Security Certifications – Where to Begin?
IT has for many years been a sector covered in various certifications and IT security especially has been an area of IT that has been covered in a plethora of various security related certifications. This to a degree that you will not be viewed seriously as an applicant for security jobs without any of these certifications. But where to begin? In this article I will try to give you some pointers on how to begin acquiring some of these certifications, as well as provide you with advice on which to go for depending on the areas of cyber security you find interesting.
My assumptions here are that you are a beginning, to intermediate, cyber security professional, trying to get a grip on the many, many cyber security certifications out there. If you look at my signature below this article, you will see that I have many of the certifications I will be mentioning here, so I have been where you are now! First, let me try to define some pillars within cyber security, that we can use as a guide here. The pillars that I am using here will not be representative for the entire area of cyber security, so please do not see them as the be all, end all truth of certifications and they are of course colored by my own interests in cyber security! First, look at the table below:
| GRC | Products | Privacy | General Security |
| ISO 2700x | Microsoft | CDPSE | CISSP |
| PCI DSS | CISCO | ISO27701 | CISM |
| CRISC | Anti-Virus | CIPP | CSSLP |
| CGEIT | Firewall | CIPM | SANS |
| COBIT 2019 | IDS/IPS | CIPT | CCSP |
| Cloud |
GRC in the above table is short for: Governance, Risk and Compliance. As well as many different certifications, there are many different vendors behind all these certifications. Some with many different certifications and others with only a limited number of certifications. You should not necessarily see the organizations with many certifications as better than the ones that are more limited! Or the other way around for that matter, it all depends on which are of cyber security you would like to make a career in. Let us look at each of the columns one by one.
GRC – Governance, Risk & Compliance
This is an area of cyber security that is becoming more and more important for any security professional! As the business environments are becoming more complex and the regulations more thorough, this is an area with an increased focus for management in the various organizations in heavily regulated industries, or just as a way of creating confidence in the organization from investors and customers. The certifications I have highlighted in this area comes from ISO, Payment Card Industry organization and ISACA. If you are a beginning cyber security professional, these are not certifications that you should aim at from the get-go. Some of them requires significant amount of years of experience before you will be granted the certification. For CGEIT and CRISC the number of years is 5 and the experience must be within the domains that the certifications are covering in the exams. For PCI DSS the training an examinations have significant costs involved, but there is plenty of work to be found for any person that is PCI DSS certified, since this is the way that merchants are showing compliance with the payment card security standards.
Even if you have no intent of moving into the GRC area of cyber security, it is of paramount importance that you at least gain some level of knowledge in the GRC area! Why? Because as a cyber security professional you will be expected to be able to advice clients and customers on these points, even if you are not the one that is going to implement the projects.
Products
Here are some of the certifications that a beginning professional should aim at getting under their belt! First off, because these kinds of certifications will not have any experience mandate before gaining them and because they provide you with excellent insight into the technologies behind the various security protections in the organizations we are working for, or consulting for. Microsoft and Cisco have both had a multitude of certifications for many years. Microsoft has not had any security related certifications until recently, with the Azure focused AZ-500 certification that focuses on security in Azure and the MS-500 that has a focus on the 365 environments from Microsoft.
Cisco has had security focused certification since the 90’s with a focus on the Cisco security products. As Cisco has increased their product portfolio, these certifications have followed with increased content and therefore with an increased difficulty in obtaining them. The new CCNP Security certification, for instance, has one core exam and six sub specializations beneath the core exam. All of them requiring a formal examination before gaining them. Now, there are a lot of other companies with relevant security certifications out there, beyond Microsoft and Cisco. Some of them are:
- Check Point
- Palo Alto
- McAfee
- Trend Micro
- …
Which ones you focus on will depend on the technology platforms of your customers or employers, but as a beginning security professional, gaining these product focused certifications is an excellent way of gaining experience for the certifications requiring experience.
Privacy
Even if privacy is not in your sphere of interest, privacy knowledge, just like GRC knowledge, is a requirement for any security professional. Be sure to read my article “Why Privacy is the new Black” on this topic.
It is only within the last 2-3 years that certifications focused on privacy have received focus as a possibility for a discerning security professional. IAPP – International Association of Privacy Professionals – were the first with their CIPP and CIPM certifications, followed later by ISO with their ISO 27701 certification. ISACA was the last with the CDPSE certification. I personally highly recommend that you gain at least one privacy focused certification for your CV! Just like with governance, privacy will become a business differentiator in the coming years. Just look at the number of news stories about companies losing their customer data to ransomware or hackers around the world. If you, or I, are to have any confidence in the protection of our data by the companies we are doing business with, they will have to have strong protections in place. The same goes for any other customers around the world!
General Security
There are many certifications within the general security area. The most known here is the CISSP certification from ISC2. This is the one certification that I advise every security professional to gain, simply because it is so well known in the market. This is another one of those certifications that require some years of experience before you can put it on your CV. Studying for this certification requires significant efforts, simply because of the amount of stuff you will need to go through. Not because the knowledge is on any deep technical level, because it is not, but because of the amount of stuff you will have to internalize, before attempting the exam. Still, it is well worth your effort!
ISC2 has other certifications that can make sense, depending on your areas of interest. CSSLP for secure software development and the CCSP focused on cloud security. CISM from ISACA is aimed at the management of cyber security and is another one of those certifications that requires some years of experience before you can acquire it.
Another organization to look for certifications is SANS Institute. SANS has had a plethora of different certifications for many years, with many different focuses. The SANS certifications have a significant amount of respect surrounding them, but they can also be expensive, especially for a beginning security professional.
Final Thoughts
If your interest is mainly in the pen test area of security, you will have noticed a distinct lack of certifications in this area in my certifications list. There are many certifications in this area, SANS have a few for example, but it is the OSCP and OSCE from Offensive Security that are the most respected of penetration testing certifications among the pen testing companies out there. I am personally squarely on the blue side of things in regards to cyber security, but that does not mean that I cannot see the value of penetration testing in cyber security. It is just that my mind does not work in the hacker way, so I would make a very poor penetration tester indeed.
So, if you are a beginning to intermediate security professional looking at certifications as a means of advancing your career, look at the various product certifications out there first to gain the experience for the ones requiring experience to get.
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.
Hello, thank you very much for your post which is very clear and giving an approach which is more than useful for me for instance as a cybersecurity project manager since one year (having before 8 years of experience in networking consultancy). Can you tell us please how we can train to get these exams ? My company is not aimed at paying me such training in live sessions (costing around 3 to 4K€). Also do you have training tips to increase our chances for the exam ? Thanks a lot again
Hi
It really depends on what certification you are aiming for. For the CISSP, which also was highly recommended in Tom’s article, there are several self-study books, for example this one: https://amzn.to/32OMmXU or this one: https://amzn.to/38Ja7nT – also, there are e-learning courses by the organizations offering those certifications which are usually a lot cheaper than an onsite training.