More than 35% of all cybersecurity positions call for at least one certification. The value of certifications in cybersecurity is a controversial topic. Some people think they are essentially worthless pieces of paper that only help with getting past the HR screen and into the second interview, while others believe they do demonstrate a certain level of competency. Some job postings explicitly require certain qualifications before a candidate is even considered. However, one thing that can’t be denied is that people who have a mix of certifications and experience enjoy benefits above those who only have one of the two.
People who hold certifications make between 5-25% more than those who don’t. In addition to better pay, a certification can introduce you to knowledge and concepts in specific areas that increase your overall skillset. Some certifications, such as the OSCP, are highly regarded as a demonstration of skill and expertise in a particular area. I definitely think they are something you should consider, whether you’re trying to break into the industry or advance in your career. Here are some of the top industry certifications to consider:
Security+: This is my number one recommendation to start with. It’s a vendor-neutral certification that covers all of the major areas of security. It is also well respected by employers and establishes core knowledge that can be used in any cybersecurity role. The Security+ certification is approved by the U.S. Department of Defense to meet Directive 8140/8570.01-M requirements. Put simply, this means the DoD recognizes it as a quality certification.
CEH: The Certified Ethical Hacker certification is a course offered by EC-Council that focuses on the core concepts of computer hacking. Unlike Security+, this certification targets a niche within cybersecurity, namely pen testing tools and techniques. Despite being more focused, it is still an entry-level course in my opinion and a good one to start with.
OSCP: This stands for Offensive Security Certified Professional and is a more advanced version of the CEH. Rather than focusing primarily on theory, this exam is almost exclusively hands-on, requiring the candidate to hack into multiple machines within the given time frame and retrieve the contents of files stored on them. Once that is done, the candidate is given 24 hours to complete a professional write-up of how they compromised the machines; this is sent to the overseeing body, and once it is deemed satisfactory the candidate earns the certification. Due to its difficulty, the OSCP is one of the more recognized technical certifications. It takes a good amount of persistence because you are given minimal guidance throughout the practice labs; it’s more of a trial-by-fire type of learning.
CISSP: The Certified Information Security Professional is probably the most common security certification out there. It is considered a management-level certification and requires 5 years of IT security experience, though 1 year can be waived with a university degree. It is a very comprehensive certification that covers many domains relevant to management. On average, a CISSP increases an individual’s salary by about $15,000. It also has three concentration areas that you can specialize in:
AWS Security Specialist & Microsoft Azure Security Engineer: Amazon Web Services and Microsoft Azure are two of the largest cloud service providers today, and both offer certifications specifically for security professionals on their platforms. These certifications are great starting points for someone looking to specialize in cloud security.
SANS DFIR Courses: The SANS Institute is considered one of the most prestigious certification and training bodies in security. One program that is particularly popular is their Digital Forensics and Incident Response (DFIR) courses. These courses equip you with the latest knowledge and techniques for finding digital artifacts, threat hunting and incident response procedures. They are quite pricey, but they have a reputation for being cutting edge and very well taught.
CHFI: Computer Hacking Forensic Investigator is another certification provided by EC-Council, focusing on the area of computer forensics. It teaches investigation techniques used by police, government and corporate entities globally.
CompTIA CySA+: CompTIA Cybersecurity Analyst (CySA+) is an intermediate-level certification that uses hands-on, performance-based and multiple-choice questions. It covers basic skills, like a candidate’s ability to capture, monitor and respond to network findings, but expands them to include more advanced topics like threat hunting, automation, application security and regulatory compliance. It covers the technical and management skills expected of a mid-level security professional. This certification has been approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements (like the Security+ certification), and it is compliant with government regulations under the Federal Information Security Management Act (FISMA).
CISM: Certified Information Security Manager. As the name suggests, this certification is designed to give candidates the expertise required to be a successful information security manager. The topics covered include governance, program development, incident management and risk management. The average salary of CISM holders is estimated at $118,000.
CCNA: CCNA is a Cisco certification and stands for Cisco Certified Network Administrator. It evaluates a candidate’s skills and knowledge of network fundamentals, network access, IP connectivity, security fundamentals, automation and programming ability. If you work with a lot of Cisco equipment, or plan to in the future, this certification could be very useful.
Evidence suggests that security certifications definitely help to advance one’s career. Many job postings specifically ask for certifications, and some certifications, such as the CISM and CISSP, have been directly correlated with five-figure increases in pay. In addition, these certifications do improve an individual’s overall knowledge base in an area, especially if that person doesn’t have a large body of experience prior to taking the course. While courses are no substitute for work experience, they are definitely a good supplement, and the certs listed above are some of the most prominent in the industry. I highly recommend looking into one or more of these if you’re looking to improve your chances of thriving in this field.