IT Security Certifications Roadmap - CyberSec Nerds

Just starting a career in security and need a good foundation?

Are you in the early stages of a career in IT, or coming from an entirely different niche, and finding the alphabet soup of credentials overwhelming? With so many options to choose from, how do you know which certification, or certifications, are the best for you? Which will help you move forward?

Cybersecurity is a rapidly growing field filled with tons of exciting job opportunities. As the threat of cyberattacks looms larger than ever before, companies are scrambling to fill their ranks with professionals who can safeguard their data and networks. From analysts to penetration testers and cybercrime investigators to cybersecurity architects, there’s a role in the field for everyone.

To be honest, there is no one linear path to a successful career in cybersecurity. Some people enter the security field straight out of college, while others transition from another IT role. In this article, I will try my best to acquaint you with a good IT security certification roadmap, so that your dreams and the effort you put in converge.

I don’t mean, in any way, that you should grab all these certifications along the way. Wise is the person who learns the topics of all these certs and only earns selected ones.

Are you a tinkerer?

No matter where you start, all cybersecurity careers begin with general IT experience. You need to understand how the technology works before you can learn how to secure and protect it. You can’t, in any way, start enforcing security rules on switches, routers, and firewalls without sound knowledge of how they work and connect. And a security pro, along with dealing with threats, must be equally capable of debugging the hardware issues that keep coming up.

For that, I recommend CompTIA A+ as the first certification. Operationally, A+ validates the competency to install, operate, maintain, and modify PCs. These abilities are needed basically everywhere in the information security field, giving this certification wide appeal among security experts.

Importance of A+

Here’s a quick test for whether to take A+ or not: Have you ever built your own computer, installed your own OS, or messed up your registry because you were tinkering?
Yes = You can skip A+
No = Continue Reading

Being CompTIA A+ certified is definitely worth it when it comes to landing entry-level jobs. It is recognized as one of the very first certifications that prospective IT pros should obtain as it validates enough general knowledge and skills about computers and networking to be useful. Though not intended as a super certification that trumps experience, it shows employers two things.

First, you are willing to learn and advance your career. Second, it shows that you have the ability to study and pass an exam. Like it or not, certifications are a part of the job. Believe it or not, earning CompTIA A+ places you above non-certification holders. That’s nothing to take for granted if you are just starting out.

Point to be noted: If you are entirely new to the IT field or a career changer (from a non-tech niche), then you may consider having a look at the IT Fundamentals (ITF+) certification for building a solid knowledge base.

Acquire Knowledge on Computer Networks

If you’re starting from square one, you need to learn the basics of computer networks first. A network is made up of different devices, each offering different services, that connect different systems so they can communicate. The basics of networking include knowing the devices, the different network topologies, and the different network protocols. Along with learning all the parts, it’s critical to learn the terminology.

Generally, any security learning platform you come across on the Internet will assume you already know the network basics. That’s why building a strong foundational knowledge of networking is a must for cybersecurity aspirants.

When it comes to certifications, there is a constant debate in the market over which one is better to start with: Network+ or CCNA? To be honest, there is no definitive answer to that question. Both have their own approaches, but if you ask me, I will stick to these one-line answers:
Network+ — Is broad but only scratches the surface [Vendor-Neutral]
CCNA — Is narrow but presents an in-depth overview [Vendor-Specific]

CompTIA Network+ or Cisco CCNA

If you are starting with zero experience, and just getting your feet wet in the networking world, then, in my opinion, you should start with Network+ certification rather than CCNA. You should get a healthy dose of networking fundamentals, along with a taste of everything before specializing, and that’s what Network+ does. It acts as a foundational networking course that also explores a number of specializations.

Network+ starts with the basics: OSI Model, routers and switches, packets, dives into basic commands, ports, and troubleshooting, and then skims across virtualization, desktop support, cloud, and security. It’s like an IT career sampler platter. In summary, it offers a very broad and general presentation of networking concepts and technologies and is best suited for those just entering the networking field.

On the other hand, the Cisco courses are geared toward those individuals who have already attained a certain level of knowledge and experience in networking and seek to both deepen and validate their skill set by acquiring the CCNA credential.

By learning CCNA one can get the knowledge and skills required to install, operate, and troubleshoot a small to medium-size enterprise branch network. The topics include connecting to a WAN; implementing network security; network types; network media; routing and switching fundamentals; the TCP/IP and OSI models; IP addressing; WAN technologies; operating and configuring IOS devices; extending switched networks with VLANs; determining IP routes; managing IP traffic with access lists and many more that will make you ready for the market out-of-the-box.

My Opinion

After getting Network+, you’ll have a piece of paper that proclaims, “I know what you are talking about, mostly.” Unfortunately, you won’t be able to proclaim, “I know what I am talking about.” You have a lot of hands-on learning to do. But with CCNA in hand, you know exactly what you are talking about and doing, since a lot of lab work is involved.

