EPISODE 55
WHICH CYBERSECURITY CERTIFICATIONS SHOULD YOU GET?

WHICH CYBERSECURITY CERTIFICATIONS SHOULD YOU GET?

About this episode

In this episode, we are focused on the ever-divisive question of the importance of certifications in the cybersecurity industry. The answer to this question has changed over time from certifications being unimportant, to them being extremely important, to well, it depends.

 

Certifications can be extremely important for several reasons, including their ability to help your resume get through the Applicant Tracking System (ATS) filters used by the human resources and recruiting team, but they are not a silver bullet that will instantly land you a job.

 

As Jason Dion (Lead Instructor of Dion Training) shares with us in this episode, certifications can be your ticket to getting an interview, but they alone won’t get you the position. That said, without having that certification on your resume, you can easily be filtered out of consideration before a hiring manager even gets a chance to look over your resume. This makes having the right certifications and experience imperative if you want to land your dream cybersecurity position.

 

Just as a certification isn’t a substitute for a college degree, you will also learn that a college degree is not a substitution for having the right certifications. This is often not an “either-or” thing, but a “yes-and” type of thing that you must achieve for many cybersecurity positions.

 

What you’ll learn

  • Why certifications are important in the cybersecurity industry?
  • Are certifications or experience more important to a hiring manager?
  • Are certifications or college degrees more important to a hiring manager?
  • Which certifications should you be getting to advance in your career?
 

Relevant websites for this episode


Episode Transcript

Kip Boyle: 

Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m here with Jason Dion, our new cohost, and we’re experienced hiring managers of cybersecurity professionals. So today we’re going to help you know which cybersecurity certifications you should get. And Jason is the certification expert here. So I’m so glad that he’s with us. And I’m so glad that he’s going to walk us through this whole question of what certifications do I need.

Jason Dion:

Yeah. So we’re going to talk about certifications here today. And the first thing I want to say to the audience is make sure you realize I’m not here to sell you on certifications. That’s not my goal here. If you want to buy them, that’s great. I sell them. That’s fine. But I’m not here as a sales pitch. So just want to put that out up front. I want to tell you why certifications are important, which ones are important, and if any of them are really important, and why you should really start going towards these things.

And I want to be up front with you guys here because I’m going to talk about all the reasons these things are important from the side of a hiring manager, as I’m looking at your resume or going to interview you. But remember, certifications aren’t like Pokemon cards. You don’t have to collect them all. And I see a lot of students making that mistake. So I just want to make sure we talk about that as well. So as Kip said, my business is certifications. I’ve helped 3 to 400,000 students in the last couple of years to be able to pass their different certifications. And so, yes, I think certifications are important, which probably brings up the question, Kip.

Kip Boyle: 

Yeah. Well, but let me first… Before we continue with the material that we want to cover, I just want to be super, super clear about something you just said, which is it actually is in the best interest of Dion Training Incorporated for people to get every certification under the sun. Right?

Jason Dion:

Yep.

Kip Boyle: 

Because then they can buy all the prep courses from you and that’s going to make your business take off. But today, you’re wearing your hiring manager hat, and from that position, you’re telling people like, “No, you don’t need every certification under the sun.” So all right. So let’s unpack that. First of all, let’s be clear. Why are certifications important, Jason? Why do they even exist?

Jason Dion: 

Yeah. So certifications are really important, especially in the hiring side. So when you think about the way hiring works, generally you’re going to have somebody who says, “I need a new position.” So they go and they get the budget, they get the position description approved, and they send it over to HR. And HR goes out and finds you candidates. The problem is HR doesn’t understand cyber. They don’t understand IT. So it makes their job really easy when they can say, “Hey, I need somebody who has a CISSP. I need somebody who has a CompTIA Security+. I need somebody who’s ITIL Foundation certified. Whatever that thing is, it makes their job easy. And so employers love it from that perspective. Another reason employers love it is because it tells them that you’re current and you’re still relevant. Now, what I mean by that is this. Kip, tell me. When did you graduate with your college degree?

Kip Boyle:

Do I really have to say it so loud? It was in 1990.

Jason Dion: 

1990. Have computers changed since 1990 just a bit?

Kip Boyle: 

Just a bit.

Jason Dion: 

Just a bit, right?

Kip Boyle:

And I can’t resist telling you that the internet has changed too, by the way.

Jason Dion: 

Yeah. 1995 is when commercial internet really started. Before that, it was the DOD and it was academic institutions, right?

