Cert Career Map

Drackar Member Posts: 47
I often get the question “Which certification path should I take?”. Unfortunately, every answer I end up giving boils down to “it depends”, which never really answers the question. Instead, I have created a map of the IT certification landscape. It is definitely not all-encompassing, and I would like to start drilling down a bit further. For now, though, it should serve as a general way forward for those interested in progressing through their career.

Please feel free to add constructive criticism. I’ll make changes and additions as we go.

Map Explanation:

From bottom to top – The higher up the chart you go the more demanding and difficult the certification should be. Certifications of different colors on the same level are supposed to be of equal difficulty. I tried to extend the bubble of each cert over the categories for each knowledge base.


For example if you wanted to be a top level forensic analyst you would need to follow the forensics path in addition to experience and degrees that would naturally be required for the higher level positions. Some bottom level certifications can be skipped; others are skipped at your own peril.


I really hope this will give a graphical view of what cert you should pursue within your own goals.

Again, I would love some constructive criticism to make it better and to give further insight into some of the other areas of IT that I am not as familiar with.
To be a warrior is not a simple matter of wishing to be one. It is rather an endless struggle that will go on to the very last moment of our lives. Nobody is born a warrior, in exactly the same way that nobody is born an average man. We make ourselves into one or the other.
-- Kokoro by Natsume Soseki, 1914, Japan

Comments

  • Doyen Member Posts: 397
    Thank you for sharing this with us. It shows that you put a lot of thought into it. I like this a lot better than the CompTIA career roadmap. I like how you have overlap (the dotted lines) between the fields and certifications. Where does CASP fit in? It is almost 3 years old (Sept. 2011) and it has been recognized by the DoD as an approved baseline certification.
    Goals for 2016: [] VCP 5.5: ICM (recertifying) , [ ] VMware VCA-NV, [ ] 640-911 DCICN, [ ] 640-916 DCICT, [ ] CCNA: Data Center, [ ] CISSP (Associate), [ ] 300-101 ROUTE, [ ] 300-115 SWITCH, [ ] 300-135 TSHOOT, [ ] CCNP: Route & Switch, [ ] CEHv8, [ ] LX0-103, [ ] LX0-104
    Future Goals: WGU MSISA or Capital Technology University MSCIS Degree Program
    Click here to connect with me on LinkedIn! Just mention you are from Techexams.net.
  • Nyblizzard Member Posts: 332
    This is great and will be passing it along
    O
    /|\
    / \
  • user25379082 Member Posts: 19
    Drackar wrote: »
    ...

    Please feel free to add constructive criticism. I’ll make changes and additions as we go.

    ...


    Since you have offered us so much, I would like to contribute as well.

    My reading: Skills are modelled by mapping out roles. Employees may work in more than one role. A classic example is the hierarchization of technical support: Customers (or colleagues) have to approach certain departments or teams for support. If you would work in a group handling incidents and you would find out that not the network but the DNS service may be down, you would have to ask another department for support. Then, these people would take over and would report to you as soon as the issue is resolved. You may know what caused the incident and what may resolve it, but you may not have sufficient access or are not allowed to work with the necessary tools. In my view, you should ask yourself whom would you ask on what occasion and would you like to be the one supporting such cases. If so, then ask yourself whether you would have to broaden or deepen your skills.

    Basically, it comes down to who calls whom if something cannot be fixed. Support may even be given by the vendor or a supplier.
  • user25379082 Member Posts: 19
    @Drackar

    I suggest to add Server+ to System Admin because that person most certainly will be the one who has to work with the equipment as well. Also, I think A+ serves well as a foundation for Server+. Both are sysadmin certs.
  • MSP-IT Member Posts: 752
    I'd be hesitant to put the SSCP on the same level as the Security+. I'd think it'd be closer to the GSEC/CASP.
  • SecurityThroughObscurity Member Posts: 212
  • Drackar Member Posts: 47
    Hi,
    Sorry for the late response, I was having trouble logging in. When I get home I'll attach the .PPT version so we can all make changes and post them.

