Maximizing international employability for pentester through certs

Good morning everyone,
due to my girlfriend's job in academia, we will be living in 4 different countries in the next 5 to 6 years: two Western European ones, the US, and one Middle Eastern one.
From people moving internationally I know how tough it can be to find a job in IT, even if highly qualified, if you don't speak the local language (which I don't). To reduce the financial strains heading our way I want to increase my attractiveness to potential employers in these countries, hoping to maximize the chances of finding a sufficiently paying job quickly enough.
I work as a penetration tester (5 years experience) and want to keep it that way if possible. At the moment I'm certified as CISSP, OSCP and OSCE. I also hold a Master's in CS.
Any ideas which certificates might increase my attractiveness as a penetration tester to future employers the most? I was thinking CISA but maybe someone has a better idea?
In general, it needs to be affordable out of my own pocket, so SANS and OffSec's AWE/AWAE are out.
Comments
For team lead roles you could take PMP, but almost all places will have it as optional.
PMP would be a good one to tack onto your technical experience and demonstrate your project/time management skills to employers.
Crest for UK.
I'm going to say it and don't bash me: ECC CEH and LPT. Obviously won't expand your knowledge but hits those HR filters.
Seems like it would be a decent thing to try if you know you are going to be moving around a lot though.
As for relevant certs - other than CREST, the only other one that you may want to consider as a remote pen tester may be PCI QSA. Even if you are not able/willing to travel to a customer site or if you are not interested in doing PCI assessments, the PCI cert may possibly help you stand out since penetration testing can be an important requirement for PCI compliance.
Is there a reason why you can't stay at your current job? Maybe your current employer will let you work remotely.
I do bug bounties as a hobby when I have time (~5 to 10 hours a week) and it is an excellent way to make money. I know people who do it part time (~20 hours/week) as well as people who do it full time. There's definitely money to be made in bug bounties so if you have the skills, I strongly suggest it.
Working remotely for my current employer is unfortunately not an option due to the labour laws in two of the countries. Both my employer and I would've preferred that but unfortunately it wouldn't work legally.
CREST/CHECK won't be beneficial as none of the countries is the UK.
Bug bounties would be an option as a side gig for a while to save a bit of money for the transition periods. Thing is that they're not a steady source of income. Sometimes an effort of digging deeper pays off, sometimes it doesn't and I don't want to rely on that.
I read up on PCI QSA cause it seemed like a really good idea as there's demand for PCI audits and accompanying pentests everywhere. Turns out though that there are multiple steps in the process of getting and remaining certified that require a primary point of contact in a PCI QSA accredited company. The process does not seem to allow for individuals that want to acquire and maintain their certification independently. Also the obligatory training is 3k USD (VAT not included)... If there was a way for an independent individual to acquire and maintain that status, though, I would actually go for it.
Re. PMP: I'm too much of a techie, not intending on picking up a role with too much responsibility for projects (other than the ones I'm deployed on myself) for the time being.
I had been contemplating the CEH and LPT shortly, but only very shortly. I know it helps with a few HR filters but fortunately wherever a CEH is required usually a CISSP is also accepted. And, though you may call me stupid for that, I simply refuse to do business with the scammers from EC-Council. People are blowing way too much money up EC-Council's b*tts for shitty training and shitty exams which prove no skills and no useable knowledge whatsoever.
Several posters mentioned that CISA wouldn't exactly help in my situation. Why do you guys think so?
Again, thanks for the input so far!
Also - depending on what country you are coming from - finding a job in the US for a US based company may be tougher than trying to find a job that will let you work from anywhere in the world.
Some people in the US do know what it is - but as a pentester with OSCP and OSCE - it probably won't matter unless you want to do it for fun.
Yes - I probably should have mentioned that part. Also - you don't have to be a QSA to do the pen-test portion. A QSA is really an assessor of compliance to PCI standard.
Not at all - your OSCP is generally going to be much better received. Your opinion about CEH isn't uncommon among pen testers (at least among the folks that I know).
Yah - I was one of them. The CISA is a non-technical cert. It's typically held by auditors who have a risk, governance, and/or compliance background. These are folks generally doing audits like SSAE16/18 which are non-technical audits. ISACA has a version for security professionals called the CISM. But given your interest in pen testing and the fact that you already have a CISSP, I doubt that the CISA or CISM is probably not worthwhile. Unless you just want to do it for fun or you suffer from insomnia. Their material is a great cure for insomnia.
Echoing what others have said, I think you have enough certs. Build up experience, perhaps work on bug releases...or diversify your experience and add some consulting/risk assessment blue-team stuff?
English speaking countries, I don't think you'll have a problem landing a job.
Maybe I'll really just ditch the idea of getting another cert for the time being. There are so many beautiful, interesting areas one can deep dive into that I still have on my "bucket list".
As I said though the motivation for this thread was employability, hence the thought of getting something "in demand" internationally.