Kip Boyle: 

And you were not allowed to sell anything online. And when I first started using the internet, God, I feel old saying this, but there wasn’t even a domain name system. You had to go download the hosts file, the hosts file for the internet.

Jason Dion: 

And I have a similar background there. Not quite as back as 1990. I didn’t realize you were that much older than me, Kip. Geez.

Kip Boyle: 

All these things that come out when you start a podcast with someone.

Jason Dion: 

I’m telling you, man. But yeah, so I graduated with my first degree in 2005, which was actually in human resources. And my master’s degree is in IT with a specialization in information assurance, which we now call cybersecurity. But that was 2011. And in 2011, that was my master’s degree. And I was very relevant in 2011. But if I had done nothing else this 2011, what I learned is not really relevant anymore.

When I went to school in 2011, we didn’t even talk about cloud servers, for instance. That wasn’t a thing. And now that’s everywhere. And so this is why employers like certifications because unlike a degree, certifications expire usually every three years. And by doing that every three-year renewal, they either know that you went back and retook the exam, showing that you’re still relevant, or you’ve done continuing education such as when you have your CISSP, you have to do 40 hours per year of continuing education, and that’s a chance for you to learn something new and keep your skills current. And so this is one of the reasons why employers really like certifications in this world.

Another reason they’re really important is, again, going back to the hiring manager side, before the resume gets to the hiring manager, it goes through a little three-letter system known as ATS, the applicant tracking system. And guess what? Those things use machine learning and filtering to go through resumes and take it from the thousands of resumes that got for that job down to the 50 or 60 that are going to actually be looked at by a hiring manager. And one of the ways they do that is by looking for certifications. So these are the kinds of things that make it really important. And if you don’t have the right certification on your resume, guess what? You’re not going to make it through the filter and somebody like me or KIPP is not going to see your resume no matter how good it is because of the position description said, you must have a CompTIA Security+, and those words aren’t on your resume, it’s never going to get in front of me.

Kip Boyle: 

Well, certainly not if it goes through applicant tracking. Now there’s other ways to get a resume into a hiring manager’s hand. But for today, let’s just continue to focus on how certifications can open doors through the traditional channel through human resources. I got to say, as a hiring manager, I really like the aspect of continuing education. I mean, that’s really the value that I see there. I’m not all that interested in its function to get through HR gates. And I know people really find that to be an awful thing like, “You mean I got to go earn this certification just so I can get through this HR gatekeeper?” Yeah. I mean, yeah, that’s one reason. But don’t forget, the other reason is because it’s also a signal to me, the hiring manager, that you are current, and I like that. I actually think there’s value in that.

Jason Dion: 

Yeah. One of the other things, this is going to go again between the difference between my background and your background. You’ve been in the commercial sector for the last 20 years. And so certifications are looked at differently in the commercial sector than the world I’m in. I come from the defense, military, and contracting world. And in that world, we have an instruction called the DOD 8570. And in that instruction, it specifically says, “For this position, you must have this certification.” And so if you don’t have that certification, you have to get it within six months of being hired or you lose your job. So what happens is a lot of people don’t even want to hire you unless you already have that certification because they don’t want to risk onboarding you, getting comfortable with you, and then having to fire you six months later. So it is something that becomes very important as far as if it’s in the regulations and in the hiring instructions of that organization.

Kip Boyle: 

That’s a great point. It’s completely discretionary for private industry as to whether they are going to require certifications at all and which ones. And you’ll find that different employers are going to require different certifications for the very same jobs that they’re hiring for. So that’s a really important thing you have to pay attention to.

Jason Dion:

Most definitely.

Kip Boyle: 

Okay. So that’s why certifications are important. So now let’s shift the conversation and let’s ask this question because I get asked this questions a lot. Is it more important that I have certifications, maybe a lot of them, or is it more important that I have experience? And so people sometimes think of that as like an AB switch, but what do you think, Jason?

Jason Dion: 

Yeah, so it can be an AB switch depending on the amount of experience you have. So if you’re somebody who’s been working for 20 years in the industry, you are probably going to be able to get a job without having a certification because you already have 20 years worth of relationships. If I’m looking for a job, I can call up Kip and Kip’s going to be able to go, “Oh, I know Jason. He’s awesome. Even though he doesn’t have his AWS certification, I know he can do that job. Let’s put them in that job anyway.” So in that case, sure, you don’t need a certification necessarily because you’re going to bypass the ATS system.