    I added the CASP that Doyen mentioned.
    My reading: Skills are modelled by mapping out roles. Employees may work in more than one role. A classic example is the hierarchization of technical support: Customers (or colleagues) have to approach certain departments or teams for support. If you would work in a group handling incidents and you would find out that not the network but the DNS service may be down, you would have to ask another department for support. Then, these people would take over and would report to you as soon as the issue is resolved. You may know what caused the incident and what may resolve it, but you may not have sufficient access or are not allowed to work with the necessary tools. In my view, you should ask yourself whom would you ask on what occasion and would you like to be the one supporting such cases. If so, then ask yourself whether you would have to broaden or deepen your skills.

    Thanks user25379082. That is mostly what I had in mind. I also wanted to point out what certifications are being completed at each level in their career. I will try to squeeze Server+ in. I'm thinking I may need to break each job into separate pictures and make a more generic picture to help conceptualize how each fits together.
  • daceto Member Posts: 63
    Great idea. Would be cool to flesh it out further to include VM based certs. Hi res would also be awesome.

    Thanks again!
  • auxiliarypriest Member Posts: 59
    Awesome job, but definitely would like to see it in high-res.
    2020 Goals: [x ] C|HFI [x] CySA+ [x ] MSCSIA
    Connect with me on Linkedin, just say you're from TechExams
  • colemic Member Posts: 1,569
    My only issue (if I am reading the chart correctly) is that it looks like you have equated CISA/CISM with CEH/CCENT.
    Working on: staying alive and staying employed
  • Drackar Member Posts: 47
    My only issue (if I am reading the chart correctly) is that it looks like you have equated CISA/CISM with CEH/CCENT.

    That is correct, colemic. It's difficult to compare apples with oranges here. So, there is no true comparison. I am just saying that they are about on the same level as one would expect a junior analyst to have.

    For example: if I had a junior Penetration Tester I might expect them to have Sec+ and CEH (or at least the equivalent knowledge). A network admin in roughly the same place in their career might expect to have the net+ and the CCENT. I tried to go a bit further by placing the CEH above the GISF in the same general category (IT Security & Networking Foundation) to show that I would expect the course material to be more challenging than the GISF. If two certs cover the same vertical space you can expect to have some material overlap, particularly if they are of the same color.

    So the two base comparisons are:
    Course Material
    General Course difficulty

    With those two variables you can conclude that (generally) the higher you go in the chart the more experience and knowledge you need to successfully complete the certification and therefore should best be tackled later in your career. Placing System admins next to Security gives a visual way of comparing one industry to another.
  • colemic Member Posts: 1,569
    I disagree with the notion that I expect a junior Analyst - or comparable position in any vertical - to have a cert comparable to CISM or CISA. CEH and CCENT are clear entry-level certifications. And there is no comparison in the course material and difficulty between CISM/CISA and CEH/CCENT. Even though they are targeted to different markets, they are also targeted to vastly different demographics within those verticals... anyone can take and be granted the CCENT cert, for example, but for CISM/CISA, there are very specific work requirements that must be met, and some junior positions aren't even enough to meet those requirements.

    IMO, CISM/CISA are just as, if not more difficult than the CISSP. They are definitely not in the same galaxy as CEH/CCENT.
  • Drackar Member Posts: 47
    Colemic,

    I am not suggesting that the CISM is similar to the CEH or CCENT. I am simply saying that the CISM is a stepping stone toward the CISSP or that the CCENT is needed for the CCNA. Again, I am comparing apples to oranges here so there will not be any direct correlation between IT industries.

    I am also not suggesting that a junior analyst take the CISM. However, if you are interested in moving into the management track, I am suggesting it might be worthwhile to peruse the CISM before you tackle the CISSP. If you decide to tackle the CISSP and later decide you want to take the CISM exam, you should find the material a review, at least to some degree. If you decided to pursue the management track, I would consider that a manager with the CISM (or equivalent knowledge) would not be as prepared to manage an IT project as a CISSP would. That’s not to say that the CISM could not perform the task though, only that the CISSP has the higher level of proven IT knowledge.

