Career Professions for Today’s Security Landscape
Julie: Hello everyone and welcome to the University of Alabama Birmingham’s online IS bridge information session. My name’s Julie and I’ll be the moderator for today’s webcast. I’m going to start off by covering a few logistics of today’s webinar, move to that slide. This webcast is in broadcast-only mode and that’s to help reduce background noise with the audience here. With that, please ensure that your speakers are not muted so that you can hear the audio that’s coming in through the webinar.
If you are experiencing any technical difficulties, please click the help icon on the bottom toolbar to troubleshoot. If you have any questions throughout the presentation, please do not hesitate to communicate with us through the Q&A box at the left side of your screen. We will be collecting those questions and addressing those at the end of the presentation. We will also be sending a link to the recording of this session after the webinar, so please look out for that link later today.
On today’s call, we have Michael Shannon, who I will introduce in more detail in a moment, along with David Schofield. David is an enrollment advisor with the University of Alabama at Birmingham. At the end of today’s call, David can address any program or enrollment-related questions that come into us through our Q&A. For today’s session, career professions for today’s security landscape, our presenter is Michael Shannon.
Michael has been in the IT industry for 30 years working for companies such as IBM, State Farm, among others, and has been a technical writer/trainer since ’95. Michael has provided training to corporations through Skillsoft and through live training courses with [inaudible 00:02:15] Riley’s learning platform to Fortune 500 companies worldwide. Michael has also authored several books and holds a variety of certifications, including Comp TS Security Plus, CIFSP, ITEL, and CCNP Security. Without further ado, I will turn it over to Michael.
Michael Shannon: Hey, everybody, it’s great to have you here today. I want to thank you for joining us for this webinar, Career Professions for Today’s Security Landscape. I also want to commend you because this is such a broad field today. The area of security, of so many paths that you can take, and it’s really important early on in your journey that you do as much information gathering as you can. Any type of lifecycle, any type of programming approach, anythings going to involve as much reconnaissance and gathering of information and intel early on in the process as you can.
I want to commend you for being here. Last night, I was just watching, I had recorded a show on National Geographic and it was called Valley of the Boom. I don’t know if you’ve heard about it, but it’s a show that goes back to, basically when I started get into IT, the early ’90s. It talks about the Netscape Navigator, which was really the first real browser that was out there. The guy who created the browser also created the SSL protocol secure socket layering that we’ve used for security, and it talks about them going public.
I remember back in 1995, I was working as a network technician for a large telecom, but on Wednesday nights, for a company called ExecuTrain, I taught a course called the World Wide Web, and it was Netscape Navigator 2.0. The point I’m making is, back then, if you were a security practitioner, or you were involved in security, you pretty much had to do it all. Today, there are so many paths you can take. For example, in a minute, we’re going to look at the two specializations and the UABMIS program. Even in those specializations, you could take so many different paths from those specialties. It’s really important, early on in the process, to get as much information was you can.
In this hour I have you here, we’re going to talk very briefly about the security landscape, what’s going on out there, maybe a security briefing type thing and then look at some of the common threats that organizations are dealing with, then I want to look at the MIS program. I’ve spent quite a bit of time evaluating the program and I want to make sure that we have a good idea, basically, of what are the synergies, what are the connections between the MIS program, which is excellent, by the way, in its coverage, and different job role sand responsibilities, as well as possible links between certifications, okay? Those certifications that are broad but are also very valuable as well. Then we’ll look at, in section three, two common paths that you would take as a security practitioner, certification paths, and then I’m going to make sure I have some time at the end to answer questions.
Now, any specific questions about the courses in the UAB master of science in management information systems, we’ve got some people here to help you with that. Let’s go ahead and dive in talking about the present threatscape now. There was some important security briefings that came out in November and December of 2018. Several top firms, several top organizations, also several individuals from different government agencies, including CIA and NSA, they made some really interesting points and some things that are applicable to us as we look to a possible career in IT security.
There’s a lot in common today in today’s threatscape with the 1940s era, Cold War. In other words, there’s a lot of brinkmanship going on out there, a lot of state-based brinkmanship, and it’s very reminiscent of the Cold War. As far as one of the CIA analysts, he said, “I’m of the opinion that the biggest threat we have now is cyber war. I’m convinced if there’s another war, it’ll have a significant element of cyber warfare or it’ll be fought entirely in cyberspace.” Some say we’re already in world war C, not world war III, but WWC, world war cyber, so the need for security expertise has never been greater.
