
Are security certifications worth it?

While some people consider certain security certifications a must-have and hence make it their goal to earn that nice-looking piece of paper and/or electronic badge, others hold the completely opposite opinion, thinking that certifications prove nothing about one’s knowledge and exist only to pull money from the naive people of the first category.

In this blog post I would like to share my personal take on certifications in general and the role they play in my own learning path and career development.


A plan to learn

How do you normally go about learning something? Something that is bigger in scope than what a single-page article may give you. For example, let’s say you want to familiarize yourself with the ins and outs of landscape design. The first thing that comes to mind is that you can Google what you don’t know, so you hit the search engine with things like ‘How to make my backyard beautiful’, ‘How often to water tulips’ and, maybe, ‘Baobab planting for beginners’. You get hundreds of pages back, from which you pick one of the first five results. You read the article, and, in the best-case scenario, your concrete question is now answered. Or maybe you just open some ‘Landscaping 101’ article – what a find, just follow their ‘10 simple steps’ and you should be as good as Frederick Olmsted (or at least what he was in his early years). The problem is – you probably will not. The articles you read were very likely written by copywriters for a general audience, with the goal to entertain more than to educate. They usually contain more or less the same information, and that information is really entry level. So how do you learn further?

What if there was some curated list of topics that, according to certain professionals in the field of study, would be the minimal set of things one has to learn to call themselves a specialist in that area? Guess what? That list exists! Look up any more or less serious certification exam and review its certification objectives and/or the syllabus of the exam-preparation course, and you will find what you are looking for.

I used this approach for planning out my learning journey when I wanted to become familiar with malware analysis. I built a study plan following the syllabus of the SANS Reverse Engineering Malware course. Just using that plan (and not taking their course, which costs a few thousand dollars) I was able to significantly deepen my knowledge in the field of malware analysis, and even ended up passing the corresponding GREM certification exam.

Meeting employer needs

You may have multiple years of experience in a certain area and possess more knowledge about a given subject than some instructors who teach a course on it do. Your colleagues and your employer may recognize and value that, and that is great, but what about your employer’s customers? Any company that has some security product or service to sell (that could be a security solution, support services, consulting services etc.) needs a way to show that the product (or service) they have is backed by a group of talented and smart people, and there are usually only a few ways to demonstrate that, security certifications being one of them.

When I worked as a Security Consultant, my employer even offered a monetary recognition award for passing one of the exams from the list approved by the management. That was another reason I took the GREM exam, and shortly after that the GCFE (Certified Forensic Examiner) exam.

Please do not get me wrong – I am not saying you should invest your time and energy into studying something you have no interest in just to make your boss happy, but if you want to deepen your knowledge in an area, both you and the company you work for may benefit from you getting certified. Furthermore, if you do indeed have all that knowledge and experience, passing a certification exam should not be that much of a challenge anyway!


Getting your brain challenged

Like many security engineers, I enjoy it when I have a hard task to solve. However, as often happens in life, you do not always get to choose, and sometimes a project you are assigned at work is not as challenging as you would like it to be. There are a few things you can do to compensate for an insufficient thinking load, as I discussed in my blog post here, and going for a recognized and reasonably difficult certification is certainly one of my preferred ones!

Although performing vulnerability assessments / penetration tests has never been part of my work, I had heard from many people in the industry that the OSCP (Offensive Security Certified Professional) certification is pretty tough, so I knew I’d have to give it a try. It took me about three years in total, with a number of sleepless nights studying and two failed exam attempts, but eventually the exam was passed!

There has not been a single day that I regretted enrolling in the OSCP journey, primarily because it was a great exercise to level up perseverance, the ability to search and find, the ability to apply existing knowledge to new problems, and so on. Did it make me a professional pentester? Absolutely not, despite what the certification says. I am pretty sure any more or less decent bug bounty hunter would beat me in finding real vulnerabilities in a real application. But I am totally fine with that, because OSCP for me was not about becoming a professional hacker – it was about getting my brain challenged and proving to myself that I am able to solve complex problems.

I have some non-IT training going on at this time, but as soon as it is wrapped up I am looking forward to selecting some other course from Offensive Security and diving into the wonderful world of next-level challenges, which I most certainly recommend you do too!

Closing thoughts

My LinkedIn profile has about 15 items listed in the “Licenses & certifications” section. Do I have the same attitude towards each of them? Of course not! I do not even remember that half of them exist (yes, even now, after having looked at that page 2 minutes ago).

However, each of those is the result of work I put in at some point, out of a desire to familiarize myself with a new topic, deepen my knowledge to the next level, or challenge myself, and having certification badges stored on LinkedIn is a way to quickly demonstrate to potential employers and other people in general what my interests, as well as my learning abilities, are.

Most definitely I do not consider any certification a sign of mastery or professionalism. Rather, when I see candidates who have completed exams I am familiar with, I can make certain overall assumptions about their willingness to learn, to grow, to achieve and to complete.

Certification is not and should not be an end goal, but a way to streamline and organize one’s thought work and self-managed education efforts.

Do you want to learn more about how I come up with a study plan and prepare for the certifications? Or need help identifying what should be the right next step for you in your career?

I am looking forward to hearing from you via LinkedIn or the ContactMe form!