A Career in Cybersecurity: Starting with the Right Certifications
Certifications are a hot topic when it comes to Cybersecurity, if you scroll through LinkedIn it won't take long to find a post where people are arguing over what’s better: Certifications, a degree, or real-world experience. We are not going to delve deeply into the argument, instead, we are going to discuss a few paths that may apply to you and then talk about a few general Cybersecurity certifications as well as some more specific certifications when it comes to picking a field.
To properly dissect the argument of what’s best, we need to acknowledge that certifications, college degrees, and real-world experience are building blocks of the same pyramid. You as the pyramid are incomplete without all three but all buildings have a foundation so you have to start somewhere. Where you start is going to depend on where you currently are in life.
If you are attempting to move from an unrelated field to Cybersecurity, then getting a college degree might be out of the question. That’s where certifications come into play. There are a plethora of certifications on the market, some of them snake oil and some of them diamonds in the rough. The best certifications come with training that will give you knowledge that you would never have learned in a classroom. Certifications can be expensive though, so that’s when getting experience comes in as a factor. When you hear real-world experience, your mind might jump immediately to having experience from working similar jobs; which is correct but is not the only possibility. There is also the option of internships, apprenticeships, and mentorships. Landing an internship or apprenticeship can be difficult as they are often just as competitive as the job market but come with the possibility that you may get hired on as a full-time employee at the end of your tenure. Of those three mentorships are the least common, but come with the advantage of networking. Depending on the section of the field you are trying to enter some mentors may even let you ride along which will provide the greatest experience to you. Regardless of which building block you decide to pursue first the most important thing you need to know is that you only get as much out of your learning journey as you are willing to put in.
Now let's move on to what you came here for, discussing general certifications for getting started in Cybersecurity. There are a lot of certification vendors and even more certifications out on the market. As I have said previously some of these certifications are snake oil, some are checks on your ability to memorize flashcards and others are downright impractical. Some of you may not agree with what I am about to say but some great examples of certifications to avoid are the ISC2 CISSP and the EC-Council’s CEH certifications. Admittedly the CEH is not as bad as it once was with the introduction of the CEH Practical exam. The CEH base exam and the CISSP are examples of exams that require you to memorize buzzwords of theoretical information and provide you with no way to test your ability to apply the knowledge you should have learned. You’ve likely seen the CISSP on every job posting you’ve looked at regardless of the level of the position, the CISSP is only relevant to those in leadership positions. Enough about those let's talk about some good exams. While not a complete list, Paul Jerimy keeps an extensive list of certifications and their prices are linked and can be seen below:
When it comes to certifications my top organizations to look at are: INE/eLearnSecurity, CompTIA, TCM Security, OffSec, SANS/GIAC, and Security Blue Team. If you are trying to break into Cybersecurity from a non-IT background, I highly recommend you start with a few certifications from CompTIA; namely the ITF+, A+, and Network+. These are great certifications for building a generalized foundation of knowledge, all three are unnecessary but will make the transition to the field much easier for you as they introduce many concepts and basic skills that will likely come up later in your development journey. After that the next stop would be to everyone’s favorite the CompTIA SEC+, alternatively, the eEDA from INE or the GFACT from SANS would be a good next step. The SEC+ and GFACT touch on many generalized security concepts and make for great starting points before beginning to move into an area of specialization in security. The eEDA talks about some general security concepts but is slightly more focused on GRC (Governance, Risk, and Compliance) as well as Access Management. Moving onto more specialized certifications, the BTL1 (Blue Team Level 1) from Security Blue Team and the eCIR from INE are great certifications for getting basic incident response skills for blue team style work. For more advanced incident response training you should look to the GCIH from SANS or the OSDA from OffSec. If offensive security is the section of the field you think you want to get into start with the eJPT from INE or the PJPT from TCM Security. They’re both fantastic beginner-level certifications that will teach you some of the basics of pentesting. Once you’re ready for more advanced pentesting training consider checking out the PNPT from TCM Security, OSCP from OffSec, or the GPEN from SANS. All three offer various levels of difficulty but teach you the same intermediate-level pentesting knowledge.
This list of certifications isn’t comprehensive and doesn’t even begin to touch on the depth of certifications that there are. For example, we have left out vendor-specific certifications or certifications for other sections of cybersecurity such as forensics or GRC. Remember certifications are just building blocks that make up the pyramid of you and are just one of the many ways you can go about getting the knowledge you need to break into security. Ultimately though landing a role or even an interview in security is going to come down to the preference of the hiring manager looking at your resume. Don’t let that discourage you from learning and remember to never stop learning.
Checkout our other recent blogs: