Career wise, OSCP or CEH?

kurzonkurzon Member Posts: 20 ■□□□□□□□□□
Hello everyone,

I am about to immigrate to another country and I try to find ways to improve my CV quickly in 4-5 months. I have 12 years of network security and pentesting experience, but I do not have any certification except CCNA and SSCP.

CEH is good to catch HR attention, but OSCP is much more reputable and challenging "IF" the HR knows about it. CEH is also much easier to get, which is good for me as I am looking for something quick to get.

Which one do you think I should get?

Thanks.

Comments

  • jelevatedjelevated Member Posts: 139
    Neither. CEH will only get you through certain doors. If it isn't called out explicitly in the job reqs you are interested in, it won't get you very far. Less so with OSCP. CISSP offers the best brand name.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    What you need to do is do a targeted job search in the country(ies) you are looking to move to and see what is being asked for. It could be CEH, probably not OSCP unless it's a very specialized position where the hiring manager knows about the OSCP. Depending on what country, the CREST certifications might be very well known.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • deyavideyavi Member Posts: 23 ■□□□□□□□□□
    If you are going for a pentest role I'd do OSCP.
  • kurzonkurzon Member Posts: 20 ■□□□□□□□□□
    @jelevated, CISSP is not the direction I want to take. I have zero interest in managerial positions.

    Here are two example ads that I might be interested in.

    https://ca.indeed.com/viewjob?jk=281e1e6467be002a

    Cyber Security Analyst
  • ITSpectreITSpectre Member Posts: 1,040 ■■■■□□□□□□
    I ditto what jojo AKA florida gator says....

    We can give you a list of certs to pursue, what really matters is what's being asked for. If you get the CEH, or OSCP and nobody over there is asking for it, well you just wasted money.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • SteveLavoieSteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    welcome to Canada :)

    I just hope that for the "Cyber Security Analyst", you are speaking French as Bombardier is a very "French" company.
  • ITSpectreITSpectre Member Posts: 1,040 ■■■■□□□□□□
    kurzon wrote: »
    Hello everyone,

    I am about to immigrate to another country and I try to find ways to improve my CV quickly in 4-5 months. I have 12 years of network security and pentesting experience, but I do not have any certification except CCNA and SSCP.

    CEH is good to catch HR attention, but OSCP is much more reputable and challenging "IF" the HR knows about it. CEH is also much easier to get, which is good for me as I am looking for something quick to get.

    Which one do you think I should get?

    Thanks.

    Reading the job description, OSCP or CISSP is the best to get. CEH is a waste compared to OSCP and CISSP.
  • ITSpectreITSpectre Member Posts: 1,040 ■■■■□□□□□□
    Technical Skills
    • 6+ years of experience in an information security role (offensive or defensive).
    • Expertise in the leading, execution and delivery of information security assessments.
    • Experience with the evaluation and development of security solutions and architectures.
    • A deep understanding of the common software and network security vulnerabilities.
    • Ability to analyze root causes and deliver strategic recommendations during client reviews.
    • OSCP, CISSP, CSSLP, or GIAC certifications an asset.
    • Ability to work internationally an asset.
    • Experience in working as part of a multi-geography team an asset.
    • Recommendations from one or more clients and/or colleagues an asset.


    Based on this alone.... OSCP is the best cert to get. You can choose between OSCP, CISSP, GIAC. So it's really up to you. I would stay clear of CEH. Unless you have to get it for the job I would not waste my time with it.
  • DatabaseHeadDatabaseHead Member Posts: 2,753 ■■■■■■■■■■
    50% of all security jobs I reviewed (over 10,000) either required or preferred the CISSP. C|EH was ~10% on average for that same group of security positions. However some of the security certs were around 1 - 2 %, I'd stay away from those......

    OSCP and C|EH were both highly sought after for pen testing positions. In fact it was equal at 45% of all pen testing jobs either required or preferred the C|EH and OSCP (not necessarily together).

    http://www.techexams.net/attachments/forums/jobs-degrees/8124d1479055619-security-job-requirements-degrees-certifications-certification-job-review.jpg
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    kurzon wrote: »
    @jelevated, CISSP is not the direction I want to take. I have zero interest in managerial positions.

    Honestly you'd only be doing yourself a disservice to not go after the CISSP at some point. Far more than managerial positions ask for it.
  • DatabaseHeadDatabaseHead Member Posts: 2,753 ■■■■■■■■■■
    JoJoCal19 wrote: »
    Honestly you'd only be doing yourself a disservice to not go after the CISSP at some point. Far more than managerial positions ask for it.

    In fact over 50% of 10,000 security jobs either required or preferred it. I can promise you not all of those were managerial. +1
  • kurzonkurzon Member Posts: 20 ■□□□□□□□□□
    welcome to Canada :)

    I just hope that for the "Cyber Security Analyst", you are speaking French as Bombardier is a very "French" company.

    Thank you for the welcome :) I showed those ads just as examples, I will not be applying to any jobs for a couple of months as I don't have any intention to move yet.

    Thank you very much everyone for your opinions. The chart is very interesting DatabaseHead.

