Cybersecurity Certifications: To renew or not renew — that is the question
Pondering renewal of security certifications like the SANS GSE
I wrote in the past about how I obtained a SANS GSE (GIAC Security Expert).
The SANS GSE
What’s it like to take one of the hardest cybersecurity certifications in the industry — and pass!
GIAC stands for Global Information Assurance Certification. I explained a bit about that process and why I did it.
GIAC Security Expert (GSE) Certification | GIAC Certifications
GIAC Security Expert (GSE) Certification GSE registration has closed for 2022. Check back in 2023 for GSE registration…
Was it worth it?
I think that obtaining a GSE was a helpful experience because it enabled me to meet some really interesting and intelligent people who were instructors or fellow students in my classes. I gained a ton of information about cybersecurity from people who actually work in the field. At the time, it seemed like the best source of information I could find. Cybersecurity programs did not exist in universities and colleges at the time, and SANS was just starting a masters degree program. The certifications were all part of getting that degree. Because it was an accredited masters program I could get compensation for some — but not all — of the cost of attending from my employers.
I think they have since separated the GSE from the masters program but I’m not sure. I also know two people who made multiple attempts at a GSE and gave up but are still gainfully employed in cybersecurity. You definitely do not need a GSE to work in cybersecurity, and the cost of obtaining one is kind of outrageous. But I’ve done that before. I spent what seemed like an egregious amount of money to obtain a masters in software engineering when there were only two such programs in the country. I wanted to learn and get that stamp on a piece of paper that showed I had put some work into obtaining the knowledge.
Was it worth it in dollars and cents? When I look back, how much did I invest versus the return on that investment in salary increases? Not sure from a monetary perspective that it was all worth it. I cannot say that I have had a greater return on investment by obtaining a cybersecurity degree or certification compared to if I had continued to work in software. But from a personal standpoint it was worth it. Sometimes you just do things because you enjoy them, and I enjoy learning. I also want to help stop data breaches. Hopefully I can make a difference.
Will a certification or degree lead to a job and more money?
SANS was great for meeting people in cybersecurity, but it’s not where I met everyone in the industry, including some of the people who helped me most. I got involved in IANS because I met George Gerchow at AWS re:Invent where we were both speaking about cloud security. I met my friend Tanya Janca when we were both speaking at Vancouver BSides. We had an amazing vacation in Australia together and saw Kangaroo Island and took a train to the Outback just before the wildfires hit. So sad. Ironically, she moved to the West coast and I moved to the East coast since then. I met Ira Winkler at RSA and many other wonderful people working in security, cloud, and software development while speaking at conferences around the world. I really enjoy talking to the other IANS faculty at IANS events. I’ll be speaking at another in LA in October.
Other people I met when I was seeking out local people to help me with security white papers or projects, or to ask them to speak at an AWS Meetup. Thank you to everyone who ever helped me through all of this, or who attended one of my presentations. Yet other people who are really interesting and amazing in cybersecurity I met through work or just by reaching out to local companies and contacts like Defense Storm, Rhino Security Labs, and CI Security when I was living in Seattle. I just had dinner with some former colleagues from Capital One and am itching to read a blog post one of them says he is going to write. :)
Don’t think that you must be certified or go to certain classes to work in security. There are many, many options for learning about cybersecurity and meeting people in the field. Do whatever you can to start learning and building your skills and connections. Go to local events or attend virtually.
I brought up Ira Winkler because I just saw a very insightful and accurate post he published on LinkedIn. He was commenting on a Forbes article which said cybersecurity graduates can make $200,000 per year and how that might be an exaggeration that sets people up with unrealistic expectations. That figure may be a little inflated. Ira would know. As the Chief Security Architect for Walmart, he hires people. He’s also been in the industry a long time and has some great books and presentations out there that I’ve mentioned before. You might want to check them out: https://www.amazon.com/Books-Ira-Winkler/s?rh=n%3A283155%2Cp_27%3AIra+Winkler
According to an article I read in the Wall Street Journal, some CISOs do make upwards of $500,000 a year. That is generally at large companies, and along with that comes a mountain of risk and stress. Often a CISO will get blamed for a breach and then have a harder time getting future work or, at the very least, pay the price in reputation over things that were outside of their control in some cases. Cybersecurity. Is. Hard. You cannot pay me enough to be a CISO, but I will answer your questions through an IANS research consulting call if you need help with something.
