If learning is the objective, you can find most things on the internet for free (or very cheap). You can even purchase official certification study material and learn from that. When you embark on a certification journey, it is either because you need it for clearance, or you wish to validate or prove your skills to a current or future employer.

When it comes to security certifications, there will always be different views. This is largely fuelled by the lack of standardisation in the industry. Some people respect it, while others don’t. Both can make compelling arguments to support their viewpoint. The objective of this article is not to support either viewpoint, but rather to share my opinion based on personal experience.

Entry Level Certifications

If you don’t have any experience in security, starting with an entry level certification such as CompTIA Security+ or ISC2 SSCP is a good approach. Both are relatively affordable compared with most top tier security certifications. There are other options such as Microsoft Technology Associate (MTA) Security Fundamentals or ISACA CSX Cybersecurity Fundamentals Certificate, but I have yet to see a job advert asking for them. GIAC Information Security Fundamentals is meant to be an entry level certification, but this is more aimed at millionaires; it costs almost double the price of a CISSP.

Choosing the right certification

If you are committing to certification, you are about to invest a substantial amount of time and money, therefore there must be the prospect of a return on investment. It is unlikely that you are considering a certification because it’s a fun journey.

Certifications should be selected based on what is in demand and popular in the industry. This is important because something only becomes popular and in demand if the industry has accepted and adopted it, and job adverts are asking for it. As an example, I have never seen a job advert asking for a Mile2 certification, but every second job advert is asking for a CISSP, CISA, CEH, or CISM. Naturally, I won’t spend my time and money doing a Mile2 certification; there would be no return on investment for me based on my assessment.

If you are unsure about where exactly you want to be in security, there are certifications that are a good bet regardless of where you eventually decide to specialise. In my opinion, the following certifications are a good idea if you are still finding your way in security: Security+, SSCP, CISSP, and CISM.

Are Certifications Important?

It depends on who you ask. In my view, certifications are and remain important if companies are still asking for them.

Are Certifications Worth the Investment?

If you select the right cybersecurity certification, and commit to immersing yourself in the content, it will be valuable. Exactly how valuable will depend on how you obtain it (brain dumps vs. actual research and labs); it truly is what you make of it. Personally, I use certifications as a springboard for other learning: I study the syllabus, which then leads to additional research and learning outside of the syllabus.

In summary, to win the game of cybersecurity, you must play the game until you get to a level where you can change the game. If you are trying to break into the cybersecurity field or get promoted in this field, don’t spend your time and energy arguing about whether certifications are important, how expensive they are, and so forth. Right now, most jobs are asking for them, therefore they are important to the job seeker and worth investing in.

Disclaimer: I list examples of specific certifications in this article. I am fully aware that there are many alternatives. I am sharing my opinion based on my experience. I am not considering the cost of certifications, only the perceived value, based on demand in my own experience.