  1. Senior Member
    Join Date
    May 2013
    Posts
    1,111

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #1

    Security Certification Roadmap

    If you are looking at this post right now, it is highly likely you are trying to break into information security or looking for guidance where to go next. Welcome and remember that over the years, certifications will change but the advice will remain fairly consistent.

    There are essentially three stages of information security certifications in a career: entry-level, specialization, and management. (I will briefly touch on degrees at the end.)

    Each stage has different objectives and has to be treated differently based on how one wants their career to progress. Each stage will be broken down with various certifications.



    Entry-Level (0-2 years):
    The entry-level stage is reserved for those who either are changing their career or have been in another segment of information technology and are looking to break into information security. Regardless of which one you are, the advice remains fairly consistent. You should be looking at entry-level certifications that will provide you a solid foundation to build upon.


    CompTIA Network+ -> Security+ (A+ = optional before Network+):
    These should be the very first certifications you get. They will provide you with basic knowledge of how networks operate and the security concerns that are related. You will see the information in these certifications later in your career…so yes, you need to pay attention.


    ---------------------------------------------------------------
    ::Optional::
    ---------------------------------------------------------------
    Depending on the environment you work in, you might have to know a little about areas outside of information security…enter Cisco, Microsoft, and Linux. Although these are optional, I strongly recommend you get at least one of these certifications to make yourself more knowledgeable and valuable in an organization.


    Cisco CCENT -> CCNA:R&S:
    As far as networking is currently concerned, Cisco runs the world. You will learn in more depth how networks work and how to configure network appliances (routers, switches, etc.).


    Microsoft MCSA - Server:
    Microsoft systems have the majority share in the corporate world. Your job might call on you to verify configurations, GPOs, account permissions, etc., and being aware of how to navigate/configure a server is valuable.


    CompTIA Linux+:
    Linux shows up in enterprise environments every once in a while, and many information security tools have been developed on this operating system. From an overall knowledge standpoint you should feel comfortable with Linux, but I do not believe you will get the biggest bang for your buck getting certified. However, if you need a certification to pass some free time, Linux+ would be a fun adventure.



    Specialization (2+ years):
    I bet you thought to yourself…"hmm, that was easy." The specialization phase is where things get a little tricky. At this point in your career you have to start deciding what areas you enjoy the most. This can range from network security, system security, forensics, penetration testing…and the list goes on and on. Hopefully at this point you have had broad exposure to a lot of aspects and can make an informed decision. If not, that is OK, because people tend to bounce around in this area. Below are the major areas, although more do exist.


    Penetration Testing:
    EC-Council C|EH -> Offensive Security OSCP -> OSCE


    Networking Security:
    Cisco CCNA:Security -> CCNP:Security -> CCIE:Security
    Checkpoint CCSA -> CCSE


    Digital Forensics:
    EC-Council CHFI


    Auditing:
    ISACA CISA


    General Information Security:
    (ISC)2 SSCP -> CompTIA CASP


    In general, the above certifications will provide a solid foundation in whichever specialization you choose. They have been arranged by the years of experience required or recommended (per specialization).



    Management (4-5+ years):
    Congratulations! You have made the decision to move from the trenches to the big office. Generally, management is involved with policy creation and management of the information security program. Although these certifications require several years of experience, most offer an "Associate" option for those less experienced until they acquire the needed years of experience.


    (ISC)2 CISSP -> ISACA CISM


    These are the two major players in information security management certifications. The CISSP does have concentration certifications, but you must be a CISSP before you can pursue them.



    DEGREES:
    Knowledge is power! A degree really depends on your end goal. If you want to be a highly technical person, a degree might not be necessary…although companies are screening people without degrees out of interviews, so it could be a hindrance.

    Generally, to get the high-level management positions you will need some type of advanced degree (an MBA is common for those who started with a technical bachelor's). Degrees can be helpful in providing you with knowledge in a condensed period of time from experts, which can be very valuable. Realize that certifications + degree + experience is the key for the most success. That does not mean you cannot get a good position without a degree, but the certifications and experience have to be in place.

