To Cert or not to Cert?
To Cert or not to Cert? Yay or Nay?
Okay hear me out … I have no issues with getting certifications in Cybersecurity.
I think they are a great way to baseline your knowledge AND prove that you have the requisite knowledge needed for an exam and possibly the role.
If you are newer to the field then getting a few certifications under your belt will definitely help.
That being said, the saying goes: “Certs will get you the interview, but skills will get you the job.”
In other words, certifications can help you land the interview but ultimately you will have to pass those interviews to be able to land the job.
The problem here is when people become certification-churning factories, doing one cert after another and thinking this is the ultimate path to get in the field or for career growth.
If I am interviewing someone, see their resume, and see 5+ certs in a short span of time, it raises some eyebrows. (Mainly if they are entry-level certs)
Ask anyone who has conducted interviews at scale about this.
It could point to an abundance of theory and a lack of practical knowledge (and cert dumps are common nowadays as well), and we’re not even mentioning GenAI here.
If you are pursuing a certification, then you have probably heard of the CompTIA, SANS, AWS, and GCP certification bodies. All of these differ in what they are aiming for, but we’ll briefly discuss what they look like.
CompTIA Security+
The CompTIA Security+ certification is an entry-level certification that is for professionals who are newer to the cybersecurity field.
The certification covers essential cybersecurity concepts, including network security, governance, risk, and compliance, threats and vulnerabilities, access control, and identity management.
The exam consists of 90 multiple-choice questions over 90 minutes, and candidates must achieve a score of 750 or higher to pass the exam.
GIAC Security Essentials (GSEC)
The GSEC certification, and the SANS certs in general, are sought after in the field.
The certification covers essential security concepts, including access control, networking, cryptography, and risk management. To qualify for the exam, candidates must complete a training course or have at least one year of work experience in information security.
The GSEC exam consists of 180 multiple-choice questions, and a score of 73% or higher is required to pass the exam.
Note: I would recommend pursuing this certification but only if your employer/school is covering the cost.
AWS Cloud Practitioner
This certification covers essential AWS cloud concepts, including AWS core services, security, pricing, and support. For the exam, candidates must have at least six months of AWS cloud experience.
The exam consists of 65 multiple-choice and multiple-response questions, with a passing score of 700 or higher. It is the entry-level cert for AWS.
This was an overview of some of the most pursued certifications in the field.
However, if you are already a certified professional, then instead of only focusing on the next certification, focus on these skills.
Problem-Solving
No certification is going to prepare you for some of the non-technical challenges you will face on the job.
From management who might be too far removed from the hands-on work, to the cutting of budgets ... you need to have the soft skills necessary to succeed in the long term.
Cybersecurity often requires you to deal with unexpected and unique types of problems that a certification will not cover. You will oftentimes be in uncharted waters.
Start building a growth mindset that helps you to see problems as learning opportunities rather than issues to solve.
Problem-solving improves with practice and is a skill that you need to develop over time.
You can use problem-solving frameworks like the 5 Whys, which give you a structured approach to problem-solving, and start applying them to Cybersecurity problems.
Another tactical thing you can do is check out operator-run newsletters.
These offer more real-time and accessible knowledge to readers than most books. Think about it, you’re getting weekly (or some other cadence) posts about something practical in the field you want to learn more about.
Who better than the practitioners themselves to learn from?
See how they approach problems and challenges.
Some examples of newsletters of this kind to check out:
Software Design: Tidy First?
For Software Architecture and the creative thinking needed
The Cybersecurity Pulse
For security startup market news and coverage
Communication skills
Easily one of the biggest issues with Cybersecurity professionals starting out is their lack of communication skills.
Certifications probably won’t teach you how to explain technical issues to non-technical people. It is essential to be able to articulate these problems in a way anyone can understand.
If you can only explain the technical pieces to an engineer, or you can only explain at a very high level for management, then you will only get so far.
When you have to write a project plan or a post-mortem review, you will need to be able to communicate this to different audiences.
If you can effectively communicate verbally, AND through writing, you’re going to be okay. The technical skills will come.
Technical skills
Security and privacy risks are evolving at a fast pace and certifications won’t always be up to date.
Whether it be Cloud Security, Detection writing, or Python, there is always something else to learn in this field.
Apart from learning about new technologies, there is a major shift in Cybersecurity due to AI and how much of an impact it will have in the future of work.
Again, there is no issue with studying and getting certs, it’s just the continuous churning of them that might cost you in the long run.
There are plenty of subreddits and forums that go deep into this topic, and whether it is mostly good or bad, I’ll leave that up to your discretion.
Wrapping Up
In the end, it’s an individual decision, and an investment, if you want to focus your time on pursuing certifications.
Remember, certs can get you the interview, but skills will get you past the interview.
Hope this helps in your decision making for where to place your focus.