The Global Information Security Workforce Study (GISWS) is a joint effort conducted biannually by the Center for Cyber Safety and Education and (ISC)2. The 2017 study indicates there will be a “cybersecurity workforce gap of 1.8 million by 2022”. (https://iamcybersafe.org/gisws/) The study further reveals that the number one reason for this shortage is due to qualified personnel being difficult to find. (To learn more about the shortfall of cybersecurity professionals, please read http://aspetraining.com/resources/blog/cybersecurity-jobs-certifications-worth-it )
If you want to help fill the gap in this workforce shortage, (and take advantage of the $124k average salary for cybersecurity professionals) you must demonstrate that you have attained a level of proficiency in securing information assets. To help you demonstrate this proficiency, the industry has come up with a plethora of cyber security certifications. Each of these certifications indicates that the individual has achieved a minimum benchmark of knowledge and/or skills related to protection of information assets.
However, choosing the certification(s) that is right for you can be a challenge. I am often asked “which certification should I go for next?”. My answer is always the same; “it depends”. It depends first on the experience you currently possess and secondly on your goals and third on what is needed in the industry.
What experience do you have?
In general, cyber security certifications can be broken down into two levels and two categories. The two levels are entry and advanced while the categories are technical and managerial. Oftentimes, the entry level certifications are considered entry level while the managerial certificates are advanced. This makes sense in the fact that most careers follow a logical progression beginning with technical, hands-on assignments with management positions being filled only after one has paid his or her dues in the trenches doing the work of cyber security, racking and stacking the firewall, configuring the identity management system, reviewing security logs and tuning intrusion detection and prevention systems.
The entry level certifications expect the individual to know basic terminology and concepts of cyber security. They usually require the individual to have at least one year of security related work experience. Whereas the advanced certifications require the individual to have at least five years of direct security related work experience with at least some of that experience managing cyber security projects and workers.
What are your goals?
Are you looking to get into the technical aspects of security such as penetration testing or incident response or are you interested in advancing your career into the management side of security?
Choosing the right entry level certifications can be a bit tricky because on one hand there are certifications related to the things that interest you, but you have zero experience with. These certifications may include Certified Ethical Hacker (CEH) or Computer Hacking Forensic Investigator (CHFI) from EC-Council. In this case, how does one obtain the experience? One simple word: volunteer. Volunteer your services in exchange for mentoring from an experienced professional. Another option is to seek out on-line communities and associations of professionals. Join these organizations and participate with them to gain the experience needed.
On the other hand, there are certifications related to the things you actually have experience doing, but you may not have a love for. Go ahead and obtain these certifications. At the very least they show to employers and prospective employers that you have the benchmark level of knowledge to do the job.
What positions are available?
The practical side of selecting security certifications comes from human resources. What positions are employers seeking to fill? Or more specifically, what positions are they seeking to fill in my geographical area? It is a good idea to do your homework to answer this question. Take a look at the many job posting sites such as Monster. Search for openings using the various certificate acronyms. Currently within a 20-mile radius of where I live there are only three job postings that come up when I search for CEH while there 177 postings referencing Security+. For advanced certifications there are 33 postings looking for the CISSP certification and only one looking for Certified Advanced Security Professional (CASP) from EC-Council.
Like all good “it depends” answers, I don’t tell you which certification you should go after next, rather I provide a couple key points to consider for yourself. I believe each of the questions above can be weighted, with the greatest weight placed on what certifications are going to open the most doors for me followed by what do I want to do. The certifications that sit at the nexus of these two questions are the ones I would recommend that you obtain.