You already have a few cybersecurity certificates tacked to the end of your name. Maybe one or two landed you a job or netted a raise. But not all certifications pan out as promised.
“The top technical security industry certifications don’t always pay the expected dividends,” says Mitch Kavalsky, senior director of security governance, risk and compliance at Sungard Availability Services.
You may be at a crossroads in your career, wondering whether it makes sense to go for one of the more technical certifications. To cert or not to cert? That is the question. Which ones should you pick and which will make the biggest difference in pay or career advancement? Read on.
Grounded Ninja Moves in the Cloud
Many companies are cloud-natives, and many more are at least working with cloud services. While the cloud isn’t inherently more dangerous than its on-premises counterparts, protecting these two very different attack surfaces requires a bit of extra finesse and a bucket load of extra skills.
“For my team, I look for more general certifications on cloud technologies that move into focused disciplines that require labs and reviews from peer practitioners – GSEC-Gold over GSEC, for instance,” says Jason Barnes, a senior manager of security operations at Netskope.
Each cloud vendor also offers its own highly technical security certifications, with the most sought-after being (in no particular order) Google GCP, Amazon AWS, and Microsoft Azure. But that list may look deceivingly short and simple. AWS alone includes over 305 services and is growing. Securing cloud customers and a growing array of cloud tools is no minor challenge.
“The cloud certifications are typically aligned to the most senior technical cloud security roles or any security roles that have been moved to exist primarily in the cloud due to recent migrations to cloud services,” says Keatron Evans, principal security researcher at Infosec Institute.
However, you may find a more general cloud certification to be equally useful.
“The Certified Cloud Security Professional (CCSP) from (ISC)2 is highly respected due to the requirement that the candidate have a number of years of paid work experience in the infosec field that actually relates to the cloud security, risk, and compliance,” says Chuck Everette, director of cybersecurity advocacy at Deep Instinct and an experienced hiring manager.
In any case, achieving cloud certification can take anywhere from many months to years.
“The path someone takes to become a certified cloud security professional can vary widely, but it is certainly a journey taken over time, not overnight,” says Will Carlson, director of content at Cybrary.
And what jobs do cloud certifications lead to?
“These certifications are seen in various roles, including cloud security engineers, cloud security architects, application security engineers, cloud architects, and many more,” Carlson says. “Every company with significant workloads in the cloud would be well served to have these skills on staff or at least on speed dial.”
Best Certifications for the Offensive Side of Security: OSCP and OSCE
Responding security hiring managers cited OSCP (certified professional) and OSCE (certified expert) as the best certifications for red-teamers and penetration testers. Both are widely considered the gold standards in ethical hacking, and both are offered by Offensive Security.
While current holders can rest assured that the OSCE certification will always be respected, there are some recent changes you need to know about. On Oct. 15, 2020, the official OSCE certification course called “Cracking the Perimeter” (CTP) was retired. That course has now evolved into three new courses: “Advanced Web Attacks and Exploitation,” “Evasion Techniques and Breaching Defenses,” and “Windows User Mode Exploit Development.”
The three courses present more than double the amount of security training and testing. Successful completion of all leads to the new OSCE3 certification.
"The Offensive Security certifications continue to be the gold standard in the offensive security world. However, they are not the only name in the game anymore,” says Kent Blackwell, threat & vulnerability assessment senior manager of Schellman & Co., a global independent security and privacy compliance assessor. “Pentester Academy offers a huge range of courses on a number of topics, everything from using Python for security scripting to advanced network penetration that requires you to exploit and pivot your way through realistic corporate networks.”
In any case, be prepared for a long, tough slog to earn any of these achievements.
“I once had an intern who passed the OSCP exam after three months of studying and practice labs,” Netskope’s Barnes says. “Others take much longer to prepare, or never pass it at all. In any case, the experience from preparing for the exam with the valuable training from the great people at OSSEC will make you a better security professional.
Best Certs for the Defensive Side of Security: GCIH and GCFA
On the defensive side of security, the two hottest certifications are GIAC Incident Handler (GCIH) and GIAC Certified Forensic Analyst (GCFA). Both are widely accepted by employers as proof of competency across a standard body of incident handling and digital forensics. They test for both knowledge and practical application.
“These certifications require proctored, high-stakes, timed practical exams. Their difficulty lies in their reliance on preparation and practical experience,” Barnes says. “Not only must one understand the technical aspects of exploitation, incident handling, and digital forensics, but [they] also [should]be able to put on a creative hat and think far outside of the box.”
To successfully achieve either certification, you’ll need to complete a week-long training course from SANS and a few months of studying and practice.
While these advanced certifications are all highly technical and take a very long time to complete, most employers today are willing to hire now and wait for employees to complete the certification later. Some employers will even pay all or part of the training and test costs. Be sure to look for resources available to you on the job as part of your certification planning.
Next Step: Applying What You've Learned
While it's great to be "book smart," it's what you do with what you've learned that truly matters.
“Certificates are important to show a candidate's potential for retaining knowledge, but what certificates don't clearly reflect is the candidate's ability to apply that knowledge to real-world applications,” Deep Instinct's Everette says.
Take every opportunity you can to illustrate your real-world skills because ultimately that’s what would-be-employers want to know about you. Certifications can certainly aid in showcasing your skills but only if they point to demonstrable competencies more than mere knowledge in theory. Focus on certifications that require on-the-job experience and that clearly demonstrate your ability to apply what you’ve learned.
“For hiring managers, the biggest delineation between certifications remains the test format. Tests such as the CEH, CISSP, or other security certifications that only require a multiple choice exam in lieu of a practical, hands-on test have significantly diminished in their appeal as they only demonstrate you can memorize information for a test rather than apply what you know in a realistic environment,” Schellman's Blackwell says.
There is consensus in the industry that the Certified Information Systems Security Professional (CISSP) certification is a good baseline as it signifies a solid understanding of the various components of security. But you also need to stay on top of technology and threat trends. Each of the above certifications was repeatedly noted by responding hiring managers as a certification in hot demand.