Another challenge that companies have, whether they’re public, whether they’re private, is this rapid integration of humanity and technology. That’s a clear security concern. I remember watching the news yesterday and there was a story, Nike has a new basketball shoe coming out, and maybe you’ve heard about this, it’s called the Adapt BB. The shoe, the Nike shoe, has a smartphone app, so you can actually use the app to automatically or remotely tighten the shoe laces, and of course, it’ll do other things as well going forward as they update the app. It’s $350 for this pair of shoes.
As a matter of fact, tonight, when the Celtics play the Toronto Raptors, Jason Tatum’s going to be wearing those, so that’s an example of the IOT, the Internet of Things, which is everything has an app for it, everything’s on the internet with an IPB6 address, that integration, wearable IT, implants that we’re starting to see, more robotics, more AI. All of those things represent security threats, privacy threats, security vulnerabilities, so there’s a huge need there. Now, I don’t have a way to annotate on these slides, so I have to just point you to these bullet points visually. If you go down to the last bullet point, it says there’s an ongoing reduction in IT budgets.
What? A reduction in an IT budgets? I thought we’re spending more money than ever. No, we’re not. One of the reasons why is virtualization.
More data centers, more server forms, more organizations. Can you see slide number four? The Present Threatscape, Julie?
Julie: Yes, I see that now. It seemed it had not proceeded to slide four yet, so yeah, I pointed that out just now.
Michael Shannon: Sorry, I beg your pardon, I beg your pardon.
Julie: We’re all set now.
Michael Shannon: The final bullet point talks about an ongoing reduction, and again, the reason is because of virtualization, the reason is because we’re moving our on-premise data centers to a virtual solution, maybe cloud solutions, services provided by companies like Google Cloud platform and Amazon web services, IBM Cloud, Microsoft Azure, Oracle Cloud and others, so that’s leading to the reduction of IT budgets. However, there’s a huge skill shortage in cyber security, and that’s, hopefully, why you’re here. This is just a short list, hopefully we’re on slide number five now, the Present Threatscape, there’s a short list of the things that companies are dealing with now. We know about data theft, identity theft.
Obviously you know there was the Experian issue that happened last year in the summer, that was one of the biggest breaches in American history, right? We know about ransomware where you’ve got malware that you could just get a drive-by malware download surfing the internet or going to Google images and clicking on some picture, and the next thing you know, they’re trying to get Monero or Lightcoin or Bitcoin out of you to decrypt your files. Advanced persistent threats, an APT, or an Advanced Persistent Threat is advanced because it’s planned in advance. It can be state-based, it can be a syndicate, it can be a crime group, a hacker group, it can be a script kiddie person, it can be a wide variety of threat actors or threat agents, and it’s advanced because it’s planned in advanced. Some of these campaigns, they will actually go through a cost benefit analysis before they attack a certain company, or maybe before they attack Netflix or Sony or whatever, they’ll actually do a cost benefit analysis to see if it’s worth it, whatever they’re going to be able to steal, right?
The persistent part of that is really twofold. It’s persistent in the sense that the malware or the payload that they deliver is going to stay on that system even if the system reboots or restarts, and it even has the ability to morph and evade antivirus and other tools. It’s also persistent in that if they see it being enough of a payoff, they’re going to keep trying. They’re going to keep trying and keep trying. They may actually even try to create a fake identity and get somebody hired at that company, if the payoffs big enough.
That is an ongoing advanced persistent threat reality. Often, the payloads are going to be a zero-day code that nobody knows about yet and it’s just waiting to be launched. We’re also seeing a lot of extortion and blackmail, or we call it blackstortion, where somebody who’s a key individual of the company, maybe they’re part of the C suite or the C team, right? The CEO, the CIO, they will try to get some type of content onto their system, like child pornography, or something like that, and then they will blackmail or try to extort that CEO.
It’s very similar to ransomware, but we’re starting to see that type of activity, as well. Rogue cyber mining is prevalent. Now, we saw a lot more rogue cyber mining in 2017 when the price of cyber currency had that huge run up in the fourth quarter. It’s stabilized now, so cyber mining is not as big a threat as it used to be, but companies like Google Cloud and Amazon web services still have to deal with people trying to use Cloud resources to do that in a rogue way.