But when it comes down to it, while experience is primary, even with experience, a lot of companies want to see that you have the certification going back to, are you current? And this is an objective measure of can you do a job or know about job functions that everyone is on the same playing field. So it’s almost like when you applied to college, you had to go get the ACT or the SAT. And based on that, they could compare everybody on the same playing field because everybody had a numerical score that made it very easy to compare.

Kip Boyle:

Right. And although we know that there are inherent biases in there and that stuff’s getting worked out, I think that’s an important thing to keep in mind is when it comes to hiring people, if you have to hire a lot of people, well, you’ve got to find some way to scale that process of hiring people. And this is one of the ways that do, in fact, scale our hiring processes.

And I’ll add too that I got my CISSP in 1997. And by 2010, I had accumulated enough continuing education credits that I could keep it valid until 2013. And then when that time rolled around, I had to make a decision if I was going to go continue to keep my certification current. And I made the conscious decision to not keep it current anymore, and I did it for the reason you just described, Jason. By that point, I had accumulated so much experience and I had such a network of people that I knew in the industry that it didn’t matter anymore. It did not matter in the slightest whether I had a current CISSP or whether I could just say I had one and I kept it active for this long, and I don’t even bother to keep it active anymore. And it just wasn’t a thing anymore.

Jason Dion:

Yeah. I’m on the other side because I’ve been in this government, military, DOD world for so long that I keep my CISSP active, and I have for the last 12 or 13 years that I’ve been a CISSP. Now to keep it active is not that hard though, right? You get 40 hours of continuing education, which basically I take some other cert or some other course once a year. I get a black hat, and that’s a week, and that gets me my 40 hours. And then you pay your $85 fee and it keeps it active.

And again, the reason I do that is because in the contracting world, you need CISSP. In the government civilian world, you need CISSP. In the military context, you need CISSP. For anything that’s a level two or level three management job or a level three technician, which are all the high paying jobs that you’re going to want anyway. And so even if you are a [sisyo] type person in the DOD, you still have to have it. And so it’s an important thing from that perspective. And going back to the experience versus certifications, every time that somebody asks that question, I always tell them, yes, experience is primary, but certifications help as well because again, it’s that quantitative measurement that you have that thing.

Kip Boyle: 

Right. Okay, cool. So we’ve just now unpacked this whole certifications versus experience question. I hope that helps the audience know why those two things exist, how they compare with each other, and how hiring managers think of them. So let’s continue on with the AB comparisons. Now, let’s do AB certifications versus college degrees. What do you think, Jason?

Jason Dion: 

Well, this is one I could talk about forever, and I know the podcast listeners probably have other things to do. So we’re not going to talk about it for hours and hours today. We could probably do a separate episode on this later on. But briefly, when it comes down to certifications versus degrees, it really comes down to they’re both important, but for different reasons and at different times in your career, right? More and more these days, we’re seeing that certifications are starting to replace a traditional four-year college degree, especially in technical roles, not as much in management roles. So again, it depends on where you are in your career.

For instance, ISACA, they just did a state of cybersecurity report in 2021. And they said the perceptions of university degrees in cybersecurity are remaining very mixed among the survey respondents. In the latest survey, 46% of respondents said they neither agree nor disagree that cybersecurity degrees prepare graduates well for their future organizational challenges. And what’s happening is… I can tell you talking to other hiring managers in the field… they don’t look at a degree and go, “Ah, this guy is perfect,” or, “This gal is perfect. I can put them right into work and they’re going to be useful from day one.” Not going to be that coming out of a four-year degree. And they look at the exact same thing on certifications. Either way, it’s saying you have a level of some knowledge that we can now build upon in our particular organization. Sorry. Go ahead.

Kip Boyle: 

Well, I was just going to add one thing that I… There’s a big thing about going to college that I actually respect. There’s actually two things. Let me tell you what they are. The first thing is college is not easy. All right? It takes years and you have to keep coming back. And really, nobody’s making you come back. And so when you complete a college degree, one really important thing that that tells me is you can finish things that you start and you can do it because you’ve committed to it, not because somebody is holding you hostage to it or requiring you to do it. And I think that says something about the strength of somebody’s character that they have that integrity, that they finished what they started. Now, whether they did it in four years or five years, that’s not really a part of it for me. I just think the fact that they finished it, I think is super important.

The other thing that I believe that a college degree tells a hiring manager is this person knows how to learn. And in cybersecurity, that is invaluable. If you’re not willing and able to learn the new technologies that are coming out, the new attacks that we’ve got to deal with, I don’t think you’re going to do well. I think you’re probably going to get into… You’re going to turn into a cog in a giant machine somewhere. You’re going to do the same thing every day. That might be okay for you. But I think if you really want to excel, if you want to go into management or you want to become a solutions architect or something like that in the future, you have got to have a demonstrated ability to learn, and I think that a college degree does say that about you.

