The cybersecurity industry is exploding right now because there is such an urgent need to protect people’s privacy, their personal security, businesses’ data and operations, and even national infrastructure. It’s really not hyperbole at all to say that “cyber is the new frontier for criminals.”
If you do a simple search for “cyber security breach” you will get an endless stream of headlines:
Obviously, this is a massive and terrifying problem that needs to be solved. The good thing is that business and the government are on RED ALERT to solve it.
What that means for you is that there are literally hundreds of thousands of well-paying positions available to be filled by people who have the right qualifications.
Top 10: Where do I Start?
OSCP, CEH, CISSP, CISM… OH MY! These seemingly random combinations of letters represent some of the top cybersecurity certifications. Most IT professionals know just how important they are to validate your skills and make yourself stand out to employers. But with so many certifications to choose from, there is a haze surrounding the best path into cybersecurity. Let’s clear that up!
So you know where you want to go: cybersecurity. Great goal, now how do you get there from where you are? Depending on what you do currently, you will need to start at different places.
For every other IT professional who wants to make the move into security, here is the most effective way to get there.
If you are still debating cybersecurity as a profession, find out for yourself: Is Cybersecurity Right for Me?
Step 1A: CompTIA A+ (Fundamentals)
If you want to get into cybersecurity but don’t have any IT experience, you need to start with your CompTIA A+ certification. This will give you all the fundamentals for any career in IT, and will ensure that you don’t try to jump ahead and leave any glaring knowledge gaps.
Step 1B: CompTIA Network+
A lot of people try to skip over this one because it “isn’t what they are trying to do” and “they don’t need it for cybersecurity.” Well, let me be the first to clear this up: security is founded on networking principles. Even people who already work within networking should take this to make sure there aren’t any knowledge gaps.
If you don’t have a firm grasp of the fundamentals, you are at a huge disadvantage when learning the more advanced material. Do yourself a favor: don’t skip network day.
Step 2: CompTIA Security+
No matter what, the best first security certification is the CompTIA Security+ certification. It builds out ALL of the core knowledge necessary for any cybersecurity job and is a great place to start when moving down any path in cybersecurity.
Sec+ is also an approved certification for the US Department of Defense as a vendor-neutral credential under DoD Directive 8140/8570 (the compliance policy covering anyone who works on a DoD information system). If it’s good enough for government work—which is actually pretty intense when it comes to security—it’s good enough for you and most employers.
After Sec+, you have what it takes to step into almost any entry-level role in cybersecurity! Your career paths will really open up for you after this. Depending on which direction you want to go (attack, defense, investigation/audit), there are several different routes you can take from here.
The best way to find out what you enjoy is to try several different tasks in different domains, because different people are better suited to different roles. If you enjoy networking and troubleshooting, the defense route might suit you best. The attack route might intrigue those who enjoy programming and using their creativity in tech. People who are more logical and process-driven are generally attracted to the post-breach investigation side of cybersecurity.
CEH: Certified Ethical Hacker
The CEH is directed towards those aiming for the position of “White Hat Hacker”. This is now entering the realm of intermediate certifications. CEH will teach you the tactics, techniques, and tools that malicious hackers use when attacking a system, which allows you to harden your systems and address vulnerabilities.
If you want to get this certification, you must have at least 2 years of experience working in the information security field. However, there are official courses available for anyone who wants to skip that requirement. Either way, this is a supplement to the fundamentals and shouldn’t be considered for your first certification.
OSCP: Offensive Security Certified Professional
This is the Navy SEALs boot camp of certifications. It is the most recognized certification focused on penetration testing. It is issued by Offensive Security, who consider it their foundational pen tester certification. Once you complete the PWK (Penetration Testing with Kali Linux) course, you have to take a 24-hour exam.
“The 24-hour exam is a hands-on penetration test in our isolated VPN network. You’ll receive the instructions for an isolated network for which you have no prior knowledge or exposure. Earn points for each compromised host, based on their difficulty and level of access obtained.” – OSCP course description
SSCP: (ISC)² Systems Security Certified Practitioner
This one is more hands-on with the technical skills and practical knowledge of information security. It covers a wide range of topics from the perspective of defense, including access control, network and systems security, cryptography, and even risk identification and incident response.
