How to Pick Your First/Next Cyber Certification

Stephen C. Semmelroth
7 min readMar 13, 2020

--

The Cyber Work Role landscape is incredibly broad. So are certs. Even this isn’t accurate.

Welcome to cyber security. There is no singular entry point, plan, pipeline, or training workflow to prepare you for cyber: there are many.

Cyber security is incredibly broad, increasingly specialized, and each of the many diverse work roles within the landscape require their own training . To emphasize how broad the cyber domain is, at the time of this writing, SANS offers 40 different cyber-related certifications ranging in categories from cyber defense, to penetration testing, to management, to legal, to incident response.

Well that doesn’t help. So what next?

There’s a ton of hype around certs. Don’t get caught up in them. The correlation between certifications and performance is a correlation, not causation. So let’s get into it. Often, asking what cert to get is the wrong question. Bottom line: cloud/virtualization certs probably make more sense initially than cyber certs for most people.

First - does a cert even make sense? Each candidate has their on particular variables: timeline, budget, family situation, clearances, ability to relocate, previous education/experience, volunteering, participation in industry events, and grit. Often, candidates can better invest time and money into something other than a cert. For example, a couple GitHub projects in C with a bunch of pointer math and direct memory manipulation can often be much stronger than CISSP…for the right job.

When and if a certification does make sense, we re-visit many of the variables above but tack on “Who’s paying and what will they pay for.” Consider the following two candidates that have no current certifications: One is currently employed, has little time to spare, wants a stable job, isn’t quite sure what role they prefer, their employer will pay for certifications, and the candidate is considering Federal work so may need 8570 requirements. Another candidate is out of work, is self-funding certifications, has a lot of free time, knows what role they want, doesn’t need 8570, has been a help desk analyst for a year before the company went through a workforce reduction, and has been competing in capture the flag events for the past year. These two candidates are in very different positions. Note: If you’re in the Military, check out this article on 8 Paths to Free College Credit and this article on what to do if you’re planning on transitioning out within the next few years and want to focus on cyber security.

There’s another factor: What path within cyber are you taking? If you know that you want to go into threat intelligence, a cert in networking security probably won’t help you much. If you’re not sure which direction you want to go, then read How to Learn Cyber Over the Weekend: An Orientation in 48 Hours. This article covers some of the basics you should know like:

  • What an APT is and a couple examples of APT campaigns
  • The MITRE ATT&CK Framework
  • How to prioritize protection using the ASD’s Essential Eight Maturity Model

As you read though a couple campaigns, you will naturally gravitate towards something within the campaign such as network segmentation, intelligence, strategy, development, misinformation, project management, and even customer relationship manager and sales — someone has to sell the products that attack and defend!

There’s also two really big distinctions for cyber companies:

  • Companies that require cyber professionals to protect their assets
  • Cyber companies

These are HUGE differences. Often, cyber companies don’t care or care much less about certifications than companies that need cybersecurity professionals. If you are trying to transition into the cyber industry, I often recommend keep doing what you’re great at, just learn a bit more and apply for a similar role at a cyber-branded company. If you have a bunch of Front-End developer experience…apply for a Front-End developer role at a you-pick-the-flavor cyber company. Get the cyber merit badge and then try to pivot roles within the company. However, you still better be able to talk through an APT campaign because even a front end developer at a cyber company should still be threat focused!

Certifications within cyber security are generally broken into two categories: certifications that test what you KNOW and certifications that test what you can DO. Guess which category employers prefer. Many focus areas within the cyber work role landscape have few, no, or immature certifications which means experience is unfortunately (or fortunately) more important. Some examples of cyber roles that require no certifications include sales engineering, exploit developer, customer success engineer, field engineer, DevSecOps engineer.

The market will tell you to start with CEH and Sec+. We’ve literally never had a company come to us and ask for someone with Sec+ and CEH. Both of these certification test what you KNOW. If you are in help desk and want to move into security within your company and the company will pay for them, take them. Why not? If you want transition from non-technical project management to technical project management, CEH and Sec+ will probably help your case. We’ve found that balancing technical proficiency with something like a cloud or virtualization cert AND understanding the threat tends to go much further. Unless you need 8570 requirements. You can usually get through these with a couple hundred dollars and a couple weeks of studying.

