One of the biggest issues I had when I was trying to get into security was that there are no well-defined career paths in security that also include the relevant certs someone should be getting along the way to help them progress in their career. In this post I am going to try and bridge some of those gaps through my own experience with these certs, open positions, and market demands. This post is aimed at people who are currently working to get into cyber security and may have little experience in IT. Almost daily I have someone reaching out to me asking for guidance in this exact situation. When I was working to get into security there was not much of a defined path, and it seemed like hiring managers only wanted people with experience in security, even for a low-level security position.
To start, let us review the various career paths in Cyber Security. Each of the following positions will typically have different levels, which can include junior, mid-level, lead, and principal. The size of your company and your security team will typically determine what levels there are to each role.
Security Analyst: The security analyst is typically a beginner-level role where most people start out in security (unless you have lots of prior IT experience). This role is typically focused on resolving low-level issues throughout the environment and reacting to potential security-related issues, which could be a compromised account, account lockouts, or alerts from the various tools your organization may have. This is where you build your foundation of security experience in the industry; this is where you cut your teeth, so to speak. I have seen more mature security programs that will use the people in this position to train them up on various technologies that they prefer and then promote them to the relevant engineering teams to help grow their career and hopefully keep the talent within the company.
The certifications for the security analyst should be foundational in nature and cover a wide variety of topics. They can not only give the analyst more knowledge of security and its various domains but also help that analyst determine where they want to take their career. For example, I recommend that all analysts get the Network+ (at a minimum, know all the information for the Network+), the Security+, and Cloud+ certifications. The reason is that these certifications provide foundational knowledge across many domains in security that will help you develop your career and take it where you want to go. Other certifications that may be helpful at this phase in someone’s career would be basic-level platform/technology-based certifications. The AWS Certified Cloud Practitioner is a great basic-level cert for AWS that will likely be challenging for someone at this level but is still a valuable certification to have to grow in your career. The other cloud providers have similar certifications and those should also be obtained; it will depend on where your company is going (if they are moving to AWS then getting AWS certs will be beneficial) and where the market is going with the demand for various certifications.
Security Engineer: Security Engineers, like many other engineers in IT, are the ones that are building out the technology & tools that are used to secure the environment. At some companies there will be an entire team of engineers just for one technology or domain in security, or even just one team of engineers for everything in security. Typically, these people are the subject matter experts in a specific technology or domain of security. This position is as in the weeds with a technology as you can possibly be without working for the vendor.
The certifications that a security engineer should have or should be working towards are the following. Any technology-specific certification is an option, but be aware that these certifications can lock you into that technology within the market. Since these certifications are typically highly sought after, you can find yourself in a position where you only work on CyberArk, for instance. Engineers should also obtain certifications that are more hands-on, like various SANS certifications (GMON, GCWN, GCDA, GPEN and others). Other certifications you should investigate are platform-specific certifications such as the AWS specialty certifications and the AWS Solutions Architect Associate certification. The reason why I am mentioning these certifications is because they are very hands-on within a platform/technology. If you are working to get more experience within a domain or technology and you are an engineer, then you need more hands-on certifications at this point in your career. Obviously, other cloud providers have their own versions of those certifications that are equally as valuable and difficult; I only stated the AWS certifications because those are the ones I am currently working on myself. While this training is occurring, you should also have it in mind to begin studying for the next-level certifications for Architect roles. Obtaining certs for the level that is above you will help propel you ahead in your career at the right time. It is not essential, but as you become a lead or a principal you should start identifying and working towards the relevant certifications required for your next career jump/promotion.
One certification that I would like to point out is the CEH. As a blue team security engineer you will not need this certification, but you will need to know everything that those with this certification know. The reason I say this is because the CEH is a good mid-level certification for someone that wants to go more offensive in their career, but this cert is not very hands-on. It is extremely basic in terms of the knowledge you would gain from it compared to what you will do on the offensive side of security. However, if you are a lead on a red team then you should be working towards more advanced offensive-based certs such as the OSCP, OSCE, OSWE, OSEE, GSE and OSWP. These certifications are known to be top-tier certifications for offensive security professionals; they are very hands-on certs that test your understanding and skill sets in every aspect of offensive security.
Security Architect: Architects are the people that have years of engineering experience behind them across several domains but typically have a specialty in one or two domains. The architects are the ones that review the environment as a whole and identify areas that the organization is excelling at and more importantly identify gaps in the security posture of the organization, provide recommendations on how to remediate those areas, review relevant technologies that the organization can use to increase their security posture and ensure that all security controls in place are meeting all relevant compliance & regulatory requirements.
Architect-level certifications are broader and have more experience requirements than most other certifications. The certifications widely known for architects and management are the ISC2 certifications. CISSP, CISM, CCSP are all top-level certifications that require a minimum of 5 years of experience in various domains of security for you to be issued the certification. This means you can pay for the test, pass the test, and not be issued the certification if you do not have the experience requirements for these certifications. They will issue you an Associate-level certification, but once you have the experience you will have to retake the test to obtain the certification. These certifications are not for the faint of heart; they are difficult certifications, and many people take these tests multiple times and still fail them.
So how do I determine which is best for me? The best way that I can advise anyone on figuring this out is by taking the foundational-level certifications so that you have a foundation of knowledge about the various security domains. Once you have that base knowledge, do some market research and figure out what is in demand now within security and what will be in demand within the next 5 years. Once you determine that, and if your interests align with the demands, then start going down that path of obtaining those certifications. If they do not align then don’t worry; cyber security is a hot field right now and it isn’t expected to slow down, especially with the shortage in available talent. Take the areas that interest you the most and dive deep into them. If reverse engineering malware interests you then dive into it, buy as many books on it as you can, and set up a home lab to test various things to learn more, and you will likely be able to turn that into a full-time job at a company like Symantec as a malware reverse engineer (it will likely be a different title but hopefully you follow).
I don’t recommend getting every single certification that any one organization may have. The reason is that time is finite, and when I see that someone has every CompTIA certification on the market it makes me question whether they know what they are doing or not. Are they just trying to get everything out there to say they have it? Are they trying to gain all the knowledge that CompTIA has? I am not completely sure of the value of obtaining every certification that a company offers; I would rather get certifications that are in line with my career path and career interests. Granted, there are some people that are organization-based experts that have every ISC2 certification available and do amazing jobs of teaching others about the exams, running boot camps and everything else that may go along with that. If that is you then all the power to you, but as a security analyst, engineer and/or architect it isn’t required to have all of them, only the ones that are for your interests and career path.
I hope this blog post helps someone in their cyber security journey. If you have any questions, thoughts or comments, please leave them below in my comments section. Thank you for reading, and good luck on your journey.