worth it, but they are a huge investment, especially if you're not financially privileged.

You know, the first certification exam I ever studied for was my CCNA, the Cisco Certified Network Administrator.
I was working at Krispy Kreme at the time, and in between batches of donuts, because I was a cook, I was studying my CCNA book because I knew the donut life was not for me. Like a big, big donut was not going to bring me in.

Yeah. And also, if you're working a minimum wage job, that's probably not the only job that you're working. And so it's the time commitment as well, not only finding the motivation to study for the test, but also, you know, when you have free time, that's the last thing that you want to do. So you really have to be focused. And also, what if you're a single parent? What if you're a primary caregiver? What if your partner is sick and you have to take care of them? What if you are already in school?

Let's say you're trying to get into this field. You go to the Barnes and Noble or your local bookstore. You find a book on, say, Security+ or A+, as an example, and you go to your house, you start to read chapter one and chapter two, and then you realize, well, I've got self-testing, I've got things I can do to see where I'm at and that I'm understanding the material. And then you get 3 or 4 weeks into it, you read a little bit less and you read a little bit less, and then by two months you've already forgotten that you have this book and it's sitting on your desk and it's just collecting dust. That is such a common narrative from my mentees that I've talked with. And one of the things I tell them is, when I start reading a book, I've already found the money to take the test in 90 days, 90 to 120 days. I'm going to be taking this test. When you put the money down and you commit to a date, you're going to be shocked at what a great motivator that is, because you don't want to waste this money and you want to be prepared for this test. Because otherwise you will find the mental justification to go, well, I'll sign up for it next week. I'll sign up for the test next week. Oh, next month. Oh, no, I better take it.
I mean, excuses will eject from you because you don't want to go take a very hard, painful exam to get your certification in whatever you're trying to be certified in. So I always tell my mentees, commit the time and the money in advance so that you hold yourself accountable for being able to invest this effort into it.

Yeah, you've got to be honest with yourself and know yourself well enough to be able to tell what your motivation is and whether or not you feel like you actually are ready and want to go do it. There's no worse feeling than knowing an exam is coming up in a few weeks and you have done nothing yet. And so to me that is such a powerful motivator of, okay, yeah, put that money down, put that time in my calendar. And now I have to come up with a plan to figure out how to do this. On the other side of it, certifications are really great. They may not be a replacement for experience, but they do show a certain level of skill. Right. There are a lot of loud people on LinkedIn, on Reddit, who tell people not to waste their time with certifications. What would you say to people who are certification skeptics?

So where I'm at in my career right now, it would make a tremendous amount of sense for me to go get, say, my A+ or my Security+. I already have my CISSP. My career path has pushed me more from architectural engineering into security and risk management. So there's a lot of certifications I can look at and go, nah, this is not right for me at this time in my career. That math changes if that certification is a requirement for a job. Like, plain: they will not hire you unless you have it. Right. So that has to be the first consideration that anybody has to take. All right. If you're a job seeker, you have to pass the AI firewall. And you need to be able to do that. So first off, love it, hate it.
It's just the way life is. Second thing, there is a tremendous amount of gatekeeping that exists in our profession that says there is no value or worth in a certain certification, and that you shouldn't do it, or that you've wasted your time doing it. One of the most frequent targets that I see is the CISSP, which is the Certified Information Systems Security Professional. It's put out by (ISC)². It's very expensive, a reasonably hard exam to go pass. I never understood the heat. I never understood the things. Because let's say you go take your Security+, your A+, your Network+. And these are considered entry level certifications. And you don't immediately jump out of the gate going, I'm Security+ certified, I'm going to be a tier one security operations center analyst or whatever. Let's say you go into a different career path, but you took the time to commit to memory and absorb, literally, if you will, the study material that you really successfully were able to do in a test, right? So you have invested a lot of hard work in doing the thing. I cannot envision a world where I ever crap on someone else's hard work, because they took the time to be a better version of themselves. They took the time to learn and to grow and to level themselves up, right. So obviously I don't subscribe to people, especially on LinkedIn, which is the most artificial and crappy place that I know of, who are like, well, if you're a CISSP, you don't know anything about cybersecurity. Let me tell you a real story. All right? I went from working in the DoD space to the private sector space, working for a large facility. And the way I got my foot in that door was I had a college degree, and I had just passed my CISSP, because it was a firm requirement for a lot of the senior level information architecture and security protection roles that I was looking to move into. Right?
Like if you didn't have it, they weren't even going to consider you. And so when you take the exam and you go through all the course material, a lot of it is technical, but a lot of it's not, right. And so a lot of the things I was able to learn, say, well, I took something called an ITIL certification, which honestly was a vocabulary test. But one of the things I learned was to stop thinking as a purely technical person and be able to translate these technical things, and code-switch into business talk. Because when I'm talking to the vice president of information technology, when I'm talking to a CTO, which is the chief technology officer, or a chief financial officer, they know business risk and they know things like that extremely well. It's the language they talk. They don't want to know or don't really care about the minutiae of something that is technical and requires a security professional to look at. They need someone who can sit in between and just do the human work of translating, but who understands both of those things. Right. And that's something the CISSP taught me. But that's my career space. Someone who's doing more red team and penetration testing, you know, they've got to be really great at customer service and customer understanding and writing really great reports. Just because you're an offensive certified security professional with, you know, penetration testing with Kali Linux, you've gone through all that really brutal certification regime. You know, it's really funny. We haven't really talked about the hacking certs like your OSCP or OSCE, your exploit development, stuff like that. But it's really funny to me, and I love this: when you think about cyber certifications, we think about learning technical stuff and then passing a test, and then you go, okay, now how do I apply this stuff? Some of these tests are eminently practical.
So like the OSCP, there's this really difficult one day hacking competition exam where you have to break into these machines. Part two of that, last I checked, was you writing a report about it. You have to summarize all the findings that you found and you have to articulate it in a report. And I know this is important because when I worked for my electric utility, I paid people to break into systems, and I didn't care what they did. I cared about the report. That's what I was paying for, right? That's why I paid them a lot of money, for that report, so I can look at it and go, oh, crap, we are exposed over here. We need to get the system patched. We need to find some money to remediate this bad thing. Everybody wants to hack stuff. Nobody wants to write a report. Right? So there is professional acumen that is expected of you to pass. And that's considered one of the leading cybersecurity certifications in the space for hacking practitioners, like red team folks who are pen testers and stuff like that. And it's not always going to be, can I break into this thing and do this thing? That's just called, you know, hacking stuff, right? But that's the difference between amateur and professional, right? It might be right.

No, I totally agree. I mean, I am a little biased. I'm a former technical writer and my work right now is dealing with reports and blogs that researchers are writing and then handing to me. But I could talk for hours and hours about how important documentation is, how important report writing is. It's a bridge between the actual work itself and the people who are giving you budget or trying to make decisions. So having skill in that aspect is incredibly desirable for a cybersecurity professional. And if a certification is going to teach you that, that is awesome. Listeners, Joe is rubbing his head. He looks mighty distressed right now.

I hate it.
No, I hate it so much. I don't like documenting. I know, I know, it's necessary. I love it, and I thank God we have people like you and other folks like Cory and other folks at Cisco who are so good at it. But man, I'm not a fan of it. I just don't have the mental discipline to do it like you find folks do. So God bless you.

You heard it from Joe, folks. Get those reports in, write your documentation, no matter how annoying it is, and maybe thank an editor or technical writer in your life today. So that's it for this episode of Talos Takes. Joe, thank you so much for joining me. That was a really great conversation and hopefully it helps a lot of people. So stay safe out there and we'll see you in another two weeks. Bye friends!