Security Certification Roadmap

If you are looking at this post right now, it is highly likely you are trying to break into information security or looking for guidance where to go next. Welcome and remember that over the years, certifications will change but the advice will remain fairly consistent.

There are essentially three types of stages for information security certifications in a career: entry-level, specialization, management. (I will briefly touch on degrees at the end.)

Each stage has different objectives and has to be treated differently based on how one wants their career to progress. Each stage will be broken down with various certifications.

Entry-Level (0-2 years):
The entry-level stage is reserved for those who either are changing their career or have been in another segment of information technology and are looking to break into information security. Regardless of which one you are, the advice remains fairly consistent. You should be looking at entry-level certifications that will provide you a solid foundation to build upon.

CompTIA Network+ -> Security+ (A+ = optional before Network+):
These should be the very first certifications you get. These will provide you basic knowledge in how networks operate and security concerns that are related. You will see the information in these certifications later in your career…so yes you need to pay attention.

::Optional::

Depending on the environment you work in, you might have to know a little about areas outside of information security…enter Cisco, Microsoft, and Linux. Although these are optional, I strongly recommend you get at least one of these certifications to make yourself more knowledgable and valuable in an organization.

Cisco CCENT -> CCNA:R&S:
As far as networking is currently concerned, Cisco runs the world. You will learn more in depth how networks work and how to configure network appliances (routers, switches, etc.).

Microsoft MCSA - Server:
Microsoft systems have the majority share in the corporate world. Your job might call on you to verify configurations, GPOs, account permissions, etc. and being aware of how to navigate/configure a server is valuable.

CompTIA Linux+:
Linux shows up in enterprise environments every once in a while, and many information security tools have been developed in this operating system. From an overall knowledge standpoint you should feel comfortable with Linux but I do not believe you will get the biggest bang for your buck getting certified. However, if you need a certification to pass some free time, Linux+ would be a fun adventure.

Specialization (2+ years):
I bet you thought to yourself….”hmm that was easy.” The specialization phase is where things get a little tricky. At this point in your career you have to start deciding what areas you enjoy the most. This can range from network security, system security, forensics, penetration testing…and the list goes on and on. Hopefully at this point you have had broad exposure to a lot of aspects and can make an informed decision. If not, that is ok because people tend to bounce around in this area. Below are the major areas, although more do exist.

Penetration Testing:
EC-Council C|EH -> Offensive Security OSCP -> OSCE

Networking Security:
Cisco CCNA:Security -> CCNP:Security -> CCIE:Security
Checkpoint CCSA -> CCSE

Digital Forensics:
EC-Council CHFI

Auditing:
ISACA CISA

General Information Security:
(ISC)2 SSCP -> CompTIA CASP

In general, the above certifications to specialize in will provide a solid foundation if you choose to go one way versus another. These have been arranged by the years of experience required or recommended (per specialization).

Management (4-5+ years):
Congratulations! You have made the decision to move from the trenches to the big office. Generally, management is involved with policy creation, and management of the information security program. Although these certifications require several years of experience, most offer an “Associate” option for those less experienced until they acquire the needed years of experience.

(ISC)2 CISSP -> ISACA CISM

These are the two major players in information security management certifications. The CISSP does have concentration certifications, but you must be a CISSP before you can pursue them.

DEGREES:
Knowledge is power! A degree really depends on your end goal. If you want to be a highly technical person, a degree might not be necessary…although companies are screening people without degrees from getting interviews so it could be a hinderance.

Generally to get the high level management positions you will need some type of advanced degree (an MBA is common for those who started with a technical bachelors). Degrees can be helpful in providing you with knowledge in a condensed period of time from experts, which can be very valuable. Realize that certifications + degree + experience is the key for the most success. That does not mean you cannot get a good position without a degree, but the certifications and experience have to be in place.

For advanced degrees, get something that differs from your undergraduate degree. If you have a degree in business, get a degree in some type of technology field….and the opposite if you have a degree in technology.

One last thought about degrees and time commitment. They take a lot of time and energy (especially advanced degrees) for coursework. They can be much more time consuming than a certification and you need to take that into account when deciding. As somebody who has spent time solely as a student and then as a full-time employee finishing masters level classes...work + classes means you probably will not get certifications done at the same time. Also consider your personal life such as family, kids, etc.

