Not everything that tastes good is healthy, and not everything healthy tastes good. I think of exams as the latter. They are one way to test knowledge, and that attitude is a big part of how I survived getting certified. After taking all kinds of exams, one thing hasn't changed – I don't like them. I get anxious when faced with tests. I dislike the all-or-nothing of each question. I have an aversion to the idea that the items can be drawn from the fine points of any of the 100,000+ words that I just read. On top of that, exams are an imperfect form of testing one's knowledge (a trait shared by any other type of academic testing). What has kept and what keeps me going despite all of this is the goal – getting that certification.
Lessons from My Past on Obtaining a Certification
My years in music and martial arts have provided me with plenty of lessons in how I approach certifications. I'll mention a couple here. (You may not have a background in these, but the lessons aren't relevant to music and martial arts alone. You'll be able to identify something in your past that provides these same lessons.)
A Certification Prep Lesson from Music
Practice. (One might call it rehearsal.) Or you can say, "Practice makes perfect." Or even, "Perfect practice makes perfect." The important takeaway is that preparation has to be done. Take little tests (10-15 questions), take long practice exams, use notecards, make a Python script for a quiz – anything to prove that A) you can take tests and B) you won't pass out if you fail.
A Certification Prep Lesson from Martial Arts
The main lesson I learned is perseverance. Don't give up. There are two sides to this coin. One, when you put in the time and effort, you succeed. You might not be the best or the fastest or the strongest, but you'll get there. And when you get there, you are in a different league. This flows into the second side: respect. People who have the belt or the degree or the cert (pretty much any accomplishment) automatically know you're part of "the group." You've done what's needed to earn it. They all know you didn't give up.
Trajectory to Obtaining an Infosec Cert
I had to ask myself along the way, "Do I want to be in infosec? Or do I just want a place to work?" Everything was fine when it was just a job. I did what I was paid to do. There's nothing at all wrong with looking at it as just a job. But there's frustration involved. Where do I spend my time? How can I limit what I have to do or learn? When I changed to "I want to be in information security," my whole mindset pivoted. How can I know more? There is SO MUCH to do. How can I manage my time better? How can I leverage technology better to make my tasks and projects faster and more efficient? How do I communicate this all to my coworkers, my managers and the C-suite? I chose information security because I was happy in my profession, but what seemed to be lacking in the company was a focus on security. (NOTE: There was not a lack of security. Everybody did an excellent job of securing the organization. There just wasn't a security focus.) I decided that maybe I could fill in a little of that here and there. I did that in my spare time, you know, in those times when you have 10 minutes until a meeting or when there wasn’t a project that you could really start or complete. Or when some task was eliminated, there's a little extra time. Do you have a job? Or do you have a career? This outlook determines where you will put your time, money and effort. If you're truly stuck on what cert to get (or whether you should even get one, for that matter), you may find that you haven't committed to a career yet.
Training for an Infosec Cert
I believe in quality training, but I'm also a firm believer in free training (or, more appropriately, being an autodidact). What options are available for what I’m studying? Some of the most readily available resources are white papers and online videos. What are the available avenues for you? What can you afford? What will your company reimburse?
-- $60 for a book
-- $150 for an online class
-- $1,500 for a class with other materials included
-- $3,000 for a week-long boot camp
Recently, I was able to afford the university path, but it wasn't always that way. I've downloaded a lot of free whitepapers, attended free events, signed up for free online training courses, and watched many online videos. If it was free, I snagged it. This led to many sales emails, but that's part of the cost of "free." Performing a personal ROI and debt repayment schedule is highly valuable when committing to the certification path. If I get cert A at the cost of X, I could start in position B, receive Y as pay, and pay off my debt in Z years. (Yes, math is integral to the certification path.)
Tools for Passing an Infosec Cert Exam
What counts is passing the test, not how glamorous your study option is. Barring unethical practices (e.g., cheating), if something helps you remember, use it. My favorite tools are Evernote, Quizlet, Notepad (yes...Notepad), and music. But use whatever works for you! Gather tools that help you study. Make it anything that you like, anything at all that helps you study. These tools don't have to be limited to the study materials included in a package you bought. I found that no matter what was provided, I always needed something else. Everybody learns differently. Just be you. You might find it helpful to study the different types of intelligence. That can help you identify what can improve what you have in your study tools toolbox. Don't limit your capabilities to "I can only study if I have my perfect environment," but certainly do your best to do your best.
Timing Considerations for Taking an Infosec Cert Exam
When should I take the exam? When should I embark on the degree journey? Which cert in the roadmap should I achieve first? The timing for my prep and attainment of each cert was predetermined because a degree program has its own syllabus. While I wanted to get done in the order I wanted, the courses were well laid out, and the next semester built on the previous one. The benefit was that each class, whether it ended in a cert exam or not, ended up well-timed. Each course provided some useful knowledge or tool for my job. I wanted to skip particular topics, but it ended up just fine. The world of information security is incredibly large, so any information you can learn is beneficial. Risk measurements? I need to know. Understanding buffer overflow? Necessary. Getting a handle on regulations, delving into some scripting language, reading a whitepaper on cloud security, improving presentation skills and exploring many more subjects are all useful and will be applicable to your career. Is it all useful right now? No, not all of it, and not any specific aspect is relevant every single day. But if you've chosen it as a career, then you're looking mid- to long-term. The infosec journey will present bends in the road, and each career security professional needs to be ready for those turns. I've heard that "It's better to be prepared and not have an opportunity than to have an opportunity and not be prepared." Be prepared – something in cybersecurity will come your way. No one gets a guarantee as to how things will turn out. I started down the infosec career path, and things have been even better than I imagined (and harder than I thought at some points). It's always scary looking at the years ahead and committing the finances and the time to any career. Taking a calculated risk is different than a gamble.
Make your best calculations based on your extensive research and take the next step whether it's to choose a different track, wait until the time is right or just simply get it done. Trust me. You can do it.
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company's BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.