Let’s talk about the best cyber security certification path for an awesome career.
I’m going to try my best to not make this a “Best InfoSec Certifications for 2020!” article. There will be plenty of them already out there, and many more to come in the next 2-4 months. They will, by and large, be a rehash of every “Best InfoSec Certifications for 2019!” article you likely read last December/January. That’s because they haven’t substantially changed in the last 12 months, or 12 years, really. There are the foundational certifications (CompTIA Security+, (ISC)2 SSCP, ISACA CSX Fundamentals, etc.), some intermediate defensive certifications (CompTIA CySA+, (ISC)2 CCSP, etc.), some offensive certifications (CompTIA PenTest+, and others), and then the granddaddies like (ISC)2 CISSP, ISACA CISM, CompTIA CASP+, and Offensive Security OSCP/OSCE. The fact is, they can all help a security professional advance their career, but it also depends on where that professional wants to go.
The first thing to ask yourself is, “What kind of security am I interested in?” If you don’t know, stick to the basics. I haven’t run across many basement hackers who don’t know whether they want to be Red Team or Blue Team. The reality is that there is a massive world the media (both traditional and digital) do not cover regularly, and when they do cover it, they usually get cyber security (yep, two words, @ me) wrong.

Most logically, the field breaks into two major camps: Offensive and Defensive. Defensive security is what most companies understand, and it is where they are most likely to hire administrators and engineers who are skilled, experienced, and certified. Often referred to as Blue Team, defensive security professionals spend much of their time on vulnerability assessment, incident response, risk analysis, and what is affectionately known as “hardening” of assets. It is a field that is badly understaffed and only getting worse. In its annual Cybersecurity Workforce Study, (ISC)2 estimates the global workforce gap at over 4 million people (roughly 500,000 in the U.S. alone).
This means that there is a lot of room for new and motivated professionals to break into the industry.
Defensive security is very research and analysis oriented. I often tell my students, “If you like reading log files, defensive security may be for you.” That’s not to say it is all humdrum, dry reading. Forensics and vulnerability scans can be fascinating exercises, and the work quickly spills over into more offensive skills and experiences, like penetration testing. If this sounds like something you would get excited about, the certification path is well-worn and some of the industry’s most respected credentials lie before you:
CompTIA Security+
Start here, unless you don’t have any networking experience, in which case consider starting with CompTIA’s foundational networking certification, Network+. It’s not a requirement, per se, but without a solid understanding of networks, some of what Security+ covers (protocols, ports, segmentation, firewall rules) will be hard to grasp. If you do have some networking knowledge (or if you’re just a cyber thrill-seeker), Security+ is a fantastic starting point. The class is a five-day, comprehensive dive into foundational security concepts, and there is much to gain from it, especially for candidates who already possess a decent amount of technical knowledge of their own. While there are no prerequisites for this class or the certification exam, CompTIA recommends (and I heartily concur) about 2 years of experience in general IT with some security exposure.
There are some great benefits to this certification as your introduction to cyber security. First, industry recognition for both the certification and the certifying body (CompTIA) is exceptionally high. In fact, this lone certification satisfies the baseline for a large share of DoD IT positions under DoD Directive 8140.01 (which replaced 8570.01); check the 8570.01-M baseline table for the level a given role requires, because Security+ maps to specific levels (IAT Level II and IAM Level I), not to every position. Second, once you’re inside the CompTIA ecosystem, you understand how their certification training and exams are structured, and you can ride that wave through their top-tier certification, CASP+ (more on that later). Finally, CompTIA takes a hands-on approach to both learning and evaluation: the exams include performance-based questions, not just multiple choice. Companies have, for many years, recognized CompTIA as providing highly practical training and evaluation, meaning people who achieve these certifications can apply knowledge, not just regurgitate facts and acronyms.
What about other foundational certifications? There are other cyber security certification paths to tread, and you may find that these are more suited to your goals and experience. While any of these foundational certifications are valuable for a burgeoning security professional, the intended audience and industry recognition may vary.
SSCP from (ISC)2. This certification is aimed primarily at experienced analysts and administrators who want to improve their credibility (and value), either within their organization or in a position at a new company. It requires evidence of at least 1 year of direct experience in one or more of the seven domains the certification covers. If you don’t have that yet, you can still sit the exam and receive the Associate of (ISC)2 designation, which gives you 2 calendar years to accrue the professional experience needed for the full certification.
CSX Fundamentals from ISACA. This is an entry-level certification offered by one of the world’s foremost authorities on governance and risk assessment. As you might guess, ISACA’s security courses and certifications tilt in that direction, which is a good thing: a great deal of information security depends on those two vital concepts. If you are in a highly regulated industry, this cyber security certification path may be an attractive option. There is no experience requirement for this credential. Of note, however, this particular certification does not satisfy DoD Directive 8140.01 for any IT position, so it won’t help you check a DoD compliance box.