Distributed denial-of-service attacks where you get some type of code that has a reverse connection back to some command and control server, maybe somewhere in eastern Europe or some other part of the world. The most common DDoS we call Botnets and that connection can lead back to a command and control server or it could be to another member of that bot network, another bot. Also, web service attacks. Using HTTP, and HTTPS is the most common protocol used on the internet, it’s vast majority of our traffic, so we have to deal with insecure browsers or unsecure browsers, and that’s not really going to change.
Vendors, large companies really don’t want to lock down browsers, they don’t really want to make them highly secure because you lose functionality, you lose the ability to track what that customer’s doing. You lose interoperability, so that’s a huge challenge that we have, just unsecure usage of browsers and web clients out there. There are attacks against the backend web services that are using SQL or Microsoft SQL or MySQL, MySQL with SQL injection attacks. Cross-site scripting and request forgery on websites, many websites are vulnerable to that.
Attacks against SSL, I mentioned that Netscape is where SSL came from. Nowadays, you should be using TLS, Transport Layer Security, 1.1, 1.2, 1.3, you don’t want to let somebody who, as a client, downgrades your web server to SSL because there’s vulnerabilities there. As we see just this short list, I could go on and on, I could spend the rest of the hour just talking about threats, but as we see the present threatscape and we realize the need and the demand for qualified, accredited, certified, validated through degrees and experience, security professionals, hopefully that’s why you’re here. This is a career that you decide this is what you want to do, I can’t really recommend a more exciting and demanding career.
One thing I tell a lot of my students is if you decide to become a security professional, it’s like if you decide to get a master’s of science degree, or even if you decide to go just a pure certification path, you’re going to be in graduate school the rest of your life because it’s just a constant process with newer technology and newer threats and vulnerabilities. Now, when I look at the management information systems program here at UAB, two things happen to me emotionally, one, I’m super impressed, but secondly, I’m bummed because I wish that I had this type of program when I was doing my undergraduate work. I did undergraduate work at University of Houston, and when I was there, all we had was mainframe computers. We had a mainframe in the computer science department, we used IBM punch cards, the courses we had in computer science were things like Fortran language, COBOL language, it was excruciating.
Nothing as broad and exciting as this core program here, so I’m a little bit jealous. I went and did my graduate at Texas Tech in political science, so you can see, it doesn’t really matter where you come from, but if I could go back in time in my DeLorean, I sure wish I would’ve had a program like this one. When I look at this program, for example, I look at things like Intro to Cyber Security, I look at the IT and Business Strategy, what impresses me there, and this is so important, gang, is that if you go back and you watch, let’s say that show I mentioned, Valley of the Boom, people back in the ’90s that were IT, they were really geeks, they were really programmers, they weren’t business people. Today, you don’t have that luxury.
If you’re going to pursue this path, this is why you see things like business strategy and management in these types of programs, you cannot separate your IT and your security knowledge from understanding the synergy with business, with the bottom line of the company, with the value proposition of your for-profit or nonprofit company. There’s a tight integration, so it’s very important that a program have this type of business strategy and business synergy in it like this one does. Of course, IT governance and management, 612, that’s critical because there are so many different types of regulations out there. We have HIPPA in the healthcare industry, we have Sarbanes-Oxly in the financial industry, retail has PCIDSS, if you’re dealing with EU now, March of 2018, the GDPR came out, their new privacy act.
You go work for a company, you go work for an organization, you’re going to be under, most likely, some type of regulation or governance, so that’s key that you have that in a program. I look at 615, that is an exciting topic for me, it’s an exciting course because social media, social engineering, social networking is so pervasive and so rot with security issues. Virtual communities, I have a 14 year old and she’ll tell me, I can find out from her, about what’s hot. They get off of Instagram and I think now she’s onto this thing called VSCO, which is V-S-C-O, which is a photography site but you can also augment all these pictures and stuff, so she’s really into this new VSCO site.
It’s critical that you have some type of knowledge of using different type of tools for doing opensource intelligence with social media sites. Data science, 617, that’s a core topic and that’s also critical in the security profession. We’re going to look, by the way, at these job roles and responsibilities here in just a minute. I see data science and I think, you know what? You really have to have some Python scripting capability.
