How to Pick Your First/Next Cyber Certification

Welcome to cyber security. There is no singular entry point, plan, pipeline, or training workflow to prepare you for cyber: there are many.

Cyber security is incredibly broad and increasingly specialized, and each of the many diverse work roles within the landscape requires its own training. To emphasize how broad the cyber domain is, at the time of this writing SANS offers 40 different cyber-related certifications in categories ranging from cyber defense, to penetration testing, to management, to legal, to incident response.

Well that doesn’t help. So what next?

There’s a ton of hype around certs. Don’t get caught up in it. Certifications correlate with performance, but correlation is not causation. So let’s get into it. Often, asking which cert to get is the wrong question. Bottom line: for most people, cloud/virtualization certs probably make more sense initially than cyber certs.

tldr0: ONLY DO TECHNICAL CERTIFICATIONS IF YOU HAVE A GOOD ROI FOR YOUR TIME AND MONEY. This goes back to the personality assessment part.

tldr1: only go down the technical route if a technical route makes sense!

tldr2: do cloud certs first, then security certs.

First - does a cert even make sense? You all have your own particular life variables: timeline, budget, family situation, clearances, ability to relocate, previous education/experience, volunteering, participation in industry events, and grit. Often, you can better invest time and money into something other than a cert. For example, a couple of GitHub projects in C with a bunch of pointer math and direct memory manipulation can often be much stronger than CISSP…for the right job.


When and if a certification does make sense, we re-visit many of the variables above but tack on “Who’s paying and what will they pay for?” Consider the following two candidates, neither of whom currently holds any certifications.

One is currently employed, has little time to spare, wants a stable job, isn’t quite sure what role they prefer, has an employer that will pay for certifications, and is considering Federal work, so may need to meet 8570 requirements.

The other candidate is out of work, is self-funding certifications, has a lot of free time, knows what role they want, doesn’t need 8570, was a help desk analyst for a year before the company went through a workforce reduction, and has been competing in capture the flag events for the past year.

These two candidates are in very different positions. Note: If you’re in the Military, check out this article on 8 Paths to Free College Credit and this article on what to do if you’re planning on transitioning out within the next few years and want to focus on cyber security.

There’s another factor: What path within cyber are you taking? If you know that you want to go into threat intelligence, a cert in network security probably won’t help you much. If you’re not sure which direction you want to go, then read How to Learn Cyber Over the Weekend: An Orientation in 48 Hours. This article covers some of the basics you should know, like:

  • What an APT is and a couple examples of APT campaigns
  • The MITRE ATT&CK Framework
  • How to prioritize protection using the ASD’s Essential Eight Maturity Model

As you read through a couple of campaigns, you will naturally gravitate towards something within the campaign such as network segmentation, intelligence, strategy, development, misinformation, project management, and even customer relationship management and sales — someone has to sell the products that attack and defend!

There are also two really big distinctions between cyber companies:

  • Companies that consume cyber resources
  • Companies that provide cyber resources

These are HUGE differences. Often, cyber companies don’t care, or care much less, about certifications than companies that need cybersecurity professionals. If you are trying to transition into the cyber industry, I often recommend continuing to do what you’re great at, learning a bit more, and applying for a similar role at a cyber-branded company. If you have a bunch of Front-End developer experience…apply for a Front-End developer role at a cyber company. Get the cyber merit badge and then try to pivot roles within the company. However, you still better be able to talk through an APT campaign, because even a front-end developer at a cyber company should still be threat focused!

Certifications within cyber security are generally broken into two categories: certifications that test what you KNOW and certifications that test what you can DO. Guess which category employers prefer. Many focus areas within the cyber work role landscape have few, no, or immature certifications, which means experience is unfortunately (or fortunately) more important. Some examples of cyber roles that require no certifications include sales engineer, exploit developer, customer success engineer, field engineer, and DevSecOps engineer.

No discussion on cyber certs would be complete if we don't highlight the amazing work that Paul Jerimy continues to do on his Security Certification Roadmap! Paul continues to do an amazing job outlining the cornucopia of certifications that exist. Keep reading before you get overwhelmed but remember that this resource exists - and provides transparency around pricing!


The market will tell you to start with CEH and Sec+. I founded and sold a recruiting company. I literally never had a company come to me and ask for someone with Sec+ and CEH. They're generally not super valuable: they test what you KNOW. That being said, if your company will pay for them, take them. Why not?

Now, if you want to transition from project management to TPM (technical project management), CEH and Sec+ could help your case in some large organizations.

If you're in sales or sales engineering, or are a non-technical Vet, Sec+ might be a good place to start learning about the cyber domain. But Sec+ costs a bunch of money and time. I often recommend just reading books like Andy Greenberg's Sandworm and Kim Zetter's Countdown to Zero Day. THEN, once you've wrapped your head around the threat, read Sounil Yu's Cyber Defense Matrix, which ties the threats to your organization through a practical framework. THEN start looking at taking certs.

We’ve found that balancing technical proficiency (something like a cloud or virtualization cert) WITH an understanding of the threat tends to go much further, unless you need to meet 8570 requirements. You can usually get through these with a couple hundred dollars and a couple of weeks of studying.

FOR TECHNICAL PEOPLE - AWS, VMware, CISSP, OSCP, Splunk, CCIE Security, CHFI, and, of course, SANS certifications tend to be the most attractive to employers. Most pure cyber roles other than SOC analyst are for people that have been in an adjacent field for a few years and are finally putting on their cyber hat.

