This week, I’ll walk you through the ever-growing list of
post-nominal letters you can add to your name through qualifications and
certifications. Being a student myself, I’ll start with exploring the academic
route, then go through the more popular, and best recognised, vendor and
standards organisations’ certifications, highlighting their worth for your CV
and career development. It’s not a comprehensive list, by any stretch of the
imagination, and is geared towards a more general CyberSec professional, rather
than focusing on any one aspect of the industry. I’ll try and shy away from too
much debate by running away very quickly to avoid the one about CEH vs. OSCP,
and leave it to you instead.
*Disclaimer* I am a university student, and haven’t actually
done any of the following certifications, at least not to completion. I have
explored each in a reasonable amount of depth to see their benefits and worth
and consulted with holders of a few to gain their insider opinions. I also have
not been paid by any of the organisations offering certification to advertise
for them.
University
This is usually seen as the default route to any career, and
while it is increasingly seen as less of a requirement within the IT community, it
still bears consideration. Universities might only just be catching up to the
game with Cyber Security offerings, but they are doing so with gusto. The
National Cyber Security Centre at GCHQ
has accredited 25 university courses already (both Bachelors and Masters), with
14 others provisionally accredited, and more institutions (such as my own
school, Glyndwr
University) making efforts to achieve that same standard.
These courses differ from previous Network and Security and Computer Science offerings, as they are aimed specifically at providing students with a full grounding in CyberSec principles, as well as the soft skills required to enter the job market confidently. University education also has the advantages of alumni networks and industry links, which can help launch and further careers. HR and higher-level hiring managers still love degrees, because a) it’s the traditional route they recognise, and b) it shows you can learn specific things in a specific fashion rather quickly. This is a very good thing, because you will be learning for the rest of your life: it all keeps changing.
Certifications
There are a fair few to choose from here, and this roadmap
from CompTIA
is an easy-to-follow visual guide to a full career’s worth of certification,
starting with the basics. While this guide is useful, it’s not advisable to
stick to it rigidly. Apart from being a ludicrously expensive thing to do,
taking all those certs is an unnecessary waste of time and opportunity. I’m
going to assume that, as you are reading this, you have at least a good
competency in hardware and networks (having either done the A+ and CCNA/N+
courses or having equivalent knowledge), and are looking to move into Cyber Security
rather than starting from scratch. Should this not be the case, I would
recommend doing either or both of those certifications, or at least the
courses.
Security+/CCNA-Security
As with the A+ and CCNA and similar certifications, these
are foot-in-the-door credentials: an easy way to start off, giving an
introduction to the field as well as a starting point in your career. Expect 1st/2nd
line-equivalent roles, with maybe a slightly higher salary. A good way to gauge
whether or not this is a career path you want to follow.
OSCP/CEH
These two are more specialised, dealing with offensive
security, i.e. ethical hacking. EC-Council’s
CEH
is the more theoretical of the two, and has fallen a little by the
wayside in terms of respectability among security practitioners, but is regarded
well by hiring managers and HR departments, and that theoretical background can serve you well.
The OSCP from Offensive Security (the people responsible for Kali Linux), on the other hand, takes a more hands-on approach, with the examination consisting of a 24-hour exam in which the student must do their own research, gather intelligence and perform the relevant attacks, documenting everything and submitting a full report. While the lesser known of the two, it is regarded as superior by most due to its more practical nature.
That’s all I’m saying on the matter; you guys can battle this
one out for yourselves.
GIAC (The SANS Institute)
The Global Information Assurance Certification was founded
to make sure there was a baseline standard for CyberSec professionals, and offers
a range of certifications that are widely respected and recognised. As a
starting point, GIAC’s Security Essentials (GSEC)
shows a solid knowledge of Cyber Security beyond the entry-level.
GIAC also offer certifications across the other fields of Cyber
Security, including secure software development, pen testing, auditing, forensics
and incident response, as well as management. Their top qualification, the GSE (GIAC
Security Expert), is regarded as the most difficult to achieve, as it requires
years of experience in all fields, and is seen as more of a trophy than a
requirement. If you need a goal beyond being at the top of your field, this
would be a good one.
CREST
As one of only three organisations certified by GCHQ, CREST
run a series of examinations aimed at front-line Red and Blue Team members.
They also accredit partner organisations
who run the training courses for said examinations, which are highly sought
after and are fast becoming the standard for security practitioners in the UK.
Currently, they only run a Vulnerability Assessor
certification at entry-level; however, their Registered Threat Intelligence
Analyst provides a perfect opportunity to begin rounding out your knowledge
after a couple of years in the industry.
ISC2
A globally recognised certification provider that offers training programs, networking opportunities and ongoing professional development, ISC2 are dedicated to helping grow excellence within the Cyber Security industry. This is achieved through their membership requirements, which, along with a yearly fee, require certain amounts of training to be taken (CPEs earned) and recertification every 3 years.
SSCP (Systems Security Certified Professional) is an above-entry-level qualification focusing on 2 security domains. It requires 1 year’s full-time paid work experience within a relevant role, although this can be waived with an appropriate computing degree (this waiver has no time limit either), which makes it an ideal prospect for graduates beginning their careers, as well as those in Systems Administration-type roles looking to improve their security knowledge or change career direction.
If any certification can be said to be a baseline standard for the Cyber Security profession, it is this: the Certified Information Systems Security Professional (CISSP). The examination for this can only be taken after 5 years’ relevant experience (4 years with the degree waiver) and consists of questions on 8 domains of security knowledge. Commanding an average salary of £77,500, this qualification is a serious investment.
Again, this is just a small selection of the certifications
available, but they are among the most recognised out there. Follow the links
provided and see which suit your career path and ambitions, and good luck!