Certification path - which way to go?

Hello all,

I know this is a really generic question, but I'm hoping to get a little insight from some more experienced peeps out here in the world to give a little advice.

I'm currently working as a Network Systems Administrator for a local credit union in my area. Pretty much all of my experience has been from hands-on work related issues up until this point. I am hoping to increase my value over the next few years with certifications and other education, but I'm unsure which direction to go.

After doing some research and taking a look at what I've enjoyed doing in IT over the last decade I realized that I want to do a full dive into the CyberSecurity realm. We currently do not have a CyberSecurity position or program at my company, but I know my boss (CIO) has talked about us needing one for a while now. We have a limited budget, and they are really hesitant to hire people from the outside. I believe this is my opportunity to step up and take on a new roll doing something that I enjoy, and something that pays more.

Currently I'm studying for my CCNA (ICND1 & ICND2) I am shooting for late October/November for the ICND1 and Jan for ICND2. After that I want to start drilling down on my security certifications, but I don't know which one to start with. I have heard that the CompTIA Security + is a good place to start. I would like to eventually get my CISSP - Ideally over the next 3-5 years (maybe sooner) I would like to be director over our CyberSecurity division (which doesn't currently exist..) which will require a certain degree of management. Even if this current company does not have the role available I would like to have the certifications necessary to go elsewhere.

I don't have my bachelors degree yet, but I am currently looking into options as far as that goes. I would like to get a Bachelors in Applied Science in Computer Information Technology specializing in CyberSecurity. I have a few undergrad credits for some of the basic classes I took here at a local community college, but not sure how transferable they would be. That same local community college I have a few credits with just so happens to be starting a Bachelors program next spring offering exactly the degree I am wanting to get so the timing may work out perfectly.

My two main concerns right now are time and money. I would love to just enroll in the bachelors program and start taking classes, but I don't want to take out any loans, and I'm pretty strapped for extra income right now. I have looked into WGU and the prices seem pretty competitive, but I haven't seen what my local community college prices are going to run for the program I am wanting to take yet. My next steps there are to meet with a student adviser and see what options I have there.

With that being said - I know my current job will increase my salary as I acquire certifications which may be the first step to getting some extra income so I can pursue my degree.

I have been working right at 6 years with my current employer.
0-1: Desktop Administrator
2-4: Desktop Systems Administrator
4-5: Sr. Systems Administrator
5-6 : Network Systems Administrator

Prior to this I worked 4 1/2 years removing viruses off of computers for GeekSquad at Best Buy.

/end rant

Completely got sidetracked there. . . 🤦‍♂️ -_-
So, what order do you guys recommend taking the CyberSecurity certifications in?

Sec +
CISSP
CISM
CEH
CHFI

etc.

PS
I would really like to keep studying for the CCNA even though I'm heading down the CyberSecurity path. There is allot of information I feel I'm gaining that will be useful regardless of which IT path I go down.

Find more posts tagged with

Comments

the_Grinch

I think Security+ and CCNA is definitely a good place to start. It will build a very solid foundation for you to then go into any direction you like. I'd also recommend that you also look into CISA as I'd imagine there will be some regulations you'll need be in compliance with. I wouldn't get CEH or CHFI. CEH pops on the resume, but otherwise I didn't get much mileage out of it.

As for school, I'd agree you will definitely want to get a degree. I would check to see if your company would be willing to provide some tuition reimbursement (tax write off for them).

sephiroth66

the_Grinch said:

I think Security+ and CCNA is definitely a good place to start. It will build a very solid foundation for you to then go into any direction you like. I'd also recommend that you also look into CISA as I'd imagine there will be some regulations you'll need be in compliance with. I wouldn't get CEH or CHFI. CEH pops on the resume, but otherwise I didn't get much mileage out of it.

As for school, I'd agree you will definitely want to get a degree. I would check to see if your company would be willing to provide some tuition reimbursement (tax write off for them).

Good to know the CCNA and Sec + are good starters to get things going. It seemed like the most viable path.

