A casual letter from me to you about your career in cybersecurity
Cybersecurity Education and Certification is, like any other profession, filled with plenty of options for you to choose from. To people new to the profession (and sometimes to those of us who have been in for a long time), it is sometimes difficult to chart a path forward. Which certification do you start with? Which one is better? Which one will make you more employable? How does one certification compare with another?
Of the big three cybersecurity certification bodies, each of us has a marketing department that will craft any number of blog entries and promotional brochures claiming to answer those questions for you. I’m not in marketing. I head up a different department (more on that in a different blog post). While I’m not in marketing, I do have twenty-some years in cybersecurity education. This means that if you have recently graduated high school and are entering the workforce or starting your advanced education, then I taught my first hands-on hacking course before you were born. And while age and experience aren’t a guarantee of wisdom, they do provide a certain perspective. But this isn’t about me or the company I work for; this is about you. Grab a cup of your favorite beverage and let’s talk about careers in cybersecurity and certifications.
The Short Version
The best certification is the one that starts or moves your career forward. Not sure which one that is? There are a couple ways to arrive at an answer to this question.
- Ask a friend or mentor who is already doing the job you want to do. How did they get there? What skills do they have? What recommendations do they have for you?
- Jump on your favorite job site and search for jobs that sound like something you want to do. Look at their qualifications and look at your skills. If there is a gap, then plan accordingly.
Trying to identify the ‘best’ certification in a vacuum is useless. Where do you want to live? Do you want a job in the public or private sector? Are you working as a freelance or independent contractor? Do you want a job that will let you work from a beach in Bali? What about benefits, job security, vacation time, work/life balance? No certification in the world will make a job you dislike better.
Take an active role in your career development. Identify where you are. Identify where you want to be, and then choose the certification that is best for you to get there. If that’s one of ours, great! I hope to meet you at Hacker Halted. If it is not one of ours, also great! In either case, do what is best for you, your career and your family. Now, if you would like more details or are still not sure where to start, read on for ‘the Long Version’.
The Long Version
Step 1: Stop Comparing the Price of Certifications
Head-to-head comparisons written by a certification body about its own programs are marketing pieces designed to separate you from your cash. These comparisons are useless in helping you choose a certification. Remember: the ‘best’ certification is the one that helps you pursue the career of your dreams. Comparing the price of two programs and claiming one is ‘better’ than the other because it is cheaper adds nothing to the conversation.
Let me give you an analogy: You need transportation. You can buy one car for $346 or another one for $1299. Both will get you to work, so you should go with the cheaper one, right? In a vacuum, sure. But we don’t live in a vacuum. Let’s take a look at those two cars. The cheaper one is a brand new model and on its first rev. The more expensive one has been around over a decade and completed 10 revisions. Spending $346 may save you $953 today. But what happens when the less expensive car breaks down all the time or is retired by the manufacturer after three years?
Like a car, a certification is the transportation to employment (a new job, a lateral move or a vertical move). Choosing one with a proven track record in the field is important. New or niche certifications come and go.
Step 2: Professionalism vs Ethics
Cybersecurity is conflict management. There is a reason our culture pulls imagery from the martial arts; martial arts are individual conflict management at its best. I’ve trained and taught in a wide variety of dojos in my time, and it is within the experience of the dojo that we find the best way to describe the difference between professionalism and ethics.
Professionalism is the culture of formality within the dojo. This culture dictates the process of how you learn, teach, practice and progress in skill, and it varies from school to school. I have attended some classes that are very formal: proper dress, etiquette, and even language are heavily prescribed to the point of near ritual. Likewise, I have attended classes outdoors, in street clothes, where the language is casual and the process open and organic. One is neither better nor worse than the other.
This spectrum of culture exists in the cybersecurity realm. Employment in the military, government, or the contracting houses that support them is heavy on protocol and formality. These jobs have clearly defined (and documented) processes and procedures for everything. Your career progression track is well defined and will clearly identify what certifications, education and years of experience you need. All you need to do is grab a copy of the career path from Human Resources and follow it. The choice of which certification to pursue in these environments is not up to you.
The best practices, policies and procedures (the ‘professionalism’ of your employer) will vary from place to place and maybe even project to project. Being able to adjust your conduct to match takes time and experience; it is not something that is easily tested or taught in a seminar.
Ethics and ethicality are different from professionalism. Whereas professionalism will vary, ethics do not. Let’s go back to the dojo example.
In a dojo, you learn how to fight and defend. These skills by themselves have no moral value. A middle punch is a middle punch and stands alone as such. Every dojo I’ve been in, as a student or teacher, teaches when it is right or wrong to throw that punch. A framework is provided to help students understand that the circumstances (time, place, relationship between the combatants) will dictate whether you are the hero or the villain for throwing that punch. This ethical framework helps the young student understand when they should or should not do harm to another person. No matter the professionalism or formality of the school I was in, ethics were a part of every class.