    For advanced degrees, get something that differs from your undergraduate degree. If you have a degree in business, get a degree in some type of technology field…and the opposite if you have a degree in technology.

    One last thought about degrees and time commitment. They take a lot of time and energy (especially advanced degrees) for coursework. They can be much more time consuming than a certification, and you need to take that into account when deciding. As somebody who has spent time solely as a student and then as a full-time employee finishing master's-level classes...work + classes means you probably will not get certifications done at the same time. Also consider your personal life, such as family, kids, etc.



    ---------------------------------------------------------------
    **GIAC certifications were not mentioned in this post due to their high cost and inaccessibility to most people paying out of pocket. They are, however, highly regarded and have a path from entry to expert/management.**
    ---------------------------------------------------------------

    Other References:
    (IT) Information Technology Jobs & Careers | CompTIA IT Certifications
    The GIAC Security Certification Roadmap

    (IT) Information Technology Certifications | CompTIA IT Certifications
    Certifications - Training & Certifications - Cisco
    https://www.microsoft.com/en-us/lear...-overview.aspx
    Security Training, IT Security, Security Certification, Security Courses, Security Analyst Training, Cert Training, Forensic Training, Information Security Training, Computer Security Training
    https://www.offensive-security.com/i...ertifications/
    Training & Certification | Check Point Software
    IT Certification - Audit - Security - Governance - Risk | ISACA
    https://www.isc2.org/credentials/default.aspx
    GIAC Information Security Certifications | Cyber Certifications
    Last edited by TechGuru80; 12-12-2015 at 10:20 PM.

  3. ProEthicalHacker.com fuz1on's Avatar
    Join Date
    Dec 2014
    Location
    silicon valley, where we speak that bay area slang
    Posts
    938

    Certifications
    CCNA CCENT ITIL SSCA SSVVP WSQD WSQI Cloud+ Mobility+ Security+ Linux+ Network+ Server+ Project+ A+ HIT LPIC-1 CLA11 ACE ace/PACA SSBBP SSLP CMS SCP
    #2
    Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience then the sky's the limit.

  4. Senior Member Segovia's Avatar
    Join Date
    Jun 2014
    Location
    Seattle, WA
    Posts
    115

    Certifications
    CCENT, A+, Network+
    #3
    Awesome Thread!!!

    Also, why is it recommended to get a different advanced degree?

    Thank you
    Last edited by Segovia; 12-12-2015 at 08:09 PM.

  5. Senior Member kMastaFlash's Avatar
    Join Date
    Aug 2012
    Posts
    875

    Certifications
    A+, Network+,Security+, EMCISA v2, MCP, MTAx2 , MCPS, CCENT, CCNA R&S,C|EH,C|HFI,MCTS, Linux+,LPIC-1,E|CSS,E|CES,GPEN,OSWP,Server+,LPT,GCIH
    #4
    Great post!! I have had a lot of struggles the past year deciding what I wanted to do, and it is not an easy decision as I enjoy a lot of different aspects of IT like networking and pen testing. But I also want to do the CISSP as well, though that is more of a management-based certification.
    2017:E|CSA E|CSP,E|CIH,eLearnSecurity,CSA+ Courses 2018: C|ND,ICND2,CCSK,CISSP,CCNA-Security 2019: CWNA 2020: LPIC-2

  6. Senior Member
    Join Date
    May 2013
    Posts
    1,111

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #5
    Quote Originally Posted by fuz1on View Post
    Great post! I think when it comes down to it - security is really broad and can be catered to your own skill set/intellectual curiosity. You just need to gain that mandatory, foundational knowledge-base and work experience then the sky's the limit.
    It is really like many careers where you start with foundational knowledge (the base of a pyramid) and as you progress you start to narrow what you know and specialize.
    Quote Originally Posted by Segovia View Post
    Awesome Thread!!!