Jason Dion: 

Yeah. I agree with you. And when it comes to college degrees, the other thing that I think that it shows employers is that you know how to do critical thinking because with certifications, you are learning… When you’re taking CompTIA Security+, you’re learning the CompTIA way, and you’re going to be tested based on A, B, C, D answer. And so you have to memorize that the answer is A, B, C, or D. And college degrees are a little bit different than that. So again, it’s a different skill set. And so when I’m hiring somebody for a management position, I want to see they have a college degree. If I’m hiring somebody to be a junior SOC analyst, I may be okay with just somebody who has a couple of certifications and three to six months worth of experience.

As we start looking at organizations around the world, depending on where you are in the world also really matters when it comes to degrees. So according to the ISACA survey I was talking about before, in Africa, they’re actually the number one place where they want a degree. 78% of jobs want a degree if you’re working in Africa, Middle East 67%, Latin America 64%, Asia 62%. When we get down to North America, 54%, You get down to Europe, 46%.

Now, why are we seeing it so much lower in North America and Europe? Because again, there’s this change that’s happening over the last couple of years, especially in North America and Europe, where we’re saying, “These are more technical roles and they don’t necessarily need to have a college degree to be a SOC analyst or a penetration tester.” Instead, you can have experience coupled with some certifications and go down that road. They’re valuing the hands-on skills and certifications over the traditional four-year college degree in a lot of these particular jobs. But at some point, you’re going to have to go back and get that degree to either get to a higher pay band or get to that management level job. So it’s important as you start thinking about your career, you start figuring out where and when are these things important. And a lot of that’s based on where you want to work and where you live.

Kip Boyle: 

Yeah. And I think employer too. It almost always comes back to the employer because 54%, it makes it sound like, “Oh, well, only slightly half of all the employers in North America are looking for a college degree.” But you’ve really got to dig into that because what I know is that technology companies are the ones that are deemphasizing college degrees, whereas mainstream American companies that are very hierarchical aren’t necessarily deemphasizing the need for a college degree. So you’ve really got to do your research in order to find out, okay, where are these 54% versus the 46%? So absolutely do your homework on this.

Jason Dion:

Yeah. That’s a great point because if you’re going to go work for a big company like, I don’t know, General Dynamics or General Motors or IBM or somebody like that, they tend to be more traditional and they’re going to want to see that you have a degree. [crosstalk]-

Kip Boyle: 

Yeah. But I know that Google has deemphasized it.

Jason Dion:

Exactly. And they’ve really focusing on certifications, including their own certifications that they’ve been adding.

Kip Boyle:

That’s right.

Jason Dion: 

So I think those are really important things to consider as well. The other thing you have to think about is that when you’re looking at these college degree programs, a lot of them now are tying themselves to certifications as well. So as you’re working towards your college degree, you would be going through classes that are teaching you the certifications. If you take the time to go take that extra step and get the certification by taking the exam, you’re going to have both, and both is obviously better.

Kip Boyle: 

Yeah, definitely. Definitely. We’ve got a community college here in the Seattle area where I live, and that’s exactly what they did is they said, “All right. We’re going to do a bachelor’s degree in networking and computer security. And when you graduate, you’re also going to have all these certifications.” And I thought, “That’s just brilliant.” Right? Why not bundle them together like that? Because there’s so much overlap, so much synergy between what you’re going to learn anyway, why not just pack all that together? So yeah, if you haven’t gotten a college degree yet, and you haven’t gotten your certifications yet, look for a program like that. It’s going to save you so much time and so much energy and a little bit of money. So I think that’s a great point. So let’s go ahead and continue to evolve this conversation. What I want to ask you now, Jason, is which certifications should somebody be aiming at? Because we said they don’t need all of them. So how do they know which ones they need?

Jason Dion: 

Well, what I always tell my students is you need three to five key certifications when you’re beginning your career and starting to get into that entry-level position. Now the challenge here is what are the three to five? And people ask me that all the time. And the first thing I say is, “What do you want to do?” Right? If you want to be in the help desk, that’s one thing. If you want to be a penetration tester, that’s a different thing. If you want to be a risk analyst or an auditor, that’s different as well. But in general, the first three that everyone should get is going to be your A+, your Network+, and your Security+. And we call that the CompTIA trifecta.

