Penetration Testing, Experience or Education? by Olsi Selfo

The recent security breaches (such as Target, Adobe, Sony and Ashley Madison) have highlighted to companies the need to hire innovative and skilled security professionals. There is clearly an incentive to train more cyber security professionals, and the main question to ask is how cyber security professionals should be educated and trained. For some roles I’m currently recruiting for, holding a particular cyber security certification is a must to even be considered by my clients. This article will focus on two main penetration testing certifications (OSCP and CREST CRT) and will explain the importance of cyber security certifications.

In the current IT market, penetration testing is in high demand. Organisations seek ethical hackers to identify vulnerabilities in their systems before external hackers do. Attaining certifications, such as CREST and OSCP, is generally a matter of personal or employer choice. Whilst money certainly isn’t everything, many cyber security professionals who are weighing up the pros and cons of different security certifications would no doubt factor potential salary earning capability into the decision-making.

Both CREST and OSCP require a great deal of effort in your spare time – the question is whether they provide a return on your investment.

CREST was founded in the UK in “early 2008” and has since expanded to Australia. Most of the security consultancies I’m working with in Australia and the UK ideally require CREST Certified Testers (CRT & CCT). “The exam consists of both theory and practical assessments – the practical exam involves cracking multiple platforms of servers, workstations, and routers and switches, based on a set of questions.”

The CREST exam is conducted on-site with very limited Internet access, whereas the OSCP is a 24-hour exam taken remotely. The issue surrounding the OSCP certification is that anyone could potentially sit your exam and pass the certification on your behalf.

If we compare the two certifications, OSCP has more challenges to overcome, as it is a 24-hour exam, whereas the CREST CRT is only a couple of hours long. Perhaps the challenge of the CREST exam is to evaluate how professionals work under pressure. In my opinion, CREST is well recognised in the UK and, more recently, in Australia, while OSCP is more popular globally.

Early this year Offensive Security put out a promotional video, as well as a motivational song, in praise of its flagship Penetration Testing with Kali Linux certification, the OSCP.

To conclude: OSCP provides enough of an advantage to be considered by cyber security employers, whereas CREST is more attractive to senior penetration testers because the certification supports their knowledge, skills and experience. My advice to junior penetration testers is to start with OSCP and build a solid penetration testing foundation and experience before stepping up to becoming CREST certified.

Certifications are one way to prove your knowledge, and, as someone who hires penetration testers for clients globally, I look for experience beyond certifications that showcases the practical skills candidates possess. More certifications not only raise company awareness but also show the penetration tester’s commitment to the security field. Obtaining OSCP and CREST shows that you respect the industry and are passionate about your profession. As a recruiter who has been focusing on the IT security space for five years, I believe certifications such as OSCP and CREST are not as important as experience; however, the two combined are a powerful and appealing combination to cyber security employers around the world.

Source: LinkedIn

About the Author: Olsi Selfo

With over 5 years’ experience in IT recruitment, Olsi Selfo is an expert in the specialised area of security recruitment. Having delivered incident response and penetration testing teams to many of Australia and New Zealand’s major banks, Olsi also recruits on a global platform, reaching leading IT specialists in the UK, wider Europe and the United States.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013