THE GREAT (CERT) DEBATE!
One of the big debates in the cybersecurity field involves the importance of obtaining certifications: what’s more important, having a certification or having real world experience?
In my humble opinion, both are desired. Companies want to hire someone with experience so that the person doesn’t have to spend as much time in “training status” – the person can come in on day one and start being productive.
However, where does this leave a current or recently graduated student who has been focusing on their studies and opted not to get a job that could give them experience? At this stage, I recommend volunteering, or finding internships or student worker jobs at your campus.
- Many companies love to have volunteers that can come in a few hours a week. This is free labor for them and can be a great way to gain real world experience.
- Internships can be either paid or unpaid and basically are the same as volunteering except this time the company is initiating the request for assistance.
- Student worker jobs are small part-time jobs on campus that students can work, usually up to a certain max number of hours (on our campus it is 20), and can be another great way to gain some real world experience. Our student workers learn about incident response, phishing investigation, and Splunk (plus whatever side tasks we ask them to perform).
- Another avenue for students is to complete online training courses. A quick Google search for "free online cybersecurity training" will yield thousands of hits. Each site is different so check a few out and see which is the best fit for your learning style and needs.
Personally, I think certifications are great for those just starting in the field. They show that you have a baseline of knowledge about an area of cybersecurity, while employers see it more as “He/She has the baseline, so we only need to train them on our specific operations and how we do things”.
That organization-specific training is going to have to happen in every situation anyway, no matter how much experience you have. Every organization is set up and runs things differently to meet their operational goals. So no matter where you come from (school or previous job) you will have to learn the organization’s setup, policies and operations.
Plus, a certification can set you apart from other potential hires! If the job comes down to you and a few other people, and you have a certification that applies to the job and the others don’t, more times than not the company will hire you because you have that much more experience in the field. It may not be real world experience, but when making a new hire the company will always take into consideration how long it should take to get the new hire fully trained. Having a certification means you already have a baseline of knowledge which means the company won’t need to spend time training you in those aspects of the job. This means you will be trained up faster and you can start being more productive to the company faster which the company really loves!
The second part to the certification debate is “so what certifications do I need?” The answer to this is pretty much: it depends.
- The first factor to consider is the job you are applying for. Does the company require certain certifications as a prerequisite for hiring consideration? If so, then you NEED to get those certifications.
- The second factor is what do you want to do long term? Where do your interests lie? Many people tend to apply for jobs that fall within their interest areas. In this case, you should look at certifications that fall within your personal areas of interest.
The third part of the debate is “which specific certifications should I get?” which falls a little into the first 2 parts where the company requirements and your personal interests will guide you to the answer to this question. But as you will notice when you start researching certifications, there are certs for just about every cyber area you can think of (networking, programming, security, investigations, etc) and many of them are also broken down into experience levels.
There is usually a low-level “Introductory” cert, followed by a mid-level, higher knowledge/more experience “experienced” level and topped off with a high-level, most knowledge/experience “mastery” level.
Most people start with the lower-level certs and work their way up the chain. But you don’t have to. Certs are obtained by passing a “final exam” certification test. Pass it and you’ve earned that certification.
But be careful! Some certifications (at all levels: low, mid and high) come with certain prerequisites you must meet or be able to prove!!
Many of the mid- and high-level certifications require you to prove that you have the knowledge or experience to be able to pass. For example, the Certified Information Systems Security Professional (CISSP) certification, which is the high-level certification for security professionals, requires the following prerequisites to be met:
- Candidates must have a minimum of five years cumulative, full-time experience in two or more of the eight domains of the current CISSP Exam Outline.
- Earning a post-secondary degree (bachelors or masters) in computer science, information technology (IT) or related fields may satisfy up to one year of the required experience or an additional credential from the ISC2 approved list may satisfy up to one year of the required experience.
- Part-time work and internships may also count towards the experience requirement.
(source: https://www.isc2.org/certifications/cissp/cissp-experience-requirements)
Many certifications require the same basic proof of experience. Academic degrees and other certifications already earned can help reduce the number of hours/years of work experience a bit, but won’t remove the requirement completely.
A few things to remember:
- Some certifications are good for life so you only have to take and pass the test once. Most have expiration dates and are usually good for 3-4 years (depending on the cert).
- To renew your cert you have to either take the test again and pass it or earn credits for certain things. These are usually called Continuing Education Units (CEUs) but the term differs with each certification organization.
  - You earn these credits in a variety of ways:
    - Attending security conferences
    - Presenting at conferences
    - Reading a security-related book and submitting a book report
    - Attending/watching online security webinars
  - Each certification company will have a full list of the approved things that can earn you CEU credits.
- These CEU credits can help save you money. All certification tests have a test fee. Some are around $100-$200 while others are $600-$800 or higher! You have to pay this fee each time you take the test so earning CEUs can help you save money on test fees!
- Many employing companies can help as well.
  - A lot of companies offer full reimbursement for getting a certification (usually only if it applies to your job, but it never hurts to ask before you start the learning process!)
  - Some companies offer reimbursement for test fees only.
  - Each company is different so be sure to ask your company HR department what policy, if any, your company has.
  - Some companies won’t reimburse you for getting a certification but when you get it, they will give you a raise in salary!
  - This is also a great job interview question. When the interview gets to the part where you are asked if you have any questions, ask about certification reimbursement/salary increase for obtaining a certification.
  - Do your research! Make sure you know how long your certification is good for before it expires, how many CEUs are needed to retain it, what annual fees are required, etc.
What certifications are available?
I’ve included links to some of the main certification company sites. These will be great starting points for you. I’ve also included links to a few articles that may answer other questions you have about certifications. You can also shoot me an email with any questions you have and I will do my best to get you the information you are looking for.
Good luck in your certification journey!
Until next time….Code Geek out!!
(the below lists are not all inclusive)
Cybersecurity certification companies:
Articles about certifications:
https://www.columbiasouthern.edu/blog/blog-articles/2021/august/are-certifications-worth-it/
https://www.linkedin.com/pulse/top-5-benefits-professional-certifications-thom-mandl/
https://www.coursera.org/articles/popular-cybersecurity-certifications
Free online training: