Security Certification Roadmap

TechGuru80 Posts: 1,535 Member
If you are looking at this post right now, it is highly likely you are trying to break into information security or looking for guidance on where to go next. Welcome, and remember that over the years the certifications will change but the advice will remain fairly consistent.

There are essentially three stages of information security certifications in a career: entry-level, specialization, and management. (I will briefly touch on degrees at the end.)

Each stage has different objectives and has to be treated differently based on how one wants their career to progress. Each stage will be broken down with various certifications.



Entry-Level (0-2 years):
The entry-level stage is reserved for those who either are changing their career or have been in another segment of information technology and are looking to break into information security. Regardless of which one you are, the advice remains fairly consistent. You should be looking at entry-level certifications that will provide you a solid foundation to build upon.


CompTIA Network+ -> Security+ (A+ = optional before Network+):
These should be the very first certifications you get. They will give you basic knowledge of how networks operate and the security concerns that go with them. You will see the information in these certifications again later in your career...so yes, you need to pay attention.




::Optional::


Depending on the environment you work in, you might have to know a little about areas outside of information security...enter Cisco, Microsoft, and Linux. Although these are optional, I strongly recommend you get at least one of these certifications to make yourself more knowledgeable and valuable in an organization.



Cisco CCENT -> CCNA:R&S:
As far as networking is currently concerned, Cisco runs the world. You will learn more in depth how networks work and how to configure network appliances (routers, switches, etc.).


Microsoft MCSA - Server:
Microsoft systems have the majority share in the corporate world. Your job might call on you to verify configurations, GPOs, account permissions, etc. and being aware of how to navigate/configure a server is valuable.


CompTIA Linux+:
Linux shows up in enterprise environments every once in a while, and many information security tools have been developed in this operating system. From an overall knowledge standpoint you should feel comfortable with Linux but I do not believe you will get the biggest bang for your buck getting certified. However, if you need a certification to pass some free time, Linux+ would be a fun adventure.



Specialization (2+ years):
I bet you thought to yourself..."hmm, that was easy." The specialization phase is where things get a little tricky. At this point in your career you have to start deciding what areas you enjoy the most. This can range from network security, system security, forensics, penetration testing...and the list goes on and on. Hopefully at this point you have had broad exposure to a lot of aspects and can make an informed decision. If not, that is ok because people tend to bounce around in this area. Below are the major areas, although more do exist.


Penetration Testing:
EC-Council C|EH -> Offensive Security OSCP -> OSCE


Networking Security:
Cisco CCNA:Security -> CCNP:Security -> CCIE:Security
Checkpoint CCSA -> CCSE


Digital Forensics:
EC-Council CHFI


Auditing:
ISACA CISA


General Information Security:
(ISC)2 SSCP -> CompTIA CASP


In general, the above certifications to specialize in will provide a solid foundation if you choose to go one way versus another. These have been arranged by the years of experience required or recommended (per specialization).



Management (4-5+ years):
Congratulations! You have made the decision to move from the trenches to the big office. Generally, management is involved with policy creation, and management of the information security program. Although these certifications require several years of experience, most offer an “Associate” option for those less experienced until they acquire the needed years of experience.


(ISC)2 CISSP -> ISACA CISM


These are the two major players in information security management certifications. The CISSP does have concentration certifications, but you must be a CISSP before you can pursue them.



DEGREES:
Knowledge is power! A degree really depends on your end goal. If you want to be a highly technical person, a degree might not be necessary...although companies are screening out people without degrees before they get interviews, so it could be a hindrance.

Generally to get the high level management positions you will need some type of advanced degree (an MBA is common for those who started with a technical bachelors). Degrees can be helpful in providing you with knowledge in a condensed period of time from experts, which can be very valuable. Realize that certifications + degree + experience is the key for the most success. That does not mean you cannot get a good position without a degree, but the certifications and experience have to be in place.

For advanced degrees, get something that differs from your undergraduate degree. If you have a degree in business, get a degree in some type of technology field...and the opposite if you have a degree in technology.

