CEH vs. CompTIA PenTest+: Thoughts from a Penetration Tester

Kristoffer Marshall holds up his CompTIA PenTest+ certification

Kristoffer Marshall is a cyber defense team lead at Secure-24. He has the Certified Ethical Hacker (CEH) cybersecurity certification and recently earned CompTIA PenTest+. We asked him a few questions to learn more about what a cyber defense lead does, his opinion on Certified Ethical Hacker (CEH) vs. PenTest+ and how IT and cybersecurity certifications have helped him get into IT and advance his career without a college degree.

1. What does a cyber defense team lead do?

A cyber defense team lead orchestrates penetration tests, identifies current and immediate threats to the organization and its clients, and is a subject matter expert on vulnerabilities.

A lot of companies simply run vulnerability scans and patch, not really knowing which vulnerabilities pose a threat. While a quarterly pen test report is normally needed for compliance reasons, conducting mandatory pen tests puts us in a position where we know what the actual threats are, rather than reviewing vulnerability reports and having a soft priority on remediating items. It’s one thing to know that a vulnerability exists, and another to know whether or not it’s easily exploitable.

Outside of testing known vulnerabilities, a large value to pen testing is to find things that current vulnerability scanning software simply cannot catch. Social engineering paired with open-source intelligence is one of the largest threats to organizations today, and no number of technological safeguards will stop adversaries from exploiting individuals. Without someone actively testing employees, the largest threat to the organization is often left in plain sight, with little to no testing or adequate training.

Pen testing actively tests not only employees, but the organization’s processes and procedures that should be in place to protect the company’s assets and operations.

2. What pen testing skills do IT pros need today?

Here’s how I look at it: the best lockpickers are often locksmiths. This is because they’re intimate with their craft and know both how and, more importantly, why locks can be manipulated to fail. I find that the best penetration testers have some sort of background or training from the operations or development side.

I’ve seen some people spin their wheels, finding vulnerabilities in environments that an adversary would have a hard time getting into in the first place. An administrator would know this, and that’s where background knowledge is key. Some of the best security-conscious people I’ve worked with aren’t even on a security team, and that’s perfectly fine, because that means that they’re defending at a lower level.

With all of this said, if I were to name specifics, Python and PowerShell skills are very popular nowadays, but I can do a lot with Bash and Linux know-how, and often in less time.

Familiarity with networking and operating systems is also a must; these are basic skills that all penetration testers should have.

Pen testing across multiple disciplines is often ideal, but because there are so many facets to IT, it’s unrealistic to be a rock star at everything. I highly encourage people to pick one thing they want to be good at and run with it.

3. Why did you decide to take CompTIA PenTest+?

I’ve been in security for a while now, and it felt good to validate my knowledge, especially since I am in a leadership role. Even though I’ve been working at the same company for over 10 years, it’s good to have the security of professional certifications on my resume.

While I’ve been at my company for a very long time, I like having this token, if you wish, in my career as a safety net. It’s a one-up for my resume. Professional security is definitely a thing, and I highly recommend people look to cybersecurity certifications to show provable validation.

While college is the solution for some people, it wasn’t the path for me, and certifications are a quick and inexpensive way to get one step closer to an IT career without a degree. IT moves so quickly that sitting in an art history class just doesn’t make sense when one could be studying for something for their future career.

4. How did you prepare for your certification exam?

I’ll be honest, I primarily read one book and researched topics that I wanted more information about. Even so, the book only covered maybe half of the topics on the exam.

If it weren’t for my experience, I certainly wouldn’t have passed it. I don’t have any formal academic training in the area, which would have given me a lot more confidence, but learning from an additional book would have certainly helped as well.

I also went over practice tests. I didn’t realize the book had practice tests online, which I found the night before the exam. If confidence is what you need closer to the exam date, practice tests are definitely the cure.

5. How did you feel about CompTIA PenTest+ after you took it?

I felt like the CompTIA PenTest+ exam deserves a lot more attention, because it was challenging, yet fair. It was about on par with what I was expecting for difficulty.

There were definitely a few questions that I had no answer for, but that’s normal, and there’s no reason to beat myself up about it. It’s inevitable that I was going to come across questions that I simply had no experience with, which is where a lot of my knowledge was coming from.

The topics aligned pretty well with what I experience day to day doing penetration testing at work, although most of my job is a bit heavier on the social engineering side.

6. How does CompTIA PenTest+ compare to other similar certifications, such as CEH?

For years, Certified Ethical Hacker (CEH) has been the standard for getting into penetration testing, and I’m glad that there’s finally an alternative. Many of us did not place much value on CEH, but it was the only thing out there that seemed like validation.

CompTIA PenTest+ tests items that are applicable to the real world, rather than testing for memorization. Sure, I learned a lot studying for CEH, but the exam did not really reflect the functions of a professional pen tester.

At the end of the day, a certification needs to reflect one’s knowledge rather than one’s ability to memorize things. I feel like CompTIA PenTest+ truly validates my knowledge.

Certifications are supposed to be validation that you know your stuff, so that employers and peers have no doubt that you have the knowledge and drive to get the job done. If anyone tells you otherwise, that a certification is just a fee you have to pay to get into a field, they’re sorely mistaken.

7. What advice would you have for someone who is considering CompTIA PenTest+?

Do yourself a favor and go for CompTIA PenTest+. Try not to get stuck on the “everyone’s doing it” bandwagon of CEH, because paying too much for the alternative just leaves you with empty pockets and an expensive piece of paper. The money you’ll be saving with CompTIA PenTest+ will easily pay for any prep material and training.

If you’re just breaking into information security, I highly recommend getting CompTIA Network+ and CompTIA Security+ as well or having ample experience. I feel like those two, especially CompTIA Security+, are good foundational IT certifications that will make CompTIA PenTest+ easier to handle.

Want to know what’s on CompTIA PenTest+? Download the exam objectives to see how it can validate your skills.