    I think I will go for OSCP for now. 4-5 months is enough to get prepared. And next year I will upgrade my SSCP to CISSP.

    I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job. :)
  • ITSpectreITSpectre Member Posts: 1,040 ■■■■□□□□□□
    kurzon wrote: »
    Thank you for the welcome :) I showed those ads just as examples, I will not be applying to any jobs for a couple of months as I don't have any intention to move yet.

    Thank you very much everyone for your opinions. The chart is very interesting DatabaseHead.

    I think I will go for OSCP for now. 4-5 months is enough to get prepared. And next year I will upgrade my SSCP to CISSP.

    I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job. :)

    I would skip CCNA... it's really not needed
  • mgeoffriaumgeoffriau Member Posts: 162 ■■■□□□□□□□
    This is somewhat personal preference, but I'm not a fan of "on the path to" or "planned" or things like that. I might make an exception for something like a degree program where you have a set schedule and expected graduation date, but not for a certification exam. Save things like that for the interview.
    CISSP || A+ || Network+ || Security+ || Project+ || Linux+ || Healthcare IT Technician || ITIL Foundation v3 || CEH || CHFI
    M.S. Cybersecurity and Information Assurance, WGU
  • jelevatedjelevated Member Posts: 139
    CISSP for the name, OSCP for the brain.
  • RaisinRaisin Member Posts: 136
    mgeoffriau wrote: »
    This is somewhat personal preference, but I'm not a fan of "on the path to" or "planned" or things like that. I might make an exception for something like a degree program where you have a set schedule and expected graduation date, but not for a certification exam. Save things like that for the interview.

    I've seen too many screw-ups where somebody quickly scans a resume and just sees a keyword like CISSP and assumes the candidate has it. That can create some negative feelings when the truth comes out. Better to just wait and not clutter your resume with things you don't have yet.
  • jelevatedjelevated Member Posts: 139
    Raisin wrote: »
    I've seen too many screw-ups where somebody quickly scans a resume and just sees a keyword like CISSP and assumes the candidate has it. That can create some negative feelings when the truth comes out. Better to just wait and not clutter your resume with things you don't have yet.

    Exactly. Speaking of CISSP, ISC2 absolutely does not allow test passers to mention CISSP anywhere on their resume. In fact, if you have it on your resume that is submitted for endorsement you will be asked to remove it before they endorse you. People used to use "Associates of ISC2 working Toward CISSP". I guess too many people thought that was just as good as CISSP (for DoD purposes, it is). A lot of people out there misrepresenting themselves, "Associate of CISSP", "CISSP Associate". No, really, guys. Search Google: "site:linkedin.com CISSP associate"... Franken titles that don't exist and are actually against the new rules. It would be like passing CCIE Route Written exam and calling yourself an "Associate of CCIE Security".
  • kurzonkurzon Member Posts: 20 ■□□□□□□□□□
    Thank you all for your valuable advice. Although I didn't have any intention of misrepresentation, mentioning CISSP might be risky.
  • EANxEANx Member Posts: 1,077 ■■■■■■■■□□
    When I scan resumes if I see someone has a certification or education section and they list a certification "in progress", they get tossed. If they list it under "other", they're fine. It annoys the heck out of me how many people try to pretend they have a certification they don't have. Tell me what you're chasing but don't try to sneak it under my nose.
  • ITSpectreITSpectre Member Posts: 1,040 ■■■■□□□□□□
    kurzon wrote: »
    I presume "CCNA, SSCP, OSCP, on the path to CISSP" would look nice enough to nail a decent job. :)

    Actually it's not. You either have the cert or you don't and until you have the cert you aren't even allowed to put that on your resume. Also NEVER assume.
  • asuraniaasurania Member Posts: 145
    With all the security jobs I have looked at (including KPMG, Major Banks, and Consulting Firm).


    OSCP = You need this to do your job. Mandatory (Hiring Manager needs it, shows you can do your job)
    CISSP = This will get you past the HR Department. Job might also require this to meet certain standards or obligation.

    At the end of the day, you need both. But I would do OSCP first, since you should be able to get some jobs with that alone.
  • kurzonkurzon Member Posts: 20 ■□□□□□□□□□
    It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

    In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    kurzon wrote: »
    It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

    Not that we disagree, but it is what it is and if you want to greatly increase your odds of making it past HR and at least landing an interview, then you'll invest $600 or so into your career. Again, with your experience it shouldn't be hard. Some of my former colleagues felt the same way and refused my advice to get it, and a couple of them listened and obtained it. Guess which ones are either still unemployed or stuck where they are....
  • jelevatedjelevated Member Posts: 139
    kurzon wrote: »
    It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

    You can either do it and get it out of the way or continuously try and fight it. I know this is an OSCP or CEH thread but you asked for HR related items and we are telling you what HR (in most cases) is looking for. There is most certainly great talent out there who is not certified and has absolutely no plans to be certified any time soon but not everyone is at this caliber (you may be, I have no idea). If you have software development chops for instance, you will be preferable to a CISSP for many security related roles. However there are absolutely CISSPs with Dev, opsec, net, red team type experience. And these are the people who get the most interest from hiring managers.

