
Let's Get Real About Security Certifications: Do You Really Need Them?




Introduction: The Certification Dilemma

It seems like everyone has their own opinion when it comes to whether or not a budding security professional requires certifications, but what is correct to believe? While many people in the infosec industry agree that security certifications (such as the Security+ exam and other CompTIA certified courses) are the correct and only way to go about entering the field, we have to consider one very important group that often gets overlooked:


Students!

According to numerous sources, the number one concern of university-level and graduate cybersecurity professionals is the struggle to obtain security certifications in order to qualify for a professional role in information security. However, many college-level kids are unable to do that due to the hefty cost of obtaining a CompTIA certification, in addition to purchasing the associated bootcamps, textbooks, and other instructor-led materials that result in better passing grades for exams. While the usual hope is that companies will help out fresh new hires by paying for certifications, let's face it: the economy isn't doing so hot at the moment, which means that even the cyber job market (while better than most other job prospects) is getting competitive.


Many employers are looking for highly technical individuals with seasoned experience in the cyber field, and a lot of times, those standards don't apply to baby-faced college students (sorry kiddos). According to some insider sources, many HR representatives don't even look at a job application if it does not include basic security certifications like Security+, Network+, or the CISSP. So what do we do about this "certification dilemma"? Countless students are frustrated over whether they should spend loads of money on obtaining their certifications before getting a job, and employers are frustrated because they are missing out on viable new recruits and talent.


COLLEGE/GRAD STUDENTS LISTEN UP! This is what you need to do in order to score a great cybersecurity job after school and get your certifications WITHOUT breaking the bank:


1. Shop online for the best deals and discounts.

Guess what: You don't have to spend all of your hard-earned university dollars on certification materials! There are so many great discounts and deals out there to help students obtain their certifications at a lower cost, so take advantage of them! CompTIA has a few discounts for students if you put in your university email. See all of the great deals here. By shopping around for the best deals, we guarantee that you will find some good options available for your specific price range and needs.


2. DO BUY THE BOOK

At Silicon, we realize that a lot of the certification materials out there are very expensive (many are over $3000), which is why we like to promote all of our cybersecurity material for free! Therefore, we definitely don't recommend paying that much money for an entire certification bundle. A bundle usually includes the textbook, study guide, practice exams, self-guided or instructor-led courses, and usually an exam voucher plus an exam retake. While difficulty levels vary, most people who have passed security exams found that they did not need to waste their money on all of those resources. We aren't saying that you shouldn't buy the resources that you feel would most benefit you, but the book is definitely non-negotiable! Bottom line: BUY THE BOOK, and the rest is up to you.


3. Make a rigorous study schedule.

If anyone has ever been a student before, we all know that when we say we're going to "study hard" every day, things don't actually go according to plan. When it comes to studying for security certs, you need a study schedule and you have to stick to it. Do whatever you need to do in order to make it happen. Schedule your exam, put it on your calendar, put study hours on your calendar, go to a coffee shop, study by yourself, study with a group, WHATEVER YOU NEED TO DO and you will get the grade you want. Even if you aren't a major studier, trust us when we say that for these exams, you need to study. If you don't feel like studying every week leading up to the exam, some people have found that blocking off two weeks to cover the material works out well for them. It's all about your personal preferences and figuring out which study schedule works for you.


4. Advertise your certification progress on resumes and LinkedIn

It is true that some companies may lose interest in job candidates who do not yet have their security certifications, so that just means you need to show them that you are serious about getting a cert and that you are taking active steps to achieve it. Post on LinkedIn, and note at the bottom of your resume, when you expect to obtain your certification, and hold yourself accountable to fulfilling that future goal. However, this does not mean that you should not be honest about your current progress! So many employers complain about candidates who have lied about their skills on resumes and LinkedIn, SO DO NOT BE GUILTY OF THIS! Know when to push your luck on how much skill and knowledge you actually possess (certifications do not apply).


5. If you're feeling confident, buy a one-time exam voucher.

Some important questions you may need to answer before you schedule your cert exam:

  • How well do I know myself? Am I a studier, or a procrastinator?

  • How much existing knowledge (outside of certification material) do I currently have about information security?

  • Am I confident in my ability to get good grades? If so, what did I do to make myself successful in that area?

If you answered positively overall to these questions, then you should be fine buying a one-time exam voucher and passing your exam in one try. Like we mentioned earlier, exam bundles tend to be pretty pricey, and while that bundled re-take voucher may help to ease your anxiety about taking the test, you may not even need it! If you've been dabbling in the cyber field for a few years now, you could pass Security+ and Network+ in one try no problem and save major bucks. However, if you don't want to chance failing the exam, then you don't have to buy a one-time voucher. Do whatever you feel comfortable with because that is the best plan.


6. Utilize free online resources

Just because something is free doesn't mean that it's not valuable! Here at Silicon, we love free stuff and we think everyone deserves to try it! There are so many great certification resources out there that don't require many dollars, so take advantage of them. We've included a short list of materials here, but don't be afraid to scour the amazing Internet for more!

