One of the most common online discussions in the security industry is about security certifications. This normally starts when someone asks what they should work towards or is Cert X better than Cert Y. As you can imagine, the answers are mixed.

The cold hard truth is that there is no real way to say one cert is better than another. It is 100% down to personal opinion. As security is a very broad field, you can find amazing practitioners who have zero certs and you can meet very bad professionals who have the full catalogue of security certifications. The certification itself is rarely an indicator of how good someone will be for your team.

People will always have a preference. Some will like the more management approach, some want them to be more technical. Some think “open book” certs are cheating, others think closed book certs are a needless test of how well people memorise trivial information.

There isn’t a right answer for any of this. All education is good. If you want the tl;dr it is that you need to do the research to find out what is offered by various security certifications and pick the one that is best for you. There is a caveat here because it depends on what your motivation is.

You might be looking to learn something new and the cert itself is just a way to test your own understanding. This is good and if this is your motivation, pick any cert and you will learn something.

However, for lots of people, the cert is there to meet a professional need. Often this is to land a job, keep a job or get a promotion. If this is your motivation then it really does matter which one you go for.

Security Certifications as a Gatekeeper

Security Certifications listed on a typical job advert.

The reality for most job seekers is that you need to get through some strange HR / corporate practices. In the example job advert (found on jobserve.co.uk), there is a clear statement that “Professional Industry Recognised Certifications” are an essential requirement and it goes on to list some security certifications.

However, there is no logic behind this. The cert requirement is simply a way to eliminate people they don’t want to hire and make it harder for applicants. If you need a CISSP, you need someone with a very different skill set and knowledge than a CISM (which is mostly management, projects and stakeholder engagement) and drastically different from a CEH – which is a pentester qualification. If any of these security certifications are acceptable, then it should also be OK to apply with none. It’s not feasible to believe that they want either a junior pentester or senior program manager for the role. The only explanation is that they’ve asked for security certifications to act as a gatekeeper and eliminate a percentage of candidates.

If HR departments and hiring managers had any sense, life would be easier and fairer but it simply isn’t. As a result, you may be forced to get certificates you don’t like for no reason other than the job requires it. In the UK in 2019, the most common qualification this applies to is the CISSP.

This is not an intrinsically bad security certification. CISSP holders range from super skilled and knowledgeable to people you can’t believe passed the exam. This is true of every single qualification in the world, so don’t think it is a criticism of the CISSP. The marketing efforts which have gone into pushing the CISSP mean that if you hold it, you can pretty much apply for any security role from pentester, to incident handler, to forensic investigator to management. Now you may think this makes no sense, and it doesn’t, but that doesn’t matter. It is the way the world is.

One other consideration

Most certs come in two broad flavours: ones where you go and learn a lot of new material and then sit an exam, and ones where you are expected to already know the material before you go for the exam.

To illustrate the difference, here are two examples:

  • CISSP / CISM: Both certs where you need 5 years experience before you sit the exam. You can get “bootcamp” courses but these are largely sold as refreshers rather than teaching brand new knowledge.
  • OSCP: This is largely a cert where you learn lots of new stuff then sit a very challenging practical exam. Yes, some people will already know everything before they start the course, but that is 100% not what is expected. The course is designed to teach new things, not simply refresh knowledge.

This distinction is behind a lot of the dissatisfaction with some security certifications, especially as the courses are often expensive. People frequently attend a CISSP bootcamp and complain the cert is lacklustre because they learned nothing new on the course. Teaching new material was never the purpose of that course.

What does this mean?

The upshot is that if you are looking for one qualification to rule them all, it probably doesn’t exist.

You really need to decide what matters to you. Is it for personal development or to influence your career? If it is the latter, the best thing to do is search for job adverts. Find the ones you are interested in and check what qualifications they ask for. Whichever qualification is asked for the most is the one you really want.

In the UK, in the first half of 2019, for security roles, this is unquestionably the CISSP. But don’t take our word for it. Research it yourself. Find the jobs you like, find the career path you want and see what (if anything) is the required qualification.