The truth is that the industry has lied to us about the value of certifications. No one cares if you’re CEH, CHFI, or ISO 27001.
An average “certification” course in security costs around $1,000 USD — that’s equivalent to three legal minimum monthly wages in Colombia. On top of that, some require annual membership fees ranging from $25 to $50 USD, and eventually you’ll need to renew them — often just by paying more money.
When I got my first certification, I did it because I wanted to work as a forensic investigator. I had been working in pentesting (hacking) for a couple of years, but cybercrime investigation simply fascinated me. I borrowed money because my salary wasn’t enough to pay for the course. I sat in a classroom for five days, took the exam, and got certified. Sadly, I didn’t achieve my goal of landing a job as a forensic investigator 😔.
The most frustrating part was that I didn’t actually learn how to investigate cybercrimes during those five days, despite the course promising to “acquire the necessary skills to effectively investigate cybercrimes.” What a big lie — and now I was in debt, without my dream job, and without the skills I was promised. I felt like I had wasted both my time and money.
I’m telling this story because if you’re new to security, it will likely happen to you too. You’re going to believe someone who tells you that if you get certified in something related to “cybersecurity,” you’ll get a job. You’ll trust the system, you’ll “invest” money in a course, you’ll study for the “exam,” and you might even get the certification. But you probably won’t get the job — if you’re lucky, maybe a few interviews.
Save that money. Don’t go into debt. Do you want that first job as a pentester, security analyst, forensic analyst, or risk analyst? Here are my recommendations:
Buy a book (or more) on the topic or certification you want to pursue. (Average cost: $40 USD)
Read the damn book — thoroughly!
Deepen your understanding of each topic using free resources. Go to YouTube and find content that reinforces each subject.
Create projects for each topic. If they’re technical, build labs with virtual machines; if they’re not, write reports or articles on your blog.
Create a blog, or use platforms like WordPress, LinkedIn, Medium, etc., and share what you’re learning. 99.99% of the world might not care, but over time, it will help you.
Instead of wasting time on TikTok or Instagram, create YouTube content about the topic you’re learning.
Update your résumé.
After going through these steps, if you’re asked in an interview whether you have security certifications, say no — but explain that you’re ready to certify as soon as you get the job. If the interview goes well, they might hire you anyway, and the company might even pay for your certification exam — because certifications aren’t for the employee. Certifications are for the employer — they’re the ones with money (I’ll go deeper into this in Part 4).
Do you see now why certifications aren’t worth it?