I’m Certified, Not Just Certifiable

One year ago, I had never heard of the SANS Institute. I knew nothing about their courses, GIAC certifications, or the CyberTalent Academy program. What I did know was that I needed a career change, and that I had decided to pursue cybersecurity as my new career path.

Late in 2016 I made the decision to return to school to pursue a degree in cybersecurity. I re-enrolled in college, started taking classes, and began to research all things infosec. Part of my research included looking for organizations serving the cybersecurity community in general, and women in cybersecurity in particular. My research led me to the Women’s Society of Cyberjutsu (WSC), BrightTalk webinars, and Twitter, which I had fiercely avoided until now. Then, in March 2017, the WSC hosted a webinar featuring the SANS Institute and some program they had to help women transition into information security.

Through my research, I already knew that the number of women in infosec was appallingly small. Depending on whose numbers you trust, we are somewhere between 8-11% of the community overall. Sonny Sandelius, the gentleman representing SANS in this webinar, discussed those numbers, and talked about the CyberTalent program and its mission to increase those numbers by providing training and certification to women seeking to enter the information security field.

I came away from the webinar interested and intrigued. I took a look at the SANS course catalog and began the application process. At this point I still didn’t really grasp what SANS was about, however, nor did I have any clue what I was getting myself into! I filled out the forms, sent assorted documents, took the evaluation exam, and had the phone interview. When I received the acceptance letter from Sonny in May 2017, I think I was the only one who was surprised, but I’ll discuss my struggles with impostor syndrome another time.

The SANS CyberTalent Women’s Immersion Academy agreed to cover the expenses for up to three SANS training courses, plus practice exams and the Global Information Assurance Certification (GIAC) certification exams associated with each course. In exchange, I agreed to take the training and pass the certification exams. I added up the amount all this would have cost had it come out of my own pocket, and after I picked myself up off the floor, I poured myself three-fingers of bourbon to quell the shakes. Never before had I been offered a scholarship so valuable, and I was more than a little terrified that I had bitten off more than I could chew.

June 2017 came around and I found myself on a plane to Colorado, where I took the first immersive training, SEC401, the Security Essentials Bootcamp Style. This course involves six days of lecture and lab instruction, ranging from basic networking security issues to threat management, cryptography, risk management, plus both Windows and Linux security issues. Someone had described the course to me as being an inch deep and a mile wide, but I would say it was at least a yard deep. Before the first day was over I was very glad I had years of IT experience and context to connect this new information to.

The experience of that first training was powerful. Spending six-straight days in the same room with well over fifty other people who understood, and I mean really understood, the importance of security when dealing with all our technological marvels and monsters, was eye-opening on many levels. First, the bootcamp process always tends to build camaraderie. Even so, there was a sense of a unified purpose from the outset that I had not felt since my days with the High Tech Services Reserve Unit (HTSRU) with the Orange County Sherriff’s Department (OCSD) in the early 2000’s. Everyone in the room was there to learn more about cybersecurity, about how to keep bad people from doing bad things with computers, whether those computers belonged to coworkers, friends and family members, or complete strangers.

Second, this live training was my first opportunity to meet other women in my cohort face-to-face. All of us, from the new college grads to the older workhorses like me, were there because we wanted to be a part of the information security community. We were all there because SANS had selected us from hundreds of applicants. And we were all there because we want to make a difference.

The Women of the SANS CyberTalent Women's Immersion Academy, 2017, Colorado Segment.
The Women of the
SANS CyberTalent Women’s Immersion Academy, 2017
(Denver Segment)

There are several things that make SANS courses different from other classes I have taken over the years. First, the instructors are top-notch. I’ve done technical training myself for more than a few years, and these people are knowledgeable, dynamic, and excellent communicators. Second, the material is dense, yet practical. Everything in the books and lab exercises has a real-world application.

Here’s Netcat, and here’s how you can use it to set up a listener-to-client relay…

Here’s Metasploit, and here’s how you can use it to deliver a payload while spoofing the source address…

Here are some Linux shell commands to help you do system forensics…

All this and more was poured into our brains over those six days. By the end of that week, I was glad I could remember my own name.

After the bootcamp was over, we went home and began reviewing what we had learned and assembling our indices. For those of you who have never taken a GIAC certification exam, it’s fully proctored, and open book, but when you have a stack of books that is nearly six-inches deep you need a really good Index to help you find what you need quickly!

Then came the moment of truth – taking my first ever certification exam. I was a complete wreck. I got lost on my way to the testing center, but I had left my house early, so I still arrived on time. I probably had enough adrenaline pumping through my system to jump-start an entire football team, and I needed it because that first exam was LONG. Five hours long, to be precise, and you only get one 15-minute break if you need to use the restroom or down an energy shot.

And I passed. Suddenly, I was certified, not just certifiable. I was now the proud owner of a GIAC Security Essentials (GSEC) certification!

The other two courses were not as momentous as the first, but going through them still felt like drinking from a firehose. The courses were held online, so we were each on our own to study and build our indices for rounds two and three of the Academy. But we weren’t entirely alone. The mentors for each segment held regular phone conferences, and we have our own Slack team for chatting and sharing info, links, and resources. And the sense of camaraderie remains. I count these women as friends, dear friends, and I hope to keep in touch with them for a long time to come.

