What cert should I take next?

NetworkSpoon

So I wanted to get some perspective, Im a Network Engineer and I have worked in IT for 8 years. Im now looking to move into the Cyber Security realm. I have several vendor-specific Security Appliance certs as well as Microsoft cert. I went and got my Security + at the beginning of the year and I have been pondering on what cert I want to do next. I've looked at the ISC SSCP cert as I have heard they are similar and there is even some crossover. I've also thought about CEH and continuing with Comptia on its path. I just want to get your opinion on what logically makes the most sense to do next. As of right now the company Im with will pay for certs if they make sense to them. However Im looking for a new job and fully expect to have to pay for the cert at least.

Thanks in advance!

NetworkNewb

CISSP   /endthread

Infosec_Sam

I've thought about this for a while as well, and I ultimately narrowed it down to two certifications: the CySA+ and the SSCP. What I'm ultimately aiming for is either the CASP+ and/or the CISSP, depending on how technical I'd like to get. The CySA+ would essentially pick up where the Security+ left off, and would be a great gateway into a mid-level security analyst/engineer role. After that, I could pick up the Pentest+ for some OffSec training on my way to the CASP+. On the other hand, the SSCP would essentially be a fast track to the CISSP, but the CISSP has a 5-year cybersecurity experience requirement to get certified, which I don't have at this time. That being said, the CISSP does pull much more weight on a resume than the CASP+, so once I finally check that box, I'd be at a significant advantage.

So what would I recommend for you? If you are trying to break into cybersecurity with 8 years of IT experience and a Security+, I think you would find more success by spending less time studying and more time applying/interviewing. You've got everything you need to jump in, so you might as well test the waters! That being said, I'd recommend the CySA+ to you if you really want to grab another cert before leaving your current workplace. You might be able to leverage it into a higher salary when you leave, which never hurts!

NetworkNewb

Infosec_Sam said:

That being said, I'd recommend the CySA+ to you if you really want to grab another cert before leaving your current workplace. You might be able to leverage it into a higher salary when you leave, which never hurts!

I would venture to guess most places aren't asking for the cert or most managers wouldn't even know what that is if they saw it on a resume.   I took the beta exam of that cert and I do think the knowledge is useful on there, but for him looking for a new position soon I can't imagine anything coming even close to the CISSP as far as what employers will be looking for and what would most likely give him a higher salary.   

bigdogz

I think if you want to start obtaining some certifications you should start with

CASP, CEH, SSCP, CISSP

You can still skip the CySa+ as it is like the CEH but the CEH has more recognition.

Trying to hit the CISSP out of the box may throw you off as it is more of a management certification and uses your experience on a great deal of questions.

Good Luck!!!

Infosec_Sam

NetworkNewb said:

Infosec_Sam said:

That being said, I'd recommend the CySA+ to you if you really want to grab another cert before leaving your current workplace. You might be able to leverage it into a higher salary when you leave, which never hurts!

I would venture to guess most places aren't asking for the cert or most managers even knowing what that is if they saw it on a resume.   I took the beta exam of that cert and I do think the knowledge is useful on there, but for him looking for a new position soon I can't imagine anything coming even close to the CISSP as far as what employers will be looking for and what would most likely give him a higher salary.   

That's true - if 5 of those 8 years of IT experience fit into the CISSP domains, then it's a no-brainer. I just know that (ISC)2 is a big stickler for listing the CISSP on your resume when you're still an Associate, even if it's something like -Associate of (ISC)2 (CISSP).

LonerVamp

What do you want to do in cybersecurity? Are you looking for offense, defense/general, management...?

With 8 years in IT and Security+ already done, you should take a strong look at the full CISSP. It is more about management, but there's tons of little technical trivia to know, and it's widely recognized.

Do CEH if you have a reason to do CEH, like you're looking for gov jobs that really adore that cert. Otherwise, you could get better with PenTest+ or just jumping somewhere into the eJPT->eCPT->OSCP/GPEN track. Obviously this is offense heavy.

If your company will pay for it, I'd always look at SANS courses and certs.

NetworkSpoon

Infosec_Sam said:

I've thought about this for a while as well, and I ultimately narrowed it down to two certifications: the CySA+ and the SSCP. What I'm ultimately aiming for is either the CASP+ and/or the CISSP, depending on how technical I'd like to get. The CySA+ would essentially pick up where the Security+ left off, and would be a great gateway into a mid-level security analyst/engineer role. After that, I could pick up the Pentest+ for some OffSec training on my way to the CASP+. On the other hand, the SSCP would essentially be a fast track to the CISSP, but the CISSP has a 5-year cybersecurity experience requirement to get certified, which I don't have at this time. That being said, the CISSP does pull much more weight on a resume than the CASP+, so once I finally check that box, I'd be at a significant advantage.

So what would I recommend for you? If you are trying to break into cybersecurity with 8 years of IT experience and a Security+, I think you would find more success by spending less time studying and more time applying/interviewing. You've got everything you need to jump in, so you might as well test the waters! That being said, I'd recommend the CySA+ to you if you really want to grab another cert before leaving your current workplace. You might be able to leverage it into a higher salary when you leave, which never hurts!

Thanks for the Info, a matter of fact I actually just applied for two openings with local Government for Cyber Security Engineer and Senior Cyber Security Analyst. But I figured it cant hurt to continue to push forward with my certs regardless on whether I hear back or not. I will take a look at CySA+, especially since its literally the next step in the comptia track.