**GIAC certifications were not mentioned in this post due to the high cost and inaccessibility to most people paying out of pocket. They are however highly regarded and have a path from entry to expert/management.**

Other References:
(IT) Information Technology Jobs & Careers | CompTIA IT Certifications
The GIAC Security Certification Roadmap

(IT) Information Technology Certifications | CompTIA IT Certifications
Certifications - Training & Certifications - Cisco
https://www.microsoft.com/en-us/learning/certification-overview.aspx
Security Training, IT Security, Security Certification, Security Courses, Security Analyst Training, Cert Training, Forensic Training, Information Security Training, Computer Security Training
https://www.offensive-security.com/information-security-certifications/
Training & Certification | Check Point Software
IT Certification - Audit - Security - Governance - Risk | ISACA
https://www.isc2.org/credentials/default.aspx
GIAC Information Security Certifications | Cyber Certifications

Find more posts tagged with

Comments

fuz1on

Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience then the sky's the limit.

Segovia

Awesome Thread!!!

Also, why is it recommended to get a different advanced degree?

Thank you

[Deleted User]

Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.

TechGuru80

fuz1on wrote: »

Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience then the sky's the limit.

It is really like many careers where you start with foundational knowledge (the base of a pyramid) and as you progress you start to narrow what you know and specialize.

Segovia wrote: »

Awesome Thread!!!

Thank you

You're welcome...I hope this post helps people. Frequently people ask about what certification they should get and when...and then how does a degree fit into the equation but the posts are kind of scattered. I wanted to give something that outlines the basics and the timeframes to shift their focus.

kMastaFlash wrote: »

Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.

Specialization can definitely be tough because many of us want to learn several areas. In reality, if you want to truly be great you have to decide and not be afraid to change if needed. There is nothing wrong with going down one path then switching. The only caveat is that it could be more difficult to come back from management because you are unlikely to be getting hands on with the technology...but not impossible.

gncsmith

I agree with the previous comments; Great post! And it looks like I'm "on track".

Justin-

Fantastic thread. This should be stickied!

[Deleted User]

I agree sticky this thread. This is a good one for people who are just starting out or anyone who is in the beginning/middle phases of their career.

Mike7

Great post!

SephStorm

With respect this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.

TechGuru80

SephStorm wrote: »

With respect this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.

As any roadmap or framework provides a tool to help guide people. Are there more certifications and paths that exist? Obviously...R&D, reverse engineering, etc...but one post won't cover an entire industry because that discussion would last a long long time. The post was meant to give guidance...not a magic bullet that's for Google and deeper more focused posts.

Additionally, the above certifications are what show up in job postings the most. Getting past HR with known certifications is a major part of job hunting.

OctalDump

A couple of others to squeeze into the specialisations:

Incident handling
ECIH, GCIH

Malware analysis [sort of related to forensics, like a subspecialisation]
GREM, OSCE

Secure programming, code auditing
GSSP-NET, GSSP-JAVA, there's also at least one for PHP and Microsoft also has documentations

governance and compliance [higher level implementations of frameworks, internal policy, legal and regulatory compliance]
CISM, CISA, CISSP, GLEG (and likely more)

OS hardening - ie security in Windows, Linux etc
MCSE, RHCE, LPIC2 -> LPIC3-303, RHCESH, GCUX, GCWN, GCED

Wireless security (lots of layer 1 and 2 issues, and layer 3+ solutions)
OWSP -> GAWN

Dollarhyde

I agree to sticky this thread. This is going to help many new people.

NetworkNewb

I think SANS course should be included on here.

Reasons:
- If you are already in Security your company might/should be willing to pay for them.
- There is a work study program most people can afford
or (less likely)
- They person might have a sack of money laying around to invest in them

Good post though!

Remedymp

Good post, but only thing I would say is that, the places where I have worked, anyone with more than 12 months experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and internship counts as experience.

TechGuru80

Remedymp wrote: »

Good post, but only thing I would say is that, the places where I have worked, anyone with more than 12 months experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and internship counts as experience.

Levels vary by organization, and the experience one receives. The main point is to get those certifications and keep moving on up. Being conservative on time requirements is better than being very aggressive and failing.

renacido

Great post/thread. I'll add that for systems/OS security, MCSA/MCSE or RHCSA/Linux+ are just as relevant as CCNA/P:S are for network security.

Yes network security is very important but these days if you think firewalls, IPS, NAC, segmentation, etc., are enough you're gonna get owned a lot. Hackers attack endpoints and end users without needing to circumvent a network perimeter (if that even really exists anymore) all day every day. Just sayin'.

protacticus

TechGuru80, bravo and thank you for this post.Vote for sticky.

waspe3

Great post.

I'm trying to specialise in pen testing and I'm in the entry level stage cert route right now.

What do you think about CCENT --> Sec+ --> CCNA Security as an alternative to the net+ --> sec+ route?

I feel like if I take the CCNA security route though I'll be spending time in the net sec world more than I need to be. Then again, I was told it would be a better career boost than the comp tia path you mentioned as applying to info sec jobs would be relatively easier. Any thoughts on that?

