  1. Senior Member 636-555-3226
    Join Date
    Jul 2015
    Posts
    862

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #1

    What Information Security certifications should I get?

    So I'm fairly new to the forums here, but it seems like about every tenth post or so is about someone wanting to either break into security or develop their security skills further. Since I'm a helpful Homer, I always would write back to give some points. Sorry to say, though, that I'm getting tired of writing the same thing every time, so I decided to make one big post that I could just refer people to. I know there are stickied similar posts like this floating around, but I thought it'd be easier to link you, curious reader, to my own words. I won't wax lyrical about every single cert out there, mostly because they are being constantly developed and may have changed since I wrote this initial post. Rather, I'll list them, let you do the research to better compare and contrast, and update this list as necessary.


    Please be aware that certs do not make the man. Real skills are required. While there is always debate on the value of certs, I tell people to primarily use certs as ways of supplementing their knowledge and secondarily getting a "leg up" on potential jobs where other candidates may not be certified.


    I'm addressing what I consider to be the "name brands" of certs here. Especially nowadays there are lots of companies offering lots of certs, but these will be the ones people have the most general knowledge of and are created by the most well-known companies. Feel free to add comments below. I'll add useful comments to this first post.


    As a last item, since everybody and their uncle wants to go into infosec management and make the big bucks, I focused the list below on that path. Feel free to ask below for other paths (forensics, for example) and I (or others) will happily keep you from exercising your own free will by giving you the cert roadmap you're looking for without all the extra stuff you don't need.


    ----------


    Entry certifications. If you're just starting out, these are a good way to get your feet wet, learn some introductory material, and see 1) if you want to continue down this treacherous journey and 2) where you may want to focus your attention in the future. Security is a huge field spanning literally every IT realm and crossing over into the business realm if you want to pursue a management path. There are lots of forks in the road. Choose wisely.


    CompTIA Network+ - this isn't technically a security cert, but security inevitably touches upon the network. If you don't have much in the way of networking know-how, I'd suggest starting here. There are no prerequisites.


    CompTIA Security+ - pretty much the de facto intro cert. Covers the gamut at a good level. There are no prerequisites.


    CompTIA Advanced Security Practitioner (CASP) - if you've just passed Security+ or don't need it due to your current level of knowledge, this is my recommended next step. The 201 to Security+'s 101. There are no prerequisites.


    (ISC)² Systems Security Certified Practitioner (SSCP) - A sort-of alternative to the CASP. One year of experience is required in a specific security domain listed on the certification's website.


    SANS/GIAC has training/cert options that slot in here. GIAC Security Essentials (GSEC) & GIAC Information Security Fundamentals (GISF) come to mind. These are very expensive, best left to deep corporate pockets, and IMO have no value-add over the cheaper options listed above.


    EC-Council has training/cert options that slot in here. The world-at-large is split on the value of these certs as the company underlying them isn't as well-rounded and professional as, say, (ISC)² or ISACA. I won't give my opinion on the subject, but you can search around these forums for plenty of opinions. CEH is their most popular exam and would be suitable to study after Security+.


    ----------


    Mid- to High-level certs. Once you're comfortable with your beginner-level knowledge, start looking into these guys.


    Vendor-specific certs. If you're going to be running technical security controls like McAfee ePO, ArcSight, Splunk, etc. then get work to pay for these certs & associated training. A no-brainer if this is your everyday workload.


    SANS/GIAC has training/cert options that slot in here. As mentioned above, these are expensive and better for corporate worker bees, but they do have lots of hands-on value. Since there are tons of options (and a very dynamic list), I'd recommend browsing the SANS and GIAC websites for the focus area of your choice. Categories include penetration testing, incident handling, forensics, management, audit, etc.


    (ISC)² Certified Information Systems Security Professional (CISSP) - In my region this is listed as a desired cert on just about every security job. If you have one end-goal for future job marketability, this should be it. Five+ years of experience is required in specific security domains listed on the certification's website.


    ISACA Certified Information Security Manager (CISM) - You'll see this listed on just about any infosec-manager job posting, mostly because the posters like the name. I consider it complementary to the CISSP. Five+ years of general infosec experience, with three+ years of infosec management experience, is required in specific security domains listed on the certification's website.


    ISACA Certified in Risk and Information Systems Control (CRISC) - while this is technically a risk-focused exam, my belief is that it has lots of value for infosec managers since everything they do (whether they know it or not) is risk-based. A good follow-up to the CISM. Three+ years of experience is required in specific security domains listed on the certification's website.


