Cert Career Map

Hi,
Sorry for the late response, I was having trouble logging in. When I get home I'll attach the .PPT version so we can all make changes and post them.

I added the CASP that Doyen mentioned.

My reading: Skills are modelled by mapping out roles. Employees may work in more than one role. A classic example is the hierarchization of technical support: Customers (or colleagues) have to approach certain departments or teams for support. If you would work in a group handling incidents and you would find out that not the network but the DNS service may be down, you would have to ask another department for support. Then, these people would take over and would report to your as soon as the issue is resolved. You may know what caused the incident and what may resolve it, but you may not have sufficient access or are not allowed to work with the necessary tools. In my view, your should ask yourself whom would you ask on what occasion and would you like to be the one supporting such cases. If so, then ask yourself whether you would have to broaden or deepen your skills.

Thanks user25379082 That is mostly what I had in mind. I also wanted to point out what certifications are begin completed at each level in their career. I will try to squeeze Server+ in. I'm thinking I may need to break each job into separate pictures and make a more generic picture to help conceptualize how each fit together.

daceto

Great idea. Would be cool to flesh it out further to include VM based certs. Hi res would also be awesome.

Thanks again!

auxiliarypriest

Awesome job, but definitely would like to see it in high-res.

My only issue (if I am reading the chart correctly) is that it looks like you have equated CISA/CISM with CEH/CCENT.

My only issue (if I am reading the chart correctly) is that it looks like you have equated CISA/CISM with CEH/CCENT.

That is correct colemic. Its difficult to compare apples with oranges here. So, there is no true comparison. I am just saying that they are about on the same level as one would expect a junior analyst to have.

For example: if I had a junior Penetration Tester I might expect them to have Sec+ and CEH (or at least the equivalent knowledge). A network admin in roughly the same place in their career might expect to have the net+ and the CCENT. I tried to go a bit further by placing the CEH above the GISF in the same general category (IT Security & Networking Foundation) to show that I would expect the course material to be more challenging than the GISF). If two certs cover the same vertical space you can expect to have some material overlap, particularly if they are of the same color.

So the two base comparisons are:
Course Material
General Course dificulty

With those two variables you can conclude that (generally) the higher you go in the chart the more experience and knowledge you need to successfully complete the certification and therefore should best be tackled later in your career. Placing System admins next to Security gives a visual way of comparing one industry to another.

I disagree with the notion that I expect a junior Analyst - or comparable position in any vertical - to have a cert comparable to CISM or CISA. CEH and CCENT are clear entry-level certifications. And there is no comparison in the course material and difficulty between CISM/CISA and CEH/CCENT. Even though they are targeted to different markets, they are also targeted to vastly different demographics within those verticals... anyone can take and be granted the CCENT cert, for example, but for CISM/CISA, there are very specific work requirement that must be met, and some junior positions aren't even enough to meet those requirements.

IMO, CISM/CISA are just as, if not more difficult than the CISSP. They are definitely not in the same galaxy as CEH/CCENT.

Colemic,

I am not suggesting that the CISM is similar to the CEH or CCENT. I am simply saying that the CISM is a stepping stone toward the CISSP or that the CCENT is needed for the CCNA. Again, I am comparing apples to oranges here so there will not be any direct correlation between IT industries.

I am also not suggesting that a junior analyst take the CISM. However, if you are interesting in moving into the management track, I am suggesting it might be worthwhile to peruse the CISM before you tackle the CISSP. If you decide to tackle the CISSP and later decide you want to take the CISM exam, you should find the material a review, at least to some degree. If you decided to pursue the management track, I would consider that a manager with the CISM (or equivalent knowledge) would not be as prepared to manage an IT project as a CISSP would. That’s not to say that the CISM could not perform the task though, only that the CISSP has the higher level of proven IT knowledge.

Also something worthwhile to consider is the management certifications are not as linear as the technical IT certifications are. Some of the management certifications are for niche areas and does not have a clear hierarchy.

Here is an updated version. I tinkered with it a bit. Keep the suggestions coming. I have included the .ppt also.

Links:

The power point slide: HERE

Hi-Res Picture: HERE

On what grounds do you consider the CISM to be beneath the CISSP? The only aspect I have ever seen is that the CISSP is slightly more well-known and HR loves it. From a technical standpoint, there is virtually no difference (to my knowledge) of the exams - if anything, the CISM is more difficult, especially since there are very few resources to prepare for it.

'I would consider that a manager with the CISM (or equivalent knowledge) would not be as prepared to manage an IT project as a CISSP would. That’s not to say that the CISM could not perform the task though, only that the CISSP has the higher level of proven IT knowledge.'

Again - I am not understanding why you think the CISM is, in any way, beneath the CISSP. From everything I have read and seen, it is just as, if not more difficult, than the CISSP. They are both targeted to the exact same demographic group, just different companies get the dollars. They both have extensive experience requirements, and having CISSP and CISA, I can assure you that ISACA's verification policy is a lot more stringent than a random audit.