If somebody asked me a question, and I get this question, if you were to do any type of programming, if you’re not a programmer and you want to do anything, I would say Python. Go learn Python. We’re also seeing the R programming language, which is critical for data science, for creating visibility representations of different types of metrics and key performance indicators, meaningful, success factors, so the R programming language. I see data science, data science for IT, data science for business, that is a very important topic.
Then, of course, project management. More than ever, you have to understand the business model at the company you’re working for, your organization, and having project management skills is really super important. If somebody’s going through and they get their master’s degree, they may want to consider, like one of those certification paths like PNP, PNP has their PMBOK approach, or PRINCE2 or Agile, one of those certifications, once you get enough experience, that’s a great thing to think about. Now, I look at this core program, this is one of the things, when you look at a program and you compare it to, for example, all the different types of certifications that are out there, which we’ll look at.
Here’s one of the key factors, and I’ll maybe just go to the next, there’s two specializations. The first concentration, which would be more in my wheelhouse, is cyber security management, so as we look at this, when you look at the different courses that are offered by a program and you see a strong correlation between their course offerings and the actual objectives in those courses and you compare them, you see a correlation to the same type of objectives in popular certifications out there, which we’re going to talk about and the domains of those certifications. That is a really positive indicator. That’s a good indication that the course designers at the college or university really have their pulse on the real world industry.
Remember those certification exams that are out there, they’re based on input from a wide variety of industry stakeholders and practitioners and experts that themselves have master’s of science degrees, some PhDs, so they understand that synergy. When I see a program like this and I see, in the cyber security management specialty, I see, obviously, we’re going to be looking at cyber attacks and threat mitigation, when I see digital forensics, that really impresses me. These are strong correlations between the objectives of many of the popular global certifications. That’s what some of you need to look for, obviously.
Now, one thing that I mentioned earlier, that when you see a specialty like this, you can look at these four courses and there’s so many paths you can take from here. You go to 613, IT Security Management, maybe like an ITIL 4, which is now the most recent version of Information Technology Infrastructure Library, ITIL, if you go that management path, or COBIT5, that direction, or you might want to be involved in cyber-attack and threat mitigation or response, cognitive operations, all of these topics, by the way, are critical to be a well-rounded security practitioner. Digital forensics, I’m really excited to see that there.
Another way to approach some of these different courses, when we think about the different job roles that we’re going to talk about here, well, I’ll wait until I get to that slide. Let me go look at the next specialization, which is more of an IT management. This is not going to be as security centric, the IT management, however, notice incident response and business continuity, that course, 621, is in both of the concentrations because that this the most important aspect of security. It’s risk management. You have to be able to handle and treat risk, you must be able to recover from incidents.
First of all, you need to be able to determine what is an event and what is actually an incident, and then the different classification or level of reaction to that incident and be able to get that business back into normal operations as quickly as possible. That is the vital, critical risk-management skill or specialty that a practitioner must have. Understanding business continuity, planning, business impact analysis, developing an incident response team or management approach, it even includes things like backup and restore policies. Continuity of operations, COOP, and that’s such a critical knowledge base for a security practitioner and that’s why I can see they’ve included it in both concentrations, so that’s critical.
Notice here also, budgeting, capital budgeting. Again, it goes back to the concept of you can’t just be just a geek anymore. You can’t just be a coder. A security practitioner needs to have some business acumen and some business skills. You have to understand that the things that you develop and acquire have to fit into the budget of your department or your organizational unit, or your business unit.
Planning, understanding different life cycles and understanding different solid approaches to developing application security and system security. I like 641, just leadership in IT. Developing the ability to leave a program like this and assume, very quickly, not just an administrative role but maybe a management role, and maybe a management role that, hopefully quickly, gets you up into that C suite or that C team, and we’ll talk about that, as well. The big takeaway here is evaluating a master’s program and seeing how there’s a synergy, how there’s a mapping to the same types of domains and objectives of the main industry certifications and the main job roles.
Now, these job roles that I have here, and I had a little bit of help from my friend Denise on this, I got this from a particular website. I’m going to go ahead and put a link to this website, I’m going to put this in the Q&A area down there. I’ve already got a question coming in, and we’ll get to these questions, I got one from Daniel coming, but I’m also going to go ahead and send this link out to everybody. Let me send that link out.
I’m going to answer one of Daniel’s questions here and I’m going to send the link out, Daniel. I’ll hit your question specifically. I think I’m going to answer your question, by the way, right now in the next slide. Let’s send this to all.
