Every year I try to make some achievable goals for myself for learning, practicing, and getting certified in various topics related to my career in IT and infosec. I’ve been in the industry for over 18 years, and this is the fourth year I’ll have made and pursued concrete goals. In my early years, I learned a ton through informal self-education, and later on pursued a trickle of formal certifications. Then I coasted a bit, and have since made specific effort to formulate goals and plans to achieve them. More often than not, the number of things I want to learn and do far exceeds my capacity to pursue them in a given year, but I do try to make concerted effort to make progress forward through the backlog and keep my activities focused on some goals.

I have a bunch of options for this year, and with the way the year is starting out, I may have some fluid choices to make as the year progresses. For the first quarter at least, I have a solid priority that won’t change. From there on, I’m just giving myself some options while planning on doing some maintenance of skills and make use of the wide range of online labs and platforms available these days.

Honestly, I have quite the backlog of one-off courses, lab environments, challenges, presentations, and other things to do and consume that I don’t want to spend most of my free on-keyboard time in 2020 doing formalized training towards a certification. I want to keep free time and energy set aside to do these sorts of filler tasks, bits of learning, trying new tools, and chopping away at the large list of things I want to do, complete, or learn. Keeping the time free also lets me do things like sign up for a month-long lab (paid) if I so desire, without wondering if I’ll actually get to it in time.

Formal Training/Certifications

AWS Security Specialty (Q1) – The next step on my cloud journey, and really the goal of this journey is studying to understand this topic and pass the cert exam. I consider this one to be somewhat technical and a little hands-on, since I plan to work within AWS a bit more during the studying of this. I expect this to take about 1 quarter.

Either CCSP, CISSP-ISSAP, or CSSLP – I’m skeptical how useful the CCSP may be, and I’m not sure I’d make great use of the CSSLP. The CISSP-ISSAP domains also look pretty familiar and known to me, but it would be a nice progression to consider. Overall, I don’t need to commit to more than 1 of these this year. And no matter the choice, these are book-study activities where I may learn some additional tidbits.

Either AWAE (OSWE) or SLAE (towards CTP/OSCE) – I do like to mix in hands-on-keyboard activities along with book-study plans, and these would be very much hands-on events. I’ve long wanted to do the OSCE, and I’ve long slated SLAE as a precursor towards it. AWAE is new and I may get a little bit more worth out of it. Either way, I probably can’t do both of these in one year, and I really should get one at least started in 2020.

SANS course/cert – This item goes away if my work budget doesn’t allow for a choice of SANS course. If my choice of course/cert does get approved, I actually wouldn’t anticipate the preparation for the exam would take a full quarter; I’m initially planning just a month.

Informal Training

Pentester academy. I have this subscription and I should make concerted effort to fill some gaps in the above studies with some time going through these courses for understanding. With no exam or post-completion activities, these can be the sort of thing I sit down for a week or two and binge through.

Various specific courses signed up for. I have several free-tier courses I’ve signed up for in the past 6 months that I’d like to pursue. They’re nothing crazy intensive, but not something I can bang out in a weekend or even 1 full week. Hence, they get placed here. Doing some of these one-offs may be “important” enough to me to include in my goals in a more ad hoc fashion as the year progresses.

Maintaining or improving existing

Maintaining existing knowledge or skills is often a lot easier than learning something brand new, so I try to make use of this section before the list of new things I’d like to get to. The things I want to maintain or improve specifically: web app testing, linux, pentesting, forensics, powershell, Burp Suite.

HackTheBox and web app testing platforms and labs. Honestly, I can get plenty of practice by continuing to semi-regularly dive into HTB and dissect various web app testing platforms and labs. The platform of choice is usually Kali and Burp, and HTB challenges often can introduce chances to practice some scripting and forensics.

Informal new skills

Reversing – I have a couple books, free courses/tutorials, and other resources to use here.

Binary exploitation – SLAE and some HTB pursuits may start to give me confidence in this topic.

AWS – I plan to get more AWS experience not only with earning the next cert in that part, but also doing an AWS project to stand up a public wiki again. I had one years ago that I hosted, but when I moved to my current cloud provider, I just left the wiki behind. I kinda miss it.

Python – I have a bunch of small tasks and topics I can use as fillers and as excuses to do some more Python scripting.

Other

AWS Wiki project – A project just to stand up and utilize and maintain a wiki platform again, this time hosted in AWS.

Defcon – I’d like to attend Defcon this year, and if so, I need to plan this sooner than later!

Blog – I just want a reminder to keep blogging.

Pocket – I have lots of things sitting in Pocket that I should start consuming.

Career Goals – I should make a concerted effort to decide where my career should go and specifically what I want to do. This is basically a 5-year plan. This has always been hard for me, since I like doing almost anything in security, as long as I have support to do it.

Certs to renew

CISSP – Just my yearly reminder to declare a few CPEs just to keep up.

CCNA Cyber Ops – This actually expires 3/2021, so if I wait until 2021 to look into this, that’ll be really late! Renewing this probably means taking the exam again (not worth), taking Cisco CCNA R&S (marginal value to me), or taking a CCNP level exam. I’m inclined right now to say I will let it lapse, but I want to make specific effort to research this.