I’ve done my cybersecurity certification training, should I take the exam?


One of the questions I’m most often asked by students after they complete a certification training course is whether or not they should take the exam.
The answer isn’t a simple “yes” or “no”, as every student’s needs and goals are different.
With that in mind, let’s take a look at the reasons both for and against booking your exam once you’ve passed your course training.
Question 1: Who are you and what do you want to do?
This is the question you need to ask yourself. What turns your crank? Do you prefer offense or defense? Red team or Blue team? Tactical or Strategic?
As a red team member, you love the attack. In the game of cops and robbers, you want to be the most bad-ass robber there is. Imagination and ability are your strengths.
Not only do you come up with inventive ways to attack a network, an application or a person, you know how to execute it.
As a blue team member, you are the sheepdog. I know this term is loaded these days on social media, but the blue team are the true protectors of company IT assets.
An enterprise can’t expect Larry or Jane from marketing to defend themselves from advanced attackers using spear-phishing as a weak link into the corporate network.
You defend the company assets from all threats, seen and unseen.
Red Team or Blue Team?
Red Team is highly tactical in nature. Blue Team can be either tactical or strategic.
Red Team Certifications
There are a handful of Red Team certifications available in the market.
In all honesty, any advanced subject matter changes so frequently that a certification in this discipline won’t address the latest attack patterns.
In fact, I think learning in this environment consists of learned knowledge.
To get you prepared for this field, I’d recommend investigating the following certifications as starting points:
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Certified Ethical Hacker – Practical exam
Blue Team Certifications
There are numerous Blue Team certifications available.
Is your focus on Cyber Security defenses, Information Risk Management, or Audit?
I think it’s easiest to just lay out the organizations and let you explore their various offerings:
- ISACA Certification Training
- ISC2 Certification Training
- Cloud Security Alliance Certification Training
- EC-Council Certification Training
- CompTIA Certification Training
Strategic or Tactical?
Do you want to create the plan or execute the plan?
This is the difference between strategic and tactical initiatives.
If you’re currently tactical and are thinking about climbing the corporate ladder and being more strategic, just be aware of what you’re getting into.
You’ll be expected to manage people, not systems.
Everyone thinks it will be different for them. It likely won’t be. This is the natural progression that happens in most enterprises.
In the certification market, there are many more Strategic offerings than there are Tactical offerings.
As I mentioned previously in the red team vs blue team section, I think this is because tactical activities happen at such a fast pace that courseware and certifications really can’t keep up.
Strategic certifications: CISSP, CISA, CISM, CCSP
Tactical certifications: CCSK, CEH, Security+
Question 2: Are employers looking for this certification?
Not all certs are created equally. Does anyone care about your obscure bitcoin wallet security certification?
Not very likely.
“But it’s the hardest and most advanced cryptographic course ever, Graham!”
Don’t care. Nobody cares.
That was a personal interest and that’s cool, just don’t expect it to get you an interview.
They (being employers) are trying to demonstrate how their people are qualified to prospective customers and/or to regulators. When it comes to the regulator side, almost every standard or regulation I have ever read states that IT employees must be “qualified”.
How does one gauge such an ambiguous term? A combination of experience and certifications comes to mind first. Employers need to be able to state “this person is qualified as a cyber security professional because they have x years of experience and the following relevant knowledge (certifications)”.
Think about the customer who is asking about a prospective supplier’s security program and workforce. Do your bosses say “hey, why not speak with Pat to see just how qualified they are!”? Not going to happen. It’s more defensible if they can say “Pat has 6.5 years of experience and has their CISSP certification”.
The fact is, you have to understand what employers are looking for in potential candidates. They are looking for defensibility.
From a relevancy perspective, it comes back to the two questions posed before:
Question 3: Does this certification aid my career?
Sure, great if you can get a job with the cert, but does it get you the right job?
Are you looking at getting your foot in the door and asking if the CISSP is a good certification for an entry level position?
No, it’s not (and the 5 year experience requirement likely isn’t met).
You’re going to want to look at something such as Security+ from CompTIA if you’re just starting out. If you want to go tactical red team after that, investigate the C|EH from EC-Council. Looking at having a blue team strategic career? Follow up with the SSCP instead.
Likewise, if you are a risk management professional, taking a class such as Certified Ethical Hacker might be beneficial, but it might also make you look scattered.
There are multiple books available for such certifications. I personally recommend the McGraw-Hill All-In-One certification guides. (Disclosure: I wrote the CCSK All-In-One book, so I’m likely biased).
One last note should be the number of certifications a person has. I’ve never been a fan of “cert chasers”. You know the person who has like 25 certifications across 20 different disciplines? It could impress some employers, but it could very well turn off many others.
If you do have many certifications, I’d recommend tailoring your resume (and email signature) to only reflect the certifications you have that address the job opening you’re looking for.
Question 4: Do you want to advance your career at this time?
Is your employer sending you to certification training?
If so, you need to realize they have identified you as a potential star.
Take advantage of the situation! After all, why wouldn’t you take the certification exam, be the rising star the employer identified and earn more?
There could be many reasons. Maybe you have a new baby on the way, or some other major life change. Health and family should always be the priority. That said, I hope it’s not because you don’t believe in yourself as much as they do and you’re trying to justify why you aren’t good enough.
Want to know why many companies are hesitant to supply their staff with certification training? Because they are afraid that staff will leave for more money once they are certified.
Don’t take my word for it. Here are some recent stats on salaries (courtesy of payscale.com):