Mark Davis is the Managing Director of Fullstack Cyber Bootcamp, and is the author of Hacking 101 and Breaking Into Cybersecurity. In this post, he gives advice to students at Fullstack Cyber Bootcamp about technical certifications.
As a student at Fullstack Cyber Bootcamp, there are a number of different certifications you can try and earn, either during or immediately after the bootcamp. You can see the certs on the bottom row of the course poster.
One key point is that all of the certs are optional. So a lot of students ask us:
What certs should I try and earn?
In other words, they want to know which certs they should prioritize, and which ones they can potentially skip.
The answer is simple: it depends on your situation, and your career goals.
For example, are you going to work on the red team or the blue team? Are there any infosec niches that you're going to specialize in?
Every situation is different, and so is the perfect mix of certs.
But that being said, I want to provide you with a template that you can use as a starting point to figure out the best mix of certs for you, as a student going through Fullstack Cyber Bootcamp. Then you can modify for your particular goals.
Before I give you my advice, let me be clear about the mission behind Fullstack Cyber Bootcamp.
We are NOT a certification test prep center.
There is no stigma around taking (or not taking) any of the optional certifications. We don't claim to teach everything you'll need to pass each cert exam (and we don't want to); rather, our focus is on training for actual security industry jobs, based on what our hiring partners tell us they want us to teach. In fact, they help us design the curriculum.
So with all that being said, my advice follows. I have written the advice in a format showing what certs I would choose to take if I were going through Fullstack Cyber Bootamp, and trying to break into cybersecurity.
The overall game plan
I'd try to earn the minimum-possible number of certs, making sure that they convey an advanced level of infosec skills to employers.
I would focus on the certs that are most "respected" and in-demand by employers around the world.
I'd use the Pareto Principle to try and get ~ 80% of the value (from certs) for ~ 20% of the effort (and cost!)
If I get only one cert before/after studying at Fullstack Cyber Bootcamp, it would be the CISSP. Why? Because the CISSP is the most in-demand advanced cert out there, and will make me immediately marketable as a technical cyber person.
But here's the rub: you need 5 years of experience to get the CISSP. To get around this, I'd try and earn the CISSP Associate, which is basically the CISSP pending 5 years of experience.
I'd study for the CISSP during the Flight portion of Fullstack Cyber Bootcamp, which would take me another 100-150 hours of studying after I graduate (to learn some additional things that aren't covered during the bootcamp, and to reinforce key concepts). The CISSP would cost me about $700. If I couldn't scrounge up $700 for the exam, I'd probably put it on a credit card, since there should be a pretty quick ROI on this expense (i.e., it will help me get my first cyber job) and I'd want to pay it off as soon as I got hired. My goal would be to earn the CISSP Associate within a month after graduating from Fullstack Cyber Bootcamp.
During Review Week (week 7 of the bootcamp) I'd take the OSCP exam...especially since the tuition at Fullstack Cyber Bootcamp includes my first sitting for this red team cert. So why not?!?! Even if I don't pass the OSCP exam (most people don't on the first attempt) I'd still get some bragging rights for the attempt, plus I'd learn how the OSCP exam experience actually works. After I graduate from the bootcamp, if I plan on working on the red team, then I'd plan to take the OSCP again during Flight (it costs $60 for each additional attempt). I'd keep taking it until I earn the cert, at which point I will be heavily recruited as a red teamer for years to come (from recruiters finding me on LinkedIn).
If I can't sit for the OSCP during Review Week -- e.g. if I have a medical reason and can't take a 24 hour exam -- then I'd do the alternate red team certs shown on the course poster. Specifically, I'd take the Linux+ and PenTest+ exams, to try and earn those certs and demonstrate my red team skills to employers.
During week 12 or 13 of the bootcamp, I might take the exam for the CySA cert. Why? Because I have just learned most of the related material, and I want to take the exam while it's fresh in my mind. Once I have the CySA cert, employers will know that I can hit the ground running if they hire me as a SOC Analyst (which could help me get hired more quickly). I won't decide if I'm sitting for CySA during weeks 12 or 13 until a week or so beforehand (when I can gauge how confident I'm feeling to sit for the exam).
I wouldn't take Network+ or Security+ during Foundations, because I'd want to focus on just the cyber-related aspects of those two courses during Foundations (for example, Network+ has quite a bit of content that's not related to infosec work).
I might circle back and take these certs during Flight, but probably not. Why?
Because I'm planning on getting the CISSP Associate, which will imply that I also have the related skills from Network+ or Security+.
Whatever certs you might choose...good luck, and I hope you find this template helpful!