IANS publishes what is likely a more realistic CISO salary survey. You can read the latest here:
You can contribute to the next survey here:
CISO Compensation & Budget Benchmark Study | IANS Research
This year marks the third edition of our annual CISO Compensation and Budget Benchmark study, developed in partnership…
A CISO is obviously not an entry level job. You’re probably going to need to work in the industry for years to get to that level at a big company.
How many CISOs have cybersecurity certifications that have not expired? I don’t know. I’m guessing they are a little busy. That would be an interesting statistic.
What does a cybersecurity entry-level position really pay?
When I was considering switching from software to cybersecurity I inspected job postings and salary charts. The typical cybersecurity analyst made far less than a typical software programmer. What was I thinking trying to switch to a new field? With the help of Paul Henry, whom I met through SANS and acknowledged in my book, I was able to make it work. I have a passion for cybersecurity and really want to help people improve their cybersecurity knowledge and practices, so I made the leap.
I heard cybersecurity instructors at SANS talk about how much money you can make in cybersecurity. That depends on your experience and what it is, exactly, that you are doing in cybersecurity. Make sure you understand the different roles and review salary charts.
For those who want to make the switch without paying close to $50,000 like I did, consider how you might switch to a cybersecurity role in your current company. How long will it take you to repay that $50,000 versus trying to start learning and getting paid at the same time? You might not need a certification to get started. I’ve written before about how jobs in IT or on help desks can be a starting point to transition into a role as a cybersecurity analyst. Programmers and QA professionals can often transition to penetration testers or security engineers.
At the time I was researching, salaries for cybersecurity analysts were under $100,000 and I was making more than that. Moving into cybersecurity was definitely going to be a pay cut. In fact, as a cloud architect, my pay would basically be cut in half or more to become a security analyst. That wasn’t feasible.
When companies complain about not being able to hire people, maybe they just aren’t paying enough. But the fact is, they weren’t paying as much for a security analyst as for a software developer at the time. Now those two roles may be merging in some cases, which could increase the value both for the employer and the employee.
Is a degree worth it? It depends
Back to Ira’s comment on LinkedIn. If you are going to get a cybersecurity degree, consider the credentials and experience of the people teaching the classes. Have they worked in the industry, or is the college just jumping on the cybersecurity bandwagon?
I met a woman at my meetup when I was in Seattle who had just gotten a cybersecurity degree from a local college in a smaller town. I felt sorry for her because I went back and reviewed the program. The people running it had absolutely no experience in cybersecurity. A degree like that is a line on a piece of paper with little meaning. She can still make it work by getting the relevant experience. The degree shows she wants to work in cybersecurity. However, that degree alone isn’t going to make her a lot of money. It might even hurt more than it helps. Training from organizations like SANS and 2nd Sight Lab delivered by professionals working in the field will offer more credibility.
Although a school might not have leading industry experts, if they can regularly bring them in to speak physically or virtually and provide some training or guidance that can help. Check to see what sort of events and opportunities they offer and who is on their board of advisors. I was initially on the SANS board of advisors for their cloud curriculum and some of my material was in the initial class. I don’t know if it still is as I don’t teach there anymore — I teach my own cloud security classes. (And my website is currently way out of date because I’ve been too busy.)
Bringing in outside professionals to speak may help enhance the program. That reminds me — someone did offer to pay me to come to an event but I’ve been so busy I couldn’t decide at that moment. I need to revisit that request. I made a virtual presentation in the past for a school on getting a job in cybersecurity. You can check it out here and are free to share it via the video linked in this post:
So You Want a Job in Cybersecurity?
A video to help you understand some of the different types of jobs and work available in the field
Also, make sure the school gets you hands-on experience. That’s what gives SANS an edge over some programs. It’s why the GSE is such a great demonstration of knowledge. You can’t just read a book. You have to go take a two-day hands-on test. I do still use a few of the tools that I used during that test, though not all the information was relevant to my current work.
