To cert or not to cert? That is the question!
Over the weekend I sat for and passed the exam for CompTIA's SY0-601 Security+ certification.
In my previous blog post, I talked about the resources I used to study and different strategies. Out of all the sources I used, I enjoyed CompTIA Security+ Get Certified Get Ahead SY0-601 Study Guide by Darril Gibson the most. As the date approached I had to consolidate and concentrate on only one, and I chose this book.
Before registering for CompTIA's Security+, I had already received Certified in Cybersecurity by ISC2, which I feel is a true entry-level certification compared to Security+. Certified in Cybersecurity gave me a strong foundation, and I guess you can say having received this certification in June 2023, means I have been studying for Security+ for 3 months.
A month before taking the exam, I started reading CompTIA's official study guide. I used the lesson summaries and review scenarios to write my notes. As I stated before, as the date kept getting closer I had to switch my strategy.
Darril's book contains 15 practice questions at the end of each chapter, as well as a pre and post-assessment. Before I read the complete chapter, I would read the summary, answer the practice questions, and then go over the sections I answered incorrectly in those practice exams.
Certifications are a very polarizing topic when it comes to the cloud and cybersecurity industry. The main two camps: To Cert camp, and Not To Cert Camp.
Because companies are still trying to figure out what cybersecurity is, job descriptions are as diverse as the amount of cybersecurity certificates that exist on the market.
The To Cert camp firmly believes that certifications are mandatory, as they ensure that the candidate has the theoretical knowledge necessary for the position. But sometimes the To Cert camp includes people who are not very knowledgeable about cybersecurity at all, this could be HR department or anybody else in the organization, and based on surface-level research, they determine that CISSP, as an example, is a requirement for a position that is entry-level or pays less than what somebody who possesses the CISSP should be earning. This could lead to somebody believing that the CISSP, or CCSP, is for beginners and not for established industry professionals who have at least 5 years of experience.
Not To Cert camp holds the position that certifications are a waste of time, and do not actually mean anything because anybody can just read a book and pass an exam. People on this side of the debate believe that skills trump all, this leaves those who are trying to break into the industry in a difficult situation
How can people without certifications prove to employers that they have the knowledge they say they have? How can they get potential employers to trust them based on their claimed skills?
I am somewhere in the middle when it comes to certifications. I think that these certifications are a roadmap, a helpful tool that can guide people through the process of learning the skills needed to be a cybersecurity professional. But certifications alone are not what will land a person a job. Upskilling requires creativity and the ability to supplement theory with praxis.
To use myself as an example, I am currently working through TryHackMe's SOC Level 1 training, and plan to start the Pentest+ path towards the end of the year. I am doing these in addition to obtaining the CySA+ and Pentest+ from CompTIA. Being able to practice using tcpdump, Splunk, or even Wireshark will help reinforce the material I am using to study for the certificates. Keywords: in addition to. Not "instead of".
Always remember, that everything needs to be balanced. Certifications give you the language needed to speak when interviewing, and when you need to effectively communicate with your fellow workers. Getting creative with your home labs is what will give you the confidence to tell people that you know how to perform the tasks, and the theory, you learned from any certifications you have under your belt.
In my next blog post, I will discuss the resources I am using at home to learn new skills.
If you are just like me, starting in this industry, do not be scared, do not be worried. Just remember something very important: every CISO had to start from the bottom just like the rest of us!
Until next time!