It is hard to look at an information security job posting without seeing some certifications desired. Some make sense and others not so much. I have looked at junior helpdesk positions asking for CISSP, while some roles at some of the most respected companies do not ask for any certifications at all. Some certifications command instant respect simply by being held: OSCP, OSCE, GXPN, and GREM, to name a few. Dave Kennedy has stated that anyone with an OSCE who applies to TrustedSec will at least get an interview.
So, as a n00b, where do you start? Honestly, there is no right or wrong answer. I am sorry to disappoint you. Before you exit this article, I have some insight for you.
Let's start with the question of whether to get certifications at all.
Off the bat, if you plan to work for the US Department of Defense or Federal Government (as a contractor or civilian), you need certifications. The usual path starts with CompTIA Security+, then EC-Council's C|EH, then (ISC)2 CISSP, followed by a variety of other certifications from CompTIA, SANS, etc. DOD Directive 8140.01 mandates this.
What about outside the government? There is no specific right or wrong answer, as I stated above. I know this is anti-climactic, but not all jobs require certifications. Some employers/hiring managers hold certain certifications in high esteem and may hold grudges against others, so having one can actually hurt you. Unless the job posting says not to apply if you hold [insert certification here], there is no way to know.
Having a certification should differentiate (not define) you as a candidate. If you are equally experienced and qualified as another person, the certification may put you over the top in getting that offer letter, but there are other factors in play.
Regarding certification vendors, not all are created equal. Some focus primarily on non-technical material, others have excruciatingly challenging exams, and others are best suited to entry-level certifications. Some certifications, like the AlienVault Certified Security Engineer (ACSE) or Cisco Certified Networking Associate (CCNA), are focused on a specific vendor.
Full Disclosure: I hold the ACSE certification and have previously taught AlienVault USM for Security Engineers.
My certification story is odd. I got A+, Network+, and Security+ via self-studying as I was getting out of the Navy to secure my first job on the outside. While in the first role, I was offered a CISSP voucher if I could get 90% on a practice test. I took it 4 times in a row, got a 92%, then successfully sat for the exam about 6 months later after aggressively self-studying.
My next role required an auditor certification. While, truthfully, I wanted CISA, they had SANS vouchers, so I took Audit 507 from SANS and passed the GSNA. My next role offered me an (ISC)2 course and exam, so I took a CISSP Management Concentration (CISSP-ISSMP) bootcamp. A few years later, I needed to renew my GSNA, and the easiest way to renew a SANS/GIAC certification at the time was to take another class, so my employer sent me to SEC504/GCIH. I had to pass ACSE and teach back in order to teach ACSE, so my employer (I think; maybe it was AlienVault) put me through that course.
Finally, I self-funded my successful OSWP training and my Pentesting with Kali course. I have not passed OSCP yet. After I finish OSCP and C|EH, I plan to take OSWE.
Most certifications are theoretical, meaning you only have to possess the knowledge, not the skill. Notable exceptions are the entire library of Offensive Security certifications and the SANS/GIAC Security Expert (GSE), which require you to attack and/or defend systems. EC-Council has added a Practical endorsement to Certified Ethical Hacker (C|EH) and EC-Council Security Analyst (ECSA).
Full Disclosure: I have a working relationship with EC-Council in that I am the sole author and instructor for their Social Engineering and OSINT Workshop. Additionally, I sit on the speaker committee for HackerHalted, their conference, and I am in the process of becoming a C|EH instructor.
If you are currently employed, I recommend having a conversation with your supervisor and mentor (not necessarily at the same time), explaining where you want to be in 5 years and expressing interest in certifications. Ask for their feedback on what you should do to meet your current career objectives, as well as to move on (if that is what you want to do). Most importantly, be respectful and listen to their feedback, taking it into account for your future.
If you’re a student or unemployed, talk to your professor(s) or mentors. If you don’t have a mentor, find someone you trust that is doing what you want to do and ask them. Be active on Twitter. There are tons of people who have been there and done that who are willing to give you honest feedback to help you. Also consider local security groups like ISSA Chapters, Defcon groups, DerbyCon communities, 2600, ISACA, and OWASP chapters. Some have student chapters or associate levels. Some colleges have clubs for infosec, as well. Penn State World Campus Technology Club (organized by Wondersmith Rae) is one that is thriving.
I boil the decision to get certified down to this. Are you passionate about the material of the course? Will you be able to advance your career by taking the course and passing the test? Chances are, the answer is yes. If it doesn't interest you or help you along your career path, I would recommend finding a different certification to target. The exception is if it is required to keep you gainfully employed.