What do certifications (and awards) do for you?
Getting certified in the first place is great if you are new to the industry. A certification can definitely help you feel more confident in your skills. As a consultant or security auditor it is sometimes helpful to show that you have certifications and knowledge in a particular topic.
I recently taught an Azure security class to almost 40 auditors at a company and provided them with certificates for CPE credits at the end. CPE credits help the company and their auditors maintain their CISSP, which is another well-known security certification. The company can tell customers that all of their auditors have a CISSP, for example. CPEs can help people maintain certifications.
What’s the trade-off? All the time spent on studying for recertification is time that could be put to other use. I’m torn on this right now. In my case, all the things I learned at SANS were hugely valuable in obtaining a base of cybersecurity knowledge. However, in the end, a great deal of what I did to pass the GSE last time was mostly not relevant to the work I do every day as a cloud cybersecurity professional. For some people, it will be highly relevant and closely aligned with what they do. In my case, I focus on cloud security and none of that was covered in the GSE the first time I took it. Maybe it is now.
Some of the attacks I learned in penetration testing classes don’t work in certain cloud environments like the one I wrote about here:
Why one of your favorite pen testing techniques doesn’t work on AWS
One of the first techniques I learned for penetration testing was something called Arp Cache Poisoning…
I tend to be a bit forward looking in my research. I was writing and speaking about cloud security at SANS, in the papers and presentations mentioned here, when there were no cloud security classes:
In fact, SANS gave me an award for innovation in cybersecurity for this work in 2017, which I really appreciate. I am generally researching the next thing, not focused on the current state of the industry.
Ironically, my employer at the time did not see the value of the award so much. That was apparent by a subsequent turn of events. The award is very nice, but did it give me credibility? I have no idea. It certainly did not lead to a pay hike or appreciation from my employer at the time.
My boss said BlackHat training was better than SANS training. Note: He did not have any SANS certifications, I worked for him, and I was about to obtain my 9th certificate (because I had to at the time to get my degree, not because I love certifications). Could it be he felt insecure, or is he right? I don’t know because I never took a class at BlackHat. I didn’t really care. I wasn’t getting the degree for him or that job, I was getting it for myself. The award was an unexpected bonus.
Do the awards and certifications help me make more money? I don’t know. I guess they look good on a bio. Regardless, it’s a huge honor to be recognized. While I was at the event to pick up this award, a person responsible for that award asked me what I did so he could send referrals my way. I didn’t get any referrals. That’s OK. It’s still nice to be appreciated.
The same thing happened when I became an AWS Hero. I told my boss at the time, and he didn’t tell anyone else. Once again, I was wondering about the jealousy factor, but who knows. OK, I’m going to tell you all a story now that’s not going to sound very good and that I probably shouldn’t talk about, but this is pretty much how corporate America has treated me and why I’m not interested in going back.
Honestly, it was clear he didn’t like me because I was warning him about issues with a current project rather than being a “yes-woman.” I later turned out to be correct. I think he blamed me for sabotaging it, but I did no such thing. I tried to support the team building it but they clearly didn’t want my help so I didn’t butt in. I recommended that my boss get guidance from the security team which he did, and someone was trying to help them.
But in the end, one member of the team simply didn’t listen to my guidance on network IP allocations and blew up an AWS account. He’s no longer at the company. He’s not a bad person and I’m sure he learned from that experience and will do much better in the future. He was acting on the encouragement of my former boss and I wonder if he got thrown under the bus. I don’t really know. Besides that incident, I heard later that the project failed miserably. I had nothing to do with it as I was no longer at the company, and I am not happy about that. I tried to help prevent it. I wanted to help solve the problem. No one was listening. I could see it wasn’t going to work.
I also found out that person was saying negative things about me to my new potential boss at the company when I was trying to switch departments. It didn’t work. I eventually got transferred, but then I was recruited away for a lot more money.
