Security Certifications: Choose Your Own Adventure

Security certs are a hot topic in the security community. The pro-cert and anti-cert camps are both strongly opinionated about where they stand in the “to earn or not to earn a cert” conversation. We talked with some of our Bishop Fox colleagues and got their opinions on the topic, based on their individual experiences. If you’re currently sitting on the fence about whether you should invest the time and money into earning a security cert, we hope this guide will help you make a well-informed decision that proves best for your situation.

THE PROS OF EARNING A CERT

• You can learn a lot from studying for a security cert. Take for example the Certified Information Systems Security Professional (CISSP) cert. One Bishop Fox CAST Operator who earned this specific cert called it out for “opening my eyes to the breadth of work opportunities in the security field, and reassured me that the path I was going down (technical and not policy-oriented) was the right place for me.” Studying for a cert can help you consider your career path to get to your desired long-term goals. Plus, if you prefer a guided approach to your learning and want some help gathering useful resources, earning a cert can serve you better than more free-form training.

• A security cert can help you stand out in your career. This is particularly true for more entry-level folks who are trying to get their application to rise above the rest. Security is becoming increasingly competitive as the field matures and having at least one cert to your name as you start your job search can work in your favor. According to a Bishop Fox consultant, lacking at least one cert in your beginning security career stages “can put you at a disadvantage.” This is one person’s experience, but it bears keeping in mind.

• A security cert shows that you are willing to do the immense amount of work involved with earning one. Usually, getting a cert means hours of study that could take up weeks to even months of your life. Doing this on top of work and/or school and having a personal life is a challenge. Having a cert says volumes about your passion and dedication to your security career.

• Finally, if you’re employed, it’s possible that your employer will help you pay for the cert. This is a great way to maximize your training budget, especially with most security conferences being virtual (and therefore less expensive) these days. For example, the much-coveted Offensive Security Certified Professional (OSCP) will cost you at least $1200. Other certs aren’t far off price wise, so if you can get your job to cover expenses, then by all means accrue as many certs as you can.

THE CONS OF EARNING A CERT

• Like we said earlier, you will likely need to set aside thousands of dollars and numerous hours to obtain a security cert. If you don’t have the money to spend or the time available – and your employer won’t help with the bill – then you probably want to skip earning a cert.

• There’s a lot of discussion in the security community about some certs simply being attempts to scam people out of money. Here’s an example of said discussions on this topic; we’ll let you be the judge, but it’s worth seeing what other people are saying.

• For some people, a security cert may not help much with professional advancement. Then you’ve invested substantial money and time in a cert that will do little for you other than adding “alphabet soup” to your résumé.

• Many of these certs need to be renewed, which can lead to additional time and money spent on them. The need for renewal is understandable since continuous learning is key to being a successful security professional. The organizations issuing the certs want to ensure you are up to date with developments in security (like new attack vectors and emerging threats). But if you think that periodic renewal will only be annoying and costly, then steer clear of certs (or at least any that will require renewal).

• A cert is designed to show that you have a solid base in a certain subject; it is not designed to show that you know everything about a subject. This is why in some cases renewal is needed.

Now, this is where this guide becomes a security cert “choose your own adventure.” If you are still interested in getting a security cert, keep reading for a breakdown of some of the most popular and common certs. But if you are not sold on getting a cert, then fast forward to the So You Decided NOT to Get a Security Cert section, where we’ll discuss alternatives to earning a cert that can still help boost your skillset and make you more appealing to potential employers.

POPULAR AND COMMON SECURITY CERTS

CEH. The Certified Ethical Hacker (CEH) is issued by the EC-Council, a security training-centric organization. The CEH is a good “starter” cert, so it’s a perfect option if you’re just getting your feet wet in security. Once you have the CEH to your name, you can then move on to more advanced certs like the OSCP and SANS certs. You can attempt to earn a CEH with or without official training from the organization. If you choose to forgo the training, you’ll need to pass an application process before taking the official CEH exam. You’ll also need to show proof that you have two years of security experience. The proctored CEH exam is four hours long, and costs approximately $1200. Once you become a CEH, expect to renew your cert every three years for $80.

The Offensive Security Certs: OSCP/OSWP/OSWE/OSED/OSEP (formerly OSCE). This group of certs is offered by the Offensive Security organization, which is responsible for popular security projects such as ExploitDB and Kali Linux. Easily the most well-known of the Offensive Security family of certs, the Offensive Security Certified Professional (OSCP) is highly sought-after. It costs anywhere from $1200 to $2148 depending on the package you pick. You’ll need to complete a 24-hour proctored exam in a lab environment to obtain this cert. The OSCP exam is fairly difficult for anyone who is just starting out in security, but the good news about the OSCP is that it doesn’t require renewal. You’ll spend a significant amount of time preparing for the OSCP – anywhere from several weeks to several months.

If you’re looking for a cert to show your prowess as a pen tester, then simply scoring an OSCP will be enough. However, if you wish to get a more specialized cert(s), Offensive Security has some additional options. The OSWP – the Offensive Security Wireless Professional – is less expensive than other certs, but more for folks interested in network pen testing or wireless security. Meanwhile, the OSCE (Offensive Security Certified Expert) was the next step after the OSCP, but it’s been retired as of 2020 (although the cert remains valid for anyone who previously earned it). The OSCE has since been broken into smaller certs: the OSED, the OSWE, and the OSEP. The OSED (Offensive Security Exploit Developer) is an “intermediate exploit development cert” that will cost you $1200 - $1500. The OSWE (Offensive Security Web Expert) consists of passing a 48-hour proctored exam and will run around the same price as the OSED. And the OSEP (Offensive Security Experienced Penetration Tester) is similarly priced to the OSWE/OSED and earned by passing a 48-hour proctored exam. Like the OSCP, none of the other Offensive Security certs require renewal, so once you are certified, you’re set for life.