One last thought about degrees and time commitment. They take a lot of time and energy (especially advanced degrees) for coursework. They can be much more time consuming than a certification and you need to take that into account when deciding. As somebody who has spent time solely as a student and then as a full-time employee finishing masters level classes...work + classes means you probably will not get certifications done at the same time. Also consider your personal life such as family, kids, etc.





**GIAC certifications were not mentioned in this post due to the high cost and inaccessibility to most people paying out of pocket. They are however highly regarded and have a path from entry to expert/management.**



Other References:
(IT) Information Technology Jobs & Careers | CompTIA IT Certifications
The GIAC Security Certification Roadmap

(IT) Information Technology Certifications | CompTIA IT Certifications
Certifications - Training & Certifications - Cisco
https://www.microsoft.com/en-us/learning/certification-overview.aspx
Security Training, IT Security, Security Certification, Security Courses, Security Analyst Training, Cert Training, Forensic Training, Information Security Training, Computer Security Training
https://www.offensive-security.com/information-security-certifications/
Training & Certification | Check Point Software
IT Certification - Audit - Security - Governance - Risk | ISACA
https://www.isc2.org/credentials/default.aspx
GIAC Information Security Certifications | Cyber Certifications

Comments

  • fuz1on Posts: 961 Member
    Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience, then the sky's the limit.
    timku.com(puter) | ProHacker.Co(nsultant) | ITaaS.Co(nstultant) | ThePenTester.net | @fuz1on
    Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
    If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
    The only real failure in life is not to be true to the best one knows. - Buddha
    If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
  • Segovia Posts: 119 Member
    Awesome Thread!!!

    Also, why is it recommended to get a different advanced degree?

    Thank you
    WGU BS - IT Security ... Enrollment Date 10/15 ... Progress 45/124 CU {36%}
  • kMastaFlash Posts: 1,012 Member
    Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.
    2018: CCSK
    2019: CWSP,Cloud+,Project+,CASP,PenTest+,CWNA,CCNA Security,GXPN,GREM
    2021: LPIC-2,JNCIS-ENT,eLearnSecurity Courses
  • TechGuru80 Posts: 1,535 Member
    fuz1on wrote: »
    Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience, then the sky's the limit.
    It is really like many careers where you start with foundational knowledge (the base of a pyramid) and as you progress you start to narrow what you know and specialize.
    Segovia wrote: »
    Awesome Thread!!!

    Thank you
    You're welcome...I hope this post helps people. Frequently people ask about what certification they should get and when...and then how does a degree fit into the equation but the posts are kind of scattered. I wanted to give something that outlines the basics and the timeframes to shift their focus.
    Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.
    Specialization can definitely be tough because many of us want to learn several areas. In reality, if you want to truly be great you have to decide and not be afraid to change if needed. There is nothing wrong with going down one path then switching. The only caveat is that it could be more difficult to come back from management because you are unlikely to be getting hands on with the technology...but not impossible.
  • gncsmith Posts: 458 Member
    I agree with the previous comments; Great post! And it looks like I'm "on track".
  • Justin- Posts: 300 Member
    Fantastic thread. This should be stickied!
  • kMastaFlash Posts: 1,012 Member
    I agree sticky this thread. This is a good one for people who are just starting out or anyone who is in the beginning/middle phases of their career.
    2018: CCSK
    2019: CWSP,Cloud+,Project+,CASP,PenTest+,CWNA,CCNA Security,GXPN,GREM
    2021: LPIC-2,JNCIS-ENT,eLearnSecurity Courses
  • Mike7 Posts: 1,052 Member
    Great post!
  • SephStorm Posts: 1,732 Member
    With respect this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.
  • TechGuru80 Posts: 1,535 Member
    SephStorm wrote: »
    With respect this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.
    Any roadmap or framework provides a tool to help guide people. Are there more certifications and paths that exist? Obviously...R&D, reverse engineering, etc...but one post won't cover an entire industry because that discussion would last a long, long time. The post was meant to give guidance...not a magic bullet; that's for Google and deeper, more focused posts.

