Please enjoy this blog post authored by Ken Fishkin, CISSP, CCSP, CIPT, CIPM, CIPP/US, CISM, CEH, and many others.
Since 1996, I have been pursuing industry certifications. I have always found them to be an essential part of my career growth, because I use them as entry points to learn new skills that seem challenging. While I know that practical experience is much more important than obtaining these certificates, I have found that the process of obtaining certificates first, gives me the confidence boost I need to immerse myself in whatever area I am studying. For example, in 2007, I passed the gold standard of cybersecurity certifications, the Certified Information Services Security Professional (CISSP) with little experience in the cybersecurity field, but a strong knowledge in network engineering.
I look back at that decision and I can see that passing the CISSP before gaining the experience was a key factor in helping me make the transition from a network engineer to a cybersecurity professional. This method of taking certifications before gaining experience is not for everyone, but I have recently seen many of people pass this exam with little or no prior knowledge of cybersecurity, just a lot of determination. Now, after years of obtaining several certifications using this method and reaching out to various cybersecurity professionals throughout my career, I feel that I can assist others in navigating through the current cybersecurity certification landscape.
Where to Start
I always felt that for one to be an adequate cybersecurity practitioner, one must learn the basics of computer networking first. While there are dozens of entry-level certifications in today’s market, it appears that CompTia is one of the more respected entry-level certification organizations within the industry. They offer beginner certifications in both Networking and Cybersecurity. These two certificates will give an aspiring cybersecurity professional a solid foundation that could be leveraged for an information security analyst position. From there, I recommend that one start experimenting in different areas within the cybersecurity field to see where their interests lie. One of the reasons why I love the cybersecurity field is that it is accessible to individuals who are either technical, non-technical or somewhere in between, like myself.
The Technical Route
For the more technically inclined individuals, the hot cybersecurity jobs are usually penetration testers, incident responders and any position related to securing the “Cloud”.
One of the most highly sought entry-level certifications in the field of penetration testing, is the Offensive Security Certified Professional (OSCP), which is given by Offensive Security. In order to receive this certification, one needs to pass a grueling 24-hour exam, where one has to hack into several servers, while documenting their actions, just like a professional penetration tester would. Some may find this type of exam to be a bit too daunting to take for an entry-level exam, so for those people, I would recommend taking the Pentest+ certification from CompTia before taking the OSCP.
For those individuals that want to tackle Cloud Computing security, I recommend having a good technical grasp of the various Cloud platforms first, before learning how to secure them. All of the major Cloud Service Providers, Google, AWS and Microsoft offer Cloud Architect certifications. While these courses are not prerequisites to the exams, I would be hard pressed to think that one could properly secure these services without fully understanding the fundamentals of the platform.
SANS is another organization that offers many technical certifications as well. Since their certifications are expensive (average class is 7-8K), usually they are paid for by a professional’s organization. These courses are a great way to go for someone who wants to either enter the cybersecurity field, or achieve certifications as a GIAC Penetration Tester (GPEN) or as a GIAC Certified Incident Handler (GCIH).
The Non-Technical Route
For those who are looking to get a better understanding on how to perform cybersecurity risk assessments and compliance audits, ISACA provides courses in these areas with their Certified Information Systems Auditor (CISA) and Certified Risk and Information Systems Control (CRISC) certifications. For those want to learn the basics of Cloud Computing from a less technical and more holistic approach, I suggest the Cloud Computing Security Professional (CCSP) exam from (ISC)2.
The Management Route
For those that are aspiring to become cybersecurity managers or officers, there are some great certifications, such as the Certified Information Security Manager (CISM) from ISACA, the CISSP from (ISC)2 and the Certified Chief Information Security Officer (C|CISO) from EC-Council. Each certification provides unique perspectives on management’s role within the cybersecurity field. Studying for any of these certifications will give one the tools they need to understand cybersecurity risk management.
It is a Journey
While the direction of my professional learning will change course many times over the years, my journey will never end. For example, I have spent the last few years focusing much of my educational studies on the field of Data Privacy. Now I am able to apply this knowledge to my current job and share my experiences with the cybersecurity community.
Try not to get discouraged after a failed attempt or two. For me, failure is a wakeup call telling me that I underestimated the amount of studying that I needed to pass the exam. If necessary, purchase additional study guides and/or practice questions to reinforce the information one needs to learn. There is no shame in getting supplemental assistance outside of the official coursework. I also recommend obtaining certifications only if the knowledge gained from them can be applied to either a current or future job, since one can only retain knowledge for so long without applying it, especially vendor certifications. Lastly, cybersecurity is a field where one needs to always stay current or risk becoming irrelevant. For me, certifications are a great way to force myself to continue down the path of continuous learning.