Lifelong learning, being 100% certified, situational awareness, and my thoughts

     My route to becoming an InfoSec practitioner was anything but traditional. For this I am thankful. Why? Because I discovered a breadth of information that has served me well in life.
     This story begins in 1990 when I first joined the Navy. I joined between my Junior and Senior years of high school. The underlying reasons for me joining are as follows:
         
1. I was 17 and knew that I wanted to see more than the "Golden Triangle" of Texas. ( my travels took me as far as Dallas to the north, San Antonio to the west, and Pensacola, FL to the east.)
2. I wanted to go to college but didn't know what I wanted to do when I grew up
3. Home life sucked and I wanted out

The job I signed up for in the Navy was entitled Cryptologic Technician (Maintenance). This is code for "mostly works in air-conditioned spaces" and Class "A" school located in Pensacola, FL. At least that is all I knew about it from the information sheet I read. An entire career of 20 years was based on those 2 things. Looking back I ask myself "how stupid could I have been?" and "how lucky was I?" My school lasted for almost 1 year (was supposed to be shorter) and I learned electronic theory, AC/DC theory, soldering, recorder theory, how receivers and transmitters worked, how to run a maintenance shop, and the troubleshooting methodology. This is where my first failure came into play.
     All my life, schoolwork came to me easily. I was bored with school and always spent minimal effort on homework, etc. This caught up with me in Pensacola. A class in power supplies theory and maintenance ended with me failing the module. I got rolled back into the next upcoming class and was told that I would lose my slot in school if I failed again. Nothing learned other than the "walk of shame sucked." From Pensacola I went to an advanced course in electromagnetic transmissions and intercept for submarine systems. Once again, I fell into the routine of just getting by. Once again, I almost got dropped from training. Once again, I took the "walk of shame" and learned nothing.
     At this time I met a man named Rob Bartlett. He introduced me to a thirst for knowledge, not just a quest for checks in the boxes. Rob, if I have never thanked you, I am doing it now. Still not knowing what I wanted to do when I grew up, I began taking college courses to figure it out. My majors, in order of declaration were: Mathematics, History, Psychology, Occupational Psychology, Computer Studies, and finally Business. I took classes at:

 The George Washington University                     Coastline Community College       
Hawaii Pacific University                                      Community College of the Air Force
University of Md University College                     Prince Georges Community College
Excelsior College                                                   American Military University
Carnegie Mellon University/CERT                        Webster University
National Cryptologic School                                  other formal training institutes

This 13 year meandering through collegiate life led to a very broad background of knowledge, a better understanding of how different people approach a problem, and an understanding of written goals/requirements.
     Something else I learned from Rob was to take any class offered by the military regardless of what it is. This led to me taking classes anytime offered (something I still do today). I have taken some really cool classes that were never meant to be taken by someone in my career field. I have not performed a pen test in over 6 years but I ended up taking Dave Kennedy's SET class at BlackHat. Why would I spend all that money for something I may never perform again? Because my boss offered and it is an opportunity to learn something new. Plus, I got to meet new people with various backgrounds and learned from their experiences.
     If you search for the subjective "knowledge" as opposed to the objective "results" (cough* paper MCSEs* cough * paper CISSPs*) you will understand the point of certifications. They are something you can frame and show your friends as a badge that says I took a test. Same goes for a college degree. A degree is something you can frame and show your friends that says I took lots of tests. If done properly, you can show your friends these pieces of paper and then debate the merits of, say, a truly air gapped network,  how it would be implemented, and the upside/downside of that network. Moreover, you can speak about it with authority and experience because you have operated/managed one not just read about one when you read the majority of an article in Slate magazine once.
     Do I see value in certifications/degrees? Absolutely! The value, in my humble opinion, is that I can put them on my resume as a check in the box. This should allow me to get my foot in the door for an interview and then I can use my experience to get the job. What about the plethora of jobs that do not mention certs/degrees in the requirements. Fine. I can put my certs/degrees on my resume, placing a check in the box I drew on the form myself, get an interview, and use my experience to get the job. This should be the emphasis of ANY hiring official. The questions should not be what boxes can you check, they should be what can you show me and tell me about how you would handle x.
     A short story to prove my point. While in the Navy, I was given the opportunity to screen all junior officers, all with fancy degrees, and senior enlisted members deploying to Iraq and making recommendations on who should go. I was told to give these guys a test to measure how successful they would be in the field. (As if could actually be done.) My test was simple. 100 questions. Multiple choice. You have 5 minutes to answer them all. Begin! After this was handed in, never completed, I would give each person a scenario.
           {You are providing tactical intel support to a Ranger company. Your purpose is to tell them which of 2 doors they should kick in, using highly specialized cell phone intercept equipment. What do you do. The officers with technical degrees would usually begin by walking in an ever increasing circle, attempting to get a fix on the target, and would then make a recommendation. The enlisted personnel would usually think for a second or two, then tell the Rangers to kick in both doors, interrogate the subjects, and arrest the guilty party (probably the guy with the cell phone in his hand).}

      I always recommended the enlisted guys. I caught flack for my recommendations because officers are required to lead for promotion while enlisted members are taught to lead and promoted because of it.

What is the point Branden?
1. Seek knowledge, understanding, and experience NOT papers, titles, and pretty frames
2. Never pass up a chance to learn
3. Like a child, learn from everything you do, taste, smell, and touch
4. Be humble. Nobody likes people who think they are smart, they like smart people.
5. If something you do now seems painful, it is ok. Next time will be less painful.
6. Teach others. You will learn from this too.

     So I know that this is kind of scattered all over the place (I blame insomnia). To make matters worse, I will not edit this in the morning before I publish it. Hey, why write something twice? Especially when no one reads this anyway.