Security Certifications Roadmap

Zekie

Hi,

Over the last few weeks I've been reading the different threads in the Security Certifications subforum, and I would like to thank all of you, who give your time to shred some light upon those of us who are starting in the Cybersecurity path.

I've been working as an "Information Security Analyst" for a consulting firm, for the past year, it was my first job in this field. I'm currently working in different projects and Im enjoying them, but most of all, I'm learning.
As it is a consulting job, I work closely with the clients, and I believe my career is moving forward a "Functional" role, which includes definition of "Processes and Procedures", "Risk Management", and "Business Continuity".

Even though I know I'm learning, I began to notice that Im falling behind in technical knowledge, or pure "Security Knowledge".
Thus, I decided to face the situation and get the training I think it will improve my knowledge, and will help me move forward in my career.

I started to do some research about the Security Certifications that are available, and I defined the following roadmap of certifications:

1. COMPTIA Network+
2. COMPTIA Security+ / EC Council Certified Security Specialist (Entry Security Certification)
3. EC Council - Certified Ethical Hacker
4. CISSP (After obtaining the working experience required)

But, I have some doubts yet,

1. Will "Network+" be useful in my current position?, or is it oriented towards future Networking Engineers?,
2. Security+ or EC Security Specialist?, What do you think about the ECSS certification?, Is it worth it?
3. Are there any other certifications I should pursue before?, What do you think?, What would be the road path you would take if you were starting today in the Cyber Security field?,

Appreciate the time you dedicated reading this,
And thanks in advance for your answers, I'm really looking forward towards your thoughts about this.

ramrunner800

Hi there, and welcome to the show. Networking knowledge is critical to working in the security field, so if you don't have a good handle on networking, N+ is a great first step.

The EC Council Certified Security Specialist is a complete waste. The EC Council in general is a scam, and can be a worthwhile scam to participate at times, but that cert is not one of those times. Security+ is a good beginners security cert, and has actual recognition; it is the clear choice between those two.

With CEH, the trick is to know going in what CEH is and what it is not. CEH is basically a review of hacking methods from the 90's if you were limited to hacking from a Windows box, and you will learn very little of value while pursuing it. That said, CEH can be quite helpful in getting you past HR on your next job hunt, or helping you check off required boxes for government positions. Just know that going in.

CISSP is another of those certs where you need to just be cognizant of what it is, and what it is not. CISSP is a management based certification primarily obtained for the purpose of getting the attention of HR and recruiters. Perhaps on the Risk Management side of the house CISSP skills are practically useful, but talk up your CISSP in front of a crowd of pentesters, security operations people, or incident responders, and you're going to have a bad time. Sure they'll all get it because silly HR folks look for it, but they won't consider it something to brag about or mention in polite company.

The roadmap of certifications you've laid out will do a decent job of getting you attention and past the HR front line, but they will not leave you with very much knowledge about how to actually DO anything. It is important that you spend time learning the skills of the craft you intend to pursue, because your CISSP may get you to an interview, but it is not going to carry you through an interview with a hiring manager. I generally believe hacking type courses to be pretty worthwhile for any role, as knowledge of the threats you face is always useful. Beyond that, it depends on what skillset you need to develop for what you want to do.