What cyber security courses don’t prepare you for

2018-01-20  Cyber Security

It’s almost a year to the day that I left my journalism job and started at the SANS Cyber Retraining Academy, and I’ve written a lot of blog posts about how much I enjoyed the experience and how valuable and life-changing it was. But now I’ve been in the industry for a few months, I thought it would be interesting to explore what it didn’t prepare me for.

Scale and complexity

The academy gave me a great foundation in computing, networking and security, but there’s a huge difference in implementing that knowledge on a lab network of five virtual machines (if you’re lucky) and a corporate network with a complex layout and thousands of endpoints.

To make things even more challenging, one of my instructors once said he’d never spoken to a business that could give him an accurate and up-to-date map of its network. The days of dealing with a handful of sequential IP addresses on a flat network are certainly over.

Corporate language

Even if you know everything there is to know about computers and networks, you probably won’t get very far in the workplace unless you familiarise yourself with the array of processes and corporate jargon that governs everything that happens on the network.

To get things done, you have to get to know your change processes from your CMDBs and your risk matrices from your DRPs. You pick it up and get used to it as you go, but the most comprehensive online glossary I’ve found is on Peter Bance’s website.

Learning at speed

In all honesty, this is something that the famously quick-fire SANS courses did actually prepare me for. The challenges above are obstacles to getting your job done, and you don’t get much time to find a solution once you’re faced with one of them.

Within your first couple of weeks in the cyber security industry you’ll become an expert at quick Google searches that help you work out where things you’re unfamiliar with fit into the big picture. But if you can’t find anything online, there’s always someone to ask!

The naked level

You know that one level that appears in nearly every video game? The one where your painstakingly developed, heavily armed character is captured and has to complete the next stage without any of their gear or abilities? That’s what cyber security is like.

You probably learnt how to use a range of tools during your courses, from Nmap to Nexpose, but chances are you’ll be heavily restricted in what you can use in your corporate environment. This might be frustrating at times, but really it’s an opportunity to learn and broaden your skillset – so perhaps it’s the most valuable challenge in this list!

Photo © Richard Corfield (CC BY 2.0). Cropped.

Looking for the comments? My website doesn't have a comments section because it would take a fair amount of effort to maintain and wouldn't usually present much value to readers. However, if you have thoughts to share I'd love to hear from you - feel free to send me a tweet or an email.