Candidates must also have one or more years of experience in one of those skill areas to qualify for the certification. You can also qualify with a degree in cybersecurity (BS or MS). You are still able to take the test without the required experience, but you have to wait until you meet the requirement before receiving the actual certification.
The SSCP is often compared to the CISSP (see below), but it is specifically geared towards professionals in more technical roles. It dives into the nitty-gritty of day-to-day skills, whereas the CISSP is geared towards more managerial positions.
CISSP: Certified Information Systems Security Professional
This is a vendor-independent certification that is one of the most sought-after certifications in cybersecurity. It requires a minimum of five years’ experience within the industry, and once completed, it is one of the best assets you can have. The CISSP is one of the highest-level certifications you can achieve. It is designed to show not only that you can do the job, but that you can lead and manage security teams. All security pros should want to get this certification.
Every single tech recruiter is looking for a candidate with a CISSP certification, and it leads into roles such as Security Director, CIO, and IT manager. You also have to be endorsed by an (ISC)² professional within nine months of passing the exam.
CISM: Certified Information Security Manager
This certification was created by the Information Systems Audit and Control Association (ISACA), an organization specifically founded for IT auditing. The CISM requires a minimum of five years’ industry experience. While it focuses on information security, the CISM is built for IT professionals who want to lead.
The CISM is very similar to the CISSP because both are focused around leadership within cybersecurity. The difference is that CISSP focuses more on the functional, operational side, while the CISM is geared more towards the strategic aspect of cybersecurity where it relates to business goals. Even though this is much further down the road, if you want to take your technical skills to the executive level, this is the certification for you.
CISA: Certified Information Systems Auditor
From the same people that brought you the CISM, we have the CISA, which is somewhat similar but still distinctly different. This is more of a specialty certification for auditing, control, and security. Candidates must have a minimum of five years’ experience specifically in information systems auditing, control, or security.
This is a great certification for a very specific type of cybersecurity role (IT Auditor). If you aren’t an IT auditor or interested in becoming one, you will most likely never come across this certification. It becomes extremely important if you start working as an independent cybersecurity contractor doing work on other companies’ information systems.
CICP: Cyber Investigation Certification Program
This is the only certification that has to do with cyber investigations, created by the FBI and the International Association of Chiefs of Police. It is a four-part course designed to teach law enforcement how to investigate a crime with digital artifacts, addressing digital harassment, online fraud, child enticement, and identity theft.
It is only available to law enforcement officers who have an active login for the FBI LEEP portal, and it is free to take. Unless you are actively in law enforcement, you don’t need this.
CFE: Certified Fraud Examiner
If you are more interested in cyber fraud, the CFE is the certification that is widely recognized for accountants, auditors, and financial investigators. It requires a bachelor’s degree and two years of experience in the field. This certification makes you invaluable in the eyes of most companies dealing with financial risk, but only if you are interested in cybercrime investigations.
This certification focuses almost exclusively on fraud. It accepts candidates from many different professions, as long as they relate to fraud in some way. It covers fraud prevention and deterrence, financial transactions, fraud schemes, investigation, and law. According to the Association of Certified Fraud Examiners, companies that employ CFEs uncover fraud 50% sooner!
CIA: Certified Internal Auditor
This is one of the most common certifications for accountants and auditors. Unlike the CFE, only one section focuses on fraud, and it does not necessarily qualify you to investigate fraud. It mostly covers auditing, business analysis, information technology, and business management skills.
This certification is for a specific type of person. It might not be you, but who knows? Perhaps running internal audits is your true calling!
Have you caught the cybersecurity bug yet?
If you made it all the way through 10 cybersecurity certifications, then you are probably interested in earning one or all of these. At the very least, it’s worth talking to a career advisor about what your next best step is. Click below and let us know what you are interested in talking about!