Do you really need to get cert’ed up?

Claude Mandy
Twenty 20 hindsight
5 min read, Apr 2, 2019

Opinions expressed are solely my own and do not express the views or opinions of my employer

I was really humbled by the number of people who took the time to read, comment and like my recent post about Starting out in security. I hopefully inspired a few people to take a few steps closer to a career in security, but more importantly the feedback inspired me to write another post aimed at helping others starting out in this industry. The one area that seems to generate an awful lot of questions is certifications, and particularly whether they are worthwhile pursuing at the early stage of your career. A seemingly simple question that is remarkably contentious! So what better topic for my next post!

So um… well it depends…

That may seem like a little bit of a cop-out — but of course it depends! It depends on you mostly, but there are a couple of factors that in my opinion can help guide you and that you should consider.

What else could you be doing?

The time and effort of doing a certification can be considerable and that time could be spent doing something else to further your career or contributing to some other aspect of your life.

Thinking about what you could be doing instead and really understanding the opportunity cost of the certification is the most important bit of advice I can provide. Rather than a certification, there may be other opportunities that might benefit you more in the long run — perhaps obtaining practical experience in your area of interest, spending time with a mentor and getting valuable exposure to the ins and outs of the industry, browsing through resources or figuring out tools you might need to be successful (this could include books, online resources like Cybrary, Udemy or even Peerlyst, new technology, etc.) or obtaining other tertiary education. All of these could be more beneficial to your career.

To really understand the opportunity cost, you should explore these alternatives and also be very clear on what you are trying to prove by doing the certification.

What are you really trying to prove?

People do certifications for numerous reasons — most commonly to prove they have the knowledge, experience or even sometimes talent (mistakenly) in a certain technology or practice area.

In my opinion, a certification is generally a great way to prove knowledge in a certain technology or area, and incredibly useful where you may want to highlight your broad and deep knowledge in certain areas.

Certifications can still be effective in terms of proving experience, particularly with those certifications that require some form of sign-off on your experience. However, you should realize that this is really no different from a reference check on your career experience as outlined on your resume.

The worst use of a certification is attempting to use it to prove talent or skills. Sadly, some hiring practices mistakenly think it can be a measure of exactly this, and exclude a lot of skilled and talented individuals by having it as a prerequisite to entry-level roles.

NOTE TO HIRING MANAGERS: please do look at your prerequisites for entry-level roles and think deeply about whether you really are looking for that much knowledge or experience or are willing to take a chance on talent.

A great example of this is if you’re wanting to get into the offensive side of security, e.g. ethical hacking, penetration testing or red teaming. A certification like CEH (Certified Ethical Hacker) will prove you have the theoretical knowledge and understanding of what is involved, but won’t demonstrate that you have the skills to actually successfully conduct a penetration test. This is really an area where you need hands-on experience, and you would be better served in your career by getting that invaluable practical experience rather than just being able to speak the lingo.

Does everyone else have it?

Having said all that, the security job market remains highly competitive.

So on one hand, certifications may be a great way to stand out from the crowd; but on the other hand, you may need it simply to keep up with the Joneses.

Completing a certification to prove that you are as good as everyone else is unfortunately a very valid reason to complete a certification. So you should definitely look out for certifications when researching your next role. LinkedIn is a great place to research — check out people in similar roles and job ads for those roles to get a feel for whether a certification is an implicit or explicit prerequisite.

Who is footing the bill?

Obviously it helps the decision-making process when someone else is paying for it — it helps a lot actually. Certifications are generally not cheap — perhaps a topic for another day or another rant.

I’ve been fortunate enough that some of the great companies I worked for early in my career were willing to sponsor my professional education, including a number of certifications.

Most companies would similarly have some amount of budget set aside for staff training — so don’t be shy about having this conversation with your current employer.

CFO: What happens if we train them and they leave?
CEO: What happens if we don’t and they stay?

You don’t need to get into specifics — it might start off as a conversation that you’re thinking about doing some additional training or education and you were wondering whether they offer any support.

What about the certification itself?

Choosing a certification is a topic all on its own, and perhaps something I will explore in later posts. In the meantime, if you decide to get certified, there are plenty of other blogs aimed at helping you choose a certification that is right for you.

Hopefully this advice on its own is useful in making the decision about whether a certification would be the right choice for you early on in your career.

Don’t be afraid to reach out to me personally if I can help out in any way in the meantime.

Claude Mandy

Australian from the Namib desert. A thirst for knowledge. Chief Evangelist www.symmetry-systems.com ex-Gartner and former CISO