Cyber Security Skills in 2018

Last week I passed the EC-Council Certified Ethical Hacker exam.  Yay to me.  I am a professional penetration tester right?  Negatory.  I sat the exam more as an exercise to see if I “still had it”.  A boxer returning to the ring.  It is over 10 years since I passed my CISSP.  The 6-hour multi-choice horror of an exam, that was still being conducted using pencil and paper down at the Royal Holloway University.  In honesty, that was a great general information security bench mark and allowed you to go in multiple different directions as an "infosec pro".  So back to the CEH…

There are now a fair few information security related career paths in 2018.  The basic split tends to be something like:

  • Managerial  - I don’t always mean managing people, more risk management, compliance management and auditing
  • Technical - here I guess I focus upon penetration testing, cryptography or secure software engineering
  • Operational - thinking this is more security operation centres, log analysis and threat intelligence and the like
So the CEH would fit as an intro to intermediate level qualification within the technical sphere.  Is it a useful qualification to have?  Let me come back to that question, by framing it a little.

There is the constant hum that in both the US and UK, there is a massive cyber and information security personnel shortage, in both the public and private sectors.  This I agree with, but it also needs some additional framing and qualification.  Which areas, what jobs, what skill levels are missing or in short supply?  As the cyber security sector has reached a decent level maturity with regards job roles and more importantly job definitions, we can start to work backwards in understanding how to fulfil demand.

I often hear conversations around cyber education, which go down the route of delivering cyber security curriculum at the under sixteens or even under 11 age groups.  Whilst this is incredibly important for general Internet safety, I’m not sure it helps the longer term cyber skills supply problem.  If we look at the omnipresent shortage of medical doctors, we don’t start medical school earlier.  We teach the first principles earlier: maths, biology and chemistry for example.  With those foundations in place, specialism becomes much easier at say eighteen and again at 21 or 22 when specialist doctor training starts.

Shouldn’t we just apply the same approach to cyber?  A good grounding in mathematics, computing and networking would then provide a strong foundation to build upon, before focusing on cryptography or penetration testing.

The CEH exam (and this isn’t a specific criticism of the EC Council, simply recent experience), doesn’t necessarily provide you with the skills to become a hacker.  I spent 5 months self-studying for the exam.  A few hours here and there whilst holding down a full time job with regular travel.  Aka not a lot of time.  The reason I probably passed the exam, was mainly due to a broad 17 year history in networking, security and access management.  I certainly learned a load of stuff.  Mainly tooling and process, but not necessarily first principles skills.

Most qualifications are great.  They certainly give the candidate career bounce and credibility and any opportunity to study is a good one.  I do think cyber security training is at a real inflection point though.

Clearly most large organisations are desperately building out teams to protect and react to security incidents.  Be it for compliance reasons, or to build end user trust, but we as an industry need to look at a longer term and sustainable way to develop, nurture and feed talent.  Going back to basics seems a good step forward.

Cyber Security Skills in 2018

Last week I passed the EC-Council Certified Ethical Hacker exam.  Yay to me.  I am a professional penetration tester right?  Negatory.  I sat the exam more as an exercise to see if I “still had it”.  A boxer returning to the ring.  It is over 10 years since I passed my CISSP.  The 6-hour multi-choice horror of an exam, that was still being conducted using pencil and paper down at the Royal Holloway University.  In honesty, that was a great general information security bench mark and allowed you to go in multiple different directions as an "infosec pro".  So back to the CEH…

There are now a fair few information security related career paths in 2018.  The basic split tends to be something like:

  • Managerial  - I don’t always mean managing people, more risk management, compliance management and auditing
  • Technical - here I guess I focus upon penetration testing, cryptography or secure software engineering
  • Operational - thinking this is more security operation centres, log analysis and threat intelligence and the like
So the CEH would fit as an intro to intermediate level qualification within the technical sphere.  Is it a useful qualification to have?  Let me come back to that question, by framing it a little.

There is the constant hum that in both the US and UK, there is a massive cyber and information security personnel shortage, in both the public and private sectors.  This I agree with, but it also needs some additional framing and qualification.  Which areas, what jobs, what skill levels are missing or in short supply?  As the cyber security sector has reached a decent level maturity with regards job roles and more importantly job definitions, we can start to work backwards in understanding how to fulfil demand.

I often hear conversations around cyber education, which go down the route of delivering cyber security curriculum at the under sixteens or even under 11 age groups.  Whilst this is incredibly important for general Internet safety, I’m not sure it helps the longer term cyber skills supply problem.  If we look at the omnipresent shortage of medical doctors, we don’t start medical school earlier.  We teach the first principles earlier: maths, biology and chemistry for example.  With those foundations in place, specialism becomes much easier at say eighteen and again at 21 or 22 when specialist doctor training starts.

Shouldn’t we just apply the same approach to cyber?  A good grounding in mathematics, computing and networking would then provide a strong foundation to build upon, before focusing on cryptography or penetration testing.

The CEH exam (and this isn’t a specific criticism of the EC Council, simply recent experience), doesn’t necessarily provide you with the skills to become a hacker.  I spent 5 months self-studying for the exam.  A few hours here and there whilst holding down a full time job with regular travel.  Aka not a lot of time.  The reason I probably passed the exam, was mainly due to a broad 17 year history in networking, security and access management.  I certainly learned a load of stuff.  Mainly tooling and process, but not necessarily first principles skills.

Most qualifications are great.  They certainly give the candidate career bounce and credibility and any opportunity to study is a good one.  I do think cyber security training is at a real inflection point though.

Clearly most large organisations are desperately building out teams to protect and react to security incidents.  Be it for compliance reasons, or to build end user trust, but we as an industry need to look at a longer term and sustainable way to develop, nurture and feed talent.  Going back to basics seems a good step forward.

ForgeRock OpenAM Deployment Training in Bangalore, India

This blog post was first published @ www.fedji.com, included here with permission.

Just yesterday, I concluded a five day ForgeRock University training program on ForgeRock OpenAM at Bangalore. I wish to express my sincere gratitude to each one in the picture below for showing up for a ForgeRock University course on our Access Management solution and wish them success in their ForgeRock Projects.

OpenAMDeploymentTraining
To know what we discussed during the training or to subscribe for one such program, all details are here.

If you aren’t looking for a detailed program on our Products as the one you find in the link above, we do offer half a day free (as in beer) overview session on both ForgeRock OpenAM and ForgeRock OpenIDM, the details of which are below (keep checking the links below for the next occurrence):

ForgeRock OpenAM Product Overview
ForgeRock OpenIDM Product Overview

Lastly, if you are keen to validate/demonstrate your skills in ForgeRock OpenAM, check out ForgeRock Certified OpenAM Specialist Exam.

Again, to all my friends who dropped by for the OpenAM training, thanks for all the fun and learning.

OpenAMTrainingCollage

Availability in OpenDJ Training in London, Week of June 23rd.

TrainingThe ForgeRock University department has scheduled an in person, instructor led training for the OpenDJ Administration, Maintenance and Tuning module, in London from June 23rd to June 26th 2014.

The 4 days training provides the perfect opportunity to learn in details everything you’ve ever wanted to know about the OpenDJ directory service and how to get the best of it.

The training is firmly confirmed but still have a few seats available. If you’re interested, you can register here.


Filed under: Directory Services Tagged: administration, class, directory, directory-server, ForgeRock, instructor, ldap, London, maintenance, training, tuning, university