Which Certification Should I Get?

TL;DR: The answer is probably "none" if you aren't willing to go beyond the book learning.

I'm often asked by students and by people throughout the InfoSec/cybersecurity industry, "Which certification should I get?" and "Which one is going to put me ahead of the game?" If you're asking the same thing, be aware that you're far from the only one. Most people trying to get into the industry can pass a multiple-choice test with some cram-studying; certifications are the easy checkbox to hit. The much harder to obtain, but far more useful, outcome is being able to explain, build upon, and ultimately use the knowledge the certification represents. The paper is for HR; the knowledge and how to apply it is what you are really after, but many people seem to forget that.

The Honest Truth

Let's put it out there: any certification you get can have real personal benefits, but it is also rather useless if you can't apply it to your day-to-day work. How much of it you can apply varies from person to person. What one person gets out of a class someone else may miss entirely, and vice versa; the parts people find tangible and useful rarely line up. Some people hate digital forensics; some people love cyber threat intelligence. Some people hate coding; some people couldn't get by without it. It truly takes a large, diversified set of skills to build the best team available to you. Often the most valuable skill in cybersecurity is adaptability and creativity, which is incredibly hard to teach or train. A high aptitude for learning and staying up to speed is a key skill to sharpen as well, but that goes far beyond reading a book; it's about application.

Reading a book about a firewall is very different from setting up a few devices on a network and seeing what happens when you enable different rules or configurations. Reading about how to code in Python, or watching a YouTube video, is very different from coding a small project of your own. The same goes for something like DNS: nobody is saying you should get RFC 1034 tattooed on your forearm, but buying a domain and setting up its records yourself (A, AAAA, TXT, MX, etc.) shouldn't be too much to ask. Even a book about innovation and creativity is only helpful insofar as you can apply it, however indirectly, to the real world.
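As a concrete version of the hands-on DNS exercise above, here is an added example (not code from the original post) that parses a small zone fragment and sanity-checks the A, AAAA, MX and SPF records the way you would after setting up your own domain. The zone text, the domain (example.com is reserved for documentation) and the addresses are constructed for illustration; the checks use only the Python standard library.

```python
import ipaddress
import re

# Constructed sample zone fragment. example.com is a documentation domain and
# these addresses are from documentation ranges; nothing here is a real host.
# The second MX deliberately points at a host with no address record so the
# checker has something to find.
SAMPLE_ZONE = """\
example.com.        3600 IN A     192.0.2.10
example.com.        3600 IN AAAA  2001:db8::10
example.com.        3600 IN MX    10 mail.example.com.
example.com.        3600 IN MX    20 mail2.example.com.
example.com.        3600 IN TXT   "v=spf1 mx ip4:192.0.2.0/24 -all"
mail.example.com.   3600 IN A     192.0.2.25
"""


def parse_zone(text):
    """Parse one-record-per-line zone text into (name, type, rdata) tuples.

    Only the simple 'name ttl IN type rdata' form is handled; comments after
    ';' are stripped. This is a teaching parser, not a full RFC 1035 one.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        name, _ttl, _cls, rtype, rdata = parts
        records.append((name, rtype, rdata))
    return records


def check_records(records):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    # Names that have an address record, so MX targets can be resolved in-zone.
    addressed = {name for name, rtype, _ in records if rtype in ("A", "AAAA")}
    spf_count = 0

    for name, rtype, rdata in records:
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.append(f"{name}: A record {rdata!r} is not a valid IPv4 address")
        elif rtype == "AAAA":
            try:
                ipaddress.IPv6Address(rdata)
            except ValueError:
                problems.append(f"{name}: AAAA record {rdata!r} is not a valid IPv6 address")
        elif rtype == "MX":
            m = re.fullmatch(r"(\d+)\s+(\S+)", rdata)
            if not m:
                problems.append(f"{name}: MX rdata {rdata!r} must be '<priority> <host>'")
            elif not m.group(2).endswith("."):
                problems.append(f"{name}: MX target {m.group(2)!r} is not fully qualified")
            elif m.group(2) not in addressed:
                problems.append(f"{name}: MX target {m.group(2)} has no A/AAAA record in this zone")
        elif rtype == "TXT":
            value = rdata.strip('"')
            if value.startswith("v=spf1"):
                spf_count += 1
                # A policy that does not end in -all or ~all lets anyone spoof the domain.
                if value.split()[-1] not in ("-all", "~all"):
                    problems.append(f"{name}: SPF record should end with '-all' or '~all'")

    if spf_count != 1:
        problems.append(f"expected exactly one SPF TXT record, found {spf_count}")
    return problems


def check_zone(text):
    """Convenience wrapper: parse zone text and return the list of problems."""
    return check_records(parse_zone(text))


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE) or ["no problems found"]:
        print(problem)
```

Running it prints the one planted problem (the mail2 MX target with no address record); breaking the AAAA record or deleting the SPF line adds more. The same checks, run against a real zone you actually control, are the kind of feedback loop a book on DNS cannot give you.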

In that same vein, if you just brain-dump your way through a training or certification, it's fine for resume-building purposes, but if you don't absorb much of it, or more importantly understand why or how you'd use it, what was the point? So many people go for their Security+ when they should be hammering away at networking, PCAPs, malware, blogs and articles, and constantly ingesting anything tangibly related to cybersecurity. If you study for the Sec+ and pass it, congrats, you may get past the HR filters. But when you're face to face in an interview and can't answer the basic questions that body of knowledge should let you answer, good luck, because it's not going to go the way you think.

Nobody with realistic expectations expects anyone to know absolutely everything about cybersecurity; the field is far too multifaceted. With that said, there are many foundational things that most hiring managers don't have the time to teach, let alone be the first to impart. We often hear that jobs should "mentor truly entry level people", but consider what you're asking: someone with limited time is supposed to spend it teaching things that are freely available to anyone with the motivation to look? This is why almost every "entry level" job in cybersecurity is not what most people picture as entry level. It does, and should, require some level of technical understanding and capability, because that technical know-how underpins everything you do as an analyst and beyond. Ramping someone up on the absolute basics is not an effective use of time or corporate assets compared with simply paying more and hiring someone closer to a "ready to go" state. Remember, we are employed to protect the organization, and spending time or resources outside that goal isn't in its best interest. Over the long term, yes, it is very beneficial for a company to breed its own in-house analysts, but reaching that level of effectiveness takes quite a while and is a story for another blog.

To answer the question of which certification you should get, the best answer I can give is that it depends on where you want to take your career. What narrative do you want to tell about yourself on paper? What knowledge do you hope to bring to the table? What part of this field do you find the most enjoyable and fun? Personally, I see myself as a purple teamer because I understand attacks and defense and how to apply that knowledge to meaningful security operations. I also enjoy many of the things purple teaming requires, such as adversary emulation, cyber threat intelligence, coding, automation, etc. So I pick the certifications that best tell that story: some blue team (GMON, GNFA, GCFA), some red team (GPEN, GXPN) and some purple team (GDAT). In the future I may seek out certifications that would stamp my resume with "Python" somehow, but it's just a stamp; the programming knowledge I have comes from a lifetime of trial and error at this point.

A Short Vendor Discussion

SANS/GIAC is very expensive (oftentimes 5-10x the cost of other training offerings), and even though I begrudge them for it sometimes, they do have the most polished and streamlined offerings available today: hands-on labs, thorough material, multiple physical books for each class, tools, etc. Especially for forensics classes there are very few that rival SANS at the moment, but is it worth the money? That's for you to decide. It should still be noted that the large majority of the knowledge in even a training outlet such as SANS is freely available if you know where to look; what they do is greatly expedite the "where to look" by packaging it up for you. That's what most vendors in the cybersecurity training space are doing, and it's often why you'll hear people in the industry be curmudgeonly about a lot of them.

There are other trainings and certifications that are "industry standard" and will get you in the door at places that don't have someone who can knowledge-check you: your Security+, your CISSP, etc. They do have a decent amount of name value, but they likely won't give you the directly applicable knowledge most people are looking for from training without you going the extra mile yourself. More importantly, they also likely won't impart the skills hiring managers are normally looking for without you doing the same.

ISC2 is sort of the opposite of SANS/GIAC and of many of the "newer" training/certification providers, mainly because it typically has almost no labs. The content is very book- or "experience"-oriented, and it would mainly be on you to gain the practical know-how. Many people can just cram-study, take the test, and pass it, at least in my experience. Even their CCSP (cloud) certification lacks true practical use cases and is geared more towards policy, compliance and best practices, which is fine for certain roles, but many roles require a much more technical base.

OffSec and BlueTeam Security are great for their respective team colors, but the knowledge may not transfer as readily as that from a SANS course like GCIH. The same could be said of very specific SANS courses, though: they might be overboard, they might be helpful. It's all about how well you can digest the training and work out how to use it day-to-day. I have no experience with CREST, NICE, or many of the other training peddlers. Most security appliance vendors you interact with at an industry level will provide their own training on their platform and solutions (SIEM, EDR, TIP, etc.). Any time you can get vendor-specific training you should absolutely do it, because it shows future employers that you are ready and willing to do the same for them.

Wrapping Up

If you have no inclination to do actual penetration testing or red teaming, I think OffSec's course load is a little too hands-on for most blue teamers. It's a good experience, but maybe overboard. Similarly, if you want to red team, I'm unsure how much extra value you'd get from, say, BlueTeam Security Operations offerings. At least early in your career it's difficult to find the crossover and apply one side to the other. It really depends on what you want to do with your career more than anything else. However, much like sports and other adversarial games, understanding the opposite side can be paramount to true success. Never forget the adage that the best attacker is likely a great defender, and vice versa.

Never forget that while certifications and paid training are great opportunities, there is a plethora of free or very low-cost resources: attending conferences like your local (or remote) BSides, HackTheBox/TryHackMe, building your network, discussing ideas with your connections, reading books both inside and outside the cyber industry, building collaboration groups and communities, and a mountain of other things. Use these opportunities at every turn to keep yourself sharp and to keep expanding your skill set. They are often the proof that you go above and beyond the mere accumulation of pieces of paper.

To summarize, should you get a certification? Yes, you should. Should you continue to get more certifications once you are in the field? Absolutely; that's the best time to do so, as the company you work for will normally pay for the training instead of it coming out of your pocket. What you should not do is be hyper-focused on studying for and passing the test to obtain the piece of paper, rather than digesting and truly understanding how to use the information you're being exposed to. Most people can read a book and get a general idea of how to answer a multiple-choice question, but that is very rarely the prompt you're faced with when trying to get, or perform, a job.