Now A+ is going to focus on software and hardware because that’s essentially everything we start out with. It’s looking at how does Windows operate? How does Mac operate? How does Linux operate? What is RAM versus hard drives? And how do you fix these things? Mobile devices. All of that is covered in A+. Then you move to Network+, which is the foundation of all cybersecurity is our networks. And so you start learning, what is a router? What is a switch? How do they communicate? What does a split horizon do? What does a poison DNS do? All those types of things to figure out how our networks are going to operate.

Then we go up to Security+, and that gives you the foundation of cybersecurity and starting to understand defenses. You cover things like Nmap a little bit. You cover Wireshark. You cover the CIA triad. All those foundations. And once you have A+, Network+, and Security+, you now have the ability to hold a basic conversation with an employer about pretty much anything on the hardware, software, networking, or security side. So having that foundation just really helps you when it comes time for interviewing as well. And we can put you… I call them the handyman, right? You’re a generalist. You’re a little bit of everything. And I can put you in any position I need to if you have those three positions, those three certs, and then build you up from there.

Kip Boyle: 

Yeah. As a hiring manager these days, I really like these three certifications together because I think of them in exactly the same way that you described them. Now, if you already have a lot of experience being on help desk, I may not need you to have an A+ because you’re going to have the experience, but I’m certainly going to look to see that you have the Network+ and the Security+, right? So sometimes I think you can swap out experience for certification, but it’s not going to hurt you at all in front of a hiring manager to have all three of these. So, okay. So we’ve got those three. All right. But a minute ago, you said three to five key certifications. So what else?

Jason Dion: 

So the next one I really like people to get is ITIL4 Foundation. And I will tell you when I deal with new people in the cybersecurity industry, they go, “Why the heck would I get an ITIL4 Foundation?” [crosstalk]-

Kip Boyle:

[crosstalk].

Jason Dion: 

Yeah. So ITIL is the service management. It’s how we run help desk and IT organizations, right? It’s all about processes and rules and procedures and what is value and risk versus outcome and all these kinds of things and how things tie together. And that’s why large employers really love ITIL, because it means that you as a cybersecurity professional know how to work with the business side. You know how to work with the help desk. You know how to work with the system admins when you need to get them to patch something, and you understand how the change management process works. You understand how the request management process works. All of these things all work together in an organization. There’s 34 practices that we use to run our IT organizations, and ITIL is what brings all of those together.

So the other reason I really like ITIL is when talking with hiring managers, it starts pulling their resume out and it’s something that’s different that most people don’t get. So if you go through WGU, Western Governors University, they have this as part of their degree program. They have A+, Network+, Security+, ITIL4 Foundation as part of that. But most places, when they go to the community college, like you mentioned, usually it’s going to be A+, Network+, Security+, and then they start moving toward something like CCNA or CDH or something like that. But by getting that ITIL4 foundation, it’s one of the things that differentiates you.

And this is something that I didn’t think of myself until I started teaching it. And my students, again, I have 3 to 400,000 students worldwide. And I started having students who said, “I’ve had my A+, Net+, Security+, and I’ve been applying and applying for months and I couldn’t get a job. I then went and took your ITIL4 Foundation, and five days later I got hired.” And I’m like, “Wow, that’s weird.” And I started talking to the people who hired them. They said, “Yeah, we appreciate people who have this because they understand how these organizations work together inside our larger company.”

Kip Boyle: 

Okay. Yeah. That makes a lot of sense. Now, one of the things that I want to point out here is that while there’s no harm in getting this particular certification, if you’re listening to this podcast, I want you to think about one thing, which is ITIL is something that slews towards larger organizations. So if you are saying to yourself right now like, “No, I don’t see myself working in a giant enterprise. I want to work in a mid-sized company or I want to work at a startup,” or something like that, then this may not help you at all. It might not make any difference. In fact, it could possibly backfire on you because if you’re going to go get a job at a startup, well, startups don’t like ITIL. Startups are scrappy, get things done type organizations. They don’t like a lot of bureaucracy. They don’t want a lot of overhead. They don’t want a lot of procedures and processes.

And so I just want you to be really, really thoughtful about where do you really want to work so that you don’t accidentally end up promoting something that your potential employers are not interested in. Or on the other hand, as Jason said, if you’re applying to a giant enterprise and they use ITIL, then yeah, you’re going to want that because it’s going to do exactly what he said is going to make you stand out.

