
Security Certifications: Training on a Budget and Breaking Down the HR

BSides Athens · 2020 · 21:52 · 282 views · Published 2020-06
Category: Career
Style: Talk
About this talk
Abstract: Anyone starting in the security industry gets quite overwhelmed about how best to obtain adequate training to perform their role. Novices need to understand what the best approach to security training is and how they can get enough of it to navigate the complicated paths of different courses provided by various vendors. Security managers and directors need to review and sign off on training budgets and get challenged by staff who want the best and most expensive courses. There's really no one-size-fits-all solution to this. A suggested approach would be to assist everyone in identifying how to get the maximum out of any budget that might be in place. A combination of vendor courses along with self-study, on-the-job training and free courses offered by a variety of MOOC online universities and vendors can greatly aid in providing everyone with suitable training. In fact, this can greatly aid anyone new to the security industry in getting their foot through the HR door, and even experienced people in achieving their full potential. Various paths can be followed, and working with each individual makes all the difference. Someone might want to be the best security analyst or incident responder, while other people may need to focus on legal issues or management roles. Examples of such paths and how to progress along each track will be analysed, and concise approaches on how to customise training to each person's needs will be provided to ensure the best outcome is reached, while constantly remaining vigilant to budgetary concerns.

Bio: Nick Mitropoulos is the CEO of Scarlet Dragonfly and has more than 13 years of experience in security training, cyber security, incident handling, vulnerability management, security operations, threat intelligence and data loss prevention. Nick is a certified ISC2 & EC-Council instructor, a GIAC advisory board member, a senior IEEE member, a Cisco Champion and has an MSc (with distinction) in Advanced Security and Digital Forensics from Edinburgh Napier University. He has worked for a variety of companies (including the Greek Ministry of Education, AT&T, F5 Networks, JP Morgan Chase, KPMG and Deloitte) and has provided critical advice to many clients that want to improve their current security posture by creating new security operation centres and protocols, developing vulnerability management programmes, managing third parties and security vendors, testing incident handling and forensic teams, redesigning perimeter security solutions, and developing custom-tailored training courses for company staff and specialised security teams.

Security BSides Athens 2020: CyberSecurity | InfoSec | Ethical Hacking | Computer Security | Evolving Threats | Threat Landscape | Privacy | Cyber Resilience. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world! We are responsible for organising an independent Security BSides-approved event for Athens, Greece. More: https://www.bsidesath.gr Follow on Twitter: @BSidesAth
Transcript [en]

Hi everyone, my name is Nick Mitropoulos and I want to thank BSides Athens for giving me the opportunity to speak to you guys about security certifications. I'm quite excited that I have this session with you and I hope you find it beneficial. Just a bit of background on myself before we start off: I've been in the security industry for about 13 years now, so quite a long time. I've attended a number of courses throughout the years, I've also managed to get quite a lot of different certifications, and I do teach quite a lot of courses to individuals, like CompTIA, EC-Council and ISC2 courses, so I have the opportunity to often speak with others and get an understanding of what

they see as being viable in their career paths, what types of courses they benefit from and what types of challenges they often face. So the most common challenge people have is the course prices. This is by far one of the most challenging aspects. So you approach your manager and you say, "I want to do a specialised course, the course costs six thousand pounds." Whoa, that's not going to happen anytime soon. You have to be in a position to create efficient business cases, you have to be able to stand your ground, you have to be able to justify why exactly that course is valuable for yourself and also how that course can allow you as a person to contribute to

the wider business. In addition to the course price itself, you also have to think about any exam and renewal associated costs. Some exams are fairly straightforward and cheap, while other ones may be more complicated, may span across two days and tend to be quite a bit more expensive. Finally, you have to account for any other associated costs, because if you're taking a course which is remote from where you are, for example, you have to account for travelling, so tickets to fly there, lodging, subsistence and any other associated expenses. Now the time required for you to take a course might be four or five days, but you also have to think about the time that it will take to absorb the material, so you

might attend a course for four days but it might take six months to actually study afterwards, take any labs and ensure that you've solidified any concepts you've learned in that course. Finally, the certification exam, should you wish to take it, also counts towards your time; it may be two hours, four hours, or for complicated certification attempts it might even be six or eight hours. The attendance mode is another thing that comes into play: some people learn better while they're on site with a trainer and individuals that they can ask questions, they can converse, they can have interactions with; some other people learn better when they actually do a course remotely. Also, another factor that