    Also something worthwhile to consider is that the management certifications are not as linear as the technical IT certifications are. Some of the management certifications are for niche areas and do not have a clear hierarchy.


  • Drackar Member Posts: 47
    Here is an updated version. I tinkered with it a bit. Keep the suggestions coming. I have included the .ppt also.

    Links:

    The power point slide: HERE

    Hi-Res Picture: HERE
  • colemic Member Posts: 1,569
    On what grounds do you consider the CISM to be beneath the CISSP? The only aspect I have ever seen is that the CISSP is slightly more well-known and HR loves it. From a technical standpoint, there is virtually no difference (to my knowledge) of the exams - if anything, the CISM is more difficult, especially since there are very few resources to prepare for it.

    'I would consider that a manager with the CISM (or equivalent knowledge) would not be as prepared to manage an IT project as a CISSP would. That’s not to say that the CISM could not perform the task though, only that the CISSP has the higher level of proven IT knowledge.'

    Again - I am not understanding why you think the CISM is, in any way, beneath the CISSP. From everything I have read and seen, it is just as, if not more difficult, than the CISSP. They are both targeted to the exact same demographic group, just different companies get the dollars. They both have extensive experience requirements, and having CISSP and CISA, I can assure you that ISACA's verification policy is a lot more stringent than a random audit.

    The main issue I have with your assumption regarding preparedness to manage a project is that the CISSP and CISM are not designed to be effective yardsticks for measuring leadership qualities. Experience makes or breaks success (to a large degree), not certifications. And if it's all subjective, I'd say the CISM is (on paper) much more likely to succeed leading a project than a CISSP, just based on what I have seen comparing the objectives for each.
  • Drackar Member Posts: 47
    Dude, I don't care about it that much. If you insist that the CISM is better / higher than the CISSP then you can change your copy of it. I have no interest in turning this into an argument on the merits of CISSP vs CISM. Better yet, post your version of the ppt that I posted and we can move past this.
  • Ultimas Member Posts: 27
  • SephStorm Member Posts: 1,731
  • Drackar Member Posts: 47
    Thanks Ultimas.

    SephStorm:

    I really like your roadmap. It includes many more certifications than mine. Just to be sure I am reading it correctly, are higher level certs on the top?
    Do you mind if I try to incorporate some of these ideas into the one I have posted ?
  • SephStorm Member Posts: 1,731
    Drackar wrote: »
    Thanks Ultimas.

    SephStorm:

    I really like your roadmap. It includes many more certifications than mine. Just to be sure I am reading it correctly, are higher level certs on the top?
    Do you mind if I try to incorporate some of these ideas into the one I have posted ?

    Feel free. In general, yes, the higher the cert, or more important in the field, it should be higher in its section.

    I had problems thinking of things for CND- D. It's a tough one to feel out. Advice for anything I missed would be useful.
  • colemic Member Posts: 1,569
    Drackar wrote: »
    Dude, I don't care about it that much. If you insist that the CISM is better / higher than the CISSP then you can change your copy of it. I have no interest in turning this into an argument on the merits of CISSP vs CISM. Better yet, post your version of the ppt that I posted and we can move past this.

    No worries, not looking for an argument, I just don't understand your rationale. And thanks btw for taking the time to put this all together.
  • colemic Member Posts: 1,569
    SephStorm wrote: »
    My version, published for review.

    Should Six Sigma be added in the management section? Thanks for putting this together.
  • daceto Member Posts: 63
    I noticed this was originally a powerpoint doc so I went ahead and recreated in Visio for those who like that better. Here is what mine looks like.

    Here is the VSD file if anyone wants it.

    https://dl.dropboxusercontent.com/u/12781860/Sec-path.vsd


    Great roadmap BTW. Hope you don't mind me working on it as well.
  • Drackar Member Posts: 47
    Awesome daceto! Thanks.

