Hands-On or Performance-Based Certifications vs Skills-Based Certifications

Posted by Pat Tovo

[Image: 81% of hiring managers prefer hands-on certifications]

Not all certifications are equal. And when you’re starting out in your career it’s helpful to understand some of the differences to move your career in the right direction.

A 2016 Cyber Security Survey that polled 3,000 professionals in the industry found that 63% of hiring managers think it’s hard to identify whether applicants have an adequate level of skills to do the job.

81% stated they are more likely to hire cyber security job seekers who have a hands-on or performance-based certification. That means certs that require hands-on knowledge of how to do the work. Many think it’s a better indicator of the ability to do the job than of the ability to study and take a test.

Examples of skills-based certs include:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control
  • Certified Secure Computer User
  • EC-Council Certified Security Specialist
  • Security+
  • GIAC cyber security essentials

Examples of performance or hands-on certifications:

  • Certified Ethical Hacker (CEH)
  • Offensive Security Certified Professional
  • Offensive Security Web Expert
  • GIAC Web Application Defender
  • GIAC Certified Forensic Analyst
  • CSX Practitioner

Those are by no means complete lists, but they include the most widely achieved beginner cyber certs.

Degrees Are a Foundation, But

Cyber security degrees are foundational and demonstrate an aptitude for the profession.

However, many professionals in the industry recommend starting with skills-based certifications, though many of these require 3-5 years of experience. If an entry-level job seeker has passed the exam, it does demonstrate to a potential employer that the job seeker is committed to the industry. As an entry-level professional you can also take performance-based certs, but you will likely find them extremely challenging to pass.

What Then

What else can you do beyond getting an education? Become involved in the community. There are many professional organizations such as OWASP, ISACA and ISSA. Volunteer for everything you can, whether it’s for the local chapter or the national organization. That’s your opportunity to network with professionals in the industry, and to start making your mark.

Participate in any and all competitions available to you. You’ll learn, show a dedication to the community, and meet other like-minded professionals.

The most popular certifications overall are:

  • Certified Information Systems Security Professional (CISSP)
  • Global Information Assurance Certification (GIAC)
  • Certified Information Security Manager (CISM)

But the CompTIA Advanced Security Practitioner (CASP) is included in DoD 8570, so it’s becoming popular with government employees and contractors.

Security+ is still a heavyweight entry-level cert, as the DoD accepts Security+ for its most basic information assurance certification requirements. A single exam is required to pass.

Entry level certs with the most weight are:

  • Security+
  • GIAC Information Security Fundamentals (GISF)
  • Systems Security Certified Practitioner (SSCP)

Security Certification Career Path

This is a possible career path for those starting in the cyber security industry:

1. Entry-level Certifications

CompTIA Security+

CompTIA’s Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. Security+ meets the Department of Defense entry-level information assurance certification requirements. A single exam is required.

(ISC)² Systems Security Certified Practitioner (SSCP)

ISC2 also administers the CISSP – arguably the most popular senior-level cert in the industry. If CISSP is your ultimate goal, this is a good starting point. SSCP requires one year of experience and an exam. If you don’t have the experience yet, you can get the Associate of ISC2 cert.

SANS GIAC Information Security Fundamentals Certification (GISF)

SANS GIAC certifications are seeing wider acceptance. The GISF is the first step in the SANS GIAC program. A single exam is required.

2. More Advanced Certifications

The next step typically requires three or more years of experience, a paper submission or research results, classes, and an exam. Three of these stand out, and they are a progression from the three entry-level certs above.

CompTIA Advanced Security Practitioner (CASP)

CASP is a follow-on to Security+. It requires 3+ years of direct hands-on information security experience. CASP has a continuing education requirement, or you must retake the exam every 3 years. CASP is ranked the same as the CISSP for many Department of Defense IT positions, but costs less.

ISC2 Certified Information Systems Security Professional (CISSP)

The CISSP is probably the best known information security certification, and requires five years of paid experience – four if you have a degree.

SANS Global Information Assurance Certification (GIAC)

GIAC requires training and a lengthy two-part exam. If you’re planning to take the GIAC Security Engineer cert, this is the path for you.

Sources: TechTarget’s Your Guide to Security Certifications

Pat Tovo guides job seekers in conducting successful employment searches through targeted prospecting, effective resume writing, and polished interviewing skills. She enjoys facilitating workshops and working one-on-one in career counseling.

This entry was posted on Monday, January 08, 2018 6:04 am
