Now that I’ve gently pivoted my career, I have a chance to identify and work on some of my knowledge gaps and desires over the next couple years. This is
especially important to me, as over the past 4 years or so, I’d a) gotten comfortable where I was, b) been really busy with business-critical work, and c) drifted away from learning a ton. While work was busy, I had a few new hobbies/people show up after hours that took away time as well. That’s partly the point of the gentle pivot from doing systems *and* security work to doing full-time security work. It should free up some energy to get my learning back on track. I also hadn’t put much money back into myself as far as training, but then again, neither did my previous employer. Sure, I was always offered it verbally, but there was really very little follow-through on proposed options if they weren’t immediately in line with devices or projects we already had on the books. And security for security’s own sake was not a priority.
This is partly why I posted several weeks ago about the various security roles that exist. It not only helps me decide what I want to do for my career, but also what I want to continue to study and strive for over the next 3-5 years. I test and study well, and sponge up information all the time.
This is certainly not all-inclusive for my interests, skills, and what I want to do on the job today and tomorrow. This is simply a small guide for myself on what to do next, if I’m ever looking towards the professional horizon and wondering what’s next on a quiet winter day. Obviously, this is also ever-changing.
- PWK/OSCP from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.
- CTP/OSCE from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.
- CCNA – Not expensive, satisfying, but might be a bit below me and require some extra effort to make use of some labs.
- Linux – local class? – Night class during the summer, not expensive, but quality might be hard to know beforehand.
- Linux – other (further research required) – There are plenty of other accessible options, from SUSE/Red Hat specific all the way down to Linux+ for the heck of it.
- Certified Ethical Hacker from EC-Council – Not prohibitively expensive, popular even if much maligned, doable and something to add to the resume. (You’re allowed to hate on this; I get it.)
- Python, PowerShell, .NET self-study for coding knowledge (even C++/assembly) – This is less structured, but I could acquire books or set online learning goals to help with them.
- OSWP from Offensive Security and CWNA (wireless) into CWSP from CWNP – These are wireless-specific goals of mine. Attainable, not terribly expensive self-paced study.
- Web app sec self-study or other certs (further research required) – In a really quick search, I was surprised not to find any useful web app sec related certs.
- Get other small gadgets or toys (Hacker Warehouse type stuff, Great Scott Gadgets…) – A bullet item reminder about this.
- Get a Mac – This is really to broaden my horizons with a new platform/tool investment for myself.
- Arduino learning – Hey, I have an Arduino learning kit I can make use of.
- Cons and local groups – A bullet item reminder that these exist!
- Other specific tools self-study – A bullet item reminder that I can look at any other specific tool in depth, and will.
- Further lab building – Maybe purchase more hardware for the lab and build it out further. I was really thinking hardware, but even trying to admin it better could be a useful project.
- SEC560 (GPEN) – Network Penetration Testing and Ethical Hacking – Just time and cost prohibitive, but if I had a sudden bonus budget, this is where I’d start right now.
- Forensics and reversing self-study or other certs – Further research required; most of these are expensive or product-specific.
- ISACA offerings (CISA/CISM) – Book cost, self-study webinars, exam cost and the trip make this somewhat prohibitive.
- CSSLP from ISC2 (web app) – An app sec certification for SDLC work and experience. Not expensive, but annual ISC2 maintenance, of course.
- Other SANS/GIAC – Basically just cost and time prohibitive. Will look into it on my own personal dime when budgets allow.