The main issue I have with your assumption regarding preparedness to manage a project is that the CISSP and CISM are not designed to be effective yardsticks for measuring leadership qualities. Experience makes breaks success (to a large degree), not certifications. And if it's all subjective, I'd say the CISM is (on paper) much more likely to succeed leading a project than a CISSP, just based on what I have seen comparing the objectives for each.

Dude, I don't care about it that much. If you insist that the CISM is better / higher than the CISP then you can change your copy of it. I have no interest in turning this into an argument on the merits of CISSP vs CISM. Better yet, post your version of the ppt that I posted and we can move past this.

Ultimas

@Drackar
Great work man.

My version, published for review.

roadmap.jpg

Thanks Ultimas.

SephStorm:

I really like your roadmap. It includes many more certifications than mine. Just to be sure I am reading it correctly, are higher level certs on the top?
Do you mind if I try to incorporate some of these ideas into the one I have posted ?

Drackar wrote: »

Thanks Ultimas.

SephStorm:

I really like your roadmap. It includes many more certifications than mine. Just to be sure I am reading it correctly, are higher level certs on the top?
Do you mind if I try to incorporate some of these ideas into the one I have posted ?

Feel free. In general, yes, the higher the cert, or more important in the field, it should be higher in its section.

I had problems thinking of things for CND- D. Its a tough one to feel out. Advice for anything I missed would be useful.

Drackar wrote: »

Dude, I don't care about it that much. If you insist that the CISM is better / higher than the CISP then you can change your copy of it. I have no interest in turning this into an argument on the merits of CISSP vs CISM. Better yet, post your version of the ppt that I posted and we can move past this.

No worries, not looking for an argument, I just don't understand your rationale. And thanks btw for taking the time to put this all together.

Security Certification Progression Chart.jpg

SephStorm wrote: »

My version, published for review.

Should Six Sigma be added in the management section? Thanks for putting this together.

daceto

I noticed this was originally a powerpoint doc so I went ahead and recreated in Visio for those who like that better. Here is what mine looks like.

Here is the VSD file if anyone wants it.

https://dl.dropboxusercontent.com/u/12781860/Sec-path.vsd

Great roadmap BTW. Hope you dont mind me working on it as well.

Awesome deceto! Thanks.

I'm working on adding some of the certs that SephStorm has listed. I should have something tomorrow.

Colemic -- how would you list out the management section? I can add your thoughts as i add SephStorms list.

Can't add the attachment right now and am heading out of town for a couple of days but here's what I had...

ISSMP/AP still on top
CISM CISSP
CGEIT CRISC
CISA CAP

-all are in middle category, ISSMP etc on top category
Foundational management ones are GSLC and CASP.
Entire category is called IT Security Management.

Thinking about a different section for certs that don't fit anywhere else in a tech category like ITIL and Six Sigma, PMP, etc.

Just my thoughts. When I get in finished in a few days I'll post it up.

Is 6S still a thing?

Yeah, I didn't include them on my list because They aren't directly IT certs TMK, but feel free to add them. Honestly I've never met anyone who attempted to use either in a way that benefited an organization.

LionelTeo

Awesome Work.

I think Forensics should be split into two.
Forensics - GCFA, GCFE
Malware Researcher - GREM

I also think that Penetration Tester should be split into two
Penetration Tester - GPEN, GWAPT, OSCP, OSWE
Exploit Developer - GXPN, OCSE, OSEE

Reason being a penetration tester may not necessary had to branch into exploit development, he can move up being a project manager/team lead for penetration testing firm.

I also think that the Security Operation Center Path is missing. SOC Analyst Path
SOC Analyst - GCIH, GCIA + 1 Forensic Cert

Auditor Path can also be added
Auditor - GCIH, GSNA, CISA

Hey LionelTeo,
You make a good points, I like the idea about splitting Malware analysis from the typical forensics. We manage them separately where I work as well. Let me see what I can come up with ...

LionelTeo

I think you should draw one line in the center stating compliance or technical. Compliance for those paper work type of certifications, usually into the mangerial roles while technical for those hands on role to be clear.

Some colleagues I speak to preferred the compliance path, as such certs like SSCP, SEC+ comes into mind.

I always had these certs recommendations for compliance path

Tier 1
SEC+
SSCP (requires 2 years experince but can be taken at 1.5 years experience, you got 9 months to submit your credentials)

Tier 2
GSEC
GISP
CASP
G2700

Tier 3
CISSP, CRISC, CISA

Tier 4
CISM
CISSP Concerntrations

I had a good reason why CISM would be a higher tier than CISSP, the requirements for CISM if I am not wrong requires 4 years of managerial experience where CISSP requires 4 years of IT Security Experience. Thus making it more logical to obtain CISSP first over CISM.

Aso for the rest of the path, some certs can branch into other path. Like for example

Penetration Test
CEH -> GCIH -> GPEN -> GWAPT -> OSCP

Incident Handler
CEH -> GSEC -> GCIH -> GCED -> GCFA

System Administrator
GSEC -> GCWM -> GCUX

SOC Analyst
GCIH -> GCIA -> GCFA

Others would be forensic, malware researcher, auditor, exploit developer

You see um, some certs can link up with other path, so I suppose you would requires arrow here and there to show the relationship.