u/Efficient-Drive-810

How to actually position yourself to land a cyber role in 2026 (Not Clickbait)

(Burner account, because, reasons.)

There is a never ending line of posts on here about “How do I get into (insert role here)” or “Will (insert certification here) be the best to land me a job?”

Rightly or wrongly, I feel like there are a number of responses to those types of threads that may (or may not) have alternative conflicting incentives, because some of it seems to contradict what both my counterparts in the industry and my staff across organizations have said over the years. I’ve wanted to write this post for a while, and finally found a few minutes to do so.

If there is only one thing you take from this post, it is “With the exception of Security+ should you want a DoD 8140-Compliant Role, NEVER, EVER PAY FOR ANY TRAINING OR CERTIFICATION OVER $150 USD FROM YOUR OWN POCKET UNLESS YOU ARE WELL INTO YOUR CAREER AND IT IS ALMOST GUARANTEED TO OPEN A VERY SPECIFIC OPPORTUNITY FOR YOU”. I will explain why later in the post.

Starting off with those who are either in-school or thinking about a cybersecurity degree:

(TL;DR for this section: With one exception which I will mention, the degree alone will open very few doors these days. Maximize engagement on cyber topics with others outside the classroom.)

A cybersecurity degree on its own carries much less value than it did, let’s say, a decade ago, when having such a degree gave you a walk-on role in at least a few organizations, regardless of actual skill. There are still institutions (both public and private) that pitch high salaries and sky-high prospects right out of college. The question you should be asking these institutions is “Will you put your money where your marketing mouth is?”. Most won’t. Unless the institution is willing to provide a field-specific IBR (Income-Based Repayment), their marketing means next to nothing. It’s just like if I sold you a quit-claim deed to Ford Field in Detroit, for example: I have no ownership interest in the building, so your paper deed is worth effectively zero.

Where in-person educational programs provide value is not in the degree or the course material, but rather in the time you spend with like-minded individuals working on fun projects pushing the boundaries of cybersecurity. When you put together your resume or go into an interview, especially at a junior level, the unique thing you bring to the table is not that you paid for a piece of paper with your name on it, but rather your ability to actually speak to challenges in the cybersecurity space and the things you and others worked on to try solving them.

So what could you do?

  1. If you are thinking about going for a degree program, find one with a verifiable track record and realistically one that backs up their claims with either a field-specific (This is important; you making more money in something else because they didn’t open the doors for you in Cyber should not garner them a payment) IBR or an equivalent.
  2. If you already locked your money into an existing program, invest as much of your time as possible in learning and collaborating on projects beyond just what’s in the classroom. Some institutions do a very good job at facilitating this, many unfortunately don’t.
  3. Internships are much less common than they used to be. If you can get one, great. If not, don’t drain your mental energy on it. The reality is that the vast majority of internship opportunities have pivoted outside of the US (because in many cases those countries actually have incentive programs for the employer to do so).
  4. Once you graduate, market your knowledge and skills, not just your degree, and get involved in as many cybersecurity-related groups as you can (even during college). That’s where you will find the unposted job opportunities that people have out there.
  5. Never forget that if you are a student in an educational institution, you are the customer. If something isn’t right, reach out to the appropriate institutional resource to get it corrected. Do not accept educational mediocrity.
  6. If the cost of a degree is not within your means, read the next section where I talk about pivoting careers.

Like I said earlier, there is one exception to most of what I wrote so far, and it’s not because I have any sort of vested interest in this option, but rather that it has a mostly proven track record in the industry and provides you the extras just by the very nature of the program itself. That would be the SANS undergraduate degree, after which you walk out with nine marketable GIAC certs for the cost of your degree program (If you were going to spend the money anyways; here you get more for it). They tell you that you need to transfer in with at least 70 college credits to start, but those do not need to be at an expensive institution. You can do those at a local community college, or if you hate wasting time and money, earn your base credits via CLEP (which everyone who is taking a degree in any field should be doing anyways in my opinion).

Now pivoting to those looking to shift career paths:

(TL;DR for this section: If your company isn’t paying for your certifications, don’t overpay for them yourself. There are many other options like vendor trainings to get skilled up.)

So you are in IT or another technology role and looking to get into cybersecurity. Many will say “take X, Y, and Z paid cert”. Don’t do it.

