How to Choose a Cybersecurity Certification


For National Cyber Security Awareness Month, we are resharing some of our most popular cyber security blogs from the past year to ensure you are staying #CyberAware online - whether at home or in the office.

Various organizations offer a bewildering array of cyber security certifications. What should you pursue?

Cyber Security industry certifications

I'll start with the U.S. Department of Defense requirements. They apply to a lot of people, and NICE is bringing similar requirements to the rest of government.

You don't work for the U.S. military or government? Bear with me, because I have more suggestions.


U.S. Government Requirements

The U.S. DoD Directive 8570.01-M defines workforce categories. The two main ones are IAT and IAM: Information Assurance Technical and Information Assurance Management. Both have Levels I, II, and III. Military service members need the corresponding certification, and so do civilian employees and contractors.

The rest of the government is following DoD. NIST is working on Special Publication 800-181. It describes the National Initiative for Cybersecurity Education or the NICE Cybersecurity Workforce Framework.

The NICE Framework specifies 7 Categories or high-level groupings of common cybersecurity functions, 33 Specialty Areas, and 52 Work Roles. Those Work Roles require KSAs, or Knowledge, Skills, and Abilities.

Workers demonstrate command of KSAs through relevant experience or performance-based education and training. That means: cybersecurity certification tests. NICE requirements will look a lot like DoD 8570.01-M.

Let's Look at 8570

DoD approves three to six specific cybersecurity certification tests for each IAT and IAM level. A certification for one level satisfies all lower levels in that track.

CompTIA Security+ and (ISC)2 CISSP have become popular because they satisfy many requirements. So, let's see why:

Screenshot of the DoD IA baseline certification table from https://iase.disa.mil/iawip/Pages/iabaseline.aspx

Security+ satisfies IAT Level II (and therefore IAT I), in addition to IAM Level I. It gets you started on either track.

Also, CISSP satisfies IAT Level III and IAM Level III. Therefore, one cybersecurity certification satisfies all levels of both tracks.

There's more to 8570 than just IAT and IAM. IASAE, the IA Workforce System Architecture and Engineering specialty, has Levels I, II, and III. CISSP qualifies for Levels I and II. However, Level III needs a CISSP follow-on, either CISSP-ISSAP (Information System Security Architecture Professional) or CISSP-ISSEP (Information System Security Engineering Professional).

In addition, CSSP, or CyberSecurity Service Provider, comes in five varieties with rather different certification requirements.

The Classic 8570 One-Two Punch

For most people subject to 8570 requirements, Security+ and CISSP are the obvious choices.

My personal recommendation would be to start your career track with the entry-level Security+. The field isn't all that difficult. The hard part is figuring out how to get through the exams! You have to get into the "certification test mindset". The questions can be tricky and vague. The more you know about an area, the harder some of the questions become. Learning Tree's CompTIA Security+® Training shows you what the test covers. But more importantly, it shows what the test is really like.

Your Security+ preparation will reveal which study methods work best for you. No single technique works for everyone. Then you're "in the groove" for CISSP study and testing. Check out Learning Tree's CISSP test prep course for the next step.

Going For A CSSP Position?

Notice that CEH or the Certified Ethical Hacker certification qualifies you for all but one CSSP specialty. Learning Tree's Certified Ethical Hacker (CEH) Training could prepare you for most CSSP positions.

But Maybe You Don't Work For The U.S. Government

Security+ and CISSP are recognized world-wide, and CISSP in particular is highly regarded. One or both will help you get the job and pay you want.

You might do CISSP as your first cybersecurity certification test. However, that's jumping in at the deep end. Security+ is easier and cheaper. Start there.

What else might you consider in addition to these? This gets interesting.

IT Decision Makers Want Cloud Skills With Security

Rackspace recently published a study. 71% of IT decision makers believe that their organizations have lost revenue due to a lack of cloud expertise. People abuse the term "Cloud" to mean almost anything involving the Internet or large data sets, and so Rackspace asked for details.

They asked respondents to list and rank their top ten hardest-to-fill skills. Cloud security was #2 overall. Security in general and in-house was #4.

Which skills commanded the highest pay? Cloud security was #2, barely behind database management, and general cybersecurity was #5.

So yes, there is a demand and good pay for cybersecurity skills.

Which certification might help you? CompTIA has a Cloud+ certification. I would also consider certifications in the underlying technologies, especially Linux server administration. Much of cybersecurity comes from careful attention to detail. CompTIA Linux+ is the intro-level certification. Red Hat's RHCSA and RHCE are the serious ones.

Cybersecurity Supply And Demand

The Cyberseek project analyzes the U.S. cybersecurity job market. It's funded by that NICE initiative, CompTIA, and Burning Glass Technologies. Check out their interactive Cybersecurity Heat Map. You can examine the demand and supply of cybersecurity jobs nationally, by state, and by metropolitan area.

What jumps out? First of all, many job postings require Security+, but there's a lot of competition. 32,140 posted job opportunities require Security+, while 167,776 people have that certification.

However, over twice as many jobs require CISSP, and there is less competition. 72,700 posted jobs require CISSP, while only 76,413 people have it.

There are even better ratios. There are 1.2 jobs for every person with CISA, or Certified Information Systems Auditor, and almost 2 jobs for every person with CISM, or Certified Information Systems Manager. (Both of those certifications are from ISACA, the Information Systems Audit and Control Association.) However, smaller numbers of jobs require CISA and CISM.

Test-prep courses can really help you to pass the first time. Check out Learning Tree's collection of exam-prep courses.

Continuing Education

All of these certifications need continuing education. Learning Tree has several cybersecurity training courses. They could refresh existing knowledge, and they could lead you into new areas. Keep current!

Written by Bob Cromwell