Step 3: Expand Your Knowledge

Before we continue the journey with Step 3, be sure to read through Step 2: Explore Areas of Interest. This will give you the background and context for what will be discussed here. For those joining me from Step 2, let’s get to it!

In Step 2 I identified the Security Architect as the role that I found to be most interesting in my journey. I encouraged you to explore and possibly discover a work role that was of interest to you. Fret not if it was a lot of information to digest – I will walk you through the process as I did it using the Security Architect work role as the example.

For this process, I had the best success creating an Excel sheet to help me filter the KSATs for the role and identify gaps in my knowledge that I could work towards. It also makes it very easy to capture progress in one location and allows you to calculate progress metrics (if that’s your thing). If you wish to follow along, follow this link to view the Security Architect work role on the CISA website. I prefer this method because it is graphical in nature and makes it simpler when selecting content for copy/paste into Excel.

When you arrive at the site, you will notice an interactive map. For the time being, find and select Cybersecurity Architecture 652 (in a green circle). This will bring up more details about this specific work role. Separately, create a new Excel sheet and label 3 columns with the following: Type, ID, and Description. Switching back to the website, in the tabs now visible, select the “Tasks” tab to show more information about the tasks that compose this work role. Starting with the first row (A*   T0084   Employ secure configuration management processes), select this row and everything following it and copy to the clipboard. Switch back over to Excel, select cell A2, and paste with the option of Match Destination Format. Repeat this for the “Knowledges and Skills” tab as well. Once completed, you should have 220 total lines in this Excel sheet. The final step is to select cell A1 and insert a table, with the option of “my table has headers”.

Now that we have the KSATs necessary for this job role, it may seem a bit overwhelming. This is why we created a table, to enable us to filter content. Let’s filter column B (ID) for everything starting with a “K” (knowledge) to reduce the results. Let’s further reduce the results by also filtering column A (Type) for “Core”. At this point the list should be 36 items – much more manageable than 220!

This is where I will introduce you to the final piece of this puzzle. Knowing what is required for the work role is one thing, and knowing how to get the knowledge is another entirely. This resource has been of great help to me personally and is one that I actively follow as I proceed in my own journey. I hope you too find it useful. This person has taken the time to create a roadmap of numerous certifications that one can seek. Furthermore, they are conveniently categorized by the domain that they best fall under and are listed at the top. 

With this website and the Excel sheet you created, it now becomes a task of looking at the bottom portion of the chart (the ‘beginner’ certifications) and deciding which ones interest you most and would help you learn the information you have gaps in. I understand that there is a good amount of effort involved in mapping certifications to the items on your Excel sheet, as I am currently not finished doing so myself. Most importantly, it has enabled me to focus my efforts and explore trainings that will help me “check a lot of boxes” by taking a select few. For example, Security+ training (listed in black) is a certification that will allow you to check a large number of KSATs listed in the work role. Though it is listed under Security and Risk Management in this chart, it also has applicability to Security Architecture and Engineering. To further my example, once I complete the Security+ training, I will be taking AZ-900 (Microsoft Azure Fundamentals) and AZ-500 (Microsoft Azure Security Engineer Associate) to gain a basis in Cloud. CASP+ (CompTIA Advanced Security Practitioner) is the intermediate next step for someone who has completed Security+ and has gathered a good amount of hands-on experience, and one that I also plan to take in the future.

As we arrive at the end of Step 3, I hope this information helped demystify cybersecurity. We started in Step 1 with an explanation of some frameworks to better understand the domains in cybersecurity. In Step 2, we dug a bit deeper and explored the numerous work roles within these domains to help you find one that may be of interest. And finally, in this step, we explored how to understand the KSATs for each work role and use this to identify gaps that you can take actionable steps to fill.

May your journey be fruitful and remember to always keep exploring and learning.