Jason Dion:

And I think this also goes into when you’re applying for a job and you’re crafting your resume. If I’m going for a large company, I’m going to highlight the fact that I have ITIL. If I’m going for a hiring at Kip’s small, little IT consulting firm, I’m probably not going to highlight that. I might leave it off my resume. And so you’re going to add things or take things away because one of the dangers is I’ve had some people who when they apply, they have 20, 25 certifications on their resume. And the employer looks at this and goes, “Huh. This guy has done nothing but school. All he’s done is studying for exams. When did he ever go to work?” And that hurts you.

Kip Boyle: 

And this person has no focus. This person has no focus. I mean, the impression I get is exactly that it’s like, this is some random person that just can’t stop going bouncing from one thing to the next, and it makes me nervous. It makes me think like, “My gosh, am I going to spend a lot of time just trying to get this person to calm down and focus on one thing for an hour or two?” So yeah. So avoid that. Even if you have every certification under the sun, only put-

Jason Dion: 

Don’t list them all.

Kip Boyle: 

No. Don’t list them all. Just put the ones that are appropriate for the job you’re applying for. Okay. So that gives us three certifications: A+, Network+, Security+, ITIL4 Foundation. There’s four. But you said there could be as many as five key certifications. So what else?

Jason Dion: 

Yeah. So this goes back to… At this point, now we’ve built the foundation, right? We have our software or hardware or networking or security and our process management. So now that we’ve got those four down, we can now figure out what is the path we want to pursue. So if I want to be a junior SOC analyst, I’m probably going to go and get my CySA+ certification, which is a cybersecurity analyst plus. This is one that’s from CompTIA. It was started in 2017 and it really hit the ground running. It’s got support from big companies like IBM, Microsoft, and many others. And it’s very, very well sought after by a lot of these companies. They all jumped in behind it.

Now, if you want to go be a pen tester, then you’re going to be looking at either PenTest+, which is the CompTIA one, or CEH, which has been around for about two decades. CEH right now still has more clout in the marketplace even though it’s not as good… Anybody who has both CEH and PenTest+ will tell you PenTest+ is harder. It’s a better cert. It tells me people actually can do some pen testing. CEH is just really a knowledge test in my opinion, but they had a 20 year headstart. So [crosstalk]-

Kip Boyle: 

What does CEH mean?

Jason Dion: 

Sorry. CEH is certified ethical hacker. So it sounds really, really cool. Right? But really it’s Security+ plus some tools sprinkled on top. So it’s really not that much harder than Security+. But it just has this clout in the industry because it’s been around for 20 years. And so it’s still in a lot of job postings. You’ll see CEH or certified ethical hacker listed.

Kip Boyle: 

This really opens up something really important that I think we have to tell people, which is… Okay, so you really have to think hard about… Let’s say you’re going to be a pen tester. You’re dead set on that. And you’re sitting here and you’re saying to yourself, “Do I get PenTest+ or do I get CEH? And you’re trying to figure it out, and you’re trying to figure out like, “Well, which one’s better for Kip? So should Kip get the PenTest+ because it’s going to actually make me better or should Kip get the CEH because it’s just got better clout?” And none of that matters. What matters is who do I want to work for and what are they looking for?

Jason Dion: 

Exactly.

Kip Boyle: 

And some people don’t like hearing what I just said because they’re like, “Well, why should I spend all my money getting CEH when it’s not going to really make me a better pen tester because it’s not that rigorous? I should go get PenTest+.” Okay, you go get PenTest+, and you sit at home without a job.

Jason Dion:

And this goes back to the ATS and what are people asking for as it goes through this process. Right? And this is one of the things I tell students all the time, because I teach PenTest+ because I think it’s a better cert. I think in two to three years, it’s going to take over and bypass CEH. PenTest+ only came out in 2018. So at the time of us recording this, it’s only about three years old. And so it is still making inroads and trying to chip away market share from CEH, which has been out since 2001, 2000, somewhere around there. So it’s been out for 20 years. So all the HR position descriptions all say CEH because that was the only ethical hacking cert. Now there are many others. There’s OCP, there’s PenTest+, there’s some European ones like CREST. There’s lots of them out there. But it depends where you are and what employer you’re targeting. So keep that in mind as well.

The next thing you want to think about is are you going to be a forensic technician? Well, if you want to be a forensic technician, then the cert you need to get is either going to be EnCase or FTK. And which of those two should you get? The one that your employer uses. Because there are certification on a specific piece of software, EnCase forensic suite, or the Forensic Toolkit. Those are the two pieces of software, and there’s a certification for each. It’s like saying, “Should I get AWS or Azure cert for the cloud?” Which one does your employer use? That’s the one you go for, right?

