How to Choose Cybersecurity Training & Save Money!


- Justin Cornwell, CISSP, OSCP, GCIH, GWAPT, Security+

Let’s be honest: cybersecurity training for yourself or your employees isn’t cheap. There are a variety of options available, so where do you start? Try asking yourself the next few questions to frame the decision better and promote growth in your organization.

What is your goal?

When asked “what training should I pursue,” I always ask in return “what do you want it for?” The training motive can be more important than the certification or cost.

I need CPEs/CEUs/etc to keep my current certifications…well, current!

Awesome! Continued learning is always a great objective in life, but sometimes forcing Continuing Education Units (CEUs) is mighty unpleasant. Most mid- to high-level certifications require 30 credits per year, to be met any time before the next re-certification date (typically 3 years). The standard tends to be that 1 hour of work is equal to 1 credit. This goal is the most flexible to meet. “Checking the box” can be done through living security; listening to podcasts, reading articles, and watching YouTube videos are just a few popular methods. If you are active in the InfoSec community, you are probably already doing this. If you track and document it properly, you should have no issues meeting your CEUs.

I really want to get better at a particular technology XYZ

The more specific you are, the better. If someone asks me about learning cloud computing, it’s like asking me to “teach me about databases”. There are many flavors and designs; there are front-end and back-end concerns. Are you learning in order to test, design, or manage the technology? Research, or at least some introspective thought, should help round out your intentions. If your business is looking into AWS or Microsoft Azure, start with an intro class for that specific technology. If you can learn something you can directly apply at work, it is much easier to solidify the concepts. A general class is okay, but it is less likely to “stick” in the long run. And just like programming, once you learn one language, each one after that is a little easier.

I need certifications to beef up a CV/Resume

While not a popular view, sometimes it’s the cold, hard truth. Students fresh out of college need to show application-level skills or at least meet an industry standard. Those lucky enough to have chosen a tech training college route (like Western Governors University’s IT bachelor’s degrees or the SANS Institute master’s program) will show up at an interview with up to 12 industry-leading certifications. Students from a more traditional Computer Science degree path may struggle when compared side by side. Additionally, if you are on the older side (like me!), changing your career path later in life is more common but challenging. Soft skills (report writing, briefing, and personal communications) will translate well, but your familiarity with old technology can be a weakness if you don’t brush up on the newest toys out there.

How do you best learn?

Let’s consider the formats out there: in-person, online (live), online (self-paced), and good ol’ fashioned self-study. Everyone has a particular method they like.

In-person

This is hands-down the most popular format. Students get direct access to an instructor and are fully immersed in and attentive to the topic at hand. That much focus comes at a cost…money! Not to mention, sitting in a class for a week is time away from what earns a business its cash. But remember, investing in employees is essential to personal and professional growth, which leads to a higher retention rate.

Additional factors to consider: Travel costs (transportation and hotel) if training is outside the local area

Online (Live)

The most visible certification companies, like ISC2, SANS/GIAC, and CompTIA, offer certain classes in live simulcast environments. This is a hybrid between face-to-face and self-paced modules, providing the best of both worlds. Students do need to adjust their schedule to be present for class time, but they can skip the travel part. When I’ve taken these classes, I’ve been lucky enough to be permitted to telework. This allows students to relax in comfortable clothes and in a familiar environment while avoiding rush-hour traffic. I don’t recommend trying to perform double duty (normal work while in class) because you will inevitably miss out on important tips and tricks that you are paying big money to learn. In these courses, troubleshooting virtual machines or learning material can be more difficult, and more students are vying for the instructor’s time. SANS, easily considered the premier standard, employs virtual teaching assistants and moderators to reduce the student-to-staff ratio and ensure the best learning experience for remote attendees.

Additional factors to consider: Internet availability (watch out for restrictive web proxies within the business network); teleworking in a busy home can be distracting

Online (self-paced)

Students with strong self-discipline, or with other work and time constraints, can often benefit from structured, self-paced training. Traditional computer-based training (CBT) modules are designed as bite-sized lessons (typically about 1 hour) for a trainee to work on when most convenient for their needs. These courses are specifically designed to meet certain goals and can include narrated slides or full videos.