Next Steps on Your Cyber Security Certification Path
So, once you get some fundamentals under your belt, your path may diverge. If you plan to remain squarely in the technical world, CompTIA offers a cyber security certification path to advanced-level certifications that are recognized across the globe and well regarded throughout the industry.
Defensively, you would likely move on from Security+ to CySA+, which is aimed at security analysts who monitor, detect, and respond to threats in an organization’s infrastructure (think log and traffic analysis, vulnerability management, and incident response). This intermediate-level certification has been approved for several different designations within DoD Directive 8140.01, and it once again provides a high level of practical knowledge and evaluation for candidates.
If you are more offensive security minded, CompTIA offers the PenTest+ credential, developed for so-called white hat professionals whose primary focus is to find and exploit vulnerabilities in systems, applications, infrastructures, and organizations in order to improve overall security and reduce exposure to attacks. While this certification is aimed in that direction, there is a great deal of value in it for defensive security professionals too, because knowing how an attacker works through an environment informs how to better protect it.
(ISC)2 also serves up several intermediate certifications, each with a specific purpose. As with SSCP, each can be taken as an Associate of (ISC)2 if you pass the exam before you have the required experience:
- CCSP is specific to cloud security and carries a 5-year IT experience requirement, of which 3 years must be in information security and 1 year in cloud security
- CAP is aligned with the NIST Risk Management Framework and aimed at federal workers and contractors; it requires 2 years of experience
- CSSLP is directed at software development lifecycle (SDLC) security, and it has a 4-year experience requirement
Then there is the CISA credential offered by ISACA. This certification is highly specialized, focusing almost entirely on information systems audit. If you work in an audit/compliance capacity within your current organization, or if this type of work calls out to you, I would highly recommend pursuing it. It is less technical in nature, focusing instead on the process of auditing: evaluating controls, documentation, and the policies and governance behind a security practice, and reporting on where they fall short.
Advanced Cyber Security Certification Path
For those with both skill and experience in the field of cyber security, there are several top-tier certifications that are definitely worth the time and effort to pursue:
CompTIA has its capstone CASP+ credential, aimed at the well-rounded but still highly technical security professional who wants to prove her/his value and skills. This is CompTIA’s highest level of security certification, and those who earn it can expect their resume to rise to the top of many job openings in security architecture and engineering. As with each of CompTIA’s offerings, CASP+ is a practical course and exam, and it requires well-rounded knowledge and experience across all aspects of cyber security.
For those looking to move into a management role, ISACA offers CISM, an in-depth course and exam focused on the planning, establishment, and operational management of an organization’s security practice. This credential is less technical than the others mentioned in this article, but the material is deeply focused on governance, risk management, and compliance (GRC), making it a great certification for program/project managers, security managers, and members of leadership who want to build a top-notch security practice.
This leaves what are, arguably, the two most challenging cyber security certification paths in the industry. First, if you are a security professional looking for the highest level of recognition and respect in the corporate world, there is no more recognized certification than the (ISC)2 CISSP. Easily one of the most formidable exams in any IT discipline, the CISSP stands as the gold standard, year in and year out, of the information security world. It is commonly listed as a requirement for CISO positions, and it covers 8 domains in cyber security ranging from risk analysis to cryptography, data governance to security controls, and every conceivable wrinkle in between. The experience requirements are nothing to sniff at: 5 years of cumulative paid experience in at least 2 of the 8 domains, with a possible one-year waiver for a four-year degree or an approved credential.
The last, and possibly hardest, certifications to achieve come from Offensive Security. The OSCP and OSCE credentials stand alone in this list as purely practical, exceptionally technical, and even physically draining exercises. OSCP is a 24-hour, one-person hackathon designed to test the candidate’s ability to compromise a set of target machines, prove it, and then document the whole engagement in a professional penetration test report that is graded along with the exam. Not to be outdone, the OSCE doubles the length (yep, 48 hours straight of nothing but hacking) and increases the difficulty level, putting the candidate into a black-box penetration test. Break out the double espressos and pull on some comfy pants. This is a grueling set of exams designed to separate the hackers from the script kiddies in a real-world scenario.
So there you have it. These are probably the most well-known, well-respected certifications in the cyber security world. And your path may take you in different directions, but keep in mind that security is not just about putting up firewalls, nor is it just about breaking through them. Cyber security is a human industry, and much of what you can and will learn is how people operate on both sides of the network edge. If you’re interested in joining this world, there is a lot of opportunity. Even if you don’t have the experience you think you might need, you can find a path that can work for you. Give us a call. We can help you get started, continue the path you’ve already begun, or even reach that top-tier status you’ve wanted to achieve for some time.