Hello, luvs. Information security training and certificates have been a lengthy debate over the years. In this post, I'd like to take you with me on my journey around this subject; it has been going on for over a decade.
The tech world is moving amazingly fast. A few years ago we didn't have smartphones, and only a few decades ago we didn't even have the internet. Still, we changed everything, and people will keep being amazing and inventing for years after this writing. I have spent more than a decade following infosec, and it changed my life; I owe this community everything, in every aspect. When I started my career as a teenager, even though I was good at my job, I sometimes had a difficult time dealing with my colleagues and managers because they had a degree and a few certificates from Microsoft or Cisco, (ISC)², EC-Council, etc., and I had none. And I still have almost none! Time passed by, and I met a fantastic CEO who let me work as a junior pentester. Boom! I landed my first job in infosec. In return, I worked really hard, met some more amazing people and learned a lot more. I thought to myself that as soon as I had enough money, I would take all the certifications in the world, so I did. Or did I?
I took many courses during the past decade, and I probably will enroll in some in the future as well. I love learning! I'm not going to review them one by one because it would take ages, and some of the courses I took almost a decade ago are irrelevant today. For up-to-date information, you'll have to google their names and visit their websites.
But here is a brief list of those I remember (only the infosec-related ones):
Advanced ethical hacking
Penetration Testing with BackTrack
Advanced software exploitation from practice security
Advanced web attacks and exploitation
I even went to college and recently finished my major. Not for a "certificate," but to learn. I made lifelong friends, and I learned discipline and dedication. It just led me to a better "me."
Before I continue, I'd like to thank all of the companies, named or not named here. I learned a lot, and I'm thankful. You are pioneers in information security training, and what I'm going to suggest next is just the opinion of somebody who loves this community, but I do suggest changing for the greater good.
1- Most of the course materials are outdated because of their delivery method: the very top courses in information security used to be a few hours of video content plus some documents. The amount of time it takes for the creator to protect and DRM the materials makes it very hard to update them frequently. For example, most of these trainings have not been updated during the past two years; in information security we live in minutes, and two years is too long a gap.
2- Most of the labs run on old infrastructure: classic infrastructure and VPNs are not sufficient for today's world. They are generally slow, expensive, and hard to use in the case of pentest labs.
3- Certificates. In the end, a certificate is a piece of paper, which we should avoid because we are killing trees to make one. I believe in this so much that my little startup is all about being paperless. Let's harm nature less! While admiring someone's achievements is fantastic, and the right thing to do, the way we handle certificates isn't flawless. Think about someone who is passionate about infosec and wants to land their very first job in infosec but can't afford certifications, or even a degree, and you just cut them out. It's wrong and unfair. Luckily it's getting a lot better, and even big companies have changed their culture and their ideas about talent management. But we still have a way to go.
If you are going to release next-generation infosec training, the following paragraphs are a few things you can consider.
Infosec is all about struggle: what's with all the courses always giving the trainee the perfect, polished path to solving a problem? The recent wave of infosec-related live streams is a good example; a person who wants to learn can simply see how the instructor struggles and how they tackle various related and unrelated issues, a part of the information which is too valuable to ignore.
Infrastructure change: thanks to the awesome DevOps, cloud, and virtualisation guys, you can run almost all of your previous labs in a browser: safer, cheaper, and faster. It avoids various kinds of problems. You can start with:
Make it affordable: as much as the need to run a business is understandable, an average online training is between 2 and 8 hours, and an average live training is around three days. Now, a single stream of someone working on a single CTF task can take that long. So if you want to put a high price on it, it should be far more sophisticated than this.
Make it up to date: Infosec is about minutes; by changing your DRM model, lab infrastructure and content delivery model, you can deliver frequent updates to users.
The change has already begun.
The speed of information technology evolution always fascinates me. We already have some excellent examples of the suggested model: website academy, Exploit Education, and PentesterLab are a few examples. I'm not affiliated with any of these entities, and you can find more examples by googling around. These entities leveraged a more modern tech stack, which helps them deal with the issues we mentioned.
If you are new to infosec.
As you may guess, I spent a lot of time and money on many courses. But that doesn't mean you have to take the same path. It's a lot easier and cheaper now; honestly, it has never been easier. Just do it o_O ! Say you want to be a bug bounty hunter, red teamer, security researcher, infosec pro, or you name it, and you were thinking about taking certs or even getting a degree. If you don't have much disposable money to spend, then don't. Instead, spend your time reading and practicing the niche you like (for example, mobile security); for more, read my first post.
Sir, if you are in the tech world and certificates and degrees are the most important items on your checklist, I suggest you redefine your hiring approach, or you may just lose the chance to work with some brilliant people. For instance, just like with the information security training model, thanks to technologies like cloud computing, you can make your very own CTF over a weekend (with the exact skill set you need) and examine your candidates' skills deeply and accurately. Case solved. No certification of any kind ever required.
If you work in the infosec industry, kindly spread the word and share this post (or at least its idea) with your colleagues for the greater good. Also, let me know what you think here.
Here I am, a decade later, still enjoying making and breaking things. Yet with almost no certificates and no regrets whatsoever.
If you still want to take one, there is nothing wrong with it. Go for it and enjoy; the point of this post is to think about the ways it can go wrong morally and ethically. In the end, most of these materials are labeled "ethical" and "moral," right?
Luckily, the cultural change has already begun, and we see recruitment departments, when it comes to general information technology, making it a lot easier than before for new talent to take their shot. Keep it up!
I wish you a "2020" with cheaper, more accessible information security training and awesome managers who give a chance to yet-to-be-discovered brilliant talent.
PS: how lucky I am that I can share this with you.
Till then, luvs.