    It isn't as cut and dry as "certified" vs "technical". Nope, that's what some try to make it seem as but it's too simplistic. Really it's "certified" vs "technical" vs "technical folks who are also certified". The third group is, based on what I've seen, an elite pool because the number of folks who get certified in the first place is pretty small. There are plenty of certified nerds hanging around here, just take a look. Why wouldn't a hiring manager take a look at them first? At worst you interview someone who has at least a minimum understanding of security concepts (although they shouldn't have been endorsed if it was only "minimal").

    After becoming certified my response rate was 80%. For every five applications for which the CISSP was mentioned, I would get four call backs. Let that sink in. Nowadays it's a tiny bit lower since I'm not looking as aggressively but again. You can fight it or just play by the rules. The rules are silly (I mean, really, I don't think anyone from MIT CSAIL is a CISSP, and no one will question them on that, ever.), sure, but unless someone proposes an alternative for the cyber security industry, this is where we are at today.
  • EANxEANx Member Posts: 1,077 ■■■■■■■■□□
    kurzon wrote: »
    It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

    In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.

    Same issue with degrees as well. Sometimes HR doesn't care what the degree is as long as you have one. I fight that battle every time I do a vacancy announcement "and what degree does this need"? "None, the same as the last 13 times." But if a manager lets HR run the show, there's a good chance a Bachelor's degree requirement slips in and next thing you know, a highly qualified candidate can't get past HR but a newb with a degree in English Literature can.
  • kurzonkurzon Member Posts: 20 ■□□□□□□□□□
    Before we discuss this topic further, I want to make it clear that I will get CISSP, there is no escape from that. I am just sharing my thoughts about the industry.
    jelevated wrote: »
    However there are absolutely CISSPs with Dev, opsec, net, red team type experience. And these are the people who get the most interest from hiring managers.

    This is exactly what I'm talking about. CISSP is clearly a managerial certification which is for people who aim for managerial positions. If you consider the fact that a certification program should add something to your experience, what is the purpose of having CISSP for someone who has red team type experience? Improving the chance of finding a job, and that's it. I'm not running away from any certification cost; I will gladly pay $700 for the OSCP, but I will always feel every $ I paid for the CISSP is just wasted.

    "Here is your precious certificate dear HR, as it belongs to you, not me." :)
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    kurzon wrote: »
    This is exactly what I'm talking about. CISSP is clearly a managerial certification which is for people who aim for managerial positions.

    Again, this is where you're wrong. The CISSP isn't just a managerial certification for people in management. First, it's more of a general security certification that lets HR and hiring managers know that the person has a certain baseline of security knowledge covering many of the security domains. Hence it being an inch deep and a mile wide. Second, it's obviously not just for managers as you'll see every kind of security req asking for it, from security analysts to pentesters and everyone in between.
  • DatabaseHeadDatabaseHead Member Posts: 2,753 ■■■■■■■■■■
    kurzon wrote: »
    It is a shame for the industry that I must obtain a certificate which I do not intend to follow its path just to pass the HR.

    In my opinion, OSCP+SSCP makes much more sense than OSCP+CISSP.

    What's a shame IMO is that you have to get multiple certifications...... One should be enough, too bad that's not the case......
  • higherhohigherho Member Posts: 882
    If you want to stay technical and be the top of your pen testing game. Then get the OSCP then OSCE. CISSP is only popular simply because of the DOD 8570 requirements which then a flood of contractors, military, and government civilians got it. It's a high level (1 inch deep 1 mile wide) certification which most people forget half of what they read the moment the exam is over simply because too much content. General baseline knowledge of security? Eh maybe but it really is too high level. I've talked to too many CISSP only holders who can only talk the high level but can barely crawl when you get into the weeds. You want to know why we have a technical cyber security problem? Keep making certifications and studies like the CISSP and you will find out why we don't have good talent.

    I only recommend CEH to individuals who are new to the industry and want to get their foot in the door. Good content but the exam isn't hard at all.
  • asuraniaasurania Member Posts: 145
    higherho wrote: »
    If you want to stay technical and be the top of your pen testing game. Then get the OSCP then OSCE. CISSP is only popular simply because of the DOD 8570 requirements which then a flood of contractors, military, and government civilians got it. It's a high level (1 inch deep 1 mile wide) certification which most people forget half of what they read the moment the exam is over simply because too much content. General baseline knowledge of security? Eh maybe but it really is too high level. I've talked to too many CISSP only holders who can only talk the high level but can barely crawl when you get into the weeds. You want to know why we have a technical cyber security problem? Keep making certifications and studies like the CISSP and you will find out why we don't have good talent.

    I only recommend CEH to individuals who are new to the industry and want to get their foot in the door. Good content but the exam isn't hard at all.

    All the PenTesting Jobs I have seen where I live have a mandatory requirement to have CISSP or get it within 2 years of being hired.
    I do agree that most people will forget what they learned in CISSP
    OSCP is pretty much required
    I do agree to get the OSCE