NetworkSpoon

bigdogz said:

I think if you want to start obtaining some certifications you should start with

CASP, CEH, SSCP, CISSP

You can still skip the CySa+ as it is like the CEH but the CEH has more recognition.

Trying to hit the CISSP out of the box may throw you off as it is more of a management certification and uses your experience on a great deal of questions.

Good Luck!!!

I keep hearing good things about CEH, I know its obviously geared towards a more offensive skill set. But I feel I want to get a well rounded base before Im willing to say which branch in Cybersecurity fits me. At the moment my Skillset is more proactive and defensive in nature. Thanks for the info!

NetworkSpoon

LonerVamp said:

What do you want to do in cybersecurity? Are you looking for offense, defense/general, management...?

With 8 years in IT and Security+ already done, you should take a strong look at the full CISSP. It is more about management, but there's tons of little technical trivia to know, and it's widely recognized.

Do CEH if you have a reason to do CEH, like you're looking for gov jobs that really adore that cert. Otherwise, you could get better with PenTest+ or just jumping somewhere into the eJPT->eCPT->OSCP/GPEN track. Obviously this is offense heavy.

If your company will pay for it, I'd always look at SANS courses and certs.

Honestly still on the fence on which Branch best suites me. Most of what I do now is configuring Security Appliances(Watchguard XTM, SonicWall, Meraki MX). I also have quite a bit of Experience with Mimecast and Knowbe4 on the email security side. The Jobs I applied for are local utility\government. In terms of cost-effectiveness and study Material would you say CEH is the way to go?

Several folks havent mentioned CISSP, and I constantly see job postings with it listed. Im not sure I would have the requirements to meet it. I feel like I have more than enough to takle SSCP though. how does re-certification work with ISC2? It seems like in the past I've heard it can be difficult .

Thanks!

NetworkSpoon

For those of you that have completed or mention SSCP, Ive noticed there isn't a lot of highly decorated self-study material out there for it. What did you use or did most of you skip it and got straight to CISSP?

imnewbie

LonerVamp said:

What do you want to do in cybersecurity? Are you looking for offense, defense/general, management...?

With 8 years in IT and Security+ already done, you should take a strong look at the full CISSP. It is more about management, but there's tons of little technical trivia to know, and it's widely recognized.

Do CEH if you have a reason to do CEH, like you're looking for gov jobs that really adore that cert. Otherwise, you could get better with PenTest+ or just jumping somewhere into the eJPT->eCPT->OSCP/GPEN track. Obviously this is offense heavy.

If your company will pay for it, I'd always look at SANS courses and certs.

Quick question, I am curiosity to know; can you provide from hard to easy certification? I also want to explore to get some good certification. I have some time i did not get a promotion. I want to pass some good certification to find another better or get promotion within the company

bigdogz

@NetworkSpoon
The GCIH is a purple certification. That is to say, you had some red team, and some blue team. The training is great but expensive. 

LonerVamp

imnewbie said:

LonerVamp said:

What do you want to do in cybersecurity? Are you looking for offense, defense/general, management...?

With 8 years in IT and Security+ already done, you should take a strong look at the full CISSP. It is more about management, but there's tons of little technical trivia to know, and it's widely recognized.

Do CEH if you have a reason to do CEH, like you're looking for gov jobs that really adore that cert. Otherwise, you could get better with PenTest+ or just jumping somewhere into the eJPT->eCPT->OSCP/GPEN track. Obviously this is offense heavy.

If your company will pay for it, I'd always look at SANS courses and certs.

Quick question, I am curiosity to know; can you provide from hard to easy certification? I also want to explore to get some good certification. I have some time i did not get a promotion. I want to pass some good certification to find another better or get promotion within the company

I think when answering this, the first thing that comes to mind is this graphic. And every time I think about it, it's a pain to track down who maintained/made it.   (It's not me!)

imnewbie

LonerVamp said:

imnewbie said:

LonerVamp said:

What do you want to do in cybersecurity? Are you looking for offense, defense/general, management...?

With 8 years in IT and Security+ already done, you should take a strong look at the full CISSP. It is more about management, but there's tons of little technical trivia to know, and it's widely recognized.

Do CEH if you have a reason to do CEH, like you're looking for gov jobs that really adore that cert. Otherwise, you could get better with PenTest+ or just jumping somewhere into the eJPT->eCPT->OSCP/GPEN track. Obviously this is offense heavy.

If your company will pay for it, I'd always look at SANS courses and certs.

Quick question, I am curiosity to know; can you provide from hard to easy certification? I also want to explore to get some good certification. I have some time i did not get a promotion. I want to pass some good certification to find another better or get promotion within the company

I think when answering this, the first thing that comes to mind is this graphic. And every time I think about it, it's a pain to track down who maintained/made it.   (It's not me!)

Thank you. Very color chart.

SteveLavoie

NetworkSpoon said:

For those of you that have completed or mention SSCP, Ive noticed there isn't a lot of highly decorated self-study material out there for it. What did you use or did most of you skip it and got straight to CISSP?

I used Darril Gibson's All in one book. It cover 99% of what you need and there is a 75% overlap with Sec+. The other 1% is from the official ISC2 CBK (awful book, but it is the main reference)

In your case, you should see SSCP only a stepping stone for CISSP.