The approach I would recommend is to self-study for Network+ and gain insight into basic but broad networking knowledge. Then go for the Cisco CCNA cert, as it is much more practice-oriented and you will get a lot of hands-on experience.

You Are Now Ready for Security, my Soldier!

After gaining insight into hardware and physical connections from A+, along with the networking foundations from CCNA/Network+, you are now fully equipped to digest core security.

Perhaps the most well-known entry-level security certification is the Security+, which covers a wide array of security and information assurance topics, including network security, threats and vulnerabilities, access controls, cryptography, risk management principles, and application, host, and data security. The certification meets the U.S. Department of Defense Directive 8570.01-M requirements — an important item for anyone looking to work in IT security for the federal government — and complies with the Federal Information Security Management Act (FISMA).

CompTIA recommends that candidates have two years of relevant experience and achieve the Network+ credential (not obligatory) before taking the Security+ exam. This exam lands roughly midway between least and most expensive, compared to other entry-level certifications. The Security+ leads to such jobs as a security administrator, security specialist, and network administrator, among others.

Blue or Red?

Now it’s time to ask yourself, “What kind of security am I interested in?” By now, you should already know that there are mainly two flavors of security: Offensive (we call them Red Team) and Defensive (Blue Team). These terms have long been associated with the military, where they are commonly used to describe teams that use their skills to imitate the attack techniques that “enemies” might use, and other teams that use their skills to defend.

Blue Team (Defensive Side)

Defensive security is something that most companies understand. It includes experts who spend a lot of time doing things like vulnerability testing, incident response, risk analysis, and what is affectionately known as “hardening” of assets. It is a field that is extremely undermanned and only getting worse. It is very research and analysis oriented. If this sounds like something you would get excited about, the certification path is well-worn and some of the industry’s most respected credentials lie before you.

Defensively, you would likely move on from Security+ to CompTIA CySA+, an intermediate high-stakes cybersecurity analyst certification that not only focuses on the candidate’s ability to proactively capture, monitor, and respond to network traffic findings, but also emphasizes software and application security, automation, threat hunting, and IT regulatory compliance, all of which affect the daily work of security analysts.

CySA+ covers the most up-to-date core security analyst skills and upcoming job skills used by threat intelligence analysts, application security analysts, compliance analysts, incident responders/handlers, and threat hunters, bringing new techniques for combating threats inside and outside of the Security Operations Center (SOC).

At the top, the (ISC)² CISSP certification is like the defensive granddaddy: the most celebrated certification in the industry, required for high-level management positions responsible for the entire information security division and staff.

Red Team (Offensive Side)

If the most adventurous aspirations like Ethical Hacking and Penetration Testing are what you are excited about, then the red teaming path is for you.

For the offensive security-minded, CompTIA offers the Pentest+ credential, a good entry-level penetration testing certification that is easier to obtain than the other tough and advanced certs. When it comes to certifications, we are again stuck in another unfair comparison between two big boys: CEH vs OSCP. For simplicity, I usually like to draw an analogy with the Network+ vs CCNA comparison, where one takes a broad, theoretical approach while the other is specific and practical.

Certified Ethical Hacker (CEH) has an abstract approach, with limited hands-on labs, designed for people without great (offensive) security knowledge. It’s more like an overview of the attacks, without getting into in-depth, low-level details. But if your offensive security knowledge is limited, then this should be the cornerstone of your ethical hacking career. If you want to understand concepts and attacks, then you should start with this.

Offensive Security Certified Professional (OSCP) has a self-study (research), hands-on approach. You will see tools and attacks in action, rather than concepts and lists of attack types. It’s fully hands-on, and you are required to do the attacks yourself as well. You have to hack, you read correctly. No help, no instructor, nobody, only you. No more concepts, real hands-on. Real attacks, real hacking.

Did you know? OSCP is a 24-hour one-person hackathon designed to test the ability of the candidate to successfully attack, exploit, and exfiltrate data from a secure system. Break out the double espressos and pull on some comfy pants. This is a grueling set of exams designed to separate the hackers from the script kiddies in a real-world scenario.

My Opinion

As a bottom line, both are well known, valued, and appreciated certifications. And in my opinion, the correct approach for a beginner would be CEH, then ECSA (from EC-Council as well), and then OSCP. Or a faster way would be CEH, then OSCP because OSCP is difficult or even impossible without previous offensive knowledge. If you want to understand ethical hacking and offensive security, start with CEH.

Closing Words

So there you have it. These are probably the most well-known, well-respected certifications in the IT security industry. Your path may take you in different directions, but keep in mind that security is not just about putting up firewalls, nor is it just about breaking through them.

Cybersecurity is a human industry, and much of what you can and will learn is how people operate on both sides of the network edge. If you’re interested in joining this world, there are a lot of opportunities. Even if you don’t have the experience you think you might need, you can find a path that can work for you. Have a great time ahead, nerds!

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion. I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.

Prabal Devkota
4 years ago

Great content