Certifications for security professionals
A common question I hear is “What certifications should I go for?” – and if someone is asking me, they probably mean specifically in the security space, so that’s what I’ll talk about here.
Are certifications relevant?
First, I’m going to say that if your employer is sponsoring you to take some training, this isn’t a question you really need to ask yourself; take the training! But if you are footing the bill yourself or you are responsible for recommending training that either you or others should take then you do probably want to think about the relevancy of any certification you’re considering.
A good question to ask is “Is this training relevant to my job role (or the job role that I want)” – if you are, or want to be, a penetration tester then look for certifications that are specifically relevant to that role because you’re going to get the most value out of something like SANS GPEN (GIAC Penetration Tester) or OSCP from Offensive Security and much less value from a certification in Digital Forensics. Likewise, if you have or want a job administering BIG-IPs, you probably want to look at F5s own certifications rather than a generic certification aiming to cover a whole marketplace of products – ditto for any other vendor with their own certification track. For most certifications it is relatively easy to quantify how relevant they’ll be, so it’s quite easy to answer this question.
A better question to ask is “Is this training relevant to my current skill level” – you want a certification that is going to stretch you, not one you can cruise through. Some certifications are many thousands of dollars and – in my opinion – it isn’t worth spending that money just to ‘tick the box’ of having a certification, it needs to be something that enriches your knowledge as well. As an example, if you’ve been a penetration tester for a couple of years, SANS GPEN probably isn’t your bag, but maybe GXPN is?
You might be tempted to ask yourself “Will this certification make me more hirable?” and, well, let’s give that a whole section, shall we?
Do hiring managers look for certifications?
Yes, absolutely, but as always, it depends... both on the role you’re considering and the hiring manager you’re talking to.
If you are looking to move into a strategic role, then hiring managers are often going to be looking for a relatively strategic certification like CISSP or SANS GSTRT (MGT514); I would go out on a limb here and say that the certification I most often hear sought of and most widely recognized is CISSP.
If you are looking at technical roles then certifications are often a great way to get your CV picked up and past the first stage of review – look for certifications specific to the roles you are interested in, or technologies you want to work with. If you are looking at a vendor role, then look at their own certification program.
As someone who has done their fair share of interviewing, though, I must say that I am always looking for technical chops behind the certifications. Certifications give us an idea of where the base level of a candidate’s knowledge should sit, but we are still going to want to see practical demonstrations of competence in an interview setting!
How do you prepare for a certification test?
The answer to this is going to depend a little on which certification you are aiming for, whether it is open-book or not, technical or strategic and so on.
If you are facing an open-book test (like a SANS certification) then my number one tip is: Make an index of the course materials. Number two is: take the practice tests! Take one very soon after the course, and one after you’ve revised the course material, created your index and soon before you sit the final test, using this one to tweak your index where necessary.
You’re going into the test carrying a ton of reference material so that index really is paramount. The “pancakes” system worked well for me - https://tisiphone.net/2015/08/18/giac-testing/ - and although I highly recommend building your own index (if for no other reason than the course materials change regularly!) there are some open source indexes available out there as well (e.g., https://github.com/ancailliau/sans-indexes, which gets bonus points for building the indexes using TeX & LaTeX)
If you are prepping for a technical, practical exam like OSCP then my suggestion would be to spend a lot of time revising the course material and practicing your skills in Capture the Flag style environments (like https://www.hackthebox.com or https://tryhackme.com) or Offensive Security’s own PG Play / PG Practice environments (https://www.offensive-security.com/labs/individual/). You’re also going to want to hit this one when you are well rested, because the OSCP exam is a marathon!
For vendor certifications like our own then time-on-product is going to really help you, as will revising using the vendors own certification guides (like our blueprints - https://support.f5.com/csp/article/K29900360 ). Vendor certifications are often based on specific versions of software so my top tip would be to make sure you are practicing using the right version!
Summary
In summary, certifications can be highly beneficial. They demonstrate to an interviewer or to your organization that you have reached a specific level of understanding or knowledge of that specific field. They can never replace experience, of course, and I personally would not overlook a candidate with years of experience simply because they lacked a certification; but sometimes having those letters in your title can certainly open doors.
Sidenote
If you are a Japanese language reader, my colleague Koichi Toriumi has written a whole book on this subject, which can be found here: https://techbookfest.org/product/6492115844464640