    Thank you
    You're welcome...I hope this post helps people. Frequently people ask about what certification they should get and when...and then how a degree fits into the equation, but the posts are kind of scattered. I wanted to give something that outlines the basics and the timeframes to shift their focus.

    Quote Originally Posted by kMastaFlash View Post
    Great post!! I have had a lot of struggles the past year deciding what I wanted to do and it is not an easy decision as I enjoy a lot of different aspects in IT like networking and pen testing. But I also want to do the CISSP as well but that is more of a management based certification.
    Specialization can definitely be tough because many of us want to learn several areas. In reality, if you want to truly be great you have to decide, and not be afraid to change if needed. There is nothing wrong with going down one path and then switching. The only caveat is that it could be more difficult to come back from management because you are unlikely to be getting hands-on with the technology...but not impossible.
    Last edited by TechGuru80; 12-12-2015 at 08:11 PM.

  7. Senior Member gncsmith's Avatar
    Join Date
    Jul 2015
    Location
    Missouri
    Posts
    451

    Certifications
    Network+, Security+, CloudU, MCP, MCTS: Win 7, MTA: Server Admin
    #6
    I agree with the previous comments; great post! And it looks like I'm "on track".
    2017 Certification Goals: 70-410 []


  8. Senior Member
    Join Date
    May 2014
    Posts
    290

    Certifications
    MCP, MTA:N+, Network+, Security+, ITIL Foundation
    #7
    Fantastic thread. This should be stickied!

  9. Senior Member kMastaFlash's Avatar
    Join Date
    Aug 2012
    Posts
    875

    Certifications
    A+, Network+,Security+, EMCISA v2, MCP, MTAx2 , MCPS, CCENT, CCNA R&S,C|EH,C|HFI,MCTS, Linux+,LPIC-1,E|CSS,E|CES,GPEN,OSWP,Server+,LPT,GCIH
    #8
    I agree, sticky this thread. This is a good one for people who are just starting out or anyone who is in the beginning/middle phases of their career.
    2017:E|CSA E|CSP,E|CIH,eLearnSecurity,CSA+ Courses 2018: C|ND,ICND2,CCSK,CISSP,CCNA-Security 2019: CWNA 2020: LPIC-2

  10. Senior Member
    Join Date
    Jul 2015
    Location
    Island on the other side of Pacific pond
    Posts
    942

    Certifications
    C****, C***, C**
    #9
    Great post!

  11. Sith Lord SephStorm's Avatar
    Join Date
    Dec 2009
    Location
    Atlanta, GA
    Posts
    1,706

    Certifications
    GPEN, GCIH, SFCP, CPT, CEH, QND
    #10
    With respect, this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.

  12. Senior Member
    Join Date
    May 2013
    Posts
    1,111

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #11
    Quote Originally Posted by SephStorm View Post
    With respect, this roadmap is leaving a lot untouched. It might be better to look at some of the older threads that have dealt with this subject and are a bit more comprehensive.
    Any roadmap or framework provides a tool to help guide people. Are there more certifications and paths that exist? Obviously...R&D, reverse engineering, etc...but one post won't cover an entire industry, because that discussion would last a long, long time. The post was meant to give guidance...not a magic bullet; that's for Google and deeper, more focused posts.

    Additionally, the above certifications are what show up in job postings the most. Getting past HR with known certifications is a major part of job hunting.

  13. Woohoo! It's over 1000!
    Join Date
    Aug 2015
    Location
    Australia
    Posts
    1,680

    Certifications
    RHCSA, Linux+, ACSA, ACTC, ACSP, MCSA:7, MCTS, ITIL F, Prince2 Pract, AgilePM Practitioner, VCP-DCV, Storage+, CCNA R+S, CCNA Sec, Security+, CEH, CASP
    #12
    A couple of others to squeeze into the specialisations:

    Incident handling
    ECIH, GCIH

    Malware analysis [sort of related to forensics, like a subspecialisation]
    GREM, OSCE

    Secure programming, code auditing
    GSSP-NET, GSSP-JAVA; there's also at least one for PHP, and Microsoft also has documentation