I hate politics. My boss said I didn’t “play the game right.” What game? OK, I’m not stupid. I know the game. I just don’t like it. Awards and certifications don’t help me with all of this. Could it be that the awards and certifications made those around me feel intimidated and actually hurt me in an organization? I’m not sure, but one reason a company gave for their actions was that I was “overqualified.” Was that relative to my boss? Was I a threat? I didn’t want his job. Overqualified to do what? Provide value to an organization?
Yes, I could work really hard to try to fix everything everywhere I work and spend hours trying to explain and convince people that something isn’t going to work, but sometimes the effort just feels like it’s wasted and people never want to hear that something isn’t going to work. I’d rather just go somewhere else, which is what I did. Call me the avoidant type. I don’t like vying for position and trying to convince everyone to go my way. I just want to help the people who are willing to listen.
The company (or at least my boss at the time) didn’t seem to care if I was recognized for my contributions or not. I mentioned it to someone on my team as I was leaving the company where I worked at the time — Capital One — and he was excited about it and told a few people. I may have written a blog post on my way out the door.
Most people, even at AWS, don’t even know what an AWS Hero is. But my husband likes to drink out of the glasses they sent me :) and one of my favorite things at AWS re:Invent is the AWS Heroes dinner and the people who run the program. That and Werner Vogels’ keynote are probably the main reasons I attend, though I’m also re-evaluating this expense now that I’m coming from the East coast. I actually got to have dinner with Werner Vogels and about 20 other CTOs one year at AWS re:Invent and that was pretty cool. I’ve always admired his work and linked to his blog a long time ago on an old programming blog I used to write. So it did open the door to some really interesting experiences and amazing people.
Teri Radichel | AWS Community Hero
Teri Radichel has helped 1000's of companies with cloud security through consulting, writing, research, and training…
I don’t go after awards to earn a living or make more money. In some cases I see people lobbying for awards, and some of them seem more like popularity contests than anything else. I don’t put too much credibility into awards for that reason, even though I have some. In both cases, I didn’t even know those awards existed. I thought the AWS Heroes email was phishing initially.
The certifications have impressed a few people who understand how hard they are to obtain. But not everyone does. Some people try to knock people down for listing certifications. I usually notice those are the people who don’t have them.
Certification. To renew or not to renew.
My GSE expires in about one year. Should I renew? I’m just rolling off so much work I didn’t have time to think. I have a minute. I imagine I’ll have to spend hours and hours writing up lists of terms and practicing with tools I don’t use regularly to pass. It would be a really interesting experience but will definitely take some time. I just talked to someone who failed to pass on the first round because he got sick and couldn’t put enough time into it. He passed the second time.
The question is, what else could I be doing with all those hours? I could be investing them into a new project I want to work on and write about. I just finished the start of a new pentest reporting engine. This engine could also be used for cybersecurity metrics reporting — a topic I wrote about in my book and recently spoke about at an IANS research event. I’m even pondering some open source code related to that and future presentations. I haven’t spoken at the big conferences lately because I haven’t felt like I had the time to do some good research into a new topic.
The last presentation I gave at RSA before the pandemic hit was on a fuzzer I used to pentest APIs. I want to further that research and incorporate the results into my reporting engine. I’m also working on some pretty cool enhancements to that fuzzer. I want to help people with cybersecurity metrics through writing and open source tools. I need to finish the work I started on helping people with their home networks and maybe some bug bounties if I ever have time.
If you want to see what I’m working on at the moment in relation to batch jobs for cybersecurity check this out:
How Batch Jobs Can Help Cybersecurity
Batch jobs for penetration testing, security metrics, incident response, and more
Clearly I haven’t made up my mind yet. A part of me feels that I’ve made such an investment that I should just renew it. Another part of me feels like the recertification process is just a revenue stream for companies that offer that service, and the question is — will the recertification drive any revenue for me personally versus other things I could be spending my time on? It’s definitely not that I can’t do it, assuming enough time and the systems don’t go down like they did during one of my SANS certification attempts in Seattle. I still passed, but I think my score was at least a couple of points lower. What to do, what to do. I’ll decide later.
© 2nd Sight Lab 2022