This is the site this came from. Now, one of the good things about this, as we look at these job roles, is this is Info Sec Institute, and they also do training. I haven’t taken any of their training, I’m not recommending them, but the value of this website is it’s one of the most comprehensive repositories of security job roles and responsibilities that I’ve ever found. The other cool thing about this website is for each one of these job roles, it has metrics and it has information about the kind of salary you can expect, the demand for this job role, so it actually has a meaningful metrics for each one of these roles and responsibilities based on their industry research, so you get an idea of what the demand is, what the salary ranges are, what to expect, so it’s a good website. I highly recommend it.
The way I put these roles out here, starting with more entry-level and then we’re going to move up as we go. If we look at this slide, we see auditors, specialists, technicians, researchers, those are more the entry-level jobs. For example, if you look at security auditor, if you get an entry-level security job for a corporation, often what you’ll be doing, if you’re entry-level, is proving yourself. You might be on the service desk, you might be doing tech support or security support, you might be doing monitoring, just sitting there eight hours a day doing continuous monitoring of logs and alerts and alarms and monitoring and auditing systems using manual and automated system. That’s what you might expect.
There’s not so much of the, I have to crawl around and run cable anymore, but there might be some of that, too. These are some of the more entry-level. Now, if you are going to go through a master’s program and you get a master’s program, you maybe combine a couple of popular certifications to it, what you’re doing is you’re improving or increasing the chances that you will be able to go beyond these entry-level jobs. Some of these are specialties, like SCADA, for example, S-C-A-D-A, that’s Supervisory Control and Data Acquisition, so that’s dealing with, let’s say, public utilities, the water company, a nuclear facility, the electrical grid, the programmable logical controllers, the PLCs they have, so that would be specialty-type of technician.
As a matter of fact, I just read an article a couple days that our U.S. electric grid was just hacked with a spearfishing technique, so what they did was somebody had some cleverly formulated emails and they targeted them towards contractors, contractors who had system access, right? They actually said that they could have temporarily shut off power. Now, there’s blame to go around, we don’t really know who it was, but it was a huge amount of states that were vulnerable. I’m in Texas, you’re probably in Alabama, maybe, our two states were not vulnerable, but a lot of others were, especially on the West Coast.
You can see some of these are very specialized, like a cryptographer over on the far right. If you like math, if you’re into mathematics, if it’s a strong suit for you, then something like cryptographer and malware analyst would be something you would look at. A data recovery specialist, going in and creating images of memory and volumes and drives and then analyzing that with tools. A lot of these are just hands-on type job roles.
Pen tester, ethical hacker. Another way to differentiate, because there’s a lot of job roles here, let me give you another way to think about these roles and responsibilities, and maybe this will also help answer the questions that came in from Daniel. I like to combine these into what we call blue team, red team, and white team. If it’s blue team, that means you are in the mitigation category, you’re an administrator, you’re involved in protection, you’re doing incident response, data recovery, right? Visibility, it could be cryptographer, you’re creating crypto systems, threat mitigation, that’s the blue team type thing.
A red team is more of the attacker side, so you’re a pen tester, you’re doing ethical hacking, you’re doing cryptoanalysis, you’re looking for vulnerabilities, right? There’s those two ways to look at these job roles. Or if you can do both, if you’re somebody who’s developed expertise in blue team, the attacker, and the red team, the defender, we call that the purple team because red and blue gives us purple, I think, I don’t know. You have strengths in both areas.
The white team is more of the auditor, the monitor, forensics, reporting, creating dashboards, using the R programming language to create visibility tools, data science, doing research. Blue team, red team, white team, that’s a good way to look at these, because remember, there’s so many different paths we could take. Now, as you move up, right, in the job roles, for those of you who, let’s say, decide I’m going to go ahead and I’m going to go for this master’s degree. I’m going to go for that graduate-level information degree, it’s more likely that with that degree and a couple of key certifications, one of these jobs is going to be what you’re shooting for.
Management positions, IT manager, data center manager, analysts, analyst, architect, engineer, that’s the type of thing. For a lot of organizations, what they’re really shooting for is to become an executive management, a chief security officer, a chief technology officer, a chief information, a CISO, a CSO, an information security officer, a privacy officer. There’s really three paths to this executive management. You can just get in with a company at a lower level and just work your way up the company, that’s a path, it takes longer, but you can do it.