But the Academy isn’t just about making connections with other people. It’s ultimately about getting a job in the cybersecurity field. Several women in our cohort did so before completing their final course and related certification. Others accepted jobs shortly after graduation. Some of us have gone to work for cybersecurity firms. Others have found jobs working for large corporations, defending them from cyber threats of various kinds. But all of us have shared two key things:

  1. The SANS CyberTalent Academy has had a tremendous impact on our lives, in part because of the training and the newfound understanding we have of cybersecurity, and in part because of the foundation it has given us in multiple aspects of the community of people who work in the field.
  2. Being a graduate of the Academy has allowed us to get interviews we might not otherwise have gotten, and the training we have received has allowed us to perform better in those interviews than we would have done without it.

As for me, I’m working with SANS as a contractor while I finish up my school work. That means I get to review labs, quiz questions, and course materials, helping to make them better for other students who want to improve their cyber-fu. But once I finish school… I have no idea.

What I do know is that having the knowledge and experience of having gone through the Academy will let me go boldly, wherever I go, with a better, more solid foundation than I could have achieved otherwise. And that’s a really good feeling.




11 thoughts on “I’m Certified, Not Just Certifiable

  1. Great job! So what’s actually required to enter the industry as a contractor? An undergraduate certificate program or some kind of master’s degree or certificate from SANS?

    Regardless, what kinds of things to you do to stay abreast on the latest cybersecurity threats and techniques?

    1. Certification certainly helps. It’s a way of demonstrating and proving a certain level of knowledge, and depending on where you want to go having certifications may be required by potential employers or clients.

      Twitter, blogs, and newsletters can help you stay informed. Here are a few of my favorites:

      Daniel Miessler’s blog: https://danielmiessler.com/
      He also has an entire section dedicated to tutorials: https://danielmiessler.com/study/

      Bruce Schneier’s Schneier on Security blog: https://www.schneier.com/
      Crypto-Gram is a free monthly e-mail digest of posts from Bruce Schneier’s Schneier on Security blog: https://www.schneier.com/crypto-gram/

      Anything by Hak5: https://www.youtube.com/user/Hak5Darren/
      Including & Especially HakTip with Shannon Morse: https://www.youtube.com/playlist?list=PLA2578BDE9CB9AAB3

      The BHISblog: https://www.blackhillsinfosec.com/blog/
      And BHIS Webcasts: https://www.blackhillsinfosec.com/blog/webcasts/

      SANS Internet Storm Center: https://isc.sans.edu

      Bleeping Computer: https://www.bleepingcomputer.com

      Dark Reading: https://www.darkreading.com/

      And Twitter Feeds: (Sorted alphabetically)

      @BHinfoSecurity, @BreanneBoland, @BrianKrebs, @DarkReading, @DayOfShecurity, @DeviantOllam, @EdSkoudis, @Hacker0x01, @Hacks4Pancakes, @IanColdWater, @InfoSecSherpa, @MalwareJake, @malwareunicorn, @SANS_ISC, @SANSForensics, @schneierblog, @SCMagazine, @SmashinSecurity, @tarah, @TheCyberWire, @WendyNather, @WomenCyberjutsu, @WomenWhoCode, @WSC_SoCal

    1. I’m not a good one to ask about how difficult the application process was. I’ve worked with technology most of my life, and I’ve had to survive interview-gauntlets in years past when looking for work. (Some employers seem to think that running a potential candidate through five sets of interviews rapid-fire is somehow going to reveal the “right stuff”.)

      That said, when I applied it was a three-part process: aptitude test, documents and refs, phone interview. I expect the process is similar today, but you will need to check the official application information from SANS.

  2. Hi,

    How long did it take to hear back from them.
    I have put my application since February And haven’t heard back.
    I am so sad.

    1. Hi Betty,

      A lot depends on when the application windows open and close. I know that when I applied it felt like forever before I got a response. I also know they should advise you if your application is not accepted, or if you don’t make it through the various hurdles involved.

      Best of luck!


  3. Is the coursework so rigorous that I would have to quit my job to study? I recently graduated with a bachelor’s in IT and got a decent job in IT as technical support but InfoSec is where my true interests lie. The career development at my place of employment doesn’t seem to offer the level of trajectory this program would have.

    1. The coursework for any SANS course is intensive, especially if you intend to take the associated GIAC certification exam. That said, you typically have three months to study, and the OnDemand video playback is nice because you can re-view any complex or challenging sections as many times as you want. Most of the people I know take the SANS courses while working full-time, so it is definitely do-able.

  4. Hello! Thank you for the wonderful post regarding your experience in the program. How do you think someone with zero IT background would fare taking the application assessment and in the program itself?

    1. I have seen people who do not have a background in IT do very well. In no small part, it’s about being willing to apply oneself. Skills can be learned. Knowledge can be acquired. But it’s also important to know where your own strengths lie. If you have a difficult time with basic technology issues like using a password manager, trying to become a penetration tester might not be a good choice for you. On the other hand, if you are really good at writing policies and procedures, or doing research and writing about it, there are niches within cybersecurity that need you.

      Always play to your strengths, not to what is trendy or being hyped a lot as the hot career path. If you followed some of the links I shared in the article above, and the content got you excited and eager for more, keep going. If, on the other hand, watching one of the HakTip videos with Shannon Morse makes you want to scream, listen to that.

      Cybersecurity is not for everyone. Pay attention to how you response (or react) to material from pros already in the industry, then use that to help guide you.

Leave a Reply

Your email address will not be published. Required fields are marked *