The author is a member of LevelBlue's Consulting Center of Excellence. This is part of a blog series from that elite group.
One of the main questions I get asked from people looking to get started in cybersecurity is, “What certification(s) do I need?”.
Who you ask and the number of people you ask will determine the number of different answers you will get back on this question. A few short years ago, there was no such thing as a cybersecurity professional. At first, people working in system administration or development were asked to take on the additional role of handling security for an organization.
In contrast, today, most organizations have a complete department dedicated to cybersecurity and find it exceedingly difficult to keep staffed with qualified security professionals. Qualified cybersecurity professionals are in high demand and enjoy a high-paying salary and opportunities for growth and mobility. This blog will briefly describe how I got into cybersecurity and the certification path that ultimately led me to my current position as a Principal Architect with LevelBlue. Hopefully, detailing my course will help someone reading this article avoid some pitfalls.
As I was preparing for retirement from the United States Army and working on my MBA, I started a small computer consulting company. I quickly discovered that 90% of my business was helping small businesses deal with viruses and malware. Armed with this knowledge, I knew I wanted to become a security professional once I retired from the Army. Still, I had no idea where to start or what certifications I would need.
When I began my research into the cybersecurity world, it was with the intent of working within the federal government. I noticed that all their security-related job positions talked about EC-Council certifications. After doing a lot more research, I found a business near me that offered bootcamp-style training for several different Microsoft and EC-Council certifications. After several thousands of dollars and months of feeling like I was drinking from a fire hydrant hose, I came out of the training with my MCSE, MSA, Security+, CEH, and CHFI certifications.
Long story short, these certifications did help me get my first federal contract position but did not truly give me the “hands on experience” needed to work as a security professional. True learning and experience came many years after reading countless security-related articles, websites, and Twitter feeds, YouTube videos, creating a home lab and trying different tools and techniques, and finally talking with other security-minded people.
My point being is a certification does not make you a security professional. It is only proof that you could take a test and answer most questions correctly. Becoming a true security professional takes many years of dedication and commitment. But it would be best if you started somewhere; certifications at least help get your foot in the door.
So, to answer the original question, “What certification do I need to get started in cybersecurity?” For me, my answer is always the same. You don’t need a certification to start, but if you can obtain a certification, I recommend starting with the SANS SEC504 course. The course is titled “Hacker Tools, Techniques, and Incident Handling.” It is a well-rounded security course that introduces the student to the offensive, defensive, and management aspects of cybersecurity. Understanding the difference between the offensive, defensive, and management aspects of cybersecurity early is very important and will help decide which cybersecurity career path you prefer.
Over the last decade or so, I have obtained numerous other cybersecurity certifications and the items detailed below are things that I wished I had known when I started:
- Choose a cybersecurity career path - Cybersecurity is a vast career field. To decide on what certification you should get, you must first determine what part of security interests you the most and try to obtain certifications that support that path. I break down the security fields into three different career paths:
- Offensive security - The offensive career path centers around finding and exploiting network, computer hardware, and software vulnerabilities before the bad guys find them. Some careers in offensive security include:
- Vulnerability Management Specialist
- Penetration Tester (Network, Web Application, Mobile Application)
- Red Teamer
- Defensive security – The defensive career path is the opposite of offensive security. Defensive security professionals protect networks, computer hardware, and software from the bad guys. Some careers in Defensive security include:
- Security Operation Center (SOC) Analyst
- Incident Handler
- Forensic Investigator
- Security management – As with any career field, management must oversee day-to-day operations. Cybersecurity is no different; the management career path leads to both the offensive and defensive aspects of security. Some careers in management security include:
- SOC Manager
- Director of Information Security
- Chief Information Security Officer (CISO)
- Offensive security - The offensive career path centers around finding and exploiting network, computer hardware, and software vulnerabilities before the bad guys find them. Some careers in offensive security include:
- Choose a well-known/industry accepted certification company - Numerous companies offer security certifications, but in my opinion, below are the ones that have the highest reputation and are widely accepted by most organizations:
- SANS – https://sans.org
- EC-Council – https://eccouncil.org
- Offensive Security - https://www.offensive-security.com/
- ISC2 - https://www.isc2.org/
- Research and practice – As stated earlier, becoming a security professional will not happen overnight or with certifications. You must develop a passion and be willing to spend much of your free time researching and practicing. To help get started, you must:
- Build a personal home lab
- Follow cybersecurity websites (Below are some examples)
- Join Social Media Platforms
- Discord
- YouTube
Getting started in cybersecurity can be daunting at first, but once you decide that this career is for you, it can be both rewarding and fulfilling. When I retired from the Army, I had no idea what I wanted to do with the next chapter of my life. For me, deciding to become a security professional has been one of the wisest choices of my life. It has been rewarding and challenging, and I could not imagine making a better career decision.