Interview: Barry Cooper of FishNet Security Training

August 27, 2012

We describe ourselves as The Ethical Hacker Network, a free online magazine for security professionals. With that in mind, we try to have a wide range of topics of varying difficulty, all with an aim towards helping the readers on their chosen career paths. As the Editor-in-Chief of EH-Net, I am constantly asked online and off about the best way to get into the field, how to get a job and most often about the value of certifications, experience and education. Long-time colleague, Barry Cooper of FishNet Security Training & iSWAT 2012 in September, not only has an abundance of each but also works in the security and training fields. So who better to offer up some advice?

For a little background information, Mr. Cooper has over 25 years of experience in information technology and security, and has been designing, developing, and delivering technical training courses for over 15 years. He has significant expertise in systems analysis, computer programming, information security, instructional design, and network engineering. Mr. Cooper is responsible for the vision, operation, and management of the FishNet Security Training organization. In addition, he manages vendor, security, and distance learning product development. Under his guidance, FishNet Security’s training LOB now includes 10 national training centers and offers well over 100 courses. He also developed FishNet Security’s eLearning capability and remote live training delivery systems from the ground up. Barry has attained over 70 high-level security and technical certifications including CISSP, JNCI, CCSI and CTT+.

And we are lucky to have him answer some questions and offer some great advice.


1. How did you get into the position you hold now? Was it a planned career path, a ‘stumble along as you go’ approach, blind luck, something else entirely or all of the above?

I’ve always had a passion for technology and teaching ever since I was a kid.  I was notorious for taking the vacuum tubes out of our black and white TV set as a boy, continually studying them and carefully replacing them over and over again, then teaching my little brother and the neighbor kids how to do the same thing (to our parents’ chagrin).  Things that interest me, I pursue whether it’s a college degree in Organizational Leadership or hard-to-obtain technical certifications.  The thing that intrigued me the most was how to explain very technical concepts in a simple and concise way.  My career at FishNet Security started as a technical security instructor and gravitated to running the entire LOB that included developing Remote Live Training, eLearning, and Onsite delivery capabilities.  I prepared myself by following the things I am passionate about, minimizing distractions, then targeting companies to work for that had the same paradigm.

2. We often talk of the big 3 factors in advancing one’s security career: a degree, certifications and experience. You’re in the unique position of having all 3 and an abundance of the latter two. Can you share with us your thoughts on what you feel helped you the most, what didn’t and any other insights for our budding ethical hackers out there? 

When I train students on the qualities that make the best ethical hackers, my primary focus is on fortitude.  If you have the passion and desire to stick to something, anything, you can and will prevail.  I’m wired to pursue mastery over subject matter.  There is something in me that drives me to gain expert level knowledge of the subject matter I’m passionate about.  To all young ethical hackers trying to find a path, be relentless and stick to it! Whether it’s attaining relevant certifications, degrees, or experience, don’t give up, don’t be denied, and most importantly never stop learning.

3. What is the value of security certifications in today’s tough job market?

High in my opinion.  Attaining a certification does NOT necessarily mean you are an expert on a particular technology but DOES demonstrate your stick-to-itiveness and the analytical ability to understand what the test writer was asking!

4. What would you consider to be the top general security certifications, the top certifications for ethical hackers (pen testing, forensics, web app, coding, etc.) and why?

All of them!  Really!  As I mentioned earlier, connect your technical passion with your career goals and follow that path.  If security management interests me, CISM is a great certification to hold.  If my goals are more on the operational side then CISSP is a good foundation.  There are some newer foundational certifications such as CASP that have value.  For those in web app, or coding, CSSLP, GIAC Secure Software Programmer, Java and .NET are excellent.

5. What are your thoughts on the best practices for acquiring security certifications?

In a nutshell, gain mastery.  Statistics show that it takes the average person between 7-10 years to become an “expert” at their job while it takes only 3-6 months to master specific tasks, duties, and concepts.  Get your hands on the subject matter or technology you want to master and begin to “remove the vacuum tubes” over and over again until you have it down cold.  Prepare yourself for exams by finding others who have been through the process and determine, the best that you can, the specific exam’s paradigm and study, study, study.  Practice exams are a good way to exercise question types.

