Choosing a Security Certification
Last week I realized how valuable certifications are in the information security industry. Most security jobs nowadays require them or value them in choosing a candidate.
When I first started my search looking for a certification to start with, I thought “might as well start on the CISSP”. It is the gold standard in information security. Why should I work my way up, spending hours studying and preparing for smaller tests, when I could knock it all out with the big one? That was until I started reading up on it.
After watching YouTube videos and testimonials on the internet, it turns out the CISSP is the gold standard for a reason. With a pass rate of only 20%, the test takes 6 hours (or at least that is how much time they give you) and covers 8 domains. I think the YouTube video that really convinced me it wasn’t the test for me was one outlining the study routine of someone who “barely passed”. The YouTuber said they spent over 6 hours per day studying on the weekdays and between 8 and 10 hours on the weekend.
Simply put, I just don’t have the time to take something like that on right now. Right now, spending an hour at the gym after work is required. After making dinner and walking the dog, I have about 2 hours per night I can dedicate during the week to studying. On the weekends, I work on the house I am flipping at least 8 hours per day Saturday and Sunday. Once the house is complete later this year, I could dedicate more time.
Given the amount of time I have to spend on an effort like this, I needed to look at smaller certifications. Not only would the certification be something I could add to the resume, it would sharpen domains that I have little experience with in preparation for a bigger test (like the CISSP).
After a few hours of research, I slimmed it down to three “entry-level” certificates: SSCP, Security+, and CEH. Same thing here, I downloaded the material I could find on the web around what I’d be learning, watched YouTube videos, and even took some practice tests to get a feel for what kind of questions they would be asking.
They all seem great, but given the domain coverage and popularity, I’m going to start with the Security+ cert. I think I will go back and get the SSCP after (mainly because I think staying with certs in ISC2 will get me ready for the CISSP in the future).
I added some information that I found in my research for you to use in your own selection. I’ll report back on how I’m going to study for this cert.
Sources:
https://www.isc2.org/Certifications/SSCP
https://resources.infosecinstitute.com/certification/certified-ethical-hacker-ceh-certification-overview-of-domains/
https://www.comptia.org/certifications/security
https://www.youtube.com/watch?v=9Ci8QPpKXzQ&ab_channel=JonGood
https://www.youtube.com/watch?v=O2VstOGBHbU&ab_channel=ILikeToHackThings
SSCP (Systems Security Certified Practitioner)
Domains
Access Controls
Security Operations
Risk Identification, Monitoring, and Analysis
Incident Response and Recovery
Cryptography
Networks & Communications Security
Systems / Applications Security
Cost: $250
CEH (Certified Ethical Hacker)
Domains
Network and Communication Technologies
Information Security Threats and Attack Vectors
Information Security Technologies
Analysis/Assessment
Information Security Controls
Tools/Systems/Programs
Procedures/Methodology
Regulation/Policy
Ethics
Comes up a lot on job postings
Might be right if you are looking to get into pen testing or ethical hacking
Cost: ~$600
Security+
Domains
Network Security
Compliance & Operational Security
Threats & Vulnerabilities
Application/Data/Host Security
Access Control
Identity Management
Cryptography
Cost: $339
More companies look for this certificate for entry-level roles