    Additionally, the above certifications are what show up in job postings the most. Getting past HR with known certifications is a major part of job hunting.
  • OctalDump Posts: 1,722 Member
    A couple of others to squeeze into the specialisations:

    Incident handling
    ECIH, GCIH

    Malware analysis [sort of related to forensics, like a subspecialisation]
    GREM, OSCE

    Secure programming, code auditing
    GSSP-NET, GSSP-JAVA, there's also at least one for PHP and Microsoft also has documentations

    governance and compliance [higher level implementations of frameworks, internal policy, legal and regulatory compliance]
    CISM, CISA, CISSP, GLEG (and likely more)

    OS hardening - ie security in Windows, Linux etc
    MCSE, RHCE, LPIC2 -> LPIC3-303, RHCESH, GCUX, GCWN, GCED

    Wireless security (lots of layer 1 and 2 issues, and layer 3+ solutions)
    OWSP -> GAWN
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Dollarhyde Posts: 111 Member
    I agree to sticky this thread. This is going to help many new people.
  • NetworkNewb (They are watching you) Posts: 3,123 Member
    I think SANS course should be included on here.

    Reasons:
    - If you are already in Security your company might/should be willing to pay for them.
    - There is a work study program most people can afford
    or (less likely)
    - The person might have a sack of money laying around to invest in them

    Good post though!
  • Remedymp Posts: 834 Member
    Good post, but the only thing I would say is that, at the places where I have worked, anyone with more than 12 months of experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and an internship count as experience.
  • TechGuru80 Posts: 1,535 Member
    Remedymp wrote: »
    Good post, but the only thing I would say is that, at the places where I have worked, anyone with more than 12 months of experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and an internship count as experience.
    Levels vary by organization, and the experience one receives. The main point is to get those certifications and keep moving on up. Being conservative on time requirements is better than being very aggressive and failing.
  • renacido Posts: 387 Member
    Great post/thread. I'll add that for systems/OS security, MCSA/MCSE or RHCSA/Linux+ are just as relevant as CCNA/P:S are for network security.

    Yes network security is very important but these days if you think firewalls, IPS, NAC, segmentation, etc., are enough you're gonna get owned a lot. Hackers attack endpoints and end users without needing to circumvent a network perimeter (if that even really exists anymore) all day every day. Just sayin'.
  • protacticus Posts: 91 Member
    TechGuru80, bravo and thank you for this post. Vote for sticky.
  • waspe3 Posts: 18 Member
    Great post.

    I'm trying to specialise in pen testing and I'm in the entry level stage cert route right now.

    What do you think about CCENT --> Sec+ --> CCNA Security as an alternative to the net+ --> sec+ route?

    I feel like if I take the CCNA Security route, though, I'll be spending time in the net sec world more than I need to be. Then again, I was told it would be a better career boost than the CompTIA path you mentioned, as applying to info sec jobs would be relatively easier. Any thoughts on that?
  • TechGuru80 Posts: 1,535 Member
    Cisco has said that people who take Network+ generally do a little better than those without it. At this point I would say it depends on how comfortable you feel self studying.

    Do you have any experience? These days I would be more likely to recommend getting CCNA + MCSA, and then get Security+. If you want to have pen testing as a speciality, CCNA:Security isn't going to benefit you too much...but having networking and OS knowledge will be valuable. Then once you complete those 3 you will have the foundation knowledge and can start down the pen testing route somewhere around 2 years.
  • ottucsak Posts: 146 Member
    For Secure programming, code auditing (I prefer the term application security) you can add CSSLP as well.
  • tmpinsnty Posts: 2 Registered User
    I have a conundrum. I had classes for the CCNA but I plan on going into information security. I have also had security+ and CCNA security classes. I am working on a BAS in Information Assurance which is an MIS type degree. So according to what I see for those going into infosec they recommend your route. (I don't know what I will eventually be specializing in.) In your opinion, do I switch cert exams from CCNA to Net+? Should I try CCENT + CCNA Sec?
  • TechGuru80 Posts: 1,535 Member
    Honestly I would do MCSA > CCNA:R&S...this gives you your foundation, then Security+ > CCNA:Security. I like the CCNA:Security after a small gap because it pushes your expiration date out further and it really focuses on network security instead of being a broad exposure like Security+.

    My opinion on the subject has changed a little since I wrote this post.
  • tmpinsnty Posts: 2 Registered User
    Well good thing I had the server class also!

    Why the change? Is it b/c Net+ is closer to CCNA R&S now?