6. Can you list some practical steps for managing and maintaining security certifications?

This is one of the most overlooked and painful problems the well-certified security professional can encounter.  For me, it’s more about the time I waste recertifying simply because I missed a fee or continuing education requirement more than the expense or study involved.  I’ve inadvertently allowed difficult-to-obtain and expensive certifications to expire without even knowing. Bottom line, keep a certification journal and reminder system using the 90-60-30 day rule to be sure you are ready for any and all cert upkeep scenarios.  The most important thing you can do to ensure you maintain your hard-earned certifications is to know what path the vendor or certifying body requires for you to stay certified.  It may sound simple, but the varying requirements can be a minefield if you don’t properly document (journal) what YOU need to do to stay on top of things.  Remember, these are YOUR certifications and they stay with you wherever you are employed.  Certifications are a key part of your career growth portfolio.

7. I’m a firm believer that one should not only learn from their mistakes but also try to learn from the mistakes of others. How can our readers learn from your example and leverage security certifications into an actual paying job or get more pay for the job one already has?

It’s about value.  If the certifications you possess are desired by management then that allows for a certain amount of “pre-leverage” when it comes to review time.  Please keep in mind, there are so many different types of businesses and organizations that a “one size fits all approach” to certification is not possible.  If you currently don’t have certifications your organization (or manager) deems valuable, get them.  Be relentless.  Also, be equipped to speak to the fact that your certifications (and your willingness and fortitude in getting them) increase the ROI possible regarding your organization’s security infrastructure because you can fully leverage all of the feature sets available and employ a forward-thinking security best practices view based on what you KNOW.

8. What advice would you give to those who are unsuccessfully looking for work in this field either with experience or those who might be switching careers?

Don’t give up!  Certifications are hard to achieve and difficult to maintain. Here’s a short story to illustrate my point.  Several years ago, I hired an instructor who, though not certified in all the areas we normally require, had the determination and fortitude I like to see apply to become an instructor on my team.  I went out on a limb and made the hire.  All new instructors must attain a certain level of routing and switch knowledge in order to properly function as a teacher in the security world.  Problem was, my new hire failed the exam 4 consecutive times.  Frankly, I was worried. I sat down with the distraught new hire who was concentrating solely on how he had failed to pass this pretty difficult technical certification.  I chose to focus on how much he had already learned and not on the failed tests themselves. Just relax and answer the questions from the vendor’s perspective.  We discussed some common self-study items, and he went on his way.  This instructor now holds a senior position in our organization and has not failed an exam in over 6 years.  Moral of the story, have the right attitude, study efficiently, and don’t quit.

9. Finally… when looking back on such a long and successful career, I’m sure there were plenty of missteps either of your doing or not. What’s the funniest story you can share with EH-Netters?

Oh man, wow.  Uh, ok here goes. I went to a testing center many years ago to take a VERY high level technical certification exam and had been studying ferociously for several days.  The testing room was in an airport flight school hangar (of all places).  Needless to say, I was in somewhat of a caffeine-induced haze as I checked in, logged on and began to take the exam when to my surprise the technical exam I was expecting failed to appear.  After clicking and messing with the knobs and switches I suddenly realized, I’m not sitting at a testing station (which was nestled neatly against the far wall) but I had just turned on a flight simulator for a Cessna 410 and was approaching take off speed!

———-

Thank you for taking the time to squeeze us into your busy schedule. For more of Mr. Cooper’s wisdom and wit, be sure to catch him, his training and a great presentation, "Certifying Your Future. Preparing for Success." at FishNet Security’s iSWAT 2012 Security Training event in Las Vegas from September 17 – 21. As luck may have it, yours truly will also be speaking at iSWAT. "I’m Certified, Now What?" combined with Mr. Cooper’s talk should make for lots of fun but most importantly some shared experience. For more details, please go to the iSWAT 2012 Schedule Page.

Donald C. Donzal
Editor-In-Chief
The Ethical Hacker Network