Heck, if you're already a channel partner, Trusted Advisor, large telco, or VAR, you probably have a ton of certs and training available to you that you don't even know about. Seriously. Companies like Cloudflare, Thrive, Fortinet, Splunk, Cato, and many others have great training courses and certs that you can take. Check your partnerships and see if you have access. Some of my mentees in those areas didn't even know their org had a security department; all I had to do was make an intro and they got access to TONS of free training.


Virtualization: AWS and VMware are huge and fundamental across the industry because virtualization defines much of the infrastructure that runs modern networks and systems. Certifications in both of these platforms open up a number of opportunities for security practitioners in many different markets. Prices vary. Sorry, Azure and GCP: the truth is that AWS still owns the marketplace. That being said, Azure is catching up in corporate companies because of its obvious deep integration with M365. If your org is deep into Azure, obviously start with Azure!


CISSP by ISC2: CISSP validates that security professionals can choose the best option out of a series of imperfect alternatives (because that’s life) and communicate the associated risk to business executives. Yes, you’ll have to know the difference between different types of asymmetric cryptography, but more importantly you need to be able to explain why you might choose to implement one over another.

What about the 5 years of experience to qualify? Read the fine print. ISC2 is a business. They’d be crazy not to take your money if you want to sit for the exam. You only need five years of paid experience in two of the mandated eight Domains to qualify for the full CISSP. If you don’t have the combined five years, you can still take the exam and become an “Associate of ISC2” when you pass. Read more here. Between the certification and prep, CISSP usually costs around $1000. Note: Military folk, read the qualifications closely because you probably qualify for more time than you realize.

No, it’s not a beginner certification, but if you are coming in from an adjacent industry, you’re probably not a true beginner. I am a big fan of the Sunflower CISSP Study Guide and the ISC2-provided practice tests. If you can crush the practice tests (especially the last two!) and you can explain every little thing on the Sunflower guide, you are probably headed in the right direction. Free for Veterans through Syracuse’s Onward to Opportunity program. Note: If you have CISSP/Associate of ISC2 and no experience in an adjacent field like IT, then congratulations are in order because you’re now a cyber consultant, not a practitioner. If you’re a consultant, you better understand the threat.


OSCP by Offensive Security: This is a challenge for beginners and tests what you can DO. OSCP is the outcome of the Penetration Testing with Kali (PWK) course, which includes learning material and a lab-based learning environment. Candidates work through the learning material and build a portfolio documenting their work, then VPN into a lab environment and hack virtual machines for a few months and build a professional engagement report of their work in the lab, and then take a 24-hour exam that consists of a VPN into an exam network, a few boxes to get root on, and then, you guessed it, an engagement report. Usually candidates can get through OSCP for about $1500 by the time they buy additional lab time and take the certification a couple of times. For candidates that might not be quite gritty enough to jump straight into OSCP, I recommend Virtual Hacking Labs and Heath Adams’ Practical Ethical Hacking — The Complete Course. Offensive Security has additional certifications as well, but OSCP is usually the best place to start. Also, get gritty because you'll need to...Try Harder.


Splunk: Splunk is a data analysis engine that can ingest a variety of data (like security alerts coming from a SIEM) and produce insights. Splunk certifications are free for Veterans.

CCIE Security by Cisco: Most security-focused IT roles require at least CCNP. The IT industry is much, much larger than the cyber industry. Low demand drives high experience/certification requirements. This route is really long, relatively expensive for junior cyber entrants, and is often reserved for people that already have 4–10 years of IT experience and want to make the jump. Most candidates here take ICND1 then ICND2 (1+2 is the CCNA), and then CCNP and so on and so on ad nauseam. You should note that all of these Cisco certs are for the Cisco ecosystem, so only portions of the content transfer to other vendors.

SANS: SANS certifications are expensive: expect multiple thousands of dollars per course/certification. However, SANS courses are taught by top industry leaders. Try to get a scholarship or get your employer to pay for the certification. If you can/do go the SANS route, make sure you pick the certification that aligns with your goals. You won’t be disappointed.

CHFI by EC-Council: Computer Hacking Forensic Expert is a good way to go for the forensics pipeline. Forensics is one of the stranger areas within cyber security, but from what I hear CHFI helps. If that’s the route you know and love, let me know how it impacted your job search!

Tam Cuong LA

Backend Developer | DevSecOps Enthusiast | AWS & Serverless Developer | Cloud & Application Security | Building Scalable & Secure Solutions

1 year

It's a great article, I learned a lot! Your post encouraged me to get practical certs. However, there are many options. I would appreciate it if you could help me with that!

David Meece

On a mission to help 50K students get into Cybersecurity by 2030 | SANS Cyber Community of the Year Winner | Featured in Top Cyber News Magazine | Educator | Mentor | Speaker | Author

2 years

Here are my High 5 results https://high5test.com/test/main-test-result/MTgyMjM2OA==/ On my personality test: TYPE: Assertive Advocate CODE: INFJ-A ROLE: Diplomat STRATEGY: Confident Individualism. Stephen Semmelroth, I remember in one of your interviews I watched it took a while for you to believe the results of the tests. These tests are "more" accurate than you realize, for sure.

