Cyber Security Certifications are USELESS if You Don’t Do These Things…

Credits to https://pauljerimy.com/security-certification-roadmap/

I am seeing a lot of people who work on achieving certifications in the cyber security field mainly because of the following:

1. Increase their chance of getting hired because some of it are requirements for the position
2. To keep up with the other cyber security experts because they think it is a race and they’re getting left behind
3. To learn about the topic since it tickles their curiosity
4. And many more…

In this article, I will share my observations about the people chasing multiple certifications in the cyber security field and how some of those people still fail and how the other people succeed further on their career.
Certification is good if used correctly so I hope my observations will add value to you.

Here are my Observations:

1. A lot of the people who have certifications still do not pass the technical exam filtering
   .
   There are common pattern that I saw why they failed.
   Here’s the list:
   a. Most of those people have certification exam that is only multiple choice so when they’re doing the technical exam, they have the theoretical idea but they cannot do it and play around the challenge because they are not completely confident on getting their hands dirty about the topic.
   b. Even though some of them have practical certification exam, most of them do not continue to use it afterwards and develop it further. Every skills you do not use within those certifications will fade away so when the technical exam comes for them, they are not confident anymore to do it.
   .
   Surprisingly, I still see some few people who aced the technical exam even without certifications because they focus on gaining hands-on experience about the topic instead of chasing multiple certifications whether it is on their home lab, on the job or however they can apply it legally.
   .
   I also see some people who aced the technical exam that has certification because they continue to use it after the certification training and keep on honing it as the time goes by. This makes them confident about the topic so throwing these technical challenges to them is achievable to them.
2. They made certification as the ranking in the field of cyber security
   .
   I remember when I opened my LinkedIn, there are a lot of guys that keep on coming back again and again to view my profile. When I asked them why, they said they’re checking and comparing my certifications to some of their cyber security friends and to themselves as well. Then few days from that moment, I saw some posts that those guys were so proud that they already surpassed me in the field and so on…
   I’m happy that they achieved those well respected certifications but to make it as a measurement of surpassing someone is not right for me. Here are the following ideas why I think of that:
   .
   a. TIME : Not everyone have time to chase certifications. Most of the best people I know in the cyber security field is too busy in practicing their profession and digging deeper on their field by gaining real life experience than chasing countless certifications.
   There is this guy that I hired way back 2016 in my own company that was really good in hacking web applications and he does not have any certification, he said that his time is mostly consumed in bug bounty hunting or reading some other findings from other bug bounty hunters.
   .
   b. MONEY : Not everyone is interested to spend thousands of dollars for expensive certifications. Some of them prefer to spend it on a house, car, investments, businesses, for their children’s future or any other things that must be their priority in their personal life (some of them spent it in other way where they can practice their cyber security skills more effectively than having those certifications). Also, not everyone of them have the opportunity to afford those or have an employer that will pay for those. You having a generous employer that helps you pay for a lot of certifications does not equate for you in surpassing other cyber security people in the field that has less certifications than you.

What Should We Do to Not Make Those Certifications Useless?

Here are the things I am focusing on that might be also helpful to you:

1. Continue on practicing and applying all of what you learned in the certifications even after the exam. Keep on developing it into a much more sharpened weapon.
2. Chase practical experience on your specific field rather than chasing certifications. If the certification exam is practical then it can be also a good thing to have but it is still better to have real life experience if there is a chance to have it. There are also cheaper practical certifications and trainings out there which is less than a thousand dollars like CPTS, CRTO, CRTP, MalDev Academy etc.
3. There are also a lot of cheaper alternative labs online where you can continuously apply and hone your skills in cyber security like HackTheBox’s Machines and Pro Labs for offensive security and BTLO/LetsDefend/CyberDefender for defensive security. For my experience, creating your own lab to practice can also be helpful to learn more practically and realistically in-depth and to know what you are securing or attacking.
4. You can contribute to the community by creating something on your chosen field that can benefit everyone. You might be criticized, yes, that’s part of the game but although a lot of the people are just trash talking, there are still few people who will tell you properly what you can improve and this will become a great lesson for you to grow rapidly compare to a lot of people who are afraid to take risk and get criticized then do nothing.

Conclusion

The goal is to be really good in real life scenarios and not in some kind of CTFs or exams. Use certifications to gain new insights and to sharpen your skills not because you want to keep up with others. Lastly, even if you don’t have those fancy certificates, if you really know what you are doing then you will get a job since at the end of the day it’s much better to be hired on a company that value those people who really know their craft instead of those people who just rely on certifications.

I have a lot of other observations but to keep this article short, I will save it for later. I don’t want to spend my whole day writing an article because you know, I must practice and honed those skills I got on those certifications and on my chosen field continuously ;)

Happy Hacking!