
I have a CCIE, so what's my level of security?

In the past year, 2018, I hosted a couple of security workshops all over the world. During them, I was asked the same question many times: "I am trying to get/have passed certificate xxx, what's my level in the security area?" As I always tell people who ask a similar question about the CCIE, I'd like to use the best-known phrase in the networking industry: it depends. This can be illustrated from two perspectives.

First, people who have acquired the same certificate (let's say CCIE Security) have entirely different backgrounds; the only shared characteristic is that all of them have enough knowledge and skills to be certified as an expert by Cisco. In security, one may have experience with penetration tests, while another has nothing but what is in reference books. It's impossible to conclude in general that they have reached the same level in security or hold the same interests after the exam. As for the design of the certificate itself, I don't believe either the designers or Cisco try to make it broad enough to cover every detail. Even so, some will still try to assess themselves, asking the same question in order to improve further. This is what I'll try to address shortly.

The second perspective is simply to define one's ability by the type of questions/work one is working on, so an experienced engineer can be an expert in security but quite a novice in other areas. The following levels are purely my own understanding and may not reflect what you're thinking:

  • Kindergarten level. What matters most at this level is configuration, including command-line configuration, GUI configuration, and configuration in other forms. We all admit that as engineers we have to deal with configuration, but most engineers at this level focus on it only. One common trait I've observed is inflexibility at work, because they don't care about the trends, design, purposes or even the reasons why devices/machines should be configured the way they are. It's quite difficult for them to change anything in the configuration, like tuning parameters, even after they've spent months or years on the same topic. We all start at this level to grasp the ideas, but repeatedly doing the same work won't improve us.
  • Primary school level. After graduating from kindergarten, we understand some basics of how each thing works. In this step, we expand our footprint based on what we have learned. Typically, we try some new parameters when tuning the systems and compare their effects, and we try to add/modify/delete some parts to see what will happen. Through this practice, we gain a broader knowledge of how the systems work and lay the groundwork for the next level.
  • Middle/High school level. Things start to get exciting and hard from here, because we have to not only learn but also study theory, which won't show any instant improvement. The idea is similar to having a stable and robust foundation before building a skyscraper. Take running a DHCP service in a network: there are a lot of docs that need to be read before we can form an idea of how to enforce its security. Also, we are more likely to learn from others' best practices and experience instead of copying/pasting files found online, since we have understood that scenarios and purposes differ. The work won't be as fast as at the kindergarten level, as we have to analyze the situation and the goal and distill some thoughts after perusing others' work.
  • Undergraduate level and above. After we have passed the level above, we are looking at a level with more general topics, like architectures and concepts. A quick example that happened during my training session: all the students had enough understanding of firewalls and of the best practices for tuning them, yet they still had issues with security within the same zone. There was nothing wrong with their skills, the products or the best practices they tried to follow; they just missed the architecture or concept: the firewall is not designed to meet this purpose.

When I'm asked a question similar to the title of this article, I prefer to define the traits of each level and let the asker answer it. You may have your own definitions rather than following mine, and I'm more than happy to hear from you.