    ISACA Certified Information Systems Auditor (CISA) - This is geared towards auditors, but it very easily slots under the Management section. A good follow-up to the CISM. I recommend doing this immediately before or after the more technically audit-focused GIAC Systems and Network Auditor (GSNA). The CISA requires five+ years of professional information systems auditing, control, or security work experience in specific domains listed on the certification's website.


    My suggested management path - Start your Master of Business Administration (MBA) > Network+ > Security+ > CASP > CISSP > Graduate with your MBA > CISM > CRISC > CISA. By the time you get through working through those (and have the required years of experience) you'll have a dozen new options to choose from!
  3. Senior Member
    Join Date
    Jul 2015
    Location
    Island on the other side of Pacific pond
    Posts
    942

    Certifications
    C****, C***, C**
    #2
    Awesome! Just what I am looking for.
    Can moderator make the post a sticky?

  4. Member
    Join Date
    Jul 2014
    Location
    East Tennessee
    Posts
    75

    Certifications
    CompTIA A+; N+; Sec+;P+; CCNA:R&S
    #3
    sticky please!

  5. Senior Member
    Join Date
    Oct 2014
    Posts
    1,395

    Certifications
    VCAP6-DCV Deploy, VCP6-DCV, MCSA 2012, CCNA R&S, CCNA Sec, Linux+ Storage+ Sec+ Net+ A+ Proj+ ITILF
    #4
    Thanks for this, especially the last paragraph; it helps me align my future goals. I'm kind of surprised about CASP instead of CEH between Sec+ and CISSP, but I guess it's more general knowledge; I don't often see CASP mentioned on job listings.

    I think the most difficult part about your suggested path for me would be getting the experience, and it's out of my control. I've read infosec demand is greater than the supply, but I don't see it that way. Nearly every security position I come across is looking for a lot of highly specialized skills. Maybe I'm just in the wrong place.
    2017 VCAP6-DCV Deploy (Oct) 2016 Storage+ (Jan)
    2015 Start WGU (Feb) Net+ (Feb) Sec+ (Mar) Project+ (Apr) Other WGU (Jun) CCENT (Jul) CCNA (Aug) CCNA Security (Aug) MCP 2012 (Sep) MCSA 2012 (Oct) Linux+ (Nov) Capstone/BS (Nov) VCP6-DCV (Dec) ITILF (Dec)

  6. Senior Member 636-555-3226
    Join Date
    Jul 2015
    Posts
    862

    Certifications
    Lots of security certifications, yet the more I learn, the further I have to go...
    #5
    Totally agree about the CASP. I don't think I've ever seen this on a job listing. CASP for me falls into the realm of a beginning user using certification as a way of supplementing their knowledge. CEH would be a comparable cert IMO. Will either get you a job? Probably not. Will either teach you a lot of stuff you don't already know and serve as a good deeper-dive after Security+? Yes.

  7. Junior Member
    Join Date
    Sep 2012
    Posts
    26

    Certifications
    CISM, CISA, ITIL, ISO 27001, 22301 IA
    #6
    Quote Originally Posted by 636-555-3226:
    My suggested management path - Start your Master of Business Administration (MBA) > Network+ > Security+ > CASP > CISSP > Graduate with your MBA > CISM > CRISC > CISA. By the time you get through working through those (and have the required years of experience) you'll have a dozen new options to choose from!
    I would go like this (apart from the MBA, which is up to you):
    Security+ > CISA > CISSP > CISM \ CRISC

    Network+ and CASP are a waste of resources, imo.
    And CISA is somewhat simpler than CISM\CRISC\CISSP, while it will also give you an experience waiver for other certs.

    You don't need to have them all, you just need to show steady advancement in your development.

  8. Senior Member
    Join Date
    Jan 2012
    Posts
    450

    Certifications
    CISSP, GSLC, GISP, GSEC, GCED, GCIH, GCIA-g, GPEN, GWAPT, GCFA, CEH
    #7
    My recommendations are somewhat similar. I include GISP as it is a really easy way to cheese a GIAC cert and pass HR requirements. I totally forgot about CASP/SSCP; will look into updating my site on it. Thanks.

    -> (SEC+ - GSEC) - * - GISP - CISSP - CISA/CRISC - CISM

    *CEH and GCIH are good certs that can reinforce some technical knowledge that would be useful in compliance work. Great to pursue if you do not have the 4 years experience for CISSP yet.

