GUIDE TO BECOMING A CERTIFIED SECURITY EXPERT

can anyone please guide on what to do to become a certified security expert?
from a non IT experience, what step and certification is the best route?
Also which of the training centers would you recommend?

Find more posts tagged with

cert paths to jobs

Comments

beads

As a career InfoSec practitioner and overall generalist, let me assure you no such all encompassing guide exists as the field is broad enough and changes fast enough never to delude oneself that any of us are truly experts in the field on any topic, any given day. Many specialty books come in small 500-1000 page tomes these days.

What you need to do is figure out or decide what it is you want to do within InfoSec be that: Incident response, disk forensics, telecom, GRC, audit, SoC, threat hunting, penetration testing, assessment, business continuity and disaster recover, I mean we have dozens of sub fields under the same umbrella. We cannot master them all but we do spend alot of time learning, labbing and honing our skills.

Start small and grow into the field. Otherwise, your trying to boil the ocean.

- b/eads

Infosec_Sam

I think @beads is absolutely right here - there is no one-size-fits-all career track for IT security. Could you elaborate as to what you'd like to do in the field? I'd be happy to throw out some recommendations for a career path if you have something specific you're shooting for!

Yinkaar

Thanks guys, i am looking at becoming a certified ethical hacker and then grow from there, so from my enquiries, i got the following steps:

CompTIA Fundamentals+ Exam

CompTIA A+ Exam

CompTIA Network+ Exam

CompTIA Security+ Exam

ITIL Foundation + Exam

CompTIA CySA + Exam

Certified Professional Ethical Hacker (CPEH) Exam with Free Retake

Any other specialist certification…. CDRE, CISSO, CSWAE, CPTE or CIHE +Exam With Free Retake

Please advise if thats the way to go and how best to get in from a business data analyst industry

NetworkNewb

Is this some weird bot?

Yinkaar

I erroneously posted the messages several time.
I don’t understand what you meant by “weird bot”

NetworkNewb

You posted the same message like 5 times in a row. A couple in slightly different format. All within the same minute. Doesn’t seem like a person would usually do that. I’m wrong apparently 👍

Infosec_Sam

Yinkaar said:

Thanks guys, i am looking at becoming a certified ethical hacker and then grow from there, so from my enquiries, i got the following steps:
CompTIA Fundamentals+ Exam
CompTIA A+ Exam
CompTIA Network+ Exam
CompTIA Security+ Exam
ITIL Foundation + Exam
CompTIA CySA + Exam
Certified Professional Ethical Hacker (CPEH) Exam with Free Retake
Any other specialist certification…. CDRE, CISSO, CSWAE, CPTE or CIHE +Exam With Free Retake
Please advise if thats the way to go and how best to get in from a business data analyst industry

I don't think the CompTIA Fundamentals+ exam is really necessary unless you're coming from a background of zero technical knowledge. The A+ would be a great place to start, followed by the Network+ and the Security+. At that point, it's up to you as to which direction you want to go. If you like CompTIA's format, there's nothing wrong with sticking with their pathway. The CySA+ will be more of a blue team (defensive) certification, so you'll learn more about how to keep systems secure. On the other hand, the Pentest+ is your red team (offensive) certification, so you'll learn how systems can be compromised, and how to search for those vulnerabilities.

Paired with entry level IT experience, those certs should be enough to get you into an entry/mid-level cybersecurity role. If that's not where you want to stop, then you have some more options for higher learning. CompTIA's CASP+ cert is their top-level security cert, and will round out your blue team/red team knowledge even more. If you'd prefer to dive even deeper into penetration testing, the OSCP is a great cert for that. The reason I would choose this over the CEH as this point is because this exam involves actually pentesting an isolated network and preparing a pentest report, whereas the CEH is all about theoretical knowledge, making it a more entry level cert. At this point, you should have 3-5 years experience in cybersecurity, and you'll have very little trouble finding the job you want.

So, to summarize:

A+, then Network+, then Security+
CySA+(defensive) OR Pentest+(offensive) AND/OR CEH
Casp+ AND/OR OSCP
Whatever else you want

This is totally just my opinion based on what I've seen in the market and what you told me you're interested in, so keep in mind that there are a TON of other options out there if you ever do change your mind. Anyone else, feel free to critique this cert path!

Yinkaar

I sincerely appreciate your guide and i want the best possible smooth entry coming from a Data analyst role.
Please can you suggest a good and reputable training center where i can train then write exams for certification? I am presently in London but will go for a commercial planning consulting in dubai come August.
I also want to tow your advise.i.e: A+, Network+, security+, Pentest+, Casp+/OSCP.
If I have minimum of 10 hours a week study, do you think i can achieve something tangible in the nearest weeks/months.
I'm asking all this because i'm a lay man in this new journey i want to take.
Your response is of great value to me. Thank you

Infosec_Sam

You're very welcome! So as for where to take your exams, they will generally all be taken through a global company called Pearson Vue. Here's a link to their testing center search site. I see they have some locations in London and Dubai, so you should be good on that front. To answer your other question, the A+, Network+, and Security+ should all go by pretty quickly if you're able to commit 10+ hours/week to them. The higher level exams might take a bit longer, as they'll go much more in-depth and cover quite a bit more material. It may be wise to just focus on one at a time and make incremental career steps towards that ethical hacking/penetration testing role, such as going from service desk to security admin to penetration tester. I will say that even with certifications, it may be tough to enter into a role like that with no direct IT experience.

NetworkNewb

Personally if you are looking to becoming a "certified ethical hacker", assuming you mean a pen tester, I wouldn't get most of the certs... I would recommend first creating a lab and reading a couple books like the following:

https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking-ebook/dp/B00KME7GN8/ref=sr_1_2?keywords=pentesting&qid=1554923281&s=gateway&sr=8-2

https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/ref=sr_1_3?keywords=web+application+hacker&qid=1554923439&s=gateway&sr=8-3

Then:
- Join some security/hacking groups in your area, look for them on MeetUp. (Might want to do this right away too... Also,not sure if that website is a thing in Europe)
- Try out some bug bounties. Look at sites like BugCrowd or HackerOne
- Then go after your OSCP

Those entry level certs (A+, Net+, Sec+) are only good if you are looking for your first job in IT imo. Certs are to just get past HR filters for the most part, look at the jobs you are wanting to get see if they list any of those.

Yinkaar

Thank you All...I will revert on my progress or if i have more questions. Thank you again.