Security Certification Roadmap

If you are looking at this post right now, it is highly likely you are trying to break into information security or looking for guidance where to go next. Welcome and remember that over the years, certifications will change but the advice will remain fairly consistent.
There are essentially three types of stages for information security certifications in a career: entry-level, specialization, management. (I will briefly touch on degrees at the end.)
Each stage has different objectives and has to be treated differently based on how one wants their career to progress. Each stage will be broken down with various certifications.
Entry-Level (0-2 years):
The entry-level stage is reserved for those who either are changing their career or have been in another segment of information technology and are looking to break into information security. Regardless of which one you are, the advice remains fairly consistent. You should be looking at entry-level certifications that will provide you a solid foundation to build upon.
CompTIA Network+ -> Security+ (A+ = optional before Network+):
These should be the very first certifications you get. These will provide you basic knowledge in how networks operate and security concerns that are related. You will see the information in these certifications later in your career…so yes you need to pay attention.
::Optional::
Depending on the environment you work in, you might have to know a little about areas outside of information security…enter Cisco, Microsoft, and Linux. Although these are optional, I strongly recommend you get at least one of these certifications to make yourself more knowledgeable and valuable in an organization.
Cisco CCENT -> CCNA:R&S:
As far as networking is currently concerned, Cisco runs the world. You will learn more in depth how networks work and how to configure network appliances (routers, switches, etc.).
Microsoft MCSA - Server:
Microsoft systems have the majority share in the corporate world. Your job might call on you to verify configurations, GPOs, account permissions, etc. and being aware of how to navigate/configure a server is valuable.
CompTIA Linux+:
Linux shows up in enterprise environments every once in a while, and many information security tools have been developed in this operating system. From an overall knowledge standpoint you should feel comfortable with Linux but I do not believe you will get the biggest bang for your buck getting certified. However, if you need a certification to pass some free time, Linux+ would be a fun adventure.
Specialization (2+ years):
I bet you thought to yourself…“hmm that was easy.” The specialization phase is where things get a little tricky. At this point in your career you have to start deciding what areas you enjoy the most. This can range from network security, system security, forensics, penetration testing…and the list goes on and on. Hopefully at this point you have had broad exposure to a lot of aspects and can make an informed decision. If not, that is ok because people tend to bounce around in this area. Below are the major areas, although more do exist.
Penetration Testing:
EC-Council C|EH -> Offensive Security OSCP -> OSCE
Networking Security:
Cisco CCNA:Security -> CCNP:Security -> CCIE:Security
Checkpoint CCSA -> CCSE
Digital Forensics:
EC-Council CHFI
Auditing:
ISACA CISA
General Information Security:
(ISC)2 SSCP -> CompTIA CASP
In general, the above certifications to specialize in will provide a solid foundation if you choose to go one way versus another. These have been arranged by the years of experience required or recommended (per specialization).
Management (4-5+ years):
Congratulations! You have made the decision to move from the trenches to the big office. Generally, management is involved with policy creation, and management of the information security program. Although these certifications require several years of experience, most offer an “Associate” option for those less experienced until they acquire the needed years of experience.
(ISC)2 CISSP -> ISACA CISM
These are the two major players in information security management certifications. The CISSP does have concentration certifications, but you must be a CISSP before you can pursue them.
DEGREES:
Knowledge is power! A degree really depends on your end goal. If you want to be a highly technical person, a degree might not be necessary…although companies are screening people without degrees from getting interviews so it could be a hindrance.
Generally to get the high level management positions you will need some type of advanced degree (an MBA is common for those who started with a technical bachelor's). Degrees can be helpful in providing you with knowledge in a condensed period of time from experts, which can be very valuable. Realize that certifications + degree + experience is the key for the most success. That does not mean you cannot get a good position without a degree, but the certifications and experience have to be in place.
For advanced degrees, get something that differs from your undergraduate degree. If you have a degree in business, get a degree in some type of technology field….and the opposite if you have a degree in technology.
One last thought about degrees and time commitment. They take a lot of time and energy (especially advanced degrees) for coursework. They can be much more time consuming than a certification and you need to take that into account when deciding. As somebody who has spent time solely as a student and then as a full-time employee finishing master's level classes...work + classes means you probably will not get certifications done at the same time. Also consider your personal life such as family, kids, etc.
**GIAC certifications were not mentioned in this post due to the high cost and inaccessibility to most people paying out of pocket. They are however highly regarded and have a path from entry to expert/management.**
Other References:
(IT) Information Technology Jobs & Careers | CompTIA IT Certifications
The GIAC Security Certification Roadmap
(IT) Information Technology Certifications | CompTIA IT Certifications
Certifications - Training & Certifications - Cisco
https://www.microsoft.com/en-us/learning/certification-overview.aspx
Security Training, IT Security, Security Certification, Security Courses, Security Analyst Training, Cert Training, Forensic Training, Information Security Training, Computer Security Training
https://www.offensive-security.com/information-security-certifications/
Training & Certification | Check Point Software
IT Certification - Audit - Security - Governance - Risk | ISACA
https://www.isc2.org/credentials/default.aspx
GIAC Information Security Certifications | Cyber Certifications
Transmosis | http://transmosis.com | LinkedIn | https://linkedin.com/in/t1mku
If evil be spoken of you and it be true, correct yourself, if it be a lie, laugh at it. - Epictetus
The only real failure in life is not to be true to the best one knows. - Buddha
If you are not willing to learn, no one can help you. If you are determined to learn, no one can stop you. - Unknown
Also, why is it recommended to get a different advanced degree?
