Jeffrey Coa, ISSO, Northrop Grumman Corporation

InfoSec Institute alum Jeffrey Coa is an Information Security Systems Officer at Northrop Grumman Corporation in Maryland. In addition to earning two undergraduate degrees in Computer Networks, Cybersecurity and Information Systems Management, he holds nine professional certifications: A+, Network+, Security+, Microsoft Certified IT Professional (MCITP), Microsoft Certified Solutions Associate (MCSA), Certified Ethical Hacker (CEH), Certified in Risk and Information System Controls (CRISC), Certified Information Systems Security Professional (CISSP) and CISSP-Information Systems Security Engineering Professional (ISSEP).

Jeff’s gearing up to earn his tenth certification — Project Management Professional (PMP) — later this month, and is just a few semesters away from finishing his Master’s Degree in Cybersecurity Management and Policy at the University of Maryland University College.

Here’s what Jeff had to say about the value of certification and his training experiences as a five-time InfoSec Institute student.

How Did You Break Into the Field of Cybersecurity?

I’ve been in cybersecurity for over three years now and want to eventually become a Chief Risk Officer. I spent about the first ten years of my career in an IT role and always knew I wanted to get into cybersecurity. I decided to earn my Security+ certification first to get my foot in the door. Security+ is a basic requirement for most cybersecurity roles, so that was a good place to start. This is especially true in government or government contractor roles.

I earned my CEH next and got my first security role as a Systems Administrator shortly after that. Since then, I’ve earned my CRISC, CISSP and CISSP-ISSEP, and am currently working on my PMP.

Why Are Security Certifications Valuable?

Certifications help you stand out in your field, especially in IT and security. They confirm you know your stuff and validate your understanding of specific domains. If you work for a government contracting company, certifications are often required to work on jobs and help your company win contracts.

I want to get into risk management, which is why I earned my CRISC and CISSP. I’m earning my master’s degree and PMP certification next because I plan on interviewing for a few managerial-level roles in the near future.

Why Did You Decide to Earn Both Your CISSP & Your PMP?

I decided to earn my PMP in addition to my CISSP because it gives me another advantage over other CISSP-certified managerial candidates. PMP certifications are also required to work on some government contract jobs.

The best managers have technical, practical and managerial experience. I’ve spent the first part of my career building my practical knowledge and experience and am now ready to move onto management. I don’t want to be a manager without practical experience — I want to be able to relate to my team and understand how systems work.

Why Did You Select InfoSec Institute as Your Training Provider?

Northrop Grumman has a partnership with InfoSec Institute through the course voucher program. Since we have a budget set aside for training, it’s easy to enroll in classes and get certified. InfoSec Institute offers a myriad of certification paths and programs — I haven’t had to go anywhere else for training since working here.

Tell Me About Your Courses. What Was Class Like?

I’ve taken five boot camps with InfoSec Institute and all my instructors have been great. We’d often stay after class to study, and the instructors would stay with us and help answer our questions. They’d also reach out to us around exam time to share extra advice and encouragement.

I’ve connected with several students and instructors via LinkedIn and email after class. Michelle, my PMP instructor, has been especially helpful. Even after class, she’s gone out of her way to share pointers and study tips.

Did You Pass All Your Exams On the First Attempt?

I passed all of them but one. I missed my CRISC by just a few points, but was able to pass it on my second attempt. On my first attempt, I changed several of my answers during review. I think this is where I went wrong — I normally don’t change my answers like that and it’s the only exam I didn’t pass. On my second attempt, I stuck to my guns, didn’t change my answers during review and passed.

How Does What You’ve Learned in Class Differ From Your Practical Experience?

In class, you learn how things are supposed to be done in an ideal situation. This can be a lot different from what security practitioners experience in the field. I’ve been in class with some people who’ve really struggled with this. They keep comparing what the book says to what they do at their jobs — this doesn’t work. It’s like what one of my InfoSec Institute instructors said in class: “When you sit the exam, put on your test-taker shoes. When you’re done, take them off and put them away.” On test day, it doesn’t matter what you do at work. You can’t get wrapped up in that — you have to open your mind and change your mindset.

How Do You Prepare for Your Exams? What’s Your Strategy?

I’ve mostly followed the same approach each time. I hunker down for the boot camp and take the exam a few days after class. I have a few coworkers who study for weeks after their boot camps — my advice is to study hard for a week or two and take the exam. I actually schedule my exam dates in advance of the boot camps so I have a deadline to work toward.

I’d stay after class to join the study groups and then do practice questions in my free time. I do about 50 to 60 questions every day, and drill down into the areas where I’m not doing well. I’ve found the practice tests and questions are often harder than the exam — if you’re scoring around 80% on your practice tests, you’re usually ready to sit the exam.

Do You Have Any Advice for Others Just Getting Started In Cybersecurity?

My advice to new college grads or people just entering the field is to enroll in a few certification boot camps and learn how to do things correctly early on. I’ve seen so many experienced professionals really struggle to get certified because they can’t let go of the way they do things in their daily roles.

I’d recommend earning your Security+ certification first. It’s becoming the high school diploma of security. After that, get your CISSP. It’s a Level 3 certification on all 8570 contracts and can really open doors for you.

Certifications like Security+ make you more marketable — this applies even if you have limited experience. They prove you at least understand security theory and can hit the ground running in your new role.

Would You Recommend InfoSec Institute to Your Peers?

Yes, I would.