Career wise, OSCP or CEH?
kurzon
Member Posts: 20 ■□□□□□□□□□
Hello everyone,
I am about to immigrate to another country and I am trying to find ways to improve my CV quickly in 4-5 months. I have 12 years of network security and pentesting experience, but I do not have any certification except CCNA and SSCP.
CEH is good to catch HR attention, but OSCP is much more reputable and challenging "IF" the HR knows about it. CEH is also much easier to get, which is good for me as I am looking for something quick to get.
Which one do you think I should get?
Thanks.
Comments
-
jelevated Member Posts: 139
Neither. CEH will only get you through certain doors. If it isn't called out explicitly in the job reqs you are interested in, it won't get you very far. Less so with OSCP. CISSP offers the best brand name.
-
JoJoCal19 Mod Posts: 2,835 Mod
What you need to do is do a targeted job search in the country(ies) you are looking to move to and see what is being asked for. It could be CEH, probably not OSCP unless it's a very specialized position where the hiring manager knows about the OSCP. Depending on what country, the CREST certifications might be very well known.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
-
kurzon Member Posts: 20 ■□□□□□□□□□
@jelevated, CISSP is not the direction I want to take. I have zero interest in managerial positions.
Here are two example ads that I might be interested in.
https://ca.indeed.com/viewjob?jk=281e1e6467be002a
Cyber Security Analyst
-
ITSpectre Member Posts: 1,040 ■■■■□□□□□□
I ditto what jojo AKA florida gator says....
We can give you a list of certs to pursue; what really matters is what's being asked for. If you get the CEH or OSCP and nobody over there is asking for it, well, you just wasted money.
In the darkest hour, there is always a way out - Eve ME3 :cool:
“The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
Welcome to Canada
I just hope that for the "Cyber Security Analyst", you are speaking French as Bombardier is a very "French" company.
-
ITSpectre Member Posts: 1,040 ■■■■□□□□□□
kurzon wrote: »Hello everyone,
I am about to immigrate to another country and I am trying to find ways to improve my CV quickly in 4-5 months. I have 12 years of network security and pentesting experience, but I do not have any certification except CCNA and SSCP.
CEH is good to catch HR attention, but OSCP is much more reputable and challenging "IF" the HR knows about it. CEH is also much easier to get, which is good for me as I am looking for something quick to get.
Which one do you think I should get?
Thanks.

Reading the job description, OSCP or CISSP is the best to get. CEH is a waste compared to OSCP and CISSP.
-
ITSpectre Member Posts: 1,040 ■■■■□□□□□□
Technical Skills
- 6+ years of experience in an information security role (offensive or defensive).
- Expertise in the leading, execution and delivery of information security assessments.
- Experience with the evaluation and development of security solutions and architectures.
- A deep understanding of the common software and network security vulnerabilities.
- Ability to analyze root causes and deliver strategic recommendations during client reviews.
- OSCP, CISSP, CSSLP, or GIAC certifications an asset.
- Ability to work internationally an asset.
- Experience in working as part of a multi-geography team an asset.
- Recommendations from one or more clients and/or colleagues an asset.
Based on this alone.... OSCP is the best cert to get. You can choose between OSCP, CISSP, GIAC. So it's really up to you. I would stay clear of CEH. Unless you have to get it for the job I would not waste my time with it.
-
DatabaseHead Member Posts: 2,755 ■■■■■■■■■■
50% of all security jobs I reviewed (over 10,000) either required or preferred the CISSP. C|EH was ~10% on average for that same group of security positions. However some of the security certs were around 1 - 2 %, I'd stay away from those......
OSCP and C|EH were both highly sought after for pen testing positions. In fact it was equal at 45% of all pen testing jobs either required or preferred the C|EH and OSCP (not necessarily together).
http://www.techexams.net/attachments/forums/jobs-degrees/8124d1479055619-security-job-requirements-degrees-certifications-certification-job-review.jpg
-
JoJoCal19 Mod Posts: 2,835 Mod
kurzon wrote: »@jelevated, CISSP is not the direction I want to take. I have zero interest in managerial positions.

Honestly you'd only be doing yourself a disservice to not go after the CISSP at some point. Far more than managerial positions ask for it.
-
DatabaseHead Member Posts: 2,755 ■■■■■■■■■■
JoJoCal19 wrote: »Honestly you'd only be doing yourself a disservice to not go after the CISSP at some point. Far more than managerial positions ask for it.

In fact over 50% of 10,000 security jobs either required or preferred it. I can promise you not all of those were managerial. +1
-
kurzon Member Posts: 20 ■□□□□□□□□□
SteveLavoie wrote: »Welcome to Canada
I just hope that for the "Cyber Security Analyst", you are speaking French as Bombardier is a very "French" company.