CISSP. One of the older security certs available, the Certified Information Systems Security Professional (CISSP) is a cert you’ll want to get if you aspire to be a security leader. This cert is intended to teach you how to “effectively design, implement, and manage a best-in-class cybersecurity program.” So if that sounds like something that aligns with your long-term career objectives, you’ll want to pursue the CISSP. It’s also worth noting that this is a cert more geared for those in the mid-level or senior stages of their security career, especially since you need five years of relevant experience in “two or more of the eight domains of the CISSP CBK” to even take the exam. Issued by the International Information System Security Certification Consortium or (ISC)², a CISSP will cost you a few thousand dollars in official training materials. The exam itself is priced at about $700 and lasts for six hours. As far as the overall time commitment, the CISSP seems to average people a few months of preparation. But once you earn the CISSP, you must pay dues to keep it ($85 per year). After three years, you’ll either need to retake the exam to renew your CISSP or you’ll need to invest in continuing education instead.

SANS GIAC Certs. SANS is one of the most reputable names in security training, so it would make sense that their certs carry a lot of weight. Some of the most in-demand SANS certs are the GIAC Penetration Tester (GPEN), GIAC Web Application Penetration Tester (GWAPT), GIAC Security Essentials Certification (GSEC), and the GIAC Cloud Penetration Tester (GCPN). The GPEN, GWAPT, and GIAC’s purposes are more self-evident: They’re technical deep dives into penetration testing. The GSEC though is meant to cover an array of security areas, like cryptography. These certs tend to be a similar difficulty level to the OSCP. The GPEN is approximately $2500, and should take about four months to complete. The GSEC is the same price and roughly the same timeframe, as is the GCPN and the GWAPT. All of these certs will require continued renewal.

These are only a handful of the numerous available security certs out there. Something to keep in mind as you research and consider certs – no matter what kind – is that earning a cert is more of a means to an end than an actual end. All of these were created to help security professionals stay relevant in a constantly changing industry, and to help substantiate their expertise. Continuous learning, though, is not only limited to the realm of certs. There are many other ways you can add to your “security portfolio,” and stay on the cutting edge of the latest developments in the industry.

SO YOU DECIDED NOT TO GET A SECURITY CERT

You can entirely bypass earning any certs and still have a satisfying security career – and attract the attention of prospective employers. Here are some alternatives for bolstering your pen testing skillset (no matter what career stage you’re in) without devoting time and money to certs.

• Become intimately familiar with the OWASP Top 10. If you want to become an expert pen tester, one of the best places to start is gaining a deep familiarity with the OWASP Top 10 list of vulnerabilities. This will give you the fundamentals you need for success, as it will help you understand the most prevalent issues encountered in the security space.

• Participate in bug bounty programs. Get involved with one of the various bug bounty platforms once you’re more comfortable with your pen testing skills. There’s no better teacher than experience, and one of the best ways to gain experience as a hacker is the wonderfully legal world of bug bounties.

• Earn CVEs. This goes hand in hand with bug bounties, but having a few CVEs to call out on your résumé significantly substantiates claims of your pen testing abilities. And don’t fret if you’re not finding the most glamorous 0-days right out the gate; even accruing low and medium-risk bugs is still a useful way to get started.

• Author blog posts. Having a few write-ups to your name will nicely illustrate both your passion for and understanding of security. Don’t pressure yourself to focus on novel research or groundbreaking techniques – even a well-written piece about a common vulnerability has value.

• Speak at conferences. This might be out of your comfort zone, but give some serious consideration to submitting to conferences. You can always recycle a blog post as a compelling presentation, and you don’t need to focus on the DEF CONs and the Black Hats – even speaking at smaller conferences and meet-ups can add some color to your security CV.

• Engage in the security community. Nowadays, there are so many ways to connect with other security professionals. Social media is a great asset on this front; infosec Twitter is fairly active, and there are countless security Discords, Slack channels, and subreddits you can join to broaden your horizons and expand your network. (Of course, we’d be remiss not to mention our own: /redsec subreddit and the redsec Discord server).

• Devour relevant resources as you find them. Online security courses like those offered on Udemy and Coursera, CTF platforms such as VulnHub and HackTheBox, books on security topics, and even talks from yesteryear’s security conferences can all prove beneficial in further fine-tuning your skillset.

There is no right or wrong answer to the question of whether it’s worth earning a security cert(s). It’ll really come down to what is best for you. If you’re still somewhat unsure, here are some final things to consider before making a decision:

• Working toward a cert will require a commitment of your time, money, and mental energy.

• Some certs have less-than-savory reputations; do some research into your cert(s) of choice to see what other people are saying to ensure you’re not shortchanging yourself. However, If you’re choosing an older more well-known cert like the OSCP or CISSP, you are likely in the clear.

• Certs aren’t the sole gateway of gaining knowledge in the ever-changing world of security. Although they are incredibly robust as resources, as seen above, there are other avenues you can take as well.