AWS, VMware, CISSP, OSCP, Splunk, CCIE Security, CHFI, and, of course, SANS certifications tend to be the most attractive for employers. Most pure cyber roles other than SOC analyst are for people that have been in an adjacent field for a few years and are finally putting on their cyber hat.

Virtualization: AWS and VMware are huge and fundamental to many different areas within the industry because virtualization defines much of the infrastructure that runs modern networks and systems. Certifications in both of these platforms open up a number of opportunities for security practitioners in many different markets. Prices vary. Sorry, Azure and GCP: the truth is that AWS still owns the marketplace.

CISSP by ISC2: CISSP validates that security professionals can choose the best option out of a series of imperfect alternatives (because that’s life) and communicate associated risk to business executives. Yes, you’ll have to know the difference between different types of asymmetric cryptography, but more importantly you need to be able to explain why you might choose to implement one over another. What about the 5 years of experience to qualify? Read the fine print. ISC2 is a business. They’d be crazy to not take your money if you want to sit for the exam. You only need five years of paid experience in two of the mandated eight Domains to qualify for the full CISSP. If you don’t have the combined five years, you can still take the exam and become an “Associate of ISC2” when you pass. Read more here. Between the certification and prep, CISSP usually costs around $1000. Note: Military folk, read the qualifications closely because you probably qualify for more time than you realize. No, it’s not a beginner certification, but if you are coming in from an adjacent industry, you’re probably not a true beginner. We are big fans of the Sunflower CISSP Study Guide and the ISC2-provided practice tests. If you can crush the practice tests (especially the last two!) and you can explain every little thing on the Sunflower guide you are probably headed in the right direction. Free for Veterans through Syracuse’s Onward to Opportunity program. Note: If you have CISSP/Associate of ISC2 and no experience in an adjacent field like IT then congratulations are in order because you’re now a cyber consultant, not a practitioner. If you’re a consultant, you better understand the threat.

OSCP by Offensive Security: This is a challenge for beginners and tests what you can DO. OSCP is the outcome of the Penetration Testing with Kali (PWK) course which includes learning material and lab-based learning environment. Candidates work through the learning material and build a portfolio documenting their work, then VPN into a lab environment and hack virtual machines for a few months and build a professional engagement report of their work in the lab, and then take a 24-hour exam that consists of a VPN into an exam network, a few boxes to get root on, and then a, you guessed it, engagement report. Usually candidates can get through OSCP for about $1500 by the time they buy back in to more timeline and take the certification a couple times. For candidates that might not be quite gritty enough to jump straight into OSCP, we recommend Virtual Hacking Labs and Heath Adam’s Practical Ethical Hacking — The Complete Course. Offensive Security has additional certifications as well but OSCP is usually the best place to start.

Splunk: Splunk is a data analysis engine that can ingest a variety of data (like security alerts coming from a SIEM) and produce insights. Splunk certifications are free for Veterans.

CCIE Security by Cisco: Most security focused IT roles require at least CCNP. The IT industry is much, much larger than the cyber industry. Low demand drives high experience/certification requirements. This route is really long, relatively expensive for junior cyber entrants, and if often reserved for people that already have 4–10 years of IT experience and want to make the jump. Most candidates here take ICND1 then ICND2 (1+2 is the CCNA), and then CCNP and blah. You should note that all of these Cisco certs are for the Cisco ecosystem so only portions of the content transfer to other vendors.

SANS: SANS certifications are expensive. Multiple thousands of dollars per course/certification. However, SANS courses are taught by top industry leaders. Try to get a scholarship or your employer to pay for the certification. If you can/do go the SANS route, make sure you pick the right certification that aligns with your goals. You won’t be disappointed.

CHFI by EC-Council: Computer Hacking Forensic Expert is a good way to go for the forensics pipeline. Forensics is one of the stranger areas within cyber security but from what we hear CHFI helps. If that’s the route you know and love, let us know how it impacted your job search!

--

--

Stephen C. Semmelroth
Stephen C. Semmelroth

Written by Stephen C. Semmelroth

VP Cyber at StrataCore. I talk to the bits so the customers don’t have to.

Responses (1)