You can go the, I get experience through different companies, I get a bunch of certifications and I developed this experience profile and I get hired by a company as a CSO, that would be the path that I would go, since I don’t have a degree, a master degree or a PhD in MIS or computer science, but I have 30 years of experience. That would be my path, if I wanted that particular type of job, which, at this point in my life, I do not. That’s a path. The quickest path, in my opinion, though, to become part of the C suite or the C team would be to get a master’s degree, and then with some key certifications.
Let’s talk about two paths real quick. Certification paths. Here’s a common certification path, and again, I’m looking at these as a compliment, most likely if you’re on that fast track to move up in your career as quickly as possible, I’m looking at these as a compliment, for example, to some type of graduate work. The first one you want to look at is CompTIA, which they have a bunch of certifications, they’re globally known, CompTIA Security Plus. CompTIA Security Plus, this is the kind of certification that, if you go back and you look at just the core program, the core program covers most of the domains of Security Plus, and therefore, you could knock this one out, let’s say, in the summer, right, or between semesters and go take that. The thing about Security Plus is there’s no prerequisites, you just study the objectives and you go take the exam.
It’s very broadly accepted. That’s a great entry-level certification that I recommend everybody get. Now, below that, we see the ISC squared organization, which is also a very globally renowned organization. They have one called the SSCP, the security practitioner, and it’s similar to Security Plus, it’s their version, but you have to have one year of on-the-job experience. Anything below Security Plus, you’re going to have to have some type of job experience out there and you have to show through letters and through documentation that you’ve had that experience.
Here’s one of the great things about going to college or doing graduate work and the certifications, whether it’s the ones at the bottom, CISSP, or the advanced practitioner, CASP, or the ISACA, security manager or security auditor, all of those, you have to have three to five years of on-the-job experience. The good news is your degree will qualify you for one, it depends on the program, but your existing degree will go ahead and qualify you for one or two years towards that three to five years of working experience. That’s one of the positives. All of these organizations, ISACA, ISC squared, CompTIA, they encourage people who go through undergraduate and graduate programs to also get the certifications, and they’ll reward you by applying that towards the prerequisites.
This is a very common path. This is a path that I’ve taken. I, at one time or another, have taken all of these exams, passed them and obtained these certifications. Some of these, I got the certification and I let it lapse, and that’s something I want to point out to you, when you get a certification, most of them are going to expect you, over the course of a year or three years, to get continuing education credits to maintain that certification. That’s something to keep in mind.
If you get the CISSP, which I would say is probably the most globally known certification, I actually got that one twice, I got it in 2002 and then I let it lapse and I got it again in 2014, don’t let it lapse. Do those education credits. Another very common path that people take as security practitioners is the GIAC path. This is an organization that has set five main specialties. Obviously, CompTIA security plus, you’re going to take that first because that will actually take the place of their introductory course.
The next step would be, after Security Plus, the GSEC. By the way, there are no prerequisites for any of these, but they’re extremely expensive and they’re very difficult. Typically, people will go get official training for these. After you take the GSEC, then there’s five specialties that GIAC does: cyber defense, penetration testing, forensics and incident response, developer, that’s where you would use data science tools, Python, R programming, and then management leadership. You can take one or more of those paths for specialties.
Let me just give you an example. For example, let’s say you’re going the cyber defense path, in the cyber defense path, you wouldn’t need that first introductory course like the GISF, you wouldn’t need that because you’ve taken Security Plus and you’ve passed that, but you would need to get the intermediate, GSEC. After that, you start getting into the even more granular, enterprise defender, parameter protection analyst, advanced intrusion analyst, Windows security administrator, Unix and Linux administration, continuous monitoring certification, certified detection analyst. This is a path, another path, that people can take.
Notice, as I continue on, a couple of more advanced things, critical controls and defending advanced threats, all those different advanced path you can add to that certification. Below that, you see where it says ISICS, that’s an example of a very special path for somebody who’s going to go into that SCADA technology. Remember supervisory control, that kind of thing for a utility, so we actually have a path for that. Those are the two, I would say, main cert paths, and there’s lots of synergy and correlation between solid graduate programs in IT and security. There’s this path and there’s this second path.
