Meet Erich Kron, one of the hottest commodities on the security awareness speaking circuit today. With over 20 years of experience, Kron’s done it all: He currently works side by side with the infamous Kevin Mitnick for the firm KnowBe4, an enterprise partly owned by Mitnick himself. Before moving into the private sector, Kron worked for the Department of Defense (DOD) as Security Manager for the Army’s Western Hemisphere Regional Cyber Center.
As a guy who’s had to meet the stringent standards that come with working for the federal government and still prove himself capable of private sector work, when Kron delved into the topic of career preparation and advancement we knew it was time to lean in and listen up.
For Government Work, the Requirement for Certain Certifications is Codified Into Law
In general, Kron says that certifications are pretty important because they give employers an idea of your basic knowledge in certain topics. But the starkest example of where certs really come into play is with federal government work. In fact, the certifications required to secure a position with the Department of Defense (DOD) are literally written into law. As Kron put it…
“In the Department of Defense especially, there are some regulations that require certification for certain job titles. The private sector is typically a little more lenient on that … but in order to get your foot in the door in DOD, and a number of government sectors that follow the same thing, the regulation is 8570.01.”
Kron went on to say, “That is the one place where I think certification is absolutely vital in order to get your foot in the door. Many times they’ll hire you without certification if you agree to get it very quickly, but if you really want to beat out those other folks and have a step-up in the game, some of the basic certifications based on which organization you want to go for will certainly help.”
Regulation 8570.01 pertains to anyone who focuses on the development, operation, management, and enforcement of security capabilities for systems and networks of the DOD and affiliated information systems and networks. This would be applicable to any cyber defense job with the US government. The law even applies to civilian contractors.
Some examples of the industry certifications that qualify you for different levels of DOD-related jobs include:
- CSSP, CSSLP, CISSP, CISSP-ISSMP, CISSP-ISSAP, CISSP-ISSEP, and SSCP – sponsored by (ISC)2
- A+ CE, Network+ CE, CSA+, and CASP+ – sponsored by CompTIA
- CCNA – sponsored by Cisco
- GICSP, GSEC, and GCIH – sponsored by GIAC Certifications
- CISA – sponsored by ISACA
Kron himself has 13 certifications in total, including CISSP-ISSAP from (ISC)2, certs from CompTIA, and many from Microsoft.
Whether for government or private sector work, Kron advises, “Understand what it is that you’re looking for and drive towards those sort of certifications.” This is going to require some reverse engineering. You’ll need to understand the position you’re pursuing enough to know which certifications meet the basic hiring requirements and align with the work you’ll be doing.
In the Private Sector, All the Experience and Certs Out There Won’t Make up for Not Having a Degree
Even with a résumé showing 10 years of experience with the DOD and a long list of professional certifications, Kron said he still encountered obstacles when pivoting into the private sector. Despite all his talent and proven expertise, the fact that he didn’t hold a college degree proved to be a major limiting factor…
“I was being shut down at the door by organizations because I didn’t have a degree. So I went back in about 2013 and I actually got my degree even though I had a lot of experience, background and certifications.”
Kron bit the bullet, went back to school in his 30s, and got a BS in IT-Networks Administration. In the private sector this degree, combined with his certifications and experience, was the key that opened the door for him to eventually climb to his current position with one of the best-known private cyber security companies in America.
Kron’s own experience and words of wisdom are reflected in a wider sentiment found throughout the industry. Cyber Seek, a company with a grant from the National Institute of Standards and Technology (NIST), helps link professionals in this field with employers. In 2016 it reported there were 312,000 job openings for information security analysts and related jobs demanding cyber security skills. And (ISC)2 reports that by 2020 there will be 1.5 million unfilled cyber security jobs globally.
A 2017 article in the Harvard Business Review cites a lack of skill in the workforce as one of the main issues behind the national and global workforce shortage. The irony is that this could very well be chalked up to nothing more than a perceived lack of skill. Some of the best in the field, among them virtually all the legendary hackers-gone-white-hat, Mitnick himself included, never earned a degree and likely don’t hold many certs. Despite this, businesses still tend to look for people with traditional technology credentials, namely a college degree.
That’s not to say that a degree isn’t extremely valuable, even beyond allowing you to put a tick in the checkbox for formal education. The IT field can be very compartmentalized. For those who want to break out of the box and transcend this compartmentalization, a college degree in cyber security can be the key.
This is where having a formal education really comes in, explains Kron. “It will open your eyes to areas where you’re really not involved, and you get to see some things that are happening that perhaps your current job doesn’t allow you to see… I think the traditional education and learning about this stuff is incredibly important.”
Having Earned Your Stripes Through Real World Experience is Always Highly Prized
There is nothing quite as powerful as your reputation. And a reputation is always built on experience. This is particularly true of advancement. Kron says, “I think a lot of what happens between the entry-level and the senior positions is an experience thing in many cases.”
He lays out two clear paths for gaining the experience you need:
Join local groups like (ISC)2 and ISSA chapters …
As cliché as it may be, Kron says you have to break from your introverted tendencies and get out there and network a little. As Kron put it…
“Nowadays there are some absolutely wonderful local groups. (ISC)2 chapters. ISSA chapters. Any of those sorts of groups you may have in your local area are fantastic for getting in there and meeting people. Getting involved with people that are there. There are educational opportunities that are usually free or very low charge; those sorts of things. And you get to meet other people that are in the field already.”
“That can become invaluable as you try to get that first job. Knowing somebody who will come up and say, ‘You know what, I know this guy doesn’t have a lot of experience. But I’ve met him here and I’ve talked to him here. He’s interested in some projects.’”
Make Cybersecurity Your Hobby…
Kron explains that when he started out, “I was a geek…I just spent my evenings and weekends kind of delving into that world.” He even has his own lab at home with his own machines where he tinkers and learns as he goes. As he put it…
“To get your foot in the door, having that experience when you do get that interview and you can say, ‘You know what, yeah, I run ESXi. I run it at home, but at least I’m familiar with it.’ As opposed to the candidate who says, ‘You know, I heard about that once.’ That can make the difference between someone willing to give you a chance, and not.”
This kind of devotion shows that cyber security is something you live and breathe. Kron says, “You’re going to need to kind of go into that mode if you want to be really successful. If you really want to be successful in cyber security it really needs to be more of a passion of yours, or something that you find you really like to do because, quite frankly, this is a very fast-moving career…this is one of those jobs that if you don’t like what you’re doing you’re going to burn out very fast.”