comes into play is whether you're going to do a course live or on-demand. Now the return on investment is really important for any type of employer allowing you to take a course, so what usually happens is you get your manager, or they get their manager, and they always come down asking, "So what happens with this course? What happens if the individual takes it? What is the ROI for my business?" So a common question that pops into mind for a lot of people is what happens if trained people move on. So your manager says, "What happens if I give you two or three courses this year and then next year you move on?" So let's try to answer that straight away by

allowing Richard Branson to actually answer for us. So Richard Branson said, "Train people well enough so they can leave, treat them well enough so they don't want to." The question that comes to mind after that is what actually happens if you don't train people and people stay. So how are those individuals going to be able to work and do their jobs properly, especially in security, where we deal with complicated threats all day long? So are courses and certifications worth it? Is it worth the time? Is it worth the cost? Let's see what others say. A study from ISC2 showed that the majority, as you see in the slides, value how much their skill set improves, so 40%

of the people from the study actually answered that they do take courses and get the associated certifications because they want to improve, they want to add a new skill to what they already have, which is quite impactful. Now about another third of the people, so 28%, have actually mentioned that they see that as something they can use to enhance their CV, and this is quite important for people that are new to the field. So for someone that starts now and has potentially six months or one year of experience, getting the appropriate certifications in order to be able to convince potential hiring managers or an HR team of people that they're good to do the job is quite substantial.

Most people don't seem to be doing it for the money, so salary increase doesn't seem to be a primary reason, because if you see the slide it just comes in sixth place; it definitely isn't the primary reason for getting certified. And lastly, another thing I wanted to highlight is that about a third of the people do security courses and certifications because they do feel that when they attend courses they do get the expertise that comes with them. Now the training budgets come into play from the business. This is a study from Training Mag and it shows an average of about $1,300 per person spent across all companies in 2019. It's an increase in relation to

2017, which started with almost $1,100, but it's still quite short. Now in relation to specific businesses, as you can see, small companies reduced their budget significantly in comparison to 2017: we have a decrease from almost $2,000 to $1,500, so a 25% decrease. Mid-sized companies have also dropped, from $941 to $829, so about $100 shorter, while large companies are the only ones that seem to have increased their budget quite substantially. The budget has skyrocketed and it has actually quadrupled in relation to what it was in 2017, so they went from about $400 to almost $1,600 in 2019, quite an investment there from them. These are generic trends, by the way. Now

let's just jump into a specific focused study that Deloitte did on how financial sector businesses have accumulated training costs around individuals. So as you see, the average is about $2,300; it ranges from $1,300 all the way up to $3,000. It does seem to be quite different, it does seem to almost double in some cases, but again, would this be enough for a security individual? Would $3,000, or $2,300 which is the average, be enough for them to be able to get the training that they need? First of all, let's just see some examples of some security roles. On the first row we have CISOs, heads of security, so quite senior individuals within organisations. Then in the middle row you have mid-to-senior levels,

so security architects, security consultants, those types of roles, and in the last row you have mostly technical roles, so incident responders, security engineers, quite a lot of different roles actually that require different levels of training. Some specific skills that those roles might have: these are just three examples as a comparison, so you have security analysts, security managers and compliance experts, and a lot of different skills are required in different areas. We have a security analyst, which requires quite a lot of soft skills in order to be able to cope, but we do tend to focus quite a lot on technical skills at that level, so individuals would need to have in-depth knowledge around network, around host

forensics, around malware analysis and all those sorts of skills. Security managers need cost awareness and interaction with C-level executives, and also the ability to manage complex budgets, as a team depends on it. They also need to be quite technically skilled in order to be able to efficiently drive investigations and also understand what exactly the security team is able to do. And then we have an example of a compliance expert. Compliance experts need to be specialists in a variety of standards, for example GDPR, Cyber Essentials, ISO 27001 or any other standard that a business would need to be compliant with. They need to be very well versed in dealing with internal and external

bodies and also very astute in order to be able to cope with various teams within the business. Let's look at some questions that come up when we consider training cost in relation to what we've discussed. First of all, we know that there's a variety of different price tags for courses: we have a lot of courses that tend to be free, then we have some other ones that tend to be quite cheap, and then obviously we have a lot of courses that tend to be quite expensive. So the first question is, which is the best fit for you? So do you believe that a free course or a low-cost course would be best for your team or

for yourselves in order to get the skills that you need to enter your job? The slide shows another study from ISC2 which shows that about 13% of the people participating in the study have paid for three associated certifications through their companies, but there is also almost the same amount of people that have paid for courses themselves, which is quite an impactful statement, because it seems that there is still quite a lot of a gap in how companies invest budgets for people to get the training they need. Sometimes we see companies using training courses to reward high-performing employees. It happens quite a lot and we see people saying that if, for example, people are high-performing in the team, then the top