Now, the final thing I want to talk about before we do our Q&A, because I want to give it at least 15 minutes for Q&A if we need it, so my final slide I want to show you is I’ve been talking about vendor-neutral type certifications, so everything I’ve shown you so far, we would consider it to be non-proprietary or vendor-neutral. It’s quite likely that once you finish your graduate program and you get into the workforce, maybe you get an internship or you get into a company, private or public, they’ll be using some specific type of technology. You may also have, in your future, proprietary security certifications. For example, these are the entry-level, so if it’s Cisco, you would take the CCENT exam, which is their route and switch exam, their basic route and switch exam, and then CCNA security, right?
If you go to a company and they’re using Palo Alto Networks, their entry-level is called the PCCSA, the Cybersecurity Associates. You may have to get that. You may have to even go farther and get a certification that I have, the Palo Alto Networks Certified Network Security Engineer, I also have that certification. Maybe they’re using Juniper equipment, well, you have to get the Junos, that’s their operating system, Associate, and then their Security Specialist, I have that certification as well.
If you’re going to go the Microsoft path, the first order of business is the Microsoft Technology Associate. Maybe your company uses Google Cloud platform or Amazon web services, they have certifications that may be in your future, as well. The good news is these are all complimentary to what you’ve learned in your graduate program, which will be also more vendor-neutral and less proprietary. Maybe you’re dealing with virtualization, vSphere for example, or one of the other virtual machine vendors, you may have to go that path.
Or maybe a Red Hat Linux, which is very popular. In addition to these, what I would call non-proprietary or vendor-neutral certification paths, like this first one or the GIAC path, in your future, as a compliment to your education and your experience, you may also have a more proprietary security path based on the platform and the security technology, the firewall systems, the IPS systems, the other security that’s being used by that company that’s hiring you or looking to be hired. Now, obviously, looking at this list, Cisco is the market leader, by far. I think Palo Alto Networks, they’re trying to get 11% of the market share, but if you look at the infrastructure of the internet, Cisco dominates that area.
You know what, gang? I hope this was helpful for you. I know I gave you a lot of information, but the good news is you’re information gathering, you’re doing reconnaissance, you’re getting some answers early on before you start to expend your own time and your own resources on your career. Again, you want to get as much information as possible. You don’t want to just dive in, right, you want to get as much information, and so hopefully, if you have any questions out there that you have, feel free to put those in the Q&A area now.
Daniel asked the question earlier, what are the most common entry titles or paths? Hopefully you see Security Plus, and would be an entry path either way. That’s a very well-accepted certification across the board. The good thing about Security Plus is unlike most of the others, it has no prerequisites, so that’s the kind of thing you want to knock out between semesters or during the summer while you’re going through a graduate program.
The good news is what you’re learning in the core graduate program is going to be teaching you a lot of the domains of Security Plus and CISSP. Julie’s saying she has some questions that were sent for David. Okay, so Julie, I’ll let you take over.
Julie: Yes, I will. There are more questions for you here, you’ll see that as I put it in the chat for you.
Michael Shannon: Yeah, let me address that question, here’s the question, and it’s a very, very good question, how fast does the security landscape change and how can a professional keep up with it? This is my humble opinion, there’s very few negatives to, let’s say, a college, a university program. This is not with all programs, but from my experience and analysis, one of the negatives of a college or university program is sometimes they become very static. In security, they can get outdated within three or four, five semesters. That is something that is critical.
Now, the core information is going to be extremely valuable, but that, in my opinion, is one of the pros and advantages of combining a degree with certifications because the certifications are often updated. The CISA and CISM, the security auditor and security manager, those are changed every year. Other ones, like Security Plus and CISSP, those are changed every two to three years, so that’s one of the advantages of using certifications and maintaining those certifications, is that that shows to a potential employer, it shows even to your own customers as a consultant that you’re also staying up to date. It’s like if you’re going to be a nurse, if you’re going to be going into healthcare, if you’re going into the financial, if you’re in the insurance business or you’re a real estate agent, there’s ongoing continual education in all of those fields.
You use that to show your own perspective employers or your own customers or partners, hey, I’m keeping up with what’s new. The landscape does change, but what really changes is those new threats, new vulnerabilities and new technologies. We encrypt our data at rest, we encrypt our data in transit, typically with AES, AESCBC or AESGCM, well, that doesn’t change. The techniques and the algorithms, we typically add to them.
The thing about security is all of these frameworks and architectures are extensible, so what you’re keeping up with is just new variations. The way they extend IPSEC, the way they extend EAP, the way that we’re extending other frameworks and architectures. I’m not familiar with the NSACAE designation, so you’ll have to look that one up on your own. That was the question that came in, what’s the importance of the NSACAE designation? I don’t have an answer for that one.
