Tips for an Information Security Analyst/Pentester Career - Ep. 93 - Certifications vs Experience, Do You Need Certs At All?

Nowadays, we see a constant flood of new certifications in the cybersecurity scene.

Every day a new one is created, and making sense of all these acronyms (eJPT, PNPT, OSCP, PJPT, etc.) can be quite confusing.


Each certification costs money, and while some are quite affordable (CompTIA, INE, TCM Security), others are a big investment (Offensive Security, SANS).

Not all certs are created equal, and you don't need all of them. I'd advise against collecting certifications for the heck of it.

Yesterday I read on LI about a guy who achieved 18 certifications in a year, which prompted a series of considerations that became this post.

Certifications vs Experience

Are certs worth it compared with working experience and, if so, when are they worth pursuing?

In my opinion, hands-on experience is way more valuable than certifications. Certifications are only worthwhile when they add new skills to a professional profile.

Anyway, as a general rule, I'd recommend starting from these considerations:

  1. Go for hands-on certs and avoid multiple-choice tests, which prove absolutely nothing about skill level.
  2. Go only for certs that add to your current skill set and don't settle for less than that. Don't waste time and money on certs that are below your current skill level.
  3. Additionally, the value of a certification varies based on the recipient's profile.

In other words, while entry-level certifications such as PenTest+ or OSCP can be good to have for someone who wants to break into the penetration testing industry or has a junior-level background, they're pointless for an intermediate to senior pentester.

Yes, I'm saying OSCP is pointless for a professional with a 4-5 years' background. After being in the industry long enough, one is recognized as a professional, regardless of whether they hold some specific certs or not. I mean, I don't want to sound cocky but, unless peculiar situations/settings are in place and sensitive devices are involved, I could run a perimeter pentest in my sleep by now. Other than that, being a good consultant and being able to build rapport with a client is way more important than being technically amazing, because that's what ultimately makes a difference in the final outcome of a project.

Sure, I wish I had OSCP some years ago but I didn't need it to find a job as a pentester.

Do I really need it now, with a 5 years' background? I don't think so.

At this point in my career I find it pointless to pursue certs that require going through a password-guessing prerequisite to breach the perimeter, or solving other CTF-like scenarios that a professional is never going to meet in real-world engagements.

Over thousands of engagements in my career, I have NEVER EVER found passwords like SeasonYear in use on the external perimeter.

This doesn't mean it's impossible, of course, but it's highly unlikely IMHO.

I mean, either I'm extremely unlucky, or my clients are awesome in following best security practices, or this is not so common IRL.

By now, partly due to PCI compliance, most organizations enforce higher password complexity than they did some years ago. This doesn't mean one can't find HTB-like situations in the real world, but I can count them on one hand.

Weak passwords are way more common in internal engagements, but of course a red teamer would need to breach the perimeter first, or operate under an assume breach scenario.

Work experience matters more than any certs. But there's a tricky side to it.

The Value of Your Experience Changes Over Time

Cybersecurity is subject to non-stop change. New tools are released, existing tools and protocols are relentlessly updated, and a professional needs to keep up with it.

There's no room for complacency, because it means being left behind.

A security professional is a constant learner, and skills that are valuable today could become worthless tomorrow.

That's when training and certifications come into play, not to get a foot in the door this time, but to make sure one stays relevant in the industry.

A professional needs to consistently add new skills and become more valuable.

I always learn new tools and my company puts me through periodic training, which is awesome. I'm very thankful to Optiv for this, and I don't hesitate to take on engagements that drive me out of my comfort zone, such as physical security, cloud security or spear phishing.

I can be an asset to my team and become more marketable in the long run, which won't hurt.

Certifications and Career Path

The specific certs worth achieving vary based on your career path.

For example:

  1. Junior Pentester: eJPT, PJPT, OSCP, PNPT
  2. Intermediate/Senior Pentester: eCPPT, web app related certifications (eWPT/eWPTX, Burp Practitioner, OSWE), cloud related certs (AWS Practitioner, etc.), red teaming certs (CRTO, CRTP, CRTE), etc.

Wrap Up

Certifications vs experience is a bit like a chicken-and-egg dilemma, which can be solved by looking at a professional's skill level and experience.

For someone with little to no experience, certifications prove motivation, dedication and a correct mindset, aiming at constant improvement.

For someone with an intermediate to senior level, certifications are important only if they add new skills or update the existing knowledge, otherwise working experience is way more valuable.

The problem, though, is working experience can get quickly outdated if one becomes complacent, so a professional needs to be a constant learner.

Sadly, this is not for everybody, because continuous education is the most challenging part of a penetration testing career.

It becomes easier only when a professional is really motivated, when this is more than a job.

Only then does learning become fun and enjoyable instead of a burden.

Now the ball is in your court.