  9. Senior Member
    Join Date
    May 2013
    Posts
    1,115

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #8
    It should be noted that every path is different and this is not the one size fits all path. Many factors come into play...undergrad degree, soft skills, experience, etc.

    Not to mention you might end up in various roles that hold different certs higher because they are more relevant than others.

    Last, the MBA is not the holy grail degree as the value has decreased over the years because so many people have it yet are worthless. You definitely should have business knowledge and a business degree either undergrad or masters definitely doesn't hurt. Your overall value comes from the total package and you have to always look at this closely.

  10. Woohoo! It's over 1000!
    Join Date
    Aug 2015
    Location
    Australia
    Posts
    1,680

    Certifications
    RHCSA, Linux+, ACSA, ACTC, ACSP, MCSA:7, MCTS, ITIL F, Prince2 Pract, AgilePM Practitioner, VCP-DCV, Storage+, CCNA R+S, CCNA Sec, Security+, CEH, CASP
    #9
    The other things for a visual overview are the CompTIA roadmap and the GIAC roadmap. Both put the certifications into a broader context.

    The CompTIA roadmap takes a variety of certifications, CompTIA and others, and tries to put them into "levels". It's not 100%, but gives you an idea about how hard things are, how they might fit together in a career path. It doesn't include all the certifications, but enough to be useful.

    The GIAC roadmap is only GIAC certifications, but they offer so many that it almost doesn't matter. This roadmap is better for getting an understanding of the potential specialisms within Info Sec, as well as how GIAC certs relate to each other.

    There's also this Wikipedia page on Computer Security Certifications, which gives a nice long list of various certifications. Not comprehensive, but long.

    And some links to other certifying bodies pages for completeness:
    ISC2
    ISACA
    EC Council
    Mile2
    Offensive Security
    2017 Goals - MCSA 2008, CISSP, CCNP:R+S, Agile PM

  11. Senior Member
    Join Date
    Apr 2014
    Location
    South Florida
    Posts
    857

    Certifications
    CISSP, CISM, CISA, CRISC
    #10
    Endorsed for sticky!

  12. Junior Member Registered Member
    Join Date
    Feb 2013
    Posts
    3
    #11

    As a guide

    This is just what I need. And I will use this as a guide, as we have different circumstances. Thanks for this, TS!

  13. Junior Member Psydrox
    Join Date
    Mar 2016
    Posts
    24
    #12
    Very nice thread, very helpful too! I sent you a private message, OP; did you get it? Because for some reason I am sending the private messages, but I can go to the "sent" tab and see nothing in it.

  14. Junior Member Registered Member
    Join Date
    Jul 2017
    Posts
    5

    Certifications
    Security+
    #13
    If you've heard of DoD 8570 then you know why CASP should be on your radar IMO.

  15. Member
    Join Date
    Jan 2017
    Posts
    96
    #14
    The OSCP should be at the higher end.
    It's one of the most difficult and practical (hands-on) certs out there.

  16. Member
    Join Date
    Dec 2011
    Posts
    57

    Certifications
    Project+, A+ CE, Net+ CE, Sec+ CE, C|EH
    #15
    Quote Originally Posted by qcktap23:
    If you've heard of DoD 8570 then you know why CASP should be on your radar IMO.
    Agreed. It shows up more than any other cert if you're referring to "the table."

  17. Not a Senior Member
    Join Date
    Apr 2010
    Location
    Alberta, Canada
    Posts
    130

    Certifications
    WGU BSIT, VCP 5, MCITP: EA W2K8, MCITP: Enterprise Technician, A+, Security+, MCTS: Exchange 2007, MCTS: Win 7,MCTS: SCCM,CEH, CCNA,VCAP5-DCA
    #16
    I am doing two certificates:
    OSCP = technical skills for IT Security (what the hiring manager would want)
    CISSP = pass the HR filter, to get resume to hiring manager (what HR would want)

  18. Tecnomancer trojin
    Join Date
    May 2013
    Location
    Ireland
    Posts
    105

    Certifications
    A+,S/S/S+,N+, CASP,CSA+,CCNA R/S & Sec & Cyber OPS, SSCP,EMC NetWorker Specialist,SNIA SCSE,Prince 2,EITCA-IS,F5 BIG-IP CA/ASM, Intel Sec NSP
    #17
    Most proposed options finish in CISA or CISM certs.
    What are more technical certs at this level apart from OSCP?

    How about Intellectual Property and Information Technology Law (LL.M.) instead of MBA?
    Good horse is expensive... A Trojan horse even more