I am going to setup a meeting with a student adviser at the local community college soon so I can see what kind of expense I'm looking at overall. The current tuition rate for In-district is $85/credit hour which is pretty cheap. Unfortunately my company doesn't offer any tuition/training incentives. It would be super nice if they did!

The CISA looks like it might actually be really beneficial for my day-to-day environment. What kind of study time frame is needed for an exam of that nature?

mikey88

SSCP is a good option also from ISC2.

nevermore

Degrees are great as they help establish that foundation for security concepts. If you have a desire to move up in the Security path (i.e. management or higher) you may likely need a BS or MS degree to be considered at certain organizations. Sometimes you can get by with an appropriate certification such as the CISM or CISSP. The CISM and CISSP are very nice certifications to help to provide a path, keep in mind there is professional work experience requirements for both. ISACA requires someone to sign off that you have the required experience and CISSP requires that you are endorsed. CISSP requires 5 years experience, but you can get credit of one year for meeting certain educational requirements.

I think the SSCP is a good option to consider as it has a bit lower experience requirement. If you are willing to invest some money into yourself, you can evaluate the SANS work study program to see if you gain access to discounted training. Top notch stuff and some of the certifications (such as GSEC and GCIH) are great options to consider. It really depends on what space you ultimately want to get into. I also suggest looking at options to pursue your degree and there are many colleges now offer opportunities to earn credit based on your prior work history. It can help save some money and time.

LonerVamp

So, looking at you wanting to be a CyberSecurity Director, I see two issues. However, both issues can be bypassed if your company just gives you the green light for doing it. Otherwise... First, you have no specific security mention/experience in here. Granted, this isn't a resume or cover letter, but just keep in mind that there is a slight difference between being a "security-minded admin" and being in "information security." I will honestly say, give me 1 security-minded admin for about every 3 security professionals...

Second, and you mentioned this already, but being a Director should confer some management experience or knowledge. And this comes in two parts: direct reports experience and upward management interaction. A degree will help on the latter path, but only if you're also going to take this into an MBA. Of everything, this might be your heaviest and hardest lift. And a bit longer term, too. Still, at some point until you land in the career space you want to stay for your foreseeable future and get that first 5 years' of experience, that lack of a degree may be a sticking point when HR looks at your resume. So, I'd suggest keep pursuing conversations about that possibility, even if you scoff at the MBA/Masters level education.

Personally, I absolutely love when someone with a technical background wants to get into security. There really are three pieces to so many security positions: security mindset, technical acument, and general experience. You can't teach the first, and it's annoying to have to teach the second. So you have that going for you quite nicely!

Will the CCNA help you with your security track? Not really, if you already understand the basics of networking. Will it help you on the Director track? Only if you're managing/leading the network team. Will it help you be a Network Admin? Obviously.

And since that sounds like it's your day-to-day right now, paying the bills, I think that's a good spend.

With your background and assuming you've had at least a passing interest in security topics to some degree over the past 10 years, Security+ should be easily achievable for you. Makes for a good start for other certs on your list, and gives you something on your resume/linkedin to show you're interested in security.

I would also say start looking at doing the CISSP sooner than later. You've had plenty of time in at least 2 domains (accounts, passwords, permissions, firewalls, and so on...) to make a case for qualifying. This should also give you a great taste for many other things you could do that are not necessarily hands-on-keyboard all day.

If you feel up to it and still want to do more, CISM is a great next step as well, and will overlap a lot.

The CEH, by this point, should only be something you do if a job requires it. It's a bit spendy, you won't learn much at this point, and many security professionals deride it pretty quickly. Feel free if you want, but I don't see the value. If you want something cheaper with similar-ish topics, the Pentest+ will be a better choice.

I'm actually not familiar with CHFI.

As you progress past each cert or stage in your learning/career growth, re-evaluate what you want to do. Do you still want to stay with the credit union you're with, or go elsewhere? Maybe you want to play in a SOC more (CCNA Cyber Ops, CySA+...) or go into pentesting (eJPPT, eCPPT, OSCP...) or something else that lets you re-plan your path gently to get there.