TechGuru80

Cisco has said that people who take Network+ generally do a little better than those without it. At this point I would say it depends on how comfortable you feel self studying.

Do you have any experience? These days I would be more likely to recommend getting CCNA + MCSA, and then get Security+. If you want to have pen testing as a speciality, CCNA:Security isn't going to benefit you too much...but having networking and OS knowledge will be valuable. Then once you complete those 3 you will have the foundation knowledge and can start down the pen testing route somewhere around 2 years.

ottucsak

For Secure programming, code auditing (I prefer the term application security) you can add CSSLP as well.

tmpinsnty

I have a conundrum. I had classes for the CCNA but I plan on going into information security. I have also had security+ and CCNA security classes. I am working on a BAS in Information Assurance which is an MIS type degree. So according to what I see for those going into infosec they recommend your route. (I don't know what I will eventually be specializing in.) In your opinion, do I switch cert exams from CCNA to Net+? Should I try CCENT + CCNA Sec?

TechGuru80

Honestly I would do MCSA > CCNA:R&S...this gives you your foundation, then Security+ > CCNA:Security. I like the CCNA:Security after a small gap because it pushes your expiration date out further and it really focuses on network security instead of being a broad exposure like Security+.

My opinion on the subject has changed a little since I wrote this post.

tmpinsnty

Well good thing I had the server class also!

Why the change? is it b/c net+ is closer to CCNA r&s now?

why microsoft over linux?

chrisone

Although I do not agree with some of your cert ideas to cover an entire spectrum of some security topics here, I do not come to rationalize or argue the point. So I am not going to criticize you, so it is better to help here

However a cert based "security" guide , especially one with a lot of vendor based (cisco/microsoft) is always going to be tough as not all important security related skills are covered.

For instance:
network security portion is lacking skills such as:
SIEM
DLP
Cloud Based Security/Encryption
NIDS
NIPS
HIDS
HIPS
SPAN/TAP technologies

There is nothing regarding Endpoint technologies:
AV
Malware
HIPS/NIPS
DLP
Encryption

Pentesting:
PowerShell hacking
Active Directory hacking
Red Team Adversary tactics

OctalDump has some good tips too.

You have a good list, it is just always nearly impossible to cover security with certs. This is not a knock on your post , just some reality of the business. Good work though!

TechGuru80

The list was from 2015 and in no way was going to cover everything...it was more of a base for people to help guide them at a low cost for self funding. Microsoft and Cisco are the only two vendors I would openly recommend as they are everywhere...when you start getting into specific vendors, I only recommend the technology if you use it because the list is endless. Additionally, I listed heavy hitters on job boards because it makes little sense to recommend certifications that won’t get you the most looks. Your recommendations are great for add-ons...I did not want to tell somebody go learn a DLP technology because if they don’t have the foundation, they are less likely to get a job...again the list is from 2015 so the industry focus past entry level has even shifted.

chrisone

TechGuru80 wrote: »

The list was from 2015 and in no way was going to cover everything...it was more of a base for people to help guide them at a low cost for self funding. Microsoft and Cisco are the only two vendors I would openly recommend as they are everywhere...when you start getting into specific vendors, I only recommend the technology if you use it because the list is endless. Additionally, I listed heavy hitters on job boards because it makes little sense to recommend certifications that won’t get you the most looks. Your recommendations are great for add-ons...I did not want to tell somebody go learn a DLP technology because if they don’t have the foundation, they are less likely to get a job...again the list is from 2015 so the industry focus past entry level has even shifted.

Ah I see, wow 2015 seems so long ago. I did not realize that someone brought this topic back to life :P

mbarrett

A person with 2 years experience under their belt will be very hard-pressed to get a CCIE Security, just sayin'.
A CCIE in any track requires a significant investment of time, and a solid technical background that is nearly impossible to obtain within such a relatively short time frame.

DtownLionsBarry

Great post, only problem I see is that for the CISA certification you need to be able to verify 5 years of experience in either Information Systems, Security, or Auditing. So the 2+ years doesn't really align with that. CISA is considered by many a management level cert anyway. It just focuses on technical abilities rather than the Management overview. I just feel like the CISA should be placed in the 4-5+ years section of your post, because of the required experience to earn the certification. Sure you can take the exam without the experience, but you must gain that experience within 10 years of passing the exam.

TechGuru80

That's fair...there is always the debate with certs like CISA and CISSP whether to take them before you have the experience or not. Honestly most Information Security jobs can apply to the CISA domains so I don't really see the 10 year mark being a big issue. The job somebody has a lot of impact on which certifications people go for so it's one of those "it depends" arguments.