two or top three will get a very expensive course. But the question we should be asking is, are those individuals the ones that should be attending those courses? So would you expect that someone who is already really good at what they do is the best person to attend the course to improve, or should it be someone that was actually less skilled or less knowledgeable in that area? Certifications are also often used to lure high-calibre talent, so sometimes you see HR ads that require candidates who have quite a vast collection of certifications in order to reel them in. The challenge is that when those candidates actually start in the role they might not get those courses, or

they might not be given any opportunity to do training afterwards. So this is something that also happens quite a lot. And then another thing that we see quite often is training costs or training budgets becoming tool budgets, so for example because we wanted a new SIEM or a new next-generation firewall, actually that budget has been converted into a tool budget instead. Now, different approaches for different types of situations. There's a reference slide here showing how many different types of websites we have, and obviously how many different types of intro courses we have that are totally free, so this is just a sample, but there are quite a lot of these about that are highly beneficial, and a lot of

the vendors offer quite a lot of their course trainings for free, which is really good. For example, wireless trainings are quite good, they're all free for all modules, and Splunk offers their first level of training around their tool for free, and again it's quite beneficial, and so on and so forth. So really good courses that don't necessarily come with a price tag. Now open-source tools are another good example, so for people that are beginners in the field, they can use these tools to get knowledge around them and experience, and then they can obviously take that experience and apply it to the workplace. Now this is a really good reference slide of various courses that we see

within the security industry. The vendors are ordered alphabetically, there's no preference there. Different types of courses again fit different types of people. Some people, for example, want to do a lot of technical courses, for example they want to do CCNA Cyber Ops or CCNP Security; other people who might need more of a background-level course might want to be doing Network+ or Security+ to get a basic understanding; some more experienced people within the industry might want to be doing some courses from ISC2, for example like CCSP or CISSP with specific focal points. Those courses would need to be done only if you have the necessary experience, so for

example for CISSP you need to have five years of experience in the industry in order to be accredited the certification and be a full ISC2 member. Some people that really like pen testing might prefer courses from Offensive Security or eLearnSecurity, so there's a lot of different options here. I've just chosen a case study from Cisco which actually nicely demonstrates a particular path. So for example you might have an individual just now in their security career who wants to get the maximum out of it. That individual might start with a CCNA Routing and Switching course, which will give them obviously the necessary networking background in order to proceed further, and afterwards they might continue with

getting CCNA Cyber Ops, which is Cisco's cybersecurity track, which is a really interesting certification. There's going to be a professional-level Cyber Ops certification released later this year, which is really good. If they want to go towards the network security engineering track you might see an option for getting CCNP Security, and if they quite like it and they want to dive more into it, they might even go for CCIE Security, which is one of the top-level certifications that you can achieve in the industry; it's quite challenging to get. Now, what do people say? What do people see as being most valuable in their security careers? ISC2 shows that about 40% of the top certifications are from

ISC2 and Cisco, so you have CISSP or CISSP with a particular concentration, and then you also have CCNA Security and CCNP Security. But bear in mind that this study was for 2019, which was when the older Cisco track was still in play, so you have CCNA Security there, which doesn't exist now. And then we also have another study from InfoSec Careers, which I haven't depicted here, but it still showed, from a number of 200 professionals, that almost 50 percent consider CISSP to be the best security certification, which quite aligns with the ISC2 study that was undertaken here. After CISSP, those individuals felt CISM, CEH, Security+ and OSCP were next. Now, on to some type of training plan: how

can you actually design the ultimate training plan for your needs? So first of all, you can use obviously any free training that you can get. Any type of vendors you already have within your corporation, feel free to get the training from those; they do generally offer it for free because you've already purchased some of their products. You can do internal trainings: if you have someone who is really good already in some tools, or in some security areas, or in some security certifications even, you can use those individuals to teach others within the business. Brown bags, lunch-and-learns, mentor assignments are some examples of how those people can be used positively throughout the company. Cross-training is another thing:

you can, for example, have the penetration testing team sit with the incident response team, and those guys sit with the security analysis team. You can have mixed capture-the-flag competitions, you can involve management, you can do all sorts of things. You can also choose to train specific individuals in an area and then use them to train others, which is another really beneficial aspect, or you can get team training packages that you can leverage from vendors in order to train your teams as a whole. Another option is offering practical elements, so cyber ranges, CTFs, those types of things. So for example Hack The Box, Virtual Hacking Labs or any other type of cyber range would allow people

