Usually, I post in German. This is the exception from the rule ;-)
TL;DR: Even entry level infosec is at least intermediate level IT. Don’t expect any of these certifications to land you a job in information security if you don’t have additional experience.
That said:
- Ignore the Google Cybersecurity Professional Certificate. Get a job in IT, gain some experience as an administrator, get vocational training.
- Once you know a thing or two: take the CompTIA Security+. It’s a solid foundation for all things infosec.
- Later in your infosec journey: Consider the TCM Security Practical Junior Penetration Tester (PJPT), it is fantastic.
Why should I listen to you?
Maybe you should not, that is up to you. Being sceptic about what other people tell you is a healthy trait in infosec, so you’re on the right path ;-).
I’m currently in a CISO role, but I have 20+ years of experience in different IT and research jobs, as well as a master’s degree in industrial engineering. My current job is more on the GRC side of information security, but I did some technical hacks in the past.
I did all the certifications I listed above in the second half of 2023, here’s the proof (click on the badges to verify):
I completed these certifications because I need to figure out how to train my colleagues at work. But I had fun working on them, and there is always something new to learn. What follows is just my personal opinion on these certifications.
What’s wrong with the Google Certificate?
I neither like nor recommend the Google Cybersecurity Certificate — contrary to what some youtubers state. The study material is very well produced, and the labs just work. That said: it overpromises and underdelivers, in my opinion. Here is what my certificate says:
“Those who earn the Google Cybersecurity Certificate […] are competent in beginner-level Python, Linux, SQL, Security Information and Event Management (SIEM) tools, and Intrusion Detection Systems (IDS). They know how to identify common cybersecurity risks, threats, and vulnerabilities, as well as the techniques to mitigate.”
Well, just no. A short introduction to the command line interface of Linux does not make you competent, not even close. Similarly, running some SQL queries in a guided lab environment does not make you understand databases.
It is – as the certificate also states – a “Certificate of Completion”. You can get an understanding what skills you will need as a SOC analyst, but I don’t think you can actually develop those skills with this course alone. In addition, a good portion of the course portrays people from all different backgrounds that landed an entry-level job in infosec. I think this is misleading, because it does not reflect the reality of the job market in 2023.
In summary: skip this course. In the end, you will also get a voucher for 30% off of CompTIA’s Security+ – so even Google acknowledges that you need additional training.
What should I do as an absolute beginner instead?
Just don’t do this:
Instead: focus on your general IT skills. You may see this as “gatekeeping”, but: information security is a highly specialized field. Learn the basics first. Get vocational training (“Ausbildung” in Germany), if you can.
For example: Take a Linux course (I did the LPIC courses a long time ago), learn networking (CCNA/Network+), and learn a programming language (Python). Get a better understanding of how IT systems work in general, and get a job in IT. Get experience. Then, you have a good chance to pivot into information security if you continue to learn.
What about CompTIA’s Security+?
I like it. It’s a solid introduction to the field of information security. It proves that you have
A valid critique of Sec+ is: it is a multiple choice exam that checks mostly for knowledge, not skill. But it does state that you should have prior network knowledge and “two years of experience in IT administration with a security focus”. This feels about right to me. The exam assumes that you have a working knowledge of IT operations. It aims at giving you a broad overview of all the different parts of information security. You end up with a solid understanding of how things relate to each other in information security.
I used the “CompTIA Security+ Certification Kit” books of Mike Chapple and David Seidl for my exam preparation. First I read the course book, taking note of some of the topics that were new to me. Then, I used the online test bank to see whether I understand the subject. If not: back to the book, if yes: move on. That worked quite nicely for me. I studied for six or seven weeks before taking the exam.
The Sec+ was also my recommendation when a colleague asked me for an information security course recommendation. Again, he has several years of experience as an administrator, and the certification seems to be at the right difficulty level for him.
Ok, but I want to do the red teaming stuff!
So does everyone, until they realize how much effort it takes. While it is one of the flashier jobs in infosec, it is also one of the most demanding ones. If you want to be successful here, you should absolutely make sure that you have solid foundational skills in
- Report writing(!)1,
- Windows and Linux system administration,
- Networking and
- Web applications.
Since IT is ever evolving, you need to keep learning constantly as a red teamer. If you enjoy learning, red teaming can be a very rewarding infosec job. But even if you prefer the blue team: by attacking systems, you also learn how to defend them better. In any way: it is a great field to look into.
I wanted to understand the attack surface of Windows systems better, so I took TCM Security’s “Practical Junior Penetration Tester (PJPT)”, mostly to satisfy my personal curiosity. Contrary to the Security+, this is a purely practical exam: You have two full days to perform a real pentest, and then you have another two days to write a report. This is as close as possible to a real-world pentesting engagement, and it certainly feels real. I needed about 7 hours to achieve the pentest objectives, and another 6 hours to write the report.
The PJPT was a lot of fun, but also more work than I expected. The “Practical Ethical Hacking” course — which is included in your voucher — consists of 25 hours of video lectures, with very little written material. This is both good and bad: While the course itself is pretty accessible, you need to make sure to create good notes and do additional research as needed. This reminds me of my old math lectures at university: notetaking is a lot of work, but it is also an effective learning tool. And since you can use your notes during the exam, they quickly become your personal reference for pentesting tools and techniques.
It took me 11 weeks to complete the PJPT. The course support was stellar, and there is a nice discord community around the TCM Security certifications. I would certainly recommend the PJPT to anyone that has the necessary foundational skills. Make sure you have a good understanding of most of the domains listed above. My only criticism of the PJPT is: you don’t get any feedback on your report. I understand that it is costly to provide individual feedback for all reports, but I would gladly pay an extra. It is a missed learning opportunity, in my opinion.
If you’re interested in another review of the PJPT: Kelvin Winborne has one, and here is cham3leon’s review.
Are there other trainings?
Of course! There are lots of trainings. The ones above are just the ones I took in the second half of 2023. I heard great things about Blue Team Level 1 and Level 2. TCM Security has additional certifications like the PNPT that you can consider. The HTB Certified Penetration Testing Specialist seems to be a well-respected cert in the community. In the GRC sphere, you should consider a certification based on the information security management system (ISMS) that your organization uses. I did the ISO27001 certifications and liked them.
You should also consider where you live. If you’re in Germany, you’re most likely starting your IT journey by completing vocational training (“Ausbildung”) or a bachelor/master degree. I would argue that you’re set for Security+ if you have completed the vocational training.
I’m confused/frustrated.
That is completely understandable. I don’t know why, but people seem to think that information security is an easy way to earn lots of money. It is not, it takes a lot of work and dedication. So: Take manageable steps on your journey, have fun, you got this ;-)
Seriously. I failed my first PJPT attempt because I failed to report one detail. ↩︎