Helen Patton

Navigating Cybersecurity Certifications

It Ain’t Easy…

I have the privilege of talking to a lot of people trying to become a cybersecurity professional. They ALWAYS have questions about certifications: Are they worth it? Which one(s) should I pursue? Which ones would get me a job? How should I get it? I talked about it in my book “Navigating the Cybersecurity Career Path”, but this topic keeps coming up, so here are my thoughts.


Should I Get A Cert?

Answering this question always leaves me a bit uneasy. Why? The answer to the question is complicated. Consider:

  • Just because a certification is popular doesn’t make it good.
  • There are a ton of certs out there, so how can one person know enough to make a recommendation?
  • Doing a certification takes time and money, so recommending the wrong cert is a gate-keeping exercise at best, purely negligent at worst.
  • Most notably, hiring managers often value on-the-job experience over certifications, so if you only have limited time to invest, I suggest you invest it in practical, on-the-job experiences, not on a cert.
  • Almost every job posting asks for some kind of cert.
  • If resumes are similar in every other way, having a cert might tip the hiring manager to prefer that candidate.
  • For seekers without on-the-job experience, a cert can at least demonstrate commitment, interest and the ability to learn.

But job-seekers, particularly ones with little or no on-the-job experience, think that getting a certification is a way to bridge the knowledge gap. And hiring companies continue to ask for certs, instead of doing the harder work of specifying the exact skills they need.

So the answer to the question of “Should I get a cert?” is probably “Yes”.

Which then leads to the question:

Which Cert Should I Get?

There is an entire industry built to help people get certifications. Check out this great (and slightly scary) visual at pauljiremy.com:

This is overwhelming!

We have reached a point where there is a certification for pretty much any job, and at every level, in cybersecurity.

If the candidate is someone who has never worked in cybersecurity before, with no on-the-job experience, there are entry-level certifications that might help. The most well-known are CompTIA Security+ and ISC2 Associate, and most follow a learn-and-test format.

If you’re interested in a certification that is specific to a particular type of security role, you can start by checking out cyberseek.org, which lists common cybersecurity jobs and the certifications for that job (among other great data). You can also do a job search for the kind of job you’re interested in, and see what kind of certifications are being requested.

Once you decide what certification you want, you need to decide how you want to eat that elephant. Self-paced learning using a book? Self-paced on-line? In-person boot camp? As part of a degree? There are many modalities available to learn this stuff. In general, the more complicated/senior the cert, the better off a candidate would be to learn in a group setting with instructors — but that costs $$$$. (Here’s a link to a list of free or low-cost online learning resources). Only you can work that out.

Notice that I haven’t talked about the QUALITY or EFFECTIVENESS of any of these certs. Why? Because there are no resources that independently evaluate quality, or how often the certification leads to a candidate getting the job they want. Also, quality and effectiveness are in the eye of the job-seeker.

So, for cybersecurity job seekers who are considering getting a certification, here are some questions to ask when you’re evaluating a certification (or, for that matter, a degree or a bootcamp):

  • Who is providing the certification? Check out the organization that creates and maintains the certification. It’s no small administrative feat to do this, and takes resources and expertise. Check out how long they have been in business, what kind of continuing education you need to maintain the certification, and whether you are willing to sign up to their administrative overhead.
  • What are the functional domains covered by the certification? Are they things you already know because of previous job/life experience? Are they things you can teach yourself through other online/self-paced learning? If so, maybe this cert is too basic for you. (OTOH, this may be an easy cert to get… but don’t forget the time/money involved in getting and maintaining the cert — is it really worth it?)
  • Do people currently doing the job you are seeking have this certification? There are lots of penetration testers with the Certified Ethical Hacker (CEH) certification. There aren’t many governance managers with a CEH (which doesn’t mean they don’t know the material, it just means they don’t have to prove they know it). Don’t just look at certs the job postings are asking for, look at what people in the role actually HAVE.
  • Does the certification training offer skills building that simulates on-the-job skills, or is it simply book-learning? Always look for a certification that gets you as close as possible to a real world experience, and real-world skills (usually through training/exercises that use a cyber-range or other virtual learning environments). If the certification is heavy on theory, it might be OK as an introductory cert, but will likely not land you the job you seek.
  • Is the cert offered by a security vendor? This isn’t an automatic reason to reject the certification (lots of vendors are doing great work at training people on general security topics), but it does require you to look further into the domain of knowledge covered by the certification, and to understand the point of view (network, cloud, etc.) of that vendor.
  • Do you know someone with this cert who can act as a mentor? Never let an opportunity go by to find a way to network. If you do pursue a cert, find someone in the field who can help coach you through the process. If you don’t know anyone, use LinkedIn or The Google to find someone in the job you want, with the cert you seek, and ask them to be a mentor. Better yet, ask the certifying organization if they have a mentoring program.

For all cybersecurity job seekers, here are some things to remember:

  • Getting a certification doesn’t mean you know how to do security in an organization — in the context of the job you seek, it doesn’t demonstrate skill mastery.
  • It does, however, indicate that you understand the concepts, and can speak the language of the role (hopefully).
  • It doesn’t entitle you to a job interview, or a job.
  • Hiring managers may use certifications as a differentiator when all other skills and experiences are equal among candidates, but a certification will never outweigh another candidate’s on-the-job experience.
  • A certification by itself isn’t enough to land a security job — continue to network, do internships or cyber-adjacent job roles, and apply for multiple jobs in multiple companies and multiple industries.

Having said all that, it is worth it to get a certification, particularly if you have no prior cybersecurity job experience, or are looking to move into a different part of security. Even if you don’t want to sit an exam, reviewing the material covered by a certification is a great way to learn about things the security industry cares about, and can be a great way to do self-learning. Most stand-alone certification classes are taught by people who work in security, which is a great way to network and learn real-life examples of how things are done.

One day, I hope there is a resource to independently verify the effectiveness of all the certifications out there. Until then, do the homework you can, and enjoy the journey.

Good luck!