There are so many certifications out there that are from vendors and providers these days that unless your employer offers paid certification opportunities (which many, but not all, do if you ask) you should not be paying over $150 for any training or certification.

All the major Cloud Providers (AWS/Azure/GCP/OCI) offer their introductory certifications at no cost if you participate in one of their free training events, and for their higher-level certifications, many of them offer you discounts to bring the cost down (AWS, for example, gives you a 50% discount after every cert you achieve, bringing the cost under $150).

Next are the Product Vendors. Some of them charge sky-high prices for training and certification (which to me has always seemed counterintuitive), but others not only offer the certifications for free or low-cost, they also offer the training for free. For those that don’t, you are a Udemy (or equivalent) course away from landing that cert (and you shouldn’t be paying more than $30 there). Also, just because it’s a vendor doesn’t mean that all of their trainings are only about their products. Some vendors offer broader topics as well.

Then there are offerings like Pay-What-You-Can from Anti-Syphon Training. These are low-cost trainings to get in depth with a particular subject matter. The majority of these won’t buy you bonus points on your resume, but they will help you get more acclimated to a given topic.

As for getting the job itself, the first thing you should do is look internally. I have brought on people from other parts of organizations over the years because the amount of time we may need to spend to skill up someone who is motivated to be in the role pales in comparison to the amount of time spent getting to know the ins and outs of the organization.

If there is nothing internally, connect with your network of friends and colleagues on LinkedIn. Odds are if people trust in the quality you bring to your day to day, some just might move mountains to see if there is a role out there in their connections, especially since you may be able to do the same for them in the future.

So what could you do?

  1. Unless your company is paying for it, do not buy pricey trainings and certifications (>$150 USD). There are almost always lower cost alternatives, such as Vendor and Cloud Provider Trainings and Certifications that can open the door to function-specific roles, along with Community-Driven Knowledge Sharing that will broaden what you know about in-depth topics.
  2. If (and only if) your company is paying for it, here are the top cybersecurity certs I see companies (and to the core of the hiring process, HR Screeners) caring about:
    1. For Offensive Security, OSCP (from OffSec). No other cert comes close when it comes to acceptance or recognition by a serious employer. CPTS and maybe even PNPT might be even more technical than OSCP, but in the job market it’s not even a contest as to which one more recruiters are filtering you on. This may change in the future.
    2. For Defensive Security, GCIH. Again, it’s not even close. (Opinion: My personal take is that GDAT is a much better fit for this; it actually is much more rounded and in depth in my opinion, and the basics of incident handling do not need a SANS-Level-Expense course to learn, but GCIH is what the filters are currently looking for).
    3. (Bonus) For AI Offensive Security, none are mainstream just yet, but OSAI is looking to be the most promising in validating the quality of the candidate’s actual skills.
    4. For Other Topics, it gets a bit too unclear to recommend just a top 1, but those other topics are also not ones you should be trying to hard-pivot to on day one, so you should already be able to get to know what makes sense for you once you are in the field itself.
  3. Because of the past 5-10 years of “Do cybersecurity because it pays well” marketing, you are competing with A LOT of people with VERY different levels of actual knowledge. Just like I mentioned in the college section, differentiate yourself with examples of what you can actually do and/or have done, not just that you got any given certification or degree.
  4. When going into the interviews themselves, prepare to be able to actually speak about what the role is specifically looking for. That's not to say you will always know 100% of every topic, and if you don't know something, say it. Trying to fumble a random answer that is almost certainly incorrect only shows that if a situation arises in your actual work, you may not end up taking the right course of action and escalating in a timely manner.
  5. Interviewers know when you are using AI or looking something up. The screen overlay or separate screen fools very few people. Unless the interview explicitly allows AI usage for a specific reason, don't use it in the interview.

To close out this post, I want to say that the most important thing you can do, regardless of degree or education, is making sure that the financial decisions you make have a high likelihood to actually provide you a meaningful return on your investment of both time and money. Way too many people are pursuing educational paths that will never provide this, and this is a very serious problem (but I won’t get into that topic due to how much it’s tied to politics, even when it really should not be). Lastly, don’t forget that there are other learning paths as well, such as Apprenticeships, Self-Learning, and Trade Schools. There is no “One size fits all” and what may be the right path for you may be very wrong for someone else.