Kip Boyle: 

Or should I drink Coke or should I drink Pepsi? What’s in the vending machine?

Jason Dion: 

Exactly. Right? You just got to go what’s there. Right? And then the other one that if you want to be in project management or development, then you might be looking at something like Scrum or DevSecOps certifications, and there are certifications for both of those as well. And so this is why I say it’s the three to four key ones at the beginning. And then you start funneling out into where you’re going to go.

The other nice thing is as you’re doing all these certifications, remember, every certification you get has requirements for renewal every three years. Like Kip, said he had CISSP. He decided he didn’t want to keep paying $85 a year and doing the 40 hours per year of continuing education to keep it current because it wasn’t relevant for him. So A+ may be very relevant as you get your first job in a help desk. It’s not going to be relevant five years from now for you. As long as you have a Security+, you can let A+ and Network+ go away. But the other nice thing is if you stay in that plus family, the CompTIA family, whatever your highest cert is, if you renew your highest cert, it also renews all the other ones below it. So for instance, if I get my CySA+, that renews Security+, Network+, and A+ as well. So you only have to renew one to get all four renewed as well. So these are the kinds of things to think about.

Kip Boyle: 

Yeah. I didn’t even know that. That’s helpful. And actually, it creates a little bit of lock-in, right? It’s like why should you leave CompTIA when you get that much benefit when it comes to recertification? So [crosstalk]-

Jason Dion:

And it’s cheaper too. Right?

Kip Boyle: 

Yeah.

Jason Dion: 

Because every time you get a new cert from a new company… For instance, I have CEH. I have a bunch of CompTIA ones. I have a bunch of ITIL ones. I have to renew with each one. And most of them do this… The highest levels [inaudible] have to renew to get all of them. But there’s a different fee for every single one. And so I’ve got five or six or seven different families that I have to do. And I do that because I teach this for a living, so I have to be certified in these. But if I wasn’t doing this for a living, I would let some of those lapse because I wouldn’t need them anymore.

Kip Boyle: 

Right. Okay. So this is great. So let me just recap. So Jason’s saying there’s three to five key certifications, and it starts with A+, Network+, Security+, and ITIL4 Foundation. If you’re going to go work at a larger organization, especially if you’re going to go work at a large consulting organization, I think they’re definitely going to want to see that.

Then you have to pick which job you want, and then you need to go find out what are the employers who I want to work at, what certifications are they looking for there? Because there’s a lot of competition. And I think Jason’s right. There’s going to be more competition. It’s like a horse race, right? CEH is out in front, PenTest+ coming up on the inside, but then some other one’s going to come out of nowhere and take over. So watch that. Be careful. Do your research. Figure out which one employers value the most.

Okay. So that’s all of that in a nutshell. But there are some other nuances here too, right, Jason? I mean, we’ve said, “Look, you need to decide what position it is you want to pursue.” You’ve already made also some caveats about where you live or where you work geographically. Right? Tell us about how geography really affects which one you choose.

Jason Dion: 

Yeah. But before we go into that, I do want to say one other thing, though. When we’re talking about certifications, remember, you don’t want to overcertify yourself. So if you start seeing that you have 15, 20 certs lined up, you’re going to start dropping some of those off your resume. And the other thing is, remember that a certification doesn’t necessarily mean you can do the job. It just means you can pass the test. Right? I can put anybody through a bootcamp and within 40 hours, one week, I can fill your brain with everything you need and you can pass the exam on Friday, but it doesn’t mean on Monday morning, you’re going to be able to do the job. And so when people say, “Which search should I get to get a job?” that’s not the way to think about certs.

When you think about a certification, remember, this is your ticket to an interview. It’s a ticket to get your resume in front of the hiring manager and through the system. It tells them you have a minimum baseline of knowledge, but this is why experience and other things in your resume are going to matter as well.

All right. So that said, let’s go and talk about which certifications you go for based on different factors, right? And geography is one of them. The first thing is you always want to start with the end in mind. What is the position you’re targeting? So again, are you going for an analyst position? Are you going for an auditor position? Are you going for a forensic position? Once you know that, you can start targeting in what you want. Then you’re going to figure out where you live or where’s the organization based that you want to work for. And this is a really key thing because I have students all over the world, and I get the question all the time, “Should I take this cert or that cert?” And the first thing I ask them is, “Where do you live and where do you want to work?” Because those are two key factors here.

