Building Your Career in Cyber Security: Certifications
“The long term benefits of sunscreen have been proved by scientists, whereas the rest of my advice has no basis more reliable than my own meandering experience. I will dispense this advice, now.”
Following on from my previous article about getting started in Cyber Security, I want to move on to certifications. I’ve interviewed a lot of people over the years. A lot. And then I’ve had to built out and lead teams for various clients with the people I interviewed and hired. Certifications are a recurring theme — a requirement from HR, nebulous ‘standards’ pushed by technology vendors — and I get asked a lot about which ones are valuable, and which aren’t.
On average, for any open position I’ve had to interview for, I’ve chewed through around 100–120 CVs. Those are the ones that have made it past the various HR and internal recruitment teams. So here’s my very personal view on Cyber Security certifications.
Rule 1 — Never say you’re “working towards” or “studying” a certification on your CV
Honestly, the moment I see this when reviewing a CV, it gets binned. No exceptions. I know of several recruitment agencies who say to put this on to show you’re working towards something, that you’re interested. These people have no idea what they’re talking about, and they’re sabotaging your career. They are not your friends. Worse still, I’ve seen people adding that they did the training, but they never actually took (or, in reality, passed) the exam.
You sat in a training course for 5 days and couldn’t pass the exam? Congratulations! Now, as a interviewer, I know you like to waste £5–7k of your employer’s money. Well done! There’s the door.
To quote the ultimate authority in Cyber Security — Yoda — “Do, or do not. There is no try”. You either have a certification — to top off a lot of demonstrable experience — or you don’t. Sometimes — maybe — in an interview, there is an opportunity where it’s relevant to say you’re working towards something. But it has no place on your CV.
Rule 2 — Certifications don’t prove knowledge or skill
In my previous article I covered what you should be doing to stand out to an employer, to show you have passion and drive and you want to work in the industry (as opposed to just having a job). You should be building a portfolio to show you areas of skill and interest. You should be self-studying, and you should be able to talk about that, and the areas that interest you.
Any certifications are the way you underline that knowledge. You passed the OSCP but have nothing else to show you are interested in or have explored pentesting? Well done! All that shows is that you know how to pass an exam. My dog can do that. Try harder.
Your certifications are your value-add on your CV. Don’t believe the industry, or shady recruiters, who say they “showcase knowledge” and “demonstrate talent”.
Think of the rainforest, and work with me to stop so many CVs getting binned.
Security+ — Yes
This is the basic, entry level certification from the CompTIA people. Some of the sample questions on this are nonsensical (Hi, Mark!) but overall taking and passing this shows that you get the basics, across networking, general purpose computing, and software. Anyone starting out a career in Cyber Security should grab this as way to underline all the other studying/research/work they have been doing to get started. Go for it.
CEH — No
Over many years I’ve been very vocal about how much of a useless rip-off I think the CEH (and anything from the EC Council) actually is.
First strike: any certification where you can’t pass unless you pay to attend their course is bogus. It’s a money making scam. It’s ripping you off. If it wasn’t, you could self-study, use your own knowledge, and rock up and pass.
Second strike: the CEH teaches you how to use tools. Common tools. Tools that are amply documented elsewhere on the Internet — for free. Having a CEH is basically saying “I paid money to read the manual”. That’s not a great look for you.
You’re not taught to problem solve, you’re not taught to dig into root causes — you’re taught how to use specific tools in specific use cases.
Worse than useless. Frankly, everything they do is bad, and they should feel bad. Investing in their certificate-mill shows poor judgement — not something you want to showcase on your CV.
CISSP — Yes
I have known plenty of people who had fast-tracked their careers to get a CISSP. They were rubbish. I have known plenty of people with years of experience in the trenches who got their CISSP to highlight and underline they had the skills. They were awesome. So, there is a right time and a wrong time in your career to go for the CISSP.
The CISSP isn’t just an exam — you need to demonstrate 5 years experience in Cyber Security, and this has to be authenticated by another CISSP.
When I took it, it was a 6 hour exam with hundreds of questions, and it was pretty brutal. Now the exam is adaptive, with a smaller breadth of knowledge required, and people are passing after 2 hours and 100 questions.
Arguably, this has made it easier to get. However, with the experience requirement as well, it’s long been seen as ‘the standard’ for the industry. Is this a good or a bad thing? I don’t care. It’s another way for me to assess breadth and depth of knowledge when interviewing.
If you have the years of experience, there is no reason to not have the CISSP. It’s a no-brainer, because it’s been around long enough that any mid- to senior-level Cyber Security job will have HR asking for it, so get it and pass the first round of CV screening.
OSCP — Yes, if you’re a pentester, otherwise No
The OSCP doesn’t just teach pentesting, but also keeping good notes, and report writing — the much ignored but usually much more important part of a pentester’s life. The OSCP is a hands-on, difficult to get certification, with a practical final that takes place over 24 hours. It’s a good sign if you can get it — if you’re a pentester.
I interviewed an Enterprise Security Architect who made a big thing about studying for the OSCP. Yes, yes, red flags in abundance, it was like the October Revolution in the interview room. What relevance does hands-on pentesting skills have to someone who will be working with the C-Suite to churn out enterprise-wide security strategies? If they had had it 3 years ago, kudos. Actively studying for it while working as an ESA? Showed a lack of understanding about what the OSCP was and what their role as an ESA is.
Any other specialist certification — Maybe
There’s a mixed bag out there. There are a lot of niche certifications that cover things like Cloud Security, telephony, communications: there are some good certifications as well that don’t get as much notice in the mainstream.
SANS do some good certifications — the GSEC, for example, is on par with the CISSP — and they also do some flakey, niche ones which really don’t have much value. Pick and choose carefully.
My usual rule of thumb is: are job adverts asking for this certification? Does this certification build on my interests and experience? If both of those are a no, my advice would be to skip it.
Any vendor certifications — Maybe. But probably No.
You’re a Certified BullCorp Next Gen AI Firewall Specialist? I don’t care. The odds that you’ll be working with a client who has that exact same bit of kit are vanishingly small. If you invest in vendor certifications, you’re basically investing in working in that vendor’s products for your career.
However, sometimes this can be useful — I have a raft of Solaris certifications, and I worked with Solaris for over 20 years. But Sun is dead, and you have to pay to go on the course to pass Oracle’s new certifications, so they’re essentially useless now. They did their job, when they were relevant to my consulting career and the clients I was working with. If you invest in a vendor, your career is tied to that vendor, and you need to understand that limits your career options, and is also something you have to eventually throw away.
There’s a reason I don’t talk about my awesome Principal Certified Lotus Professional certification. cc:Mail for life, man.
I’m sure, reading through this, lots of people will disagree with what I’ve said. That’s OK, they probably all have the CEH, and are feeling hard done by. But if you’ve got some well reasoned arguments — or some recommendations for other certifications you think are useful — please sound off in the comments.