Hello everyone. Welcome to my first ever post! We’re going to discuss cyber certifications (certs for short) and how you can land that dream job.
I should preface that what I’m about to talk about is mostly my opinion. I have done the research for you and will provide what I have managed to compile. I will also link references and learning tools for you to explore on your own.
Let’s begin.
Certs Vs Degrees
In a nutshell, certs are verifiable proof that you know something. To an employer, they are worth more than a degree. Why? Certs and degrees prove different learning capabilities.
I talked to one of my former professors about certifications and degrees. He said to me:
“Degrees tell your boss that you can follow instructions. If they ask you about something you don’t know, simply say ‘I don’t know, but if you give me the manual, I can learn it’.”
Take a look at any entry-level/internship job opening for a company like Boeing/Raytheon/NASA. They require a very high GPA (3.5+) to even apply, let alone be considered. The reason they do this is that they want rule followers (a “Yes-Man”). These companies don’t care about your skills, they care about how well you listen to authority.
If you want to work for Boeing/Raytheon/NASA, I won’t stop you, but you should be aware of what you’re getting into. Climbing that ladder to a managerial position will take you decades. The optimal route from having a job at these places is that it gets you an extra look at your resume/CV. “You worked at NASA? Wow that’s cool!” - Your NGMI friend/recruiter.
What Certs Do I Pick?
There are thousands of certs. Getting them all is a waste of time, so you need to prepare your roadmap (LINK).
What do you want to do?
It’s up to you. You can decide what you want to explore and apply it into your skillset. Saying “I want to learn cybersecurity” is a complex statement. Find a niche that resonates with you (for me, it’s Malware Analysis).
Certs don’t teach you everything. They usually cover a small subset of knowledge in a certain field and test that you can comprehend the subject either through a paper test or hands-on lab (or both).
Secondly, most certs expire after a certain time (3-5 years). You shouldn’t worry too much about this as it should not take you 3+ years to land a job after getting a cert. If you need to renew a cert, you’ll need to either take the test again or redeem some organizational credits (you should research this for each cert).
Now back to the ones you should get, based on your pre-existing knowledge.
Common Certs
NGMI Cyber Noob
Let’s say you’re a NGMI cyber noob. The first thing you should do is subscribe to BowTiedCyber to get your skillset rolling.
CompTIA Security+ (Sec+)
“Inch deep, mile wide”. Sec+ is easily one of the most popular certifications for novices/beginners. Sec+ comes after Network+ (Net+). You can skip Net+, but if you know absolutely nothing about computers/networks, you may want to at least read up on the course material.
Sec+ is a basic overview of Information Security (infosec) and its applications. Sec+ will get you an extra look at any entry-level position, even if you don’t have a degree. It is also one of the few certs that is broad enough to encapsulate multiple different concentrations.
CompTIA A+
Extremely basic computer information. If you have no idea how anything on a computer works and managed to make it to this page by sheer luck, A+ is for you. If you have some knowledge (e.g. know what a BIOS is), you definitely don’t need it. If you want to be the best IT helpdesk guy at your company, it can’t hurt.
Novice Hacker Bro
Everybody and their mom wants to be a hacker/pentester. If you’re thinking offense (red-team), you’ll definitely need some specialized certs to even be considered for a job.
Certified Ethical Hacker (CEH)
All the red-team startups have a rage boner for this cert. I’m not the biggest fan of it (I’m a blue-team guy). It’s a bunch of questions about tools. If I ever took it (I won’t), it’d be mostly memorization (kinda like a degree haha).
Offensive Security Certified Professional (OSCP)
Another red-team cert like CEH, but you will learn multitudes more about red-teaming and pentesting before the exam. Instead of brainless questions (e.g. “What port is Telnet hosted on?”), you will be given questions about applied knowledge.
To summarize if you want to be a hacker: CEH for credentialism, OSCP for knowledge. CEH gets you past those pesky job screenings, but OSCP really opens doors.
Infosec Manager/Executive
Managing an infosec team for a company shows that you know your shit. And yes, you’ll be paid well too.
Certified Information Systems Security Professional (CISSP)
Imagine IT management, risk assessment, threat intelligence, and secure development wrapped into a single cert. You need 5+ years of experience (and a written letter of recommendation IIRC) to even attempt the cert.
Cert Organizations
Certifications are hosted by a variety of organizations. As mentioned before, there are thousands of certs. Getting a really obscure one because it’s cheap isn’t a good idea as it probably isn’t worth much to an employer.
Below are some orgs with a good reputation that employers and hiring managers are looking for in applicant resumes. Some orgs have their own training material too.
CompTIA
Host of the “Plus” certifications. CompTIA is recognizable by about every company. Their website has training material and practice tests for their exams. They are an excellent choice for novices looking to start their cybersecurity journey.
Global Information Assurance Certification (GIAC)
GIAC provides certs for a variety of subjects (Offense, Cloud, Forensics, Management). They are highly coveted by employers for mid-senior level positions. You’re practically guaranteed a $100k/yr position, but the catch is that the certs are expensive. The exams usually cost $2000 USD and the prep courses (SANS) cost $4000. You can take the exams without the prep courses, but you will have a much more difficult time.
A nice option would be to ask your employer to pay for the course+exam in exchange for working for them for an extra year or 2. Most companies have some sort of education budget, and asking won’t hurt.
eLearnSecurity
eLearnSecurity is not quite as reputable as the above 2 orgs, but I’ve listed them as their training courses are top notch. They use INE as their exam prep. If you pay for the premium subscription, you’ll have access to the training for all of eLearnSecurity’s certs.
You won’t usually see these certs listed on a job board posting, but you can spot them since they all start with a lowercase “e”.
Information Assurance Certification Review Board (IACRB)
IACRB was a part of some controversy a few years ago, but their certs are still good. I don’t know much about them, but I have seen their certs listed under job postings.
Mossé Cyber Security Institute
Based out of Australia, Mossé’s certs are appealing to many because they don’t expire. Secondly, all of your work is done via virtual labs which are checked by hand by the members of the institute. I’ve used them before and highly recommend them if you need to work on your writeups.
Other Training
To pass certs, you need to be trained. Here are a few companies/orgs that provide training.
Pluralsight
Pluralsight provides training for several cyber programs. I like them because they have an offline video player program which I use sometimes. A lot of their material is free, which is another reason why I like them.
Cybrary
Cybrary is well known and has tons of information. When you sign up, you’ll have a few days of free premium access, so be sure to capitalize on this!
Summary
In conclusion, you don’t need to have a resume full of certs to get the job you want, nor will you be able to get the certs you want in only a few weeks. Certifications are investments in yourself and your capabilities, contrary to degrees.
If you don’t have a lot of experience, play around with some basic, free training tools and feel around to see what concentrations you like. Once you have the basis for a certification and career path, then you can start your training dedicated to your preferred skills, and you can finally land that dream job.
The post above is my opinion. Please treat it as such.
Link with the roadmap is very helpful. I'm glad I subscribed.