  • examcompass.com - Free multiple choice CompTIA practice exams

  • Professor Messer - Free CompTIA certification training

  • Ian Neil's Security+ Website - Author of Security+ training book, but his website offers definition breakdowns, flash cards, labs, and mock exams! Definitely check this one out.

  • Reddit CompTIA forums - May be nice to get some opinions from people who have already taken the exam!

*On that note, you could also see if you can get a free textbook or study materials from someone you know that has already taken the exam!


EMPLOYERS LISTEN UP! This is what you need to start doing in order to secure the BEST cybersecurity talent for your company:


1. Don't let HR choose cybersecurity job candidates.

To a college student's great distress, the main thing that we worry about is an HR rep who doesn't know squat about security looking at our resumes and saying "No certification? Welp, let's just throw it in the trash!" Companies often deny that this is the case, but we know for a fact that it happens all the time and it's really frustrating. We aren't saying that HR shouldn't be a part of the recruiting process because most of the time, that's what they do best! However, when it comes to picking the right person for a security job, HR misses out on the perfect candidate because they don't check the certification box.


Most security professionals understand that just because you don't have a certification, it doesn't mean that you aren't technical or don't have the right skill set. That's why when looking for the perfect cyber candidate, you should match up a security person with another security person so that they can talk real security. Or, if your security personnel don't want to help with the recruiting process (because it's a lot), train your HR teams to specifically recruit cybersecurity personnel. Help them understand what kind of potential they should be scouring for and draw out a clear outline for what you expect out of a cyber candidate.


2. If a job candidate doesn't have their security certification yet, still give them a chance!

The old saying "never judge a book by its cover" applies here. Even though it may be frustrating that a job candidate doesn't have their certification yet, don't pass them over right away. They may have great potential to contribute to your security team and company for years to come! If anything, many employers complain that after hiring someone with a required cert, they aren't right for the job at all, and they wish that they had cast a wider net. Therefore, try giving someone a chance before you dismiss them for not having a certification, and at least ask if they are planning to get one anytime soon.


As we previously discussed, education is really expensive and obtaining certifications falls under this umbrella of money. The great thing about the cyber industry is that employers tend to be more understanding towards those who have not had a traditional educational upbringing. Since people can learn technical skills predominately from the Internet and other public resources, just keep in mind that self-taught training can sometimes be better than a certification title.


3. Soft skills are just as important as technical know-how.

It's important to keep in mind that while technical skills make up pretty much all of the infosec industry, you can't always teach someone to have that "special something" that makes everything go smoothly. Soft skills are just as important as, if not more important than, technical knowledge because when things explode (which they do quite often in this business), we need team players who are used to cooperating and communicating well to get stuff done. Ask yourself during the interview process if the candidate you are interviewing possesses these qualities:

  • Strong yet respectful communicator

  • Cooperative (works well on a team)

  • Has the potential to be a great leader

  • Has the potential to support people and get the job done

  • Good at listening

  • Takes criticism well and applies corrections

4. Find people who think outside of the box: not people who check all of your boxes.

For most security people, certifications are an afterthought, not the main event. It's just how we operate! We love to think outside the box, we love to be challenged and to mess with things, and overall, you have to know, we are very creative. Although it's very easy to dismiss a potential candidate who doesn't check all your boxes, maybe it's a good thing that they don't. Finding highly qualified security professionals is never an easy task, but if you're able to find someone who is a creative thinker, problem solver, and is eager to be challenged, that could be just as good as a unicorn who graduated from Harvard with a PhD in Artificial Intelligence (we are calling them unicorns because they simply don't exist). There are a lot of experimentally creative individuals in the cyber world, and that's what makes them great at what they do. You don't want to dampen that creativity by forcing people who are naturally out-of-the-box thinkers into a boring checklist.


Conclusion

Some people approach their cybersecurity careers with high enthusiasm and creativity, and they believe that obtaining a certification can put a damper on all the fun that comes with being a hacker. On the other hand, there are those no-nonsense professionals who believe that a certification is a non-negotiable requirement for getting your foot in the door and establishing your career. Despite these polarizing opinions, we can all agree that lacking a cert should not be the end of anyone's career in information security. Therefore, whether you are a student or an employer, we could all be a little more open-minded and understanding when it comes to the recruitment process.


Employers shouldn't just focus on checking the "certification box" if they are looking for an amazing team member. Technical skills can be taught, but you know what you can't teach? The act of someone loving cybersecurity with all of their heart (awww). If you find someone with incredible qualities for the security field but they don't yet have a cert, ask them to get it soon or on the job to satisfy the requirement. For students, check out these after-college job tips to help you land your dream cybersecurity position! Remember that your potential is only as good as what you make of it, but while you're on the hunt for a good opportunity, you should probably get your certification at some point. Don't let anybody hold you back if you don't have one yet, but be realistic when picking your battles. Good luck out there and tune back in to Silicon for future advice on what to do after college in the cyber field. ;)


Other Job After College Tips:


  1. Attend in-person company recruiting events.

  2. Never burn bridges.

  3. Study up on current events and topics that don't have to do with class.

  4. Find a mentor!

  5. Make friends in the industry.

  6. Don't rely on LinkedIn for finding a job. (Most people don't ever get a reply back)