Some certifications are more popular than others based on where you live. So for example, if you’re in the project management space, there’s a big duopoly between two major certifications. One is the PMP and the other one is PRINCE2. Now, depending on where you live in the world, you probably have heard of one of those two certifications and you may not have heard of the other one. Kip, have you heard of both of those or one of those?

Kip Boyle: 

No. I’d heard of the PMP quite a bit, but no, I didn’t know anything about PRINCE2 until just recently.

Jason Dion: 

Yeah. And the reason for that is you’ve done most of your work in the United States, right?

Kip Boyle: 

Mm-hmm (affirmative).

Jason Dion: 

There you go. So if you’re in the US or Canada, PMP is dominant. Everybody knows about PMP. And if you work with companies, they’re looking at other places of the world, but their headquarters are back in America. For instance, if you’re working with a bunch of oil companies or people in the Middle East area, they work with a lot of companies out of Texas and a lot of oil refineries and things like that. So they use PMP as well, which is the project management professional. But if you’re in Europe or you’re in Asia, PRINCE2 is much more dominant than PMP. In Canada, it’s a toss-up because they have roots to both Europe and the US. So depending on the company, if they have a European headquarters, they’re in PRINCE2. Otherwise, they’re in PMP. So these are the kind of things we’re talking about.

Now let’s bring it back to cybersecurity. Pen testing is another great example of this. If you’re in the US or Canada, there’s three main pen testing certifications that people look for: either CEH, PenTest+, or OSCP. And I listed them in that order because that’s the difficulty level. CEH is the easiest of the three PenTest+ is a little bit harder, OSCP, really hard. It’s a 24-hour hands-on exam. When you pass that, it means you actually know how to break into boxes and write a report on it because that’s what you get tested on doing.

In the UK, though, what they look for is something known as crest, C-R-E-S-T. And so, again, this goes back to geography. Where do you live? What companies are you going for? Because different certifications are popular, even though they’re covering the exact same thing. They’re all covering pen testing, right?

Kip Boyle:

Yeah. Okay. That makes sense. And so CREST is not just a toothpaste. If you’re in the UK, it’s probably not a toothpaste at all. But that’s the first thing I thought when you said CREST, I was like, “Oh, that’s weird.” Okay. So I’m an ugly American and that was the first place I went to. Okay, cool.

All right. Well, my gosh, we’ve covered a tremendous amount of ground here all under the banner of which cybersecurity certifications should you get. That’s what this episode is all about. And man, well, I hope that was helpful. That’s what we really came here to share with you today. So as we wrap up the episode, I’ll just ask Jason if there’s any closing remarks.

Jason Dion: 

Yeah. I think it’s just really important to remember that always start with the end in mind. Know where you’re going because that’s going to help build your path, whether that’s knowing the job you want and the two or three jobs you’re going to need to get in between now and then to get to that ultimate goal, or in the case of certifications, knowing what job you want so you can build the path to your certifications and start ticking them off one at a time.

The other thing I’ll point out with certifications is I understand a lot of people don’t want to do them. They think, “I don’t need to do it. I shouldn’t have to do it.” But the reality is in the industry, a lot of jobs require these certifications, especially if you’re going to go on the government, the contracting, the military side. They have contractual requirements to say, “If you’re going to be our contractor, you must have these certifications.” I was looking at one contract recently and it said, “If you’re going to be on our help desk, you must have ITIL4 Foundation. If you’re going to be on the help desk and you have system admin credentials, you must have Security+.” And so these things can actually be a thing that require you to get them if you want to get that job.

Kip Boyle: 

Okay. Cool. That’s a great summation. Well, listen, everybody, we’re going to wrap up this episode. But if you like our podcast, you might want to consider doing something next, which is take our free quiz. So Jason and I created a simple survey. And what it does is you go through it and it’s going to help you figure out what’s going wrong with you and the hiring process. So if you’re having trouble landing a job, or if you think you’re going to start looking for a job soon, you might want to take this quiz because there’s different places in the hiring process that you can get tripped up. Your resume may not be tuned correctly. Your interviewing skills may not be quite right. You may not be negotiating your compensation correctly, or there could be something about which certifications you have, which is what we just talked about here, or maybe something with a college degree.

But whatever it is, if you go and take our free quiz at hiredin21days.com, you’re going to get immediate response to an immediate diagnostic. And you’re going to get some advice from us about how you can make an improvement and how you can then make a couple of changes. And then you can land the cybersecurity job of your dreams. And so that’s what we’re all about here. You’re just one path away from your dream cybersecurity job, and we’re going to help you get on that. Thanks for being with us. We’ll see you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Headshot of Jason DionYOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.