    I'm working on adding some of the certs that SephStorm has listed. I should have something tomorrow.

    Colemic -- how would you list out the management section? I can add your thoughts as I add SephStorm's list.
  • colemic Member Posts: 1,569
    Can't add the attachment right now and am heading out of town for a couple of days but here's what I had...

    ISSMP/AP still on top
    CISM CISSP
    CGEIT CRISC
    CISA CAP

    -all are in middle category, ISSMP etc on top category
    Foundational management ones are GSLC and CASP.
    Entire category is called IT Security Management.

    Thinking about a different section for certs that don't fit anywhere else in a tech category like ITIL and Six Sigma, PMP, etc.

    Just my thoughts. When I get it finished in a few days I'll post it up.
  • SephStorm Member Posts: 1,731
    Is 6S still a thing? :p Yeah, I didn't include them on my list because They aren't directly IT certs TMK, but feel free to add them. Honestly I've never met anyone who attempted to use either in a way that benefited an organization.
  • LionelTeo Member Posts: 526
    Awesome Work.

    I think Forensics should be split into two.
    Forensics - GCFA, GCFE
    Malware Researcher - GREM

    I also think that Penetration Tester should be split into two
    Penetration Tester - GPEN, GWAPT, OSCP, OSWE
    Exploit Developer - GXPN, OSCE, OSEE

    Reason being a penetration tester may not necessarily have to branch into exploit development, he can move up being a project manager/team lead for penetration testing firm.

    I also think that the Security Operation Center Path is missing. SOC Analyst Path
    SOC Analyst - GCIH, GCIA + 1 Forensic Cert

    Auditor Path can also be added
    Auditor - GCIH, GSNA, CISA
  • Drackar Member Posts: 47
    Hey LionelTeo,
    You make good points, I like the idea about splitting Malware analysis from the typical forensics. We manage them separately where I work as well. Let me see what I can come up with ...
  • LionelTeo Member Posts: 526
    I think you should draw one line in the center stating compliance or technical. Compliance for those paper work type of certifications, usually into the managerial roles while technical for those hands on role to be clear.

    Some colleagues I speak to preferred the compliance path, as such certs like SSCP, SEC+ comes into mind.

    I always had these certs recommendations for compliance path

    Tier 1
    SEC+
    SSCP (requires 2 years experience but can be taken at 1.5 years experience, you got 9 months to submit your credentials)

    Tier 2
    GSEC
    GISP
    CASP
    G2700

    Tier 3
    CISSP, CRISC, CISA

    Tier 4
    CISM
    CISSP Concentrations


    I had a good reason why CISM would be a higher tier than CISSP, the requirements for CISM if I am not wrong requires 4 years of managerial experience where CISSP requires 4 years of IT Security Experience. Thus making it more logical to obtain CISSP first over CISM.

    Also for the rest of the path, some certs can branch into other path. Like for example

    Penetration Test
    CEH -> GCIH -> GPEN -> GWAPT -> OSCP

    Incident Handler
    CEH -> GSEC -> GCIH -> GCED -> GCFA

    System Administrator
    GSEC -> GCWN -> GCUX

    SOC Analyst
    GCIH -> GCIA -> GCFA

    Others would be forensic, malware researcher, auditor, exploit developer

    You see um, some certs can link up with other path, so I suppose you would require arrows here and there to show the relationship.
  • SephStorm Member Posts: 1,731
    Hmm. I see this split happening, not sure how prevalent it is. My experience from the government side, forensics/malware research/ and incident handling is almost always performed in the same group. Private practice may be different.

    As for SOC analyst, on my path, it's under CND - D, again, as a current SOC Analyst, all of my work is in intrusion detection and analysis, no forensics, that is done by another team. I suppose you could diverge into different paths, but then you get way more complicated than necessary. Maybe we need to do a poll of the industry, or look at job postings, are the duties usually converged or separate?