a type of gamified version of learning, so they can actually learn by trying to break stuff, by trying pen testing and those types of things. Self-study is another option: if there is no significant budget, then you can still try to cover the exam cost and people can self-study for their specific certification courses. Then you can include training courses and certifications in your personal development plan, which is really good and I highly recommend it, because it allows you to have this as a part of what you do throughout the year. So if you manage to get this approved through your development plan, there's no one that will come afterwards and try to not allow you to take that training. The

combined approach in general is what works: you can combine free courses, like the ones that we just discussed earlier, with self-study, and then if you want to take at least one paid course, which will maximise what you get throughout the year, that would be the ideal approach. If you're a newbie in the security field, then you just try, obviously, to get your foot through the door with HR. Again, you can look at getting some of the most common security certifications that are being looked at by HR. For example, if you want to be a security analyst, you might look at getting a solid foundation around Security+ or Cisco

CCNA and Cisco CCNA Cyber Ops, and both types of courses, and then, as I said earlier, experimenting with various open-source tools is quite beneficial because it allows you to have experience that you can demonstrate when you have those discussions. I've also built two scenarios just to show you a practical aspect of how you can build up these types of trainings. So for example, the first scenario is for a person who is quite new and they're placed in a team which has a very limited training budget. That individual can actually attend any free courses that they can get their hands on, so for example through Coursera or through Udemy. They can also self-study for particular basic

certifications because they tend to be easier to absorb, and they can actually do that without necessarily attending an official course, which might cost quite a lot. Examples, as I said, are CCNA and CCNA Cyber Ops, really good foundational certifications, Network+ and Security+, Certified Ethical Hacker, security analyst or junior penetration tester; there is a mix of skills that an individual can actually absorb. You can also have a free virtual lab on your machine, or you can actually use an online available one like Hack The Box, which actually comes at a very, very logical price. All of those things are quite beneficial and all of them are quite achievable with a very, very limited training budget. And then the

second scenario I have is in relation to a security manager, or any type of manager for that matter, who has a medium-sized training budget. Now if you're the manager or a team lead, then obviously you want to do training for the whole team. You should try to focus on getting team courses approved, so for example if you approach a vendor with training passes or getting training credits, you can always get a discount, which will be quite beneficial for the team versus individuals just getting approved by themselves. Also, if you're using multiple tools within a business, it's not always feasible to have everyone trained on the tools, so for example if you use 20 tools it might not be

feasible for everyone within the team to get individual training on all those tools. In those cases it's really beneficial to have a specific subject matter expert and then allow that person to get full training while they aid the rest of the team as much as possible and get them trained up; it's kind of a train-the-trainer approach. And for any specialty courses in security, then you would need to devote time and budget in order to allow those individuals to attend those courses. For example, if you expect your team to be a high-performing incident response team, high-performing incident handlers, then you will need to allow them to attend at least one specialty course throughout the year to

get those specialised skills they need in order to do the job. Now, after that, some final thoughts. First of all, there is no one-size-fits-all; you can't funnel this in for everyone, you can't say to everyone, "You all get this training, you'll all get the same thing." It just doesn't work. You have to spend time with people, get acquainted with what they want, what their aspirations are, their career progression, and also take that into account with what the team expects. I try to leverage particular individual plans for everyone. There are always going to be budget constraints, there's no question around it; just try not to let it stop you. It doesn't matter the constraint, just try to put together the different approaches we just

discussed. Training should be for everyone, it shouldn't just be for a selected team of people. So in my mind you shouldn't be rewarding high-performing individuals, or it shouldn't be only allowing one or two people within a team to get specific types of high-end trainings. That usually frustrates a lot of people, because they also want to get the training they see others getting, and it frustrates them quite a lot when they can't. So you have to be very careful when you do those types of things. The other thing you always need to account for in your mind is, do you actually want the people protecting your business to have adequate training? So whenever you get pushback from higher

management you always have to take this into account. It's okay when people come to you and say, "We don't have a budget," or whatever like that, but you always have to pose this question: okay, we don't have a budget, or we have limited budget, but how are these folks going to protect the business, especially when they deal with incidents that might cost the business millions? And lastly, always encourage people to take some time from their week in order to do training, or any type of research for that matter. I know that a lot of us in security work quite extensive hours, so allowing people to take, for example, three or four hours through the week in order to devote it

to something like this is really beneficial for their mental health as well; it keeps them focused. And then you also have to remember that creativity is really important, it's almost as important as productivity, because the research that individuals do might benefit your team quite substantially. Think of your team, think of what they need most, what you need most in order to protect the business, and that should guide you throughout. If you have any questions, please do feel free to reach out to me via LinkedIn or via Twitter and I'll be glad to have any discussions around it. Thank you very much for your time.
