How to Decide on a Security Certification - OperationCode/member_content GitHub Wiki

Thanks to @hedgemage, @mikerod_sd, @cam, @cburgett, @camhopkin, @ashley, @chadg1980 on Slack for providing the useful information on this post.

I’ve heard a lot of bad things about security certifications from InfoSec professionals. The marketing surrounding these certifications makes it appear that they are very important to have, yet for any given certification, someone has trash to talk about it. With so many options and only negative comments, it’s hard to decide whether to get one at all, let alone which one(s) to get. The following is the advice from real security pros regarding certifications and breaking into the industry. Originally, this conversation happened with a much different flow, but I reorganized it by category for quick reference.

General Advice on Certs

If new to the industry, start small (entry-level certs) and work your way up.

Starting out, Sec+ is fine as it provides baseline knowledge. The CEH is fine if you want to know about tools and nothing else (being a script kiddie is a good analogy). CISSP is fine too, but it’s meant for experienced folks.

https://www.blackhillsinfosec.com/webcast-5-year-plan-infosec/ -- Saw this presentation, and while I agree with years 1-3 (but not everything in those years), I found it very actionable.

Certs aren’t a waste of time. You won’t regret getting them. Anyone who tells you that you don’t need them probably does just fine without them. To each their own.

In the end, smart organizations value demonstrated skill and experience over certification (of the “here’s a cert” variety or the academic degree variety) because the latter demonstrates potential while the former demonstrates not only actual competence but what kinds of competence you bring to bear.

It depends on the type of company. Those doing primarily government contracting want certs, but almost no one else does.

Just because the job posting says certs are “required” doesn’t mean you need them.

I feel like the general consensus is that certs are a double-edged sword: on one hand they aren’t useful for measuring actual talent; on the other, they get you past HR.

Most companies I know that are hiring junior sec staff and that DON’T do any contracting for government entities are pursuing one or more of the following strategies:

  • Hire new grads from uni infosec programs and hope they know something (only about 10% do, which is pathetic for the price).
  • Find generally sec-savvy programmers and sysadmins with a few years’ exp in those roles and at least 1-2 infosec-relevant accomplishments, and trust them to come up to speed on the job.
  • Find anybody with a tech background willing to work cheaply enough that you can afford to drill them for 6 months and find out if they learn fast enough.
  • Find open source hackers with security exp and snap them up (pro: they are usually way more skilled than they think they are and don’t ask for much $$; con: there aren’t enough of them, and many don’t have experience working in a grown-up workplace).
  • Find folks who can demonstrate any technical background and have a successful history of bug bounties, CTFs, and so on… assume you can bring them up to speed the rest of the way.

The new grads thing… I don’t like, generally. I find smart ones sometimes, but most are very obedient and trained never to question an authority figure or think too hard. That’s a bad recipe for infosec people. Moving savvy programmers and sysadmins over has worked great for me. The “find anybody cheap and see if they learn” thing… has actually worked well in my exp when the manager isn’t too soft to fire the ones who aren’t working, and is good at teaching those who can learn. The open source hacker thing is great when you can find ’em. The bug bounty/CTF thing is a mix… I know LOTS of companies who swear by this, but I do pentesting maybe twice per month, so I’m not sure it’s that convincing to me. It shows you can red team, but I need strong blue team people here. Again, this is my observation, NOT a scientific sample or a good cross-section. This is companies I’ve talked to about this sort of thing in the last year or two at conferences and stuff. But… here’s the thing that bugs me the most… Except for the companies that are basically pentesting-on-contract job shops, almost no one is willing to train in-house despite the critical shortage of good infosec people. They’re all fighting over the same several hundred mid-level and senior practitioners who keep jumping between companies. WTF. It just drives me crazy. Many won’t even hire juniors when they have a solid-for-a-junior background.

CISSP

If you are starting out, I advise against the CISSP.

CISSP is something that I’ll only take seriously in combo with experience. It’s a management cert, but a bunch of newbs cram and go get it out of the gate. If you do that, it just tells me you memorized things and didn’t bother to learn about the industry. It won’t make you a good engineer or anything.

Security+ (and Net+)

Net+ and Sec+ may be very basic certs, but they are basic and explain basic concepts well.

Sec+ is only really respected by .gov and .gov contractors, so if that’s your target audience, go for it. It runs you through enough basics to learn the terminology for a bunch of things, which can be helpful, but it’s also really focused on securing office machines and doing compliance checks, which is much less $$$-able in the private sector than it may sound.

In most of our clients’ job certification schemas, Security+, along with a few of the GIAC and SANS certs, happens to fill the lower-level reqs for most of the job categories. In some cases it’s become a checkbox. I don’t believe SW devs should be required to pursue it. But as I tell my new people, better to have it and not need it than need it and not have it. I don’t like the idea of someone with education and/or experience being let go or not getting hired because they didn’t have one lower-level cert that is obtainable with study and time.

That is the problem with Government and Finance jobs. I think certification is a complete waste of time and effort. A dev shouldn’t do Network+ when they should be understanding Application Security through OWASP training.

CEH

From a gov contractor point of view, don’t bother w/ CEH. Yes, mgmt likes it, but most of the gov people I know in the security field value experience and/or a degree more. OSCP has recently gained a foothold locally, and seems to be more worthwhile for someone seeking tasking in appsec or netsec vice info assurance. Besides, I’m not going to trust a security cert from an org that can’t even secure their own website at times. CEH is still needed for CND roles, so it’s not useless.

OSCP

OSCP is valued now in the DoD space, but those reqs are few and far between because usually the ones that pay well get filled quickly and the ones that don’t turn into a revolving door.

OSCP is the gold standard of pentesting certs: https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

Degrees that include certs

My advice for someone that has just enough experience and no degree would be to go through WGU. They give you credits for certs, and it is inexpensive:
https://washington.wgu.edu/online_it_degrees/cybersecurity_information_assurance_bachelor_degree#
But they only accept people with real-world experience.