Thank you for the welcome. I showed those ads just as examples; I will not be applying for any jobs for a couple of months as I don't have any intention to move yet.
Thank you very much everyone for your opinions. The chart is very interesting, DatabaseHead.
I think I will go for OSCP for now. 4-5 months is enough to get prepared. And next year I will upgrade my SSCP to CISSP.
I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job.
-
ITSpectre Member Posts: 1,040 ■■■■□□□□□□
kurzon wrote: »Thank you for the welcome. I showed those ads just as examples; I will not be applying for any jobs for a couple of months as I don't have any intention to move yet.
Thank you very much everyone for your opinions. The chart is very interesting, DatabaseHead.
I think I will go for OSCP for now. 4-5 months is enough to get prepared. And next year I will upgrade my SSCP to CISSP.
I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job.

I would skip CCNA... it's really not needed
-
mgeoffriau Member Posts: 162 ■■■□□□□□□□
This is somewhat personal preference, but I'm not a fan of "on the path to" or "planned" or things like that. I might make an exception for something like a degree program where you have a set schedule and expected graduation date, but not for a certification exam. Save things like that for the interview.
CISSP || A+ || Network+ || Security+ || Project+ || Linux+ || Healthcare IT Technician || ITIL Foundation v3 || CEH || CHFI
M.S. Cybersecurity and Information Assurance, WGU
-
Raisin Member Posts: 136
mgeoffriau wrote: »This is somewhat personal preference, but I'm not a fan of "on the path to" or "planned" or things like that. I might make an exception for something like a degree program where you have a set schedule and expected graduation date, but not for a certification exam. Save things like that for the interview.

I've seen too many screw-ups where somebody quickly scans a resume and just sees a keyword like CISSP and assumes the candidate has it. That can create some negative feelings when the truth comes out. Better to just wait and not clutter your resume with things you don't have yet.
-
jelevated Member Posts: 139
Raisin wrote: »I've seen too many screw-ups where somebody quickly scans a resume and just sees a keyword like CISSP and assumes the candidate has it. That can create some negative feelings when the truth comes out. Better to just wait and not clutter your resume with things you don't have yet.

Exactly. Speaking of CISSP, ISC2 absolutely does not allow test passers to mention CISSP anywhere on their resume. In fact, if you have it on your resume that is submitted for endorsement you will be asked to remove it before they endorse you. People used to use "Associates of ISC2 working Toward CISSP". I guess too many people thought that was just as good as CISSP (for DoD purposes, it is). A lot of people out there misrepresenting themselves, "Associate of CISSP", "CISSP Associate". No, really, guys. Search Google: "site:linkedin.com CISSP associate"... Franken titles that don't exist and are actually against the new rules. It would be like passing CCIE Route Written exam and calling yourself an "Associate of CCIE Security".
-
kurzon Member Posts: 20 ■□□□□□□□□□
Thank you all for your valuable advice. Although I didn't have any intention of misrepresentation, mentioning CISSP might be risky.
-
EANx Member Posts: 1,077 ■■■■■■■■□□
When I scan resumes if I see someone has a certification or education section and they list a certification "in progress", they get tossed. If they list it under "other", they're fine. It annoys the heck out of me how many people try to pretend they have a certification they don't have. Tell me what you're chasing but don't try to sneak it under my nose.
-
ITSpectre Member Posts: 1,040 ■■■■□□□□□□
kurzon wrote: »I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job.

Actually it's not. You either have the cert or you don't and until you have the cert you aren't even allowed to put that on your resume. Also NEVER assume.
-
asurania Member Posts: 145
With all the security jobs I have looked at (including KPMG, Major Banks, and Consulting Firm).
OSCP = You need this to do your job. Mandatory (Hiring Manager needs it, shows you can do your job)
CISSP = This will get you past the HR Department. Job might also require this to meet certain standards or obligation.
At the end of the day, you need both. But I would do OSCP first, since you should be able to get some jobs with that alone.
-
kurzon Member Posts: 20 ■□□□□□□□□□
It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.
In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.
-
JoJoCal19 Mod Posts: 2,835 Mod
kurzon wrote: »It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

Not that we disagree, but it is what it is and if you want to greatly increase your odds of making it past HR and at least landing an interview, then you'll invest $600 or so into your career. Again, with your experience it shouldn't be hard. Some of my former colleagues felt the same way and refused my advice to get it, and a couple of them listened and obtained it. Guess which ones are either still unemployed or stuck where they are....
-
jelevated Member Posts: 139
kurzon wrote: »It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