The skills acquired during a career in cybersecurity may be used for good or ill. Exploiting a 0-day in a server, like the middle punch, has no moral value of its own. The ‘E’ in the C|EH provides the practitioner an ethical foundation within which to practice their art. No amount of professionalism or business process can help you with right or wrong. Multinational hacker groups have lots of best practices, but that doesn’t make their actions any less illegal.
Step 3: Understanding how your Employer Uses Certification
The best certification is the one that helps you along your career path. If you are currently employed, speak to your immediate supervisor or human resources department about what they recommend. If you are looking to land your first job and don’t know where to start, head over to your favorite job site and enter the names of the various certifications in the search bar. Now take an hour or two and go through the results. Whichever certification you entered, you will find thousands of job openings listing it. Take a look at the companies: where are they, what industries do they support? Do your research; look at big and small shops and at the public, private and academic sectors. Look at pay scales, locations, telecommuting options. Find your dream job(s), look at what they want in a candidate and adjust accordingly.
One of the best documented employer certification uses is the US Department of Defense. In order to operate on a US DoD network (either as an employee of the US government or as a contractor) you must obtain and maintain certain certifications. These requirements are spelled out in DoD 8570.01-M and DoD 8140.01. 8570 was the original mapping of industry certifications to DoD job roles. 8140 has updated some things; however, the original 8570 mappings remain in force and can be found here: https://iase.disa.mil/iawip/Pages/iabaseline.aspx. If you really want to read up on how the DoD is doing things, check out https://dodcio.defense.gov/Cyber-Workforce.aspx.
You may have read or heard about the NIST/NICE Framework. From the NIST website:
‘The NICE Framework, NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. The NICE Framework establishes a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors.’
This framework defines 7 categories, broken down into 33 specialty areas and 52 work roles. In turn, each work role is mapped to Knowledge, Skills and Abilities (KSAs) and to Tasks. The DoD Cyber Workforce Framework does leverage the work roles from the NIST/NICE Framework (see the link to the DoD CIO). However, the ultimate authority for the mapping of cybersecurity certifications to job roles within the DoD is 8140, NOT the NIST/NICE framework. In the future, we may see subsequent versions of 8140 pull in more of the NIST/NICE framework, but for now, the original 8570 mappings are the standard.
To understand the scope of NIST/NICE and what it takes to fully map to it, look at the mapping document EC-Council published. Yes, it is a 350+ page document mapping the entire EC-Council offering to the framework, work role by work role. This is the level of detail and effort required to bring together training and the framework. It is a bit more than ‘we map to NIST/NICE’.
The DoD baseline certification map lays out which certificates qualify you to perform at a specific level. In every case, there are several certificates to choose from for each job category and level, and you, the employee, need only one of the listed certs to qualify. The C|EH certificate qualifies you for:
- CSSP Analyst
- CSSP Infrastructure Support
- CSSP Incident Responder
- CSSP Auditor
This is no more and no less than any other vendor’s certification listed for those same four positions. Possession of any one of the listed certificates qualifies you for exactly the same four jobs. In this context, NIST/NICE (or any other framework) has NO bearing on your employability.
If you have made it to here, then congratulations! You have passed the first step of taking control of your own career destiny. This is the first in a line of career blog posts aimed at helping you take control. And don’t take my word for it. Go out there and do your own research. Look beyond the marketing materials. Look at course outlines, talk to other practitioners. Be proactive in managing your own destiny. You are your own best advocate and only you can make the best decisions on what happens next.
One Last Thing: The Value of Testing
To date, the market is flooded with ‘performance based multiple choice’ exams (we are no exception). Understand that testing method for what it is: a limited view into a vast skill set. Multiple choice does not require you to know the correct answer. It only requires that you be able to rule out the three incorrect answers (the distractors) among the four options. My team and I are working hard to address that (more on that much later). Despite its limitations, it is what the industry has adopted.
Taking a course and passing a test may get you in the door. But they are no substitute for skill, passion, and a dedication to lifelong learning. Spending money on education (even if your employer is paying for it) should be done with care. Take ownership of your future, explore options and make a decision that is best for you and yours. Like I said, if that is with us, then welcome to the EC-Council family. If not, that’s ok too. Just be sure you are making a sound decision based on your own research.
Now go do good things in this world.
About the Author:
Tim Rosenberg is a renowned cyber gamification expert and the Executive Director of EC-Council Research. Tim was an Associate Research Professor at the George Washington University, where he taught Information Warfare and Computer Security courses, as well as an Adjunct for Georgetown University’s Security Studies Program. He designed, built, and delivered every aspect of cyber exercises, including a comprehensive scoring engine capable of scoring offense and defense players across multiple exercises. Tim also uses his love of tech education and travel to support charity work at Hackers for Charity and Beyond the Mountain. Through these two charities, he has traveled to Jinja, Uganda, and the Solukhumbu District of Nepal, helping to build tech-driven educational solutions for remote and austere environments.