    Why Microsoft over Linux?
  • chrisone Senior Member Posts: 1,766 Member
    Although I do not agree with some of your cert ideas to cover an entire spectrum of some security topics here, I do not come to rationalize or argue the point. So I am not going to criticize you, so it is better to help here :)

    However, a cert-based "security" guide, especially one with a lot of vendor-based (Cisco/Microsoft) ones, is always going to be tough, as not all important security-related skills are covered.


    For instance:
    network security portion is lacking skills such as:
    SIEM
    DLP
    Cloud Based Security/Encryption
    NIDS
    NIPS
    HIDS
    HIPS
    SPAN/TAP technologies

    There is nothing regarding Endpoint technologies:
    AV
    Malware
    HIPS/NIPS
    DLP
    Encryption

    Pentesting:
    PowerShell hacking
    Active Directory hacking
    Red Team Adversary tactics

    OctalDump has some good tips too.

    You have a good list, it is just always nearly impossible to cover security with certs. This is not a knock on your post, just some reality of the business. Good work though!
    2018 Goals: SANS Advanced Security Essentials - Enterprise Defender (complete, not going for cert), SpecterOps: Adversary Tactics Red Team OPS (complete), eCPPT (obtained), OSCP PWK (in progress), Demystifying Regular Expressions (in progress), SLAE, OSCE CTP
  • TechGuru80 Posts: 1,535 Member
    The list was from 2015 and in no way was going to cover everything...it was more of a base for people to help guide them at a low cost for self funding. Microsoft and Cisco are the only two vendors I would openly recommend as they are everywhere...when you start getting into specific vendors, I only recommend the technology if you use it because the list is endless. Additionally, I listed heavy hitters on job boards because it makes little sense to recommend certifications that won’t get you the most looks. Your recommendations are great for add-ons...I did not want to tell somebody go learn a DLP technology because if they don’t have the foundation, they are less likely to get a job...again the list is from 2015 so the industry focus past entry level has even shifted.
  • chrisone Senior Member Posts: 1,766 Member
    TechGuru80 wrote: »
    The list was from 2015 and in no way was going to cover everything...it was more of a base for people to help guide them at a low cost for self funding. Microsoft and Cisco are the only two vendors I would openly recommend as they are everywhere...when you start getting into specific vendors, I only recommend the technology if you use it because the list is endless. Additionally, I listed heavy hitters on job boards because it makes little sense to recommend certifications that won’t get you the most looks. Your recommendations are great for add-ons...I did not want to tell somebody go learn a DLP technology because if they don’t have the foundation, they are less likely to get a job...again the list is from 2015 so the industry focus past entry level has even shifted.

    Ah I see, wow 2015 seems so long ago. I did not realize that someone brought this topic back to life :P
    2018 Goals: SANS Advanced Security Essentials - Enterprise Defender (complete, not going for cert), SpecterOps: Adversary Tactics Red Team OPS (complete), eCPPT (obtained), OSCP PWK (in progress), Demystifying Regular Expressions (in progress), SLAE, OSCE CTP
  • mbarrett Posts: 397 Member
    A person with 2 years experience under their belt will be very hard-pressed to get a CCIE Security, just sayin'.
    A CCIE in any track requires a significant investment of time, and a solid technical background that is nearly impossible to obtain within such a relatively short time frame.
  • DtownLionsBarry Posts: 4 Registered User
    Great post, only problem I see is that for the CISA certification you need to be able to verify 5 years of experience in either Information Systems, Security, or Auditing. So the 2+ years doesn't really align with that. CISA is considered by many a management level cert anyway. It just focuses on technical abilities rather than the Management overview. I just feel like the CISA should be placed in the 4-5+ years section of your post, because of the required experience to earn the certification. Sure you can take the exam without the experience, but you must gain that experience within 10 years of passing the exam.
  • TechGuru80 Posts: 1,535 Member
    That's fair...there is always the debate with certs like CISA and CISSP whether to take them before you have the experience or not. Honestly most Information Security jobs can apply to the CISA domains so I don't really see the 10 year mark being a big issue. The job somebody has a lot of impact on which certifications people go for so it's one of those "it depends" arguments.