Thank you
2019: CWSP,Cloud+,Project+,CASP,PenTest+,CWNA,CCNA Security,GXPN,GREM
2021: LPIC-2,JNCIS-ENT,eLearnSecurity Courses
Specialization can definitely be tough because many of us want to learn several areas. In reality, if you want to truly be great you have to decide and not be afraid to change if needed. There is nothing wrong with going down one path then switching. The only caveat is that it could be more difficult to come back from management because you are unlikely to be getting hands on with the technology...but not impossible.
2019: CWSP,Cloud+,Project+,CASP,PenTest+,CWNA,CCNA Security,GXPN,GREM
2021: LPIC-2,JNCIS-ENT,eLearnSecurity Courses
Additionally, the above certifications are what show up in job postings the most. Getting past HR with known certifications is a major part of job hunting.
Incident handling
ECIH, GCIH
Malware analysis [sort of related to forensics, like a subspecialisation]
GREM, OSCE
Secure programming, code auditing
GSSP-NET, GSSP-JAVA, there's also at least one for PHP and Microsoft also has documentation
Governance and compliance [higher level implementations of frameworks, internal policy, legal and regulatory compliance]
CISM, CISA, CISSP, GLEG (and likely more)
OS hardening - i.e. security in Windows, Linux etc.
MCSE, RHCE, LPIC2 -> LPIC3-303, RHCESH, GCUX, GCWN, GCED
Wireless security (lots of layer 1 and 2 issues, and layer 3+ solutions)
OWSP -> GAWN
Reasons:
- If you are already in Security your company might/should be willing to pay for them.
- There is a work study program most people can afford
or (less likely)
- The person might have a sack of money laying around to invest in them
Good post though!
Yes network security is very important but these days if you think firewalls, IPS, NAC, segmentation, etc., are enough you're gonna get owned a lot. Hackers attack endpoints and end users without needing to circumvent a network perimeter (if that even really exists anymore) all day every day. Just sayin'.
I'm trying to specialise in pen testing and I'm in the entry level stage cert route right now.
What do you think about CCENT --> Sec+ --> CCNA Security as an alternative to the net+ --> sec+ route?
I feel like if I take the CCNA Security route though I'll be spending time in the net sec world more than I need to be. Then again, I was told it would be a better career boost than the CompTIA path you mentioned as applying to info sec jobs would be relatively easier. Any thoughts on that?
Do you have any experience? These days I would be more likely to recommend getting CCNA + MCSA, and then get Security+. If you want to have pen testing as a speciality, CCNA:Security isn't going to benefit you too much...but having networking and OS knowledge will be valuable. Then once you complete those 3 you will have the foundation knowledge and can start down the pen testing route somewhere around 2 years.
My opinion on the subject has changed a little since I wrote this post.
Why the change? Is it b/c Net+ is closer to CCNA R&S now?
Why Microsoft over Linux?
However, a cert-based "security" guide, especially one with a lot of vendor-based (Cisco/Microsoft) content, is always going to be tough as not all important security related skills are covered.
For instance:
The network security portion is lacking skills such as:
SIEM
DLP
Cloud Based Security/Encryption
NIDS
NIPS
HIDS
HIPS
SPAN/TAP technologies
There is nothing regarding Endpoint technologies:
AV
Malware
HIPS/NIPS
DLP
Encryption
Pentesting:
PowerShell hacking
Active Directory hacking
Red Team Adversary tactics
OctalDump has some good tips too.
You have a good list, it is just always nearly impossible to cover security with certs. This is not a knock on your post, just some reality of the business. Good work though!
Courses: Real World Red Team Attacks- AppSec Cali 2019 (complete), Active Directory Attacks for Red and Blue Teams Advanced Edition - BlackHat,
Certs: SLAE, Certified Red Team Professional - Pentester Academy (in progress), Certified Red Team Expert - Pentester Academy
Ah I see, wow 2015 seems so long ago. I did not realize that someone brought this topic back to life :P
Courses: Real World Red Team Attacks- AppSec Cali 2019 (complete), Active Directory Attacks for Red and Blue Teams Advanced Edition - BlackHat,
Certs: SLAE, Certified Red Team Professional - Pentester Academy (in progress), Certified Red Team Expert - Pentester Academy
A CCIE in any track requires a significant investment of time, and a solid technical background that is nearly impossible to obtain within such a relatively short time frame.