To Be, or Not To Be— Certified? That Is the Question. Or, Is It?

By Rick McElroy

I’m lucky. I get to fly all over the world and talk to security teams of all sizes. Regardless of the technology discussion at hand, the one question I seem to get asked the most is, “What certifications should I go get?” A close second is, “Are they worth it?”

I know people who are heavily certified, not certified and currently pursuing certifications. And guess what: All of them are really good at InfoSec. Lots of people were doing InfoSec before it was cool and just never had to prove they knew what they were talking about. For those who are new to the game, many of us having been in the cybersecurity field since the 90’s, and a handful of others have been doing this since even before then. Yes – InfoSec was a thing in the 70’s and 80’s.

I will frame this discussion for those of you who started your careers more recently, and who likely will have to enter your career through the front door, with the proper credentials.

To be, or not to be— certified? That is the question.

In an effort to gather insights from far and wide, I recently asked for the InfoSec community’s thoughts on LinkedIn. My post had over 10,000 views and tons of responses. I hope the collective wisdom, experience and the thoughts of the community help you make a good decision when it comes to certification.

Why get certified?

To help move your career ahead.

This is one of the recurring themes from both the LinkedIn thread as well as conversations I have with industry insiders. For new InfoSec professionals, certifications are resoundingly recommended as a great way to break through HR hiring barriers. HR has a checklist of experience and/or certifications, and right or wrong, if you don’t play the game you will probably have a hard time getting your start in the industry. This is not an absolute rule, but if I were starting my career today I would certainly go get certifications. I may have entered the industry years ago, but that’s exactly what I did at the time. I have held numerous technical, management and leadership certifications over the course of my career. Some I still list on my résumé (CISSP, CISM, CRISC); others simply aren’t applicable to my job any more (CCNA, CCA, MCSE), and others were for vendors that aren’t around anymore. Yes, I have held SUN Solaris certifications and those are almost useless today. The experience gained, however, even with now obsolete certifications, is irreplaceable.

Ultimately, certifications show other people in your industry that you understand a body of work enough to test on it. That’s it. The value of a certification changes over time, and some continue to hold more value than others. Ask anyone who put a bunch of work into becoming an MCSE back in the day only to realize the test was weak and everyone suddenly had it. If everyone is getting a CEH, does it make it that valuable in the end? You may “need” to do it to get a job at first, but how relevant is it after you achieve good work experience?

Some certifications are “prove it” certifications like the OSCP. Most consider this a great certification for security testers and ethical hackers because the barrier for achievement is high. You can’t do a two-day bootcamp and pass this one. I’ve known really good pros who fail it a couple of times before passing. As they state, part of the test is to “try harder” and learn what you don’t know to pass it. Personally, I love this model.

In general, the fewer number of people that have a cert (if it’s been out for awhile) the more valid the certification becomes, and that in turn increases your competitive edge, of course. Never put all your eggs in with just one accrediting basket. Seek out hard certifications. Coursera is a great place to learn more about the today’s most relevant certifications.

For the pure joy of learning and measuring growth.

If you are going to have success in this career you should constantly be pushing yourself to learn new things in the field. Does this always translate to earning a new certification? Not necessarily. Taking classes to keep up on the industry is how you stay relevant and stay up to date. This simply must occur and it isn’t enough to study for certifications. Is there a certification on Machine Intelligence applied to Threat Intel or insider behaviors? No, but there certainly are tons of classes that can help. Tons of books, too. Education and growth should be about making yourself better at your job, regardless of whether or not it comes with a piece of paper at the end.

Someone told me to go get this certification.

The encouragement to gain further certifications can come from a friend or an employer, but in either case, this is a major reason pros go get certified. If the recommendation is from a trusted friend or colleague – go for it. And if it’s your boss, hopefully you have a great employer who will assist you in investing in your growth and knowledge.

There are some things I caution against when it comes to certs.

Don’t falsely think that certifications replace work experience.

They do not. This job takes seat time, and there are no shortcuts for great experience. It’s why experienced pros probably feel less inclined to go get certifications.

Get certifications in the specialties you want.

If you want to become expert at Incident Response, taking a CISSP will probably have little value. SANS certifications, though? That’s a different story. If you want to go into program building and InfoSec management, spend your time going for the CISSP or CISM. For Pentesters, the CISSP doesn’t mean much; in that case, the OSCP is a much more sought after certification.

Don’t just collect certifications to collect them.

If you are doing it to be educated, great. If you are doing it to somehow keep score, I don’t think that’s a sound motivation to get certified. Also, if you have more than a couple certifications, I suggest skipping the long line of acronyms behind your name on your business card – just include the few that will make you stand out.

If you are new, I hate to say it, but the certification game is real and is a thing.

Figure out how to best use the system around you to further your knowledge and career, and less time whining about how the system works. To be in a position of power to change that status quo, you’re probably going to need to make it pretty far in your career – and that will require you getting in the door with a few key certifications.

It's all about balance.

My advice is to balance experience with specialty-appropriate certifications and career-long learning. That will set you up for a successful career – one that is satisfying to you, and at the same time one that provides greater security to the organizations who put their trust in your expertise.

About Rick McElroy

Rick McElroy, security strategist for Carbon Black, has more than 17 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has performed services for the U.S. Department of Defense, and has held positions in several industries, including: retail, insurance, entertainment, cloud-computing, and higher education.

More About Rick