    Governance and compliance [higher-level implementations of frameworks, internal policy, legal and regulatory compliance]
    CISM, CISA, CISSP, GLEG (and likely more)

    OS hardening, i.e. security in Windows, Linux, etc.
    MCSE, RHCE, LPIC2 -> LPIC3-303, RHCESH, GCUX, GCWN, GCED

    Wireless security (lots of layer 1 and 2 issues, and layer 3+ solutions)
    OWSP -> GAWN
    2017 Goals - MCSA 2008, CISSP, CCNP:R+S, Agile PM

  14. Senior Member
    Join Date
    May 2015
    Posts
    104
    #13
    I agree to sticky this thread. This is going to help many new people.

  15. They are watching you NetworkNewb's Avatar
    Join Date
    Feb 2015
    Location
    Off the grid
    Posts
    2,552

    Certifications
    A+/Net+/Sec+, CCENT, CCNA:Sec, CCSK, GCIH
    #14
    I think SANS courses should be included on here.

    Reasons:
    - If you are already in security, your company might/should be willing to pay for them.
    - There is a work study program most people can afford.
    or (less likely)
    - The person might have a sack of money lying around to invest in them.

    Good post though!

  16. Senior Member
    Join Date
    Nov 2011
    Posts
    810
    #15
    Good post, but the only thing I would say is that, at the places where I have worked, anyone with more than 12 months' experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and an internship count as experience.

  17. Senior Member
    Join Date
    May 2013
    Posts
    1,111

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #16
    Quote Originally Posted by Remedymp View Post
    Good post, but the only thing I would say is that, at the places where I have worked, anyone with more than 12 months' experience is not considered entry-level. Their idea of entry-level is just zero experience. A degree in said line of business and an internship count as experience.
    Levels vary by organization and the experience one receives. The main point is to get those certifications and keep moving on up. Being conservative on time requirements is better than being very aggressive and failing.

  18. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #17
    Great post/thread. I'll add that for systems/OS security, MCSA/MCSE or RHCSA/Linux+ are just as relevant as CCNA/P:S are for network security.

    Yes, network security is very important, but these days if you think firewalls, IPS, NAC, segmentation, etc., are enough, you're gonna get owned a lot. Hackers attack endpoints and end users without needing to circumvent a network perimeter (if that even really exists anymore) all day, every day. Just sayin'.

  19. Member protacticus's Avatar
    Join Date
    Mar 2015
    Posts
    91
    #18
    TechGuru80, bravo and thank you for this post. Vote for sticky.

  20. Junior Member
    Join Date
    Sep 2017
    Location
    Toronto, ON
    Posts
    18
    #19
    Great post.

    I'm trying to specialise in pen testing, and I'm in the entry-level stage of the cert route right now.

    What do you think about CCENT --> Sec+ --> CCNA Security as an alternative to the net+ --> sec+ route?

    I feel like if I take the CCNA Security route, though, I'll be spending more time in the net sec world than I need to be. Then again, I was told it would be a better career boost than the CompTIA path you mentioned, as applying to info sec jobs would be relatively easier. Any thoughts on that?

  21. Senior Member
    Join Date
    May 2013
    Posts
    1,111

    Certifications
    GWAPT, GSEC, Associate of (ISC)2, C|EH, CCNA:Security, CCNA:R&S, CCENT, Security+, Network+
    #20
    Cisco has said that people who take Network+ generally do a little better than those without it. At this point I would say it depends on how comfortable you feel self-studying.

    Do you have any experience? These days I would be more likely to recommend getting CCNA + MCSA, and then Security+. If you want to have pen testing as a specialty, CCNA:Security isn't going to benefit you too much...but having networking and OS knowledge will be valuable. Then, once you complete those three, you will have the foundational knowledge and can start down the pen testing route somewhere around 2 years.

  22. Junior Member
    Join Date
    Feb 2016
    Posts
    7
    #21
    For secure programming/code auditing (I prefer the term application security) you can add CSSLP as well.