Lastly, all of the above advice and generalizations and "rules" are meant to be broken, so feel free to break them.

sephiroth66

Personally, I absolutely love when someone with a technical background wants to get into security. There really are three pieces to so many security positions: security mindset, technical acument, and general experience. You can't teach the first, and it's annoying to have to teach the second. So you have that going for you quite nicely!

Will the CCNA help you with your security track? Not really, if you already understand the basics of networking. Will it help you on the Director track? Only if you're managing/leading the network team. Will it help you be a Network Admin? Obviously. And since that sounds like it's your day-to-day right now, paying the bills, I think that's a good spend.

With your background and assuming you've had at least a passing interest in security topics to some degree over the past 10 years, Security+ should be easily achievable for you. Makes for a good start for other certs on your list, and gives you something on your resume/linkedin to show you're interested in security.

I would also say start looking at doing the CISSP sooner than later. You've had plenty of time in at least 2 domains (accounts, passwords, permissions, firewalls, and so on...) to make a case for qualifying. This should also give you a great taste for many other things you could do that are not necessarily hands-on-keyboard all day.

If you feel up to it and still want to do more, CISM is a great next step as well, and will overlap a lot.

The CEH, by this point, should only be something you do if a job requires it. It's a bit spendy, you won't learn much at this point, and many security professionals deride it pretty quickly. Feel free if you want, but I don't see the value. If you want something cheaper with similar-ish topics, the Pentest+ will be a better choice.

I'm actually not familiar with CHFI.

As you progress past each cert or stage in your learning/career growth, re-evaluate what you want to do. Do you still want to stay with the credit union you're with, or go elsewhere? Maybe you want to play in a SOC more (CCNA Cyber Ops, CySA+...) or go into pentesting (eJPPT, eCPPT, OSCP...) or something else that lets you re-plan your path gently to get there.

Lastly, all of the above advice and generalizations and "rules" are meant to be broken, so feel free to break them.

First off - thank you for the detailed analysis!

I'll try to go over each of your points so I can format a good response here. I don't know how to break apart a response to reply to specific parts of a comment yet so I'll just italicize them for now.

The first part of this - I really am hoping that since we lack any type of specified security titles in our department that I can sell this idea to my boss. We are getting a huge change in upper management here soon (next year), as most of our senior management team is retiring. My current boss (CIO) will likely be gradually transitioning into a less hands-on role during the next few years while passing his title down to our current network engineer. There have been talks about dividing our IT department into more specialized roles once this happens as we will most likely be on-boarding more employees over the next 3-5 years as we expand our department. To give you an idea there are currently 8 of us in total including our CIO. 3 of us are networking/server/everything else including our CIO and the others range from desktop support/call support to application support for our core system. - Of course this is just one company, but since we are currently really small this may be a great opportunity to scale up quickly as we expand given my tenure and overall standing with upper management.

As far as security-specific experience. I have been managing our desktop/server endpoint security for the last 6 years, and also our user security policies via Windows group policy. I have helped write a few of the company policies regarding application security etc. as well. I also help manage our firewalls, message-gateway, web-filter, WSUS, etc. We are also looking to start running user security test internally (phishing tests, user security training etc.) within the next year. I will probably have a huge part in designing (possibly by myself) and performing the tests to provide metrics for management to help us with our security compliance. It's difficult to remember everything I have a hand in sometimes since we are such a small department. I know I will likely need more specific security experience over time to achieve my goal, but I think I have had at least enough general experience to really decide the path I want to head towards.

Second, and you mentioned this already, but being a Director should confer some management experience or knowledge. And this comes in two parts: direct reports experience and upward management interaction. A degree will help on the latter path, but only if you're also going to take this into an MBA. Of everything, this might be your heaviest and hardest lift. And a bit longer term, too. Still, at some point until you land in the career space you want to stay for your foreseeable future and get that first 5 years' of experience, that lack of a degree may be a sticking point when HR looks at your resume. So, I'd suggest keep pursuing conversations about that possibility, even if you scoff at the MBA/Masters level education.

I agree about the management experience. I do plan on getting my MBA eventually.