Additional factors to consider: Not all CBTs are equal; you get what you pay for

Self Study

Self-study requires the most dedicated professionals to be a success. With little structure, you must determine your own lesson plan and which goals matter to you and your business. This means you can maximize your customization options, but that takes additional time to figure out. If gaining a new certification matters to you, plenty of study guides exist in the wild to get you to the end zone; sometimes too many options. Over time, I have found a few favorites:

Security+

Professor Messer’s Study Notes: These are the “Cliff Notes” for InfoSec like none other. Messer provides a free Security+ course, but these low-cost notes distill the most critical concepts down to just a handful of pages. If you have been working in the IT community for a while, these notes will push you over the top.

Darril Gibson’s Security+ Study Guide is the “gold standard” for passing this exam. After completing a cyber fundamentals course, I was given this book and 2 weeks to self-study. I managed an 823, so I’ll say it was pretty handy.

CISSP

I have both of the next two books in my personal library, and I’ve been able to lend them out to several friends with much success. They follow one of two philosophies: in-depth, or short and sweet.

My preferred book: The 11th Hour CISSP.

I push this book first because it is relatively short (238 pages) and handles information in snippets of just a paragraph or two. NOTE: This is not a training guide by itself; the book is great for identifying what you don’t know. I recommend looking through it and making a list of the items you either don’t know at all or are weak at. Use that to guide further research. If you procrastinate on studying, this is great for the last week or two of cram sessions before a boot camp or test.

THE CISSP book: Shon Harris’ Exam Guide

This book is what you want if you are ready to learn! Now updated to the 8th Edition, this qualifies as a tome (1408 pages) with more than you ever need to know for the exam. As the cover notes, this is beyond a study guide; it’s an on-the-job reference. The quality and depth are unrivaled for risk assessments and for preparing managers to lead a variety of information and cyber domains.

…Now, how do I save money?

As mentioned above, for CEUs and topical knowledge, stick to articles, podcasts, and YouTube. Some of my favorites include:

If you are interested in learning about pentesting, my favorite videos come from Ippsec on YouTube. He primarily works through machines on HackTheBox.eu, but his skill set and tool usage are practical for all kinds of testing. If you want to know about a specific technique or technology, his videos are all indexed and searchable at ippsec.rocks. Your search will result in a link with a time code, dropping you to the exact spot in his videos you want to be. Such a cool resource!

On that note, HTB is my new favorite pastime. You must “hack” your way in, but once inside, new VMs are dropped every week or two. Older machines are then “retired,” and individuals are allowed to post “walkthrough” writeups and videos demonstrating their techniques. This resource is free; however, for a small monthly fee, you get full access to all the retired boxes and a less crowded VPN connection to their labs. This is a great tool for hands-on advanced certification prep (GCIH, GPEN, OSCP, OSCE, OSEE, etc.) at a super low cost. VulnHub also has VMs available for downloading and off-line hacking, and the OWASP Broken Web Apps (BWA) project has intentionally flawed web applications to practice on.

Bonus: As of Oct 2019, HTB now links directly with ISC2 and reports all CEUs automatically for you!

If you have an existing certification, companies like ISC2 and CompTIA also have their own CEUs available. ISC2 offers over $10,000 worth of courses for free if you are an ISC2 member in good standing and access their “Continuing Education” portal. Here are just a few offerings:

I started out mostly watching DefCon videos online for free; DefCon 22 was spectacular. Again, a 1-hour video or lecture is good for 1 CEU, so this can be a great way to keep costs down while having a little fun.

Because it is my absolute FAVORITE DefCon talk to date, I’m listing this as a MUST watch:

Gene Bransfield’s Weaponizing your Pets

Great, but what’s the best deal?

The last thing I want to plug is the SANS Work Study program. I recently had the opportunity to take the course and serve as a “red apron” facilitator. It involves building student workbook bags, prepping the classrooms, and being a SANS ambassador throughout the week. As a teacher’s assistant, you are responsible for passing around daily handouts and surveys, along with making sure the classroom is a comfortable learning environment. You are required to work one night session, which is either a cool lecture or, in my case, facilitating NetWars. Realistically, it’s not incredibly hard and is a great way to network and meet new people. For this opportunity, it will cost $1,500 for the course, and the exam fee is waived if you are local or stay at the event hotel. No kidding, this is my receipt: $11,000 in course and add-ons for the low, low price of $1,500 and a little sweat equity. This gets you access to super affordable top-tier training and certifications when personally funded. Another work study participant was able to outline this plan to his boss and got approved for 4 work study classes (since it is comparable to one “standard” registration). It’s a solid way for individuals or “resource-constrained” organizations to get in the game too!