Julie: Thank you, Michael. We have a couple of enrollment-based questions for David to address, in terms of requirements for the program. The first one here is are there GPA requirements and what would those be?
David Schofield: Absolutely. Thank you very much. As far as the undergrad program, what we’re looking for, typically for admission, those that have under 24 college credit hours would be basing their admission on their high school GPA or GED. In that case, if you’re out of high school longer than four years, we’re looking for a 2.75, and if you’re fresh out of high school, we’re looking for a 2.25. If you have over 24 college credit hours, we’d base your admission on that experience, and we’re looking for a 2.0 GPA to transfer in. For the graduate, it’s a 3.0 GPA, and the further away you get from that 3.0, we’d have to score higher on GMAT to offset that.
If it is a 2.2, it’s not very realistic, but if it’s not a 3.0, it’s slightly under a 3.0, it doesn’t automatically disqualify you to the program. You just have to score higher on a GMAT exam.
Julie: Okay. Thank you. The other question was in terms of the length of the program. It actually might be the different programs you offer, really, as I think about that question.
David Schofield: Yeah, absolutely. For the bachelor’s degree, you’re looking at a little over 4.3 years with the way we have the program structured, if you were to start from scratch. For a brand new bridge program, and when I say brand new, our first term just began January 7th, so last week, the bridge program itself will take you a year, it’s six undergraduate-level courses, takes three semesters. The graduate program, after you finish the bridge, takes a year and a half, so five semesters.
The bridge, in total, would take eight semesters, and the undergrad itself, 4.3 years.
Julie: Okay. If there are other questions, we still have a few more minutes with Michael. I just want to thank him for his expertise and opinions here, being a real practitioner in this space. Yeah, one question I thought of, Michael, is at a high level, why would someone choose to go into cybersecurity as a career? I think people, they may have some experience or they’re looking at this opportunity, if you can get some perspective on that and what the future holds.
Michael Shannon: What I would say to that is if your goals I just want to have a decent salary and get a job, then I’m not going to encourage you to pick a path through IT security because, like I said, it’s a demanding industry. As I mentioned, you’re going to be in graduate school the rest of your life. Not all professions are that way. Many professions, you get a particular level of knowledge and you can pretty much ride that knowledge for years.
Not so in the security field. The other advantage is that you have so much opportunity. For example, I was going to mention this earlier, but let’s just talk about the insurance industry, there are several insurers that provide cyber policies, or they have writers on existing policies, so companies like AIG or Travelers or the Hartford or Chubb, those are companies that are looking for security expertise and practitioners. Cyber insurance is another growing field, so the advantages of this career is that it’s expanding.
Hopefully one thing that you got from this training is that the more paths there are, the more specialties there are, the more opportunity that there is.
Julie: That’s great, thank you, Michael.
Michael Shannon: I’d also say, if you hate math, if you hate math, this might not be the right path for you. You might want to look maybe more at management or governance that type of thing, just general IT. Also, it doesn’t hurt now to have some scripting skills, Python, Ruby, Go, understanding JSON and those types of things. If you’re going to be taking a security career, you’re really probably going to have to get some scripting or programming knowledge along with it.
Julie: Yes, that’s great advice. The languages we should all learn, I totally agree with that. What I’d like to do is just thank everyone for their time today. Thanking Michael and David for joining us.
Oh, you know what? There is one more question that popped in, we do have a minute left. Here, I’m trying to read the question here.
Michael Shannon: I’ll go ahead.
Julie: Oh, sure, there we go, it’s in the Q&A.
Michael Shannon: Yeah. The question is does having a security clearance level help for better job opportunities? The answer is absolutely. Absolutely. Don’t get arrested for anything. Maintain control of your finances because those types of issues will affect your ability to get security clearances.
Where I live here in Texas, there’s an air force base and to be able to get to do contract work there, you have to have a security clearance, so that’s a really good question. Yes, it definitely would help in job opportunities, absolutely.
Julie: Great question, thank you. I think that’s it for today. I don’t see any further questions coming in. Again, I want to thank everyone for their attendance and for their interactions today with the questions. This has been a great webinar, and thank you, Michael.
Michael Shannon: Thank you everybody. Great having you here today.