How to prepare for cybersecurity certifications?
The complete cybersecurity guide to preparing for certifications like CompTIA, OSCP, CySA+, CISSP, et al.
As with anything practice and determination are the key, but it helps to know what even to focus on. I have previously written in detail on how to start a career in cybersecurity. If you have already read that post, you likely have a pretty good understanding now of where you want to be — what kind of role you see yourself in on an everyday basis and to figure out the next steps.
I prepared this guide to further answer some of the frequent questions I receive on my career counseling page. In this article I specifically cover what certifications you need for each types of cybersecurity roles and more importantly, how to prepare for them.
Ideally, it is best to identify a few roles that you believe you would be a good fit for, and look at their job descriptions. This gives you an idea of what skills or certifications you need to work on.
If your employer offers educational subsidy or tuition reimbursement as a part of your benefits package, ask them to cover the cost of your trainings and certifications! It is a win-win for your professional development and the employer when you become more skilled.
Penetration Testers & Ethical Hackers
When it comes to earning a certification to demonstrate your knowledge of ethical hacking and penetration testing, surely there’s plenty that will test you on theory and your knowledge of acronyms, and might be even more popular — such as Certified Ethical Hacker (CEH).
But I’m personally biased towards Offensive Security Certified Professional (OSCP) for one simple reason: You don’t take quizzes on paper to pass OSCP. Instead, you are actually given 4–5 systems (IP addresses) to hack and be creative — to craft your own exploits, within a 24 hour exam period. You are also given lab access to test systems that you can fiddle with, to prepare for the exam. That way you can rightfully claim, in a dignified manner, the title of being a “hacker.”
Hackers don’t merely pass tests, they hack systems — ethically or otherwise. But for that, you need to have a solid grasp on the concepts and be able to walk the walk. OSCP, for that reason, is upfront proof of your credibility as a hacker and penetration tester, and anyone with an OSCP typically earns instant respect of peers in the industry.
Now you are wondering, “how to prepare for OSCP?”
A lot of test takers — not all, but a significant number, fail OSCP on their first attempt mainly due to lack of preparation, or the inability to act on their feet in a limited time.
Surely, you can take a chance with preparing with OSCP using only their course materials and lab access. These may be enough for someone who is already familiar with the concepts and hacking in the real world, for example, at a full-time pen-tester job. But, I personally recommend The Complete Ethical Hacking Course Bundle because not only it covers the practical aspects of what you need for OSCP, the bundled courses also cover Wi-Fi hacking, web-app hacking, networking concepts, social engineering tricks and using Android as a hacking tool. This will not only help you with OSCP but other Offensive Security courses as well — and make you a better hacker by enhancing the breadth and depth of your knowledge.
SOC Consultant, Security Analysts & ‘Defenders’
There is a plethora of certs available in this category and the choice largely depends on your experience level. Beginners with absolutely minimal or no knowledge of the concepts may benefit from CompTIA’s Network+ and Security+ certifications — again, I want to emphasize these are basic level certs. If you are good with your fundamentals and need more thorough feel for being a full-time analyst, CySA+ maybe the next step. If you are ready to go advanced, CASP would be the ideal step. CompTIA’s website claims, “CASP is the only hands-on, performance certification for practitioners — not managers — at the advanced skill level of cybersecurity.”
The spot on recommendation here would be The Complete Course Bundle to Help You Pass the CompTIA Cybersecurity Analyst+ (CS0–001) exam on your 1st attempt. For one sweet price, discounted to $26, you now have access to 5 courses including practice tests exclusively geared towards the CySA+ (CSA+) certification from credible instructors.
Since CASP is a more of a hands-on certification, I recommend actually having worked as an Analyst first for a cybersecurity consulting firm, even if for a few months, to test the waters and to learn what might be expected. You may do fine without it but you’ll be far more confident taking the test if what the exam questions ask is essentially what you do at your daily job.
Networking & Information Technology (IT)
For obvious reasons, going for a vendor-neutral certification, especially in the beginning of your career, may be the smarter idea rather than going for a vendor-specific one. The exception to this rule would be if you have years of working experience with Cisco or Juniper devices and to substantiate that skill, you decide to go for a Cisco CCNA/CCNP certification, for example.
For Cisco CCNA specifically, I recommend the Cisco CCNA NEW R/S (200–125): The Complete Course. (Update: I don’t think one can enroll in this course anymore, but it is still being offered to the VIP members of the website). When it comes down to computer networking concepts in general, it sure is best to know your TCP/UDP and OSI stack — but there’s value in understanding the hardware and software technologies deployed in the industry as well and how they work. The multiple courses cover in detail Cisco technologies and help you prepare for these certifications as well.
Governance, Risk & Compliance (GRC), Policymaking, Security Assurance
There is no one certification when it comes to policymaking. A lot of it comes from business and managerial experience. Even though the certification may greatly help you become familiar with legal compliance terms, policies, technology and how to go about GRC, the actual experience, as with anything, comes from interacting with the clients daily.
GRC-specific certification: There’s a long list of certifications available in the GRC field, but at this point I’m not able to authoritatively comment on their credibility, simply because I haven’t been as involved with GRC up until this point.
To establish credibility in the Security field at C-level/Managerial roles :
The ultimate goal of most Cybersecurity professionals — especially C-level executives, is to earn a CISSP® at some point in their careers. CISSP® is proof of your years of security experience, seniority and credibility as a security professional. You do need to have 5 working years of experience in listed a few areas of cybersecurity before you may even sit the exam. Good news is, with a college degree, you only need 4 years of experience — but that in no way simplifies the material that’s going to be on the exam.
CISSP® is the best theoretical certification for advanced professionals because, no matter what your level or role at a company is, CISSP® is a solid evidence of your veteran status in cybersecurity.
I have thus far found the CISSP® Exam Preparation Training Course very helpful as it’s specifically designed for the CISSP® test. This one’s only available as part of the complete VIP course bundle though and not by itself.
You can surely take these courses individually for a specific certification or training goal you have (it’s cheaper that way if you only need to take a one-time course). My take, however, as stated in my previous post is, I personally have the VIP Bundle as it provides year-long access to 91 of the courses for one fixed fee — for beginners, pros and those preparing for CompTIA, OSCP and other popular certifications. The VIP bundle catalog is also periodically updated with fresh material and courses, which is very beneficial in learning new skills from time to time! So, if you are planning on preparing for multiple certifications or upgrading your skills from time to time, the bundle ends up being a much, much cheaper deal.
I don’t recommend anything without trying it for myself first, and likewise you should only get your training in a manner which suits you best. Ultimately, there is no shortcut to success and no matter how you choose to prepare for your certifications, you need to know and understand the subject material by heart. Without it certifications are just decorative.