Well.. I just typed out the rest of this long response.. edited it, posted it.. and then it disappeared! lol

I will have to get back with you on the other stuff. I do want to thank you for taking the time to respond and give the pointers/direction. I really appreciate the info. I will continue the rest of this later.

EDIT: I just realized there was a character limit for comments :C

sephiroth66

Continuing on my response.

Thank you very much! I have always been security-minded even outside of the professional level. I enjoy thinking critically and creatively. I am a very skeptical and cautious person by nature so security really "clicks" for me on a personal level. I believe with a little more training and knowledge I would have no problem implementing and architecting a security program for my company.

And since that sounds like it's your day-to-day right now, paying the bills, I think that's a good spend.

I had originally planned to scrap the CCNA and start pursuing the CISSP and other security certifications, but I really think the CCNA will benefit me overall.

This is one of the reasons I was thinking of adding this to my cert list. I think it would be beneficial to have and be a great starter security certification that wouldn't require too much studying to achieve.

I think with all of my broad experience I can probably cover several of the domains without any issues. It's good to know that this one should be on the top of the list.

If you feel up to it and still want to do more, CISM is a great next step as well, and will overlap a lot.

I was definitely considering the CISM if I want to pursue the management route. I think I will have to evaluate how much into management I really want to get into. I currently manage our optical system on top of my normal duties, but I don't "directly" manage any employees. I do however manage what people need to do and delegate tasks etc. I do think that management is a possibility in the future however.

The CEH was just going to be for building up my resume more than anything. With the track I want to go down it was just an extra cert.

I think at this point I'm pretty comfortable with the area I want to pursue. I think I can scale up well at my current job, but I know there are several other similar opportunities nearby that pay better. My father-in-law is also really well connected in the industrial engineering space here locally. He has mentioned several times that there are several big players in the oil industry that are needing more CyberOps/Cybersecurity in the networking systems that run the SCADA and PLC components. Also the oil/gas industry pays really..really well.

Again, thank you for the input! I am always looking for pointers/advice to help make better career decisions.

My initial response was way better put, but I couldn't bring myself to type it all a second time! lol

MarioKart64

I got the CEH and CHFI for the WGU MSCSIA. A lot of hiring managers really like the CEH but it is fairly expensive so I would recommend against it unless you are getting it for school or your work is paying for it. That said I highly recommend against getting the CHFI as it is very expensive and relatively unheard of by hiring managers.

denisehilton

I personally find the Network security field to be very interested. Probably because it's evolving faster than any other field and there's always so much to learn.

sephiroth66

This may fall on deaf ears, but I wanted to post a quick update on my progress over the last year.

Employment Update
Over the past year my company has went from having no security training, designated security staff, or initiatives that pertained strictly to security -- to now having a Information Security/Cybersecurity team, cybersecurity training, monthly cybersecurity newsletters, and a large focus on security best practices, risk assessments, policies, and security compliance. Not to mention a new strikingly handsome Information Security Manger that is in charge of leading the security team😉....hint hint that's me!

Education Update
I'm now in my 4th semester at the local community college working my way towards my AAS in LAN Systems Cybersecurity Specialization. I plan to finish up the AAS by next fall and start my BAS in the spring of 2022. I am going a little slow, but with a fulltime job and kids I don't have the time to do more hours. I have also not had time to really focus on certifications with putting so much extra time and effort in at work, but I really feel like that has paid off, so no regerts there.

Personal Update
I just turned 30 over the summer... ouch.
I bought one of my dream cars over the summer to - 1974 Corvette Stingray
I have gained weight unfortunately. Somewhere between putting in extra hours at work, and the stress of school. I'll be honest I pretty much switched gym for school so the results speak for themselves 😆

This forum has given me a nice little place to reflect and allow me to work towards accomplishing my goals. I am really grateful for the advise others have given, and also to other forum members that I may or may not have been following their stories for motivation.

itdept

Congrats on the new role. The Corvette Stingray is pretty cool. Growing up I think one of my neighbors use to own one and found a way to get enormous amount of beer into it.