A thread recently came up on TechExams.net forum about the order one got their certifications and which ones helped their career or were unnecessary. I typically don’t try to regurgitate my life story in random places, but I liked the question enough to ruminate on it a little bit. My certification path is a “stop and start” type and requires a few extra timeline points to explain some things.
~1998/1999 – Started blogging – Just a personal milestone for me.
2001 – MIS 4-year degree – A career milestone. I may have felt a little obligated to get this; I mean, after high school, you go to college, right?
2001 – Found a deep interest in information security – Several factors came together to this realization (writing a gaming site post about finding a career by using your PC gaming skills and getting into Linux distros, for instance), but the singular event that really informed me was picking up a random thick book from Barnes & Noble in my earliest efforts to keep learning after school: Hack Attacks Revealed by John Chirillo. The knowledge and attack/defense tools stoked a fire that will not be going away.
~2001/2002 – Started blogging about tech/security & first vanity domain – At some point, I started blogging regularly about tech stuff and security topics, mostly just interesting links and tools. Many of these posts are either lost or buried in another data file backup somewhere along with personal blog postings. After leaving school and leaving their nice hosting, I also picked up my first vanity domain.
2002 – First “real” job – Basically, the real start of my career!
2002-2006 – Lull #1 – My 4 years at this job marked two things. First, I learned an absolute ton and had an absolute blast doing it. I grew by leaps and bounds during this period. Which probably is the reason this period is also marked by no formal learning of certification. I was underpaid by a company that also wouldn’t pay for training, but I didn’t much mind it since I was learning so much on the job. So, this was my first lull in learning, but it didn’t really feel like it. I have a strong nostalgia factor from these years of my career, work- and enthusiasm-wise.
2006 – Security+ – A job change later and I wanted to demonstrate my interest in security better. Before LinkedIn, you really only had in-person networking and your resume to demonstrate security acumen. If your job title was generic, but you managed security devices, it was difficult to show it. Also, I wanted to learn more. Security+ worked great for this. Spent personal time studying books and passed the exam. At the time, this was also a lifetime cert, which was a bonus I wouldn’t understand at the time.
2006 – terminal23.net domain – At this point, my technical blogging eclipsed my personal stuff in both effort and frequency, so I separated them with a second vanity domain. I took some effort to pull old technical posts into this blog, but some much older stuff I wouldn’t bother with.
2009 – CISSP – I also pursued this one on my personal time using self-study books. I would happily pass on my first attempt. Even at this time, there were threads of CISSPs being derided for not actually knowing anything (one guy at my testing center that I talked to was a sales guy on his third attempt, because it was required for his sales position…), but there was and probably still is no better certification to demonstrate interest in and at least some wisdom about security. In fact, this cert probably opened the most doors and got me the most recruiter attention of anything else I’ve picked up, by far. It’s definitely a gateway cert, and I think everyone in security should at least have this on their roadmap. Sure, you can skip it if you have good demonstrable security work and/or good networking, but for most of us, this makes a statement itself. Even now, almost 10 years later, I’m not sure when I will burn it or let it lapse… On the down side, I didn’t get a raise for this, paid for it myself, and didn’t use it to springboard into another job. Maybe a wasted opportunity for me, but I like where I am today for it.
2009-2017 – Lull #2 – During this period, I grew quite a bit with my skills during work hours, but for the most part, I did not pursue any formal education. I signed up for the PWK/OSCP (PWB at the time) cert, but work threw me, well…work, and I didn’t have the time to devote to it, so I let it slide. It didn’t help that my company did not really budget for training nor encourage it; in fact, I had a manager whose teams always seemed to stagnate and work behind the times with old tech/code/habits. I wouldn’t say I coasted during this period, but I was very comfortable and my days were filled with work at a manageable pace.
2017 – OSCP – Finally started getting that bug to get better jobs and re-find my enthusiasm and learning passion that I had in my first “lull” and early years. I decided to pursue the OSCP again on my own time and dime, and achieved it after about 4 grueling months. Of all of my certs so far, this one gave me the most street cred, and for hiring managers who know it, it definitely gets their attention. Particularly the 24-hour exam.
2017 – OSWP – I knew I wanted to keep learning, and I remember the hey-days of war-driving and backtrack wireless cracking, so I wanted to revisit those activities with what I knew was a much lighter cert in the OSWP. Took about 2-3 fairly casual weeks from start to finish. Really enjoyed it, and left me hungry for more.
2018 – CCNA Cyber Ops – I don’t remember how I learned about this, but Cisco basically gave out free training and certification exams for lots of people who already had various industry certs, so I got this certification for free, though I did have to devote plenty of personal time to get it. This didn’t improve my resume at all, but I did like the experience. And I have to be honest, while I kept up with security blogging over many years, from about 2015-2016 I got a little out of touch with the security industry. And taking the Cyber Ops course filled in some gaps of new ideas and things like “threat hunting” and the “cyber kill chain” and “diamond models” which had been basically introduced at the time. Ultimately, this course pursuit got me back up to speed of the buzzwords of a SOC. Unless Cisco builds something compelling around it, I don’t plan to renew this one.
2018 – GCFA – For me, this is the first time in my career I’ve had corporate backing for education, and also marks a culmination of the next part of my career where I have strong, specific goals for growth. Also, a point where I stepped just slightly outside my comfort zone to formally learn something new that I identified as a weak spot.
One thing I will notice in my timeline compared to some other postings in that thread is how some people earn certs and are immediately rewarded with it leading to a new job or a raise of some sort. But, my timeline has almost none of that; many of my certs were earned and I would not say they directly led to a future job. Maybe a few interviews, but certainly not in the same calendar year as the cert was earned. I’ve also had the luxury of not having jobs that required extra study.
I also noticed that I never had (until this year) company or managerial backing for growth like this, and I also never had peers or colleagues who pursued certs or further formal education. That certainly makes a difference, as I do become influence by those around me, as most do. I had to find the effort to self-start, most of the time.
There’s really no way to say it without sounding conceited, but all of my certs came from my own motivation and my own desire to learn and/or demonstrate knowledge in security. That’s not any less or more than other reasons to get certs, but I found that enlightening for me. It also helps illustrate what makes me happy, what drives my passion for this industry, and informs my plans for the future.