You can either do it and get it out of the way or continuously try and fight it. I know this is an OSCP or CEH thread but you asked for HR related items and we are telling you what HR (in most cases) is looking for. There is most certainly great talent out there who is not certified and has absolutely no plans to be certified any time soon but not everyone is at this caliber (you may be, I have no idea). If you have software development chops for instance, you will be preferable to a CISSP for many security related roles. However there are absolutely CISSPs with Dev, opsec, net, red team type experience. And these are the people who get the most interest from hiring managers.
It isn't as cut and dry as "certified" vs "technical". Nope, that's what some try to make it seem as but it's too simplistic. Really it's "certified" vs "technical" vs "technical folks who are also certified". The third group is, based on what I've seen, an elite pool because the number of folks who get certified in the first place is pretty small. There are plenty of certified nerds hanging around here, just take a look. Why wouldn't a hiring manager take a look at them first? At worst you interview someone who has at least a minimum understanding of security concepts (although they shouldn't have been endorsed if it was only "minimal").
After becoming certified my response rate was 80%. For every five applications for which the CISSP was mentioned, I would get four call backs. Let that sink in. Nowadays it's a tiny bit lower since I'm not looking as aggressively but again. You can fight it or just play by the rules. The rules are silly (I mean, really, I don't think anyone from MIT CSAIL is a CISSP, and no one will question them on that, ever), sure, but unless someone proposes an alternative for the cyber security industry, this is where we are at today.
-
EANx Member Posts: 1,077 ■■■■■■■■□□
kurzon wrote: »It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.
In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.

Same issue with degrees as well. Sometimes HR doesn't care what the degree is as long as you have one. I fight that battle every time I do a vacancy announcement "and what degree does this need"? "None, the same as the last 13 times." But if a manager lets HR run the show, there's a good chance a Bachelor's degree requirement slips in and next thing you know, a highly qualified candidate can't get past HR but a newb with a degree in English Literature can.
-
kurzon Member Posts: 20 ■□□□□□□□□□
Before we discuss this topic further, I want to make it clear that I will get CISSP, there is no escape from that. I am just sharing my thoughts about the industry.
jelevated wrote: »However there are absolutely CISSPs with Dev, opsec, net, red team type experience. And these are the people who get the most interest from hiring managers.

This is exactly what I'm talking about. CISSP is clearly a managerial certification which is for people who aim for managerial positions. If you consider the fact that a certification program should add something to your experience, what is the purpose of having CISSP for someone who has red team type experience? Improving the chance of finding a job, and that's it. I'm not running away from any certification cost; I will gladly pay $700 for the OSCP, but I will always feel every $ I paid for the CISSP is just wasted.
"Here is your precious certificate dear HR, as it belongs to you, not me."
-
JoJoCal19 Mod Posts: 2,835 Mod
kurzon wrote: »This is exactly what I'm talking about. CISSP is clearly a managerial certification which is for people who aim for managerial positions.

Again, this is where you're wrong. The CISSP isn't just a managerial certification for people in management. First, it's more of a general security certification that lets HR and hiring managers know that the person has a certain baseline of security knowledge covering many of the security domains. Hence it being an inch deep and a mile wide. Second, it's obviously not just for managers as you'll see every kind of security req asking for it, from security analysts to pentesters and everyone in between.
-
DatabaseHead Member Posts: 2,755 ■■■■■■■■■■
kurzon wrote: »It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.
In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.

What's a shame IMO is that you have to get multiple certifications...... One should be enough, too bad that's not the case......
-
higherho Member Posts: 882
If you want to stay technical and be the top of your pen testing game. Then get the OSCP then OSCE. CISSP is only popular simply because of the DOD 8570 requirements which then a flood of contractors, military, and government civilians got it. It's a high level (1 inch deep 1 mile wide) certification which most people forget half of what they read the moment the exam is over simply because too much content. General baseline knowledge of security? Eh maybe but it really is too high level. I've talked to too many CISSP only holders who can only talk the high level but can barely crawl when you get into the weeds. You want to know why we have a technical cyber security problem? Keep making certifications and studies like the CISSP and you will find out why we don't have good talent.
I only recommend CEH to individuals who are new to the industry and want to get their foot in the door. Good content but the exam isn't hard at all.
-
asurania Member Posts: 145
higherho wrote: »If you want to stay technical and be the top of your pen testing game. Then get the OSCP then OSCE. CISSP is only popular simply because of the DOD 8570 requirements which then a flood of contractors, military, and government civilians got it. It's a high level (1 inch deep 1 mile wide) certification which most people forget half of what they read the moment the exam is over simply because too much content. General baseline knowledge of security? Eh maybe but it really is too high level. I've talked to too many CISSP only holders who can only talk the high level but can barely crawl when you get into the weeds. You want to know why we have a technical cyber security problem? Keep making certifications and studies like the CISSP and you will find out why we don't have good talent.
I only recommend CEH to individuals who are new to the industry and want to get their foot in the door. Good content but the exam isn't hard at all.

All the PenTesting Jobs I have seen where I live have a mandatory requirement to have CISSP or get it within 2 years of being hired.
I do agree that most people will forget what they learned in CISSP
OSCP is pretty much required
I do agree to get the OSCE