Which Security Certification is Right for Me?

Mike Beevers, Mon, 04/09/2018 - 09:02

As an information security instructor, I often get asked the question “What certification should I get (next)?” Great question, difficult answer. There are many certifications out there, and the answer will depend on your current level of knowledge, the area you want to work in, and your future goals. All of this will likely be tempered by your employer’s understanding of the value of the certification, since they will hopefully be footing the bill for the training.

When it comes to personal development ask yourself “What are my goals?” Are you in this for the money, personal interest, or employability?

If money is your goal, you should look at the following security management certifications, which all average over $120,000 a year according to a 2017 survey. The top security certifications are (in order from highest to lowest paying):

  1. Certified in Risk and Information Systems Control (CRISC)
  2. Certified Information Security Manager (CISM)
  3. Certified Information Systems Security Professional (CISSP)

These three are also listed in order of how many people currently maintain the certification. All three certifications are focused on security management and require a minimum number of years of experience. As management certifications, they focus less on the technical aspects of security and more on the risk posed by improper security processes. I don’t care how the lock works, but if I leave the front door open, what is likely to happen and what will the impact on the company be? Once you have a good understanding of the risk, you can find a way, using people, processes, and technology, to maintain an acceptable level of risk while continuing to use the business asset. Security management is primarily about allocating resources wisely.

Do you find yourself saying “I am a techie and I like it”? If so, then a more technical approach to security might be a good fit for you. Again, there are several avenues to pursue.

If you would like to focus on forensics – digging into past events and how they affected computers, files, etc. – then look at the GIAC Certified Forensic Analyst (GCFA), which is incident-response based, or the GIAC Certified Forensic Examiner (GCFE), which is more focused on the legal aspects of forensics. Both certifications are offered through SANS, which is well known for the quality (and price) of its training. Forensics delves into the inner workings of computers and hardware. Think of going through a hard drive looking for remnants of files or shadows of previous activity in order to discover clues. This is the life of a forensic examiner: a constant search for clues leading to hidden treasure. With the GCFE the treasure hunt will most likely lead to an arrest/conviction or proof of innocence, while the GCFA is more focused on “What the heck happened here and how do we respond to this?” The GCFA has a heavier focus on the incident response side of forensics and less on the gathering of legal evidence.

You like technical work, but aren’t so interested in forensics? Then perhaps Certified Ethical Hacker (CEH) is for you. CEH is all about playing hacker: finding vulnerabilities within online systems, finding a way to exploit those vulnerabilities, and documenting those weaknesses so the defenders can shore up their defenses. You cannot protect what you don’t know about. If it is there and it is weak, the CEH will find it. Another option here is the GIAC Penetration Tester (GPEN), which is provided by SANS and is another well-known certification similar to CEH.

For those of you who enjoy programming, Carnegie Mellon offers a certification in C and C++ called the CERT Secure Coding in C and C++ Professional Certificate. As an alternative, there is the Certified Secure Software Lifecycle Professional (CSSLP) offered by ISC2. Both address the huge problem of poor software development practices.

Some of you may think this all sounds great and cannot wait to get started, but lack experience. We have the certification for you! Look to CompTIA and their Security+ certification as a great place to start. Security+ shows a solid understanding of security fundamentals, terminology, practices, and procedures. It is a great certification which will lead to an exciting career in cybersecurity.

Two other great resources that you may want to look at when planning out your security career are the DoD 8570 (DoD Instruction 8570.1M has been superseded by DoD Instruction 8140.01; however, at the core of 8140 are the basic requirements laid out in 8570), which lays out government requirements for specific cybersecurity positions, and NIST SP 800-181, which is a rather large document that details job descriptions and describes the Knowledge, Skills, and Abilities (KSAs) required for those jobs. Just look in either of those two documents, find your area of interest, and they will tell you what you need to know and what certifications you need to achieve.

One last and related resource also provided by NIST is the Cybersecurity Career Pathway which has a great amount of information about cybersecurity careers and their associated pay scales.  You can also find a map of the United States there showing the approximate amount of security job openings per state with salary information.

Hopefully, this will get you started on an exciting career in cybersecurity.  The jobs are in demand and the demand is growing faster than there are people currently entering the field. Grab a certification and launch your cybersecurity career today.