This feature first appeared in the Fall 2015 issue of Certification Magazine.
The world of cybersecurity changes constantly. New threats arise that pose new risks to organizations with existing security programs. Security vendors develop new technologies designed to combat these emerging threats. Researchers discover new vulnerabilities in operating systems, applications and supporting infrastructure. Cybersecurity is clearly a cat-and-mouse game and the advantage goes to the security professional who actively works to maintain current knowledge of the profession.
Many security professionals, especially those early in their careers, choose to pursue professional certification as a way to develop a foundational knowledge base and demonstrate this competency to potential employers. CompTIA's Security+ certification program serves as the entry point for many aspiring security professionals. The Certified Information Systems Security Professional (CISSP) program, with its five-year experience requirement, then often caps off many certification paths as cybersecurity workers demonstrate that they possess the fundamental qualifications of the field.
But what happens next? How do security professionals continue to keep their knowledge current so that they remain employable for decades to come? All major security certification programs include a continuing professional education requirement. CompTIA requires that Security+ certified individuals complete 50 hours of professional education during every three-year cycle, while the CISSP program requires 120 hours over three years. Security professionals should consider these requirements a bare minimum — 40 hours a year is not much when it comes to digesting the large amounts of new security news hitting the landscape over the course of 12 months.
Let's take a look at five ways that you can enhance your security knowledge on a regular basis. Remember, continuing professional education should be a continuous process: not something that you cram in at certification renewal time!
Attend Professional Conferences and Gatherings
Security conferences are an outstanding way to build your knowledge, enhance professional networks and simply have a good time! While they do require a significant commitment of time (and often money), these gatherings of security professionals from around the world offer unparalleled opportunities to learn from your colleagues. If your budget permits, the two premier security gatherings are the annual RSA Conference held each winter in San Francisco, and the combined Black Hat and DEFCON conference each summer in Las Vegas.
These conferences are often the venue for major security announcements from both vendors and security researchers, and generate significant buzz in the mainstream media as security professionals and hackers of all persuasions descend upon a city to share knowledge with each other. Attending one of these conferences also has the benefit of allowing certified professionals to gain an entire year's worth of continuing professional education credits in a single event.
Learn on the Job
If you work as a security professional, then you undoubtedly have a significant number of opportunities to take on new responsibilities on the job. Don't underestimate the usefulness of these opportunities to advance your professional knowledge. Take on the challenge of making every day you go to the office a learning experience.
If you have the choice between performing routine work that's in your comfort zone and taking on an opportunity that stretches your skills, opt for the choice that allows you to develop new knowledge. There's really no better way to build your security knowledge than by actually participating in security activities and learning as you complete assignments on the job.
Read, Read and then Read Some More!
Massive amounts of security information exist in print and on the web. It wouldn't be surprising to learn that there is literally more security knowledge published each day than a single individual could reasonably consume in that same day. Find the security resources online and offline that you feel best enhance your professional knowledge.
This might include books, magazines, professional journals, security discussion forums, security blogs and many other sources. Try to diversify your standard lineup of reading materials, and use a clipping service like Pocket or Instapaper to save interesting articles that you come across for consumption at a more convenient time. You can learn more in an hour of surfing the cybersecurity web than you might imagine!
Participate in the Security Twitterverse
Social media, particularly Twitter, is full of cybersecurity knowledge. By judiciously following individuals that you consider cybersecurity experts, you'll keep your knowledge extremely fresh. I'd suggest following Brian Krebs (@briankrebs), Richard Bejtlich (@taosecurity) and Chris Soghoian (@csoghoian) for a balanced perspective on security and privacy issues.
Starting from there, you'll likely find many other Twitter accounts that you'll want to add to your list. Twitter participation might not earn you professional education credits, but it's probably the best way to expose yourself to breaking security news and a diverse set of viewpoints on cybersecurity issues.
Use Vendors as a Source of Knowledge
OK, it's true that none of us appreciate the onslaught of phone calls and e-mail messages from cybersecurity vendors clamoring for our attention. Vendors can be a great source of knowledge, however, helping security professionals stay current on available security technologies. I would never advocate engaging in conversation with the many vendors who cold call you, but it is very worthwhile to develop a few key relationships with vendors that you consider your security partners.
Once you've cultivated two or three of those important relationships, stay in touch and ask them to visit you on a periodic basis to share news about their roadmap and their firm's perspective on emerging cybersecurity issues. Leverage these relationships to build your own professional knowledge and build your cybersecurity network.
Continuing education is a critical component of any security professional's career development activities. We work in a rapidly changing field where today's knowledge may become outdated in a few years or, in some cases, a few months. We each bear the responsibility to ourselves and our employers that we remain current on developments in the cybersecurity field.
Fortunately, there are many different tools that cybersecurity experts can use to fulfill these obligations, ranging from formal conferences and training programs to informal participation on social networks. Why not take a few minutes to commit yourself to one new professional development activity for the coming year?