Cue the Opening
Probably the scary story I had was not scary for me - but for a client, long ago. And it's a story that's been probably experienced by countless IT pros that have been put up against the bulkhead and threatened to be shot professionally for not having a cert.
We've all been there. That sudden drop in the stomach, the fetid smell of vomitus as the stress peaks, knowing that one's immediate future will involve the unemployment line and the associated hacking of the budget. And to have it happen just before the holidays when starry eyed kiddies have no idea that their Christmas dreams are about to come crashing down. The sweaty palms having to tell one's significant other, that the death knells are sounding...
Our tale opens with a manager somewhere, informing his employee that because the Government has mandated documented security training and certification, he would have to acquire a certification in a field in which he was only remotely affiliated. I can only imagine this poor soul walking out of the office, not even sure where to begin, only knowing about the Security+ in name, maybe an offhand aspiration of acquiring it...someday. But really, it's not part of his role, so what's the point?
The clock was counting down to Halloween - the due date for him. And it was late September.
As for me, I was doing some side tutoring when I got this email from a potential client. He informed me that he had about 30 days to get his Security+ and wanted to meet up to go over it. So, we linked up and I brought a couple of Sec+ books that I had and met him at a Panera to go over what we were facing. I figured it would be a simple thing.
He was a fellow in his early 30's. Unremarkable in appearance. But he was fidgety and nervous. Seems like he was very worried, so when he saw me, with two textbooks, a laptop, and a shirt and tie (no fedora at the time), his career would be saved. We sat down to a coffee and one of Panera's many over-caloried goodies. I cracked open the book to chapter one, Introduction to Security. We talked for about 20 minutes about Confidentiality, Integrity, and Availability. I defined the concepts of Authentication, Auditing, and Availability, as well as Non-Repudiation. I was getting to the discussion of the subtle differences of Risk, Vulnerability, and Threat when I could see the panic begin to glaze over his eyes, amidst drowning in a sea of his own lack of training.
I bookmarked the tome of knowledge, looked into him, with an exchange that went something like this:
Me: "You alright, man?"
Client: "All of this is confusing. Can we begin at somewhere simpler?"
Me: "Alright, well, let me ask, when did you take the Network+?"
Client: "Never"
Me: "Um...okay..what about A+?"
Client: "No, sorry"
Me: "O....kayyyyy....um, what do you do for work? What's your role?"
Client: "I maintain a security camera system. Replace and tune cameras, run cable, and set up for security kiosks."
Me: "And your employer is requiring you to take the Security+?"
Client: "Yeah. 8570 requirement - I have to get the Security+ by the end of this month to keep my job. What do I need to do, man?"
Me: "Honestly, friend. You need to polish your resume. There's no way you're gonna get this done in 30 days."
He didn't like my answer and I think he was even a little angry at my brutal honesty. But I think he was terrified that he was going to lose his job and now more so when he finally got a peek at what the Security+ entailed. I think when I said, "you're not going to get this done in 30 days", he heard something like "you're never getting out of this alive.."
And now for a commercial break
I felt bad for the guy; he'd been doing the job for a few years now and basically, his company was going to push him through the strainer. We finished the hour and he walked out, in the most sad, dejected manner one could imagine, as if all his hope had been drained out of him, and he was just zombified.
And I really did not understand why someone in his role, specifically, would need Security+, except it being the only Information Assurance/Security credential that the DoD would accept. He looked astute enough that with about six months of dedicated study and practice, he could get there...maybe.
But this is a story that is sadly common in our field. We see things like (and I've personally seen these things):
- A student who is trying to secure that big money job, trying to snarf up certs to make his resume look good, so he can quit his job at Burger World and start his exciting career in IT
- A company that is required to have certified staff, yesterday, because the Government requires it, so a person who is doing security cameras, telephones, or some other thing has to get a crash course in PKI or how to configure a CA server.
- A school/training house that is pushing to create a program that is supposed to fit with a time frame (usually too short) and get students through, hopefully successfully, trying to find the balance between getting them trained and getting them passed (all of us in academia have been on that balance beam)
So, as I bring this tale to a close, hopefully you have been both entertained and informed in some way this Samhain season. I look forward to seeing other stories.
Cue the Closing
/r
