• United States




Beyond the basics: The certifications you need based on the path you choose

Jan 15, 20164 mins
Application SecurityCareersEnterprise Applications

Here are a few sector specific certifications that will grow your skills and impress prospective employers.

itskills training ts
Credit: Thinkstock

Turns out that a lot of people have a lot of differing opinions on the education, certifications, and training folks new to security ought to have.  If you read Lysa Myers’ blog post earlier this week, you know that she started off as a receptionist and worked her way up to security researcher, developing her skill set as she gained experience.

I was so inspired I felt that even I could apply for a security position. While I do love the classroom, I also learn best when I can combine auditory instruction with the visual and kinetic tools that bring content to life. After a week of trying to answer the question of why certifications matter, I’m still not convinced that they are the key to being successful at a job. 

They are, however, a way to get you noticed to get an interview.

Karen Evans, USCC national director said, “Most Human Resources (HR) departments look for the certifications from multiple certifying bodies. The certifications do provide a filter for HR to screen applications and attempt to provide the baseline qualifications needed for the position(s).”  

[ MORE ON CERTS: Which certifications matter most for those new to security | Why certificates matter, and which ones matter most ]

Beyond the certifications already mentioned this week, there are some sector specific trainings that will help you to advance in your career.

Looking at security through the four lenses of ‘cyber’, ‘information’, ‘infrastructure’, and ‘software’ will help you determine the best career path and which certifications you need, said David Shearer, CEO, (ISC)2.  Those who are looking to advance their careers might want to consider the Associate of (ISC)2 program, which serves as an on ramp for entry level folks looking to hone skills through rigorous training.

Many of the industry folks I connected with said that they look for the SANS certifications, and the Center for Internet Security recommended the following certifications for those interested in being analysts, though they also said that none of these are official or required when recruiting.

For SOC analysts the first certification we recommend is SANS GCIA: Certified Intrusion Analyst

For CERT analysts the consensus is to start with SANS GCFE (FOR408): Windows Forensic Analysis and then go to GCFA(FOR508): Advanced Digital Forensics and Incident Response (note: if you do not have any forensics experience you should not start with 508)

“I highly suggest SANS courses, which includes GCIA and GCFA, and they greatly increase chances for, at minimum, an interview, said, Tom Gorup, security operations leader, Rook Security.

Gorup said, “These are great hands-on certifications which require a decent amount of technical know-how to get started, and give real world scenarios and hands-on training to gain a great understanding of the domain.”

For Security Analysts Jeff Schilling, CSO, Armor, said, “Security + is still a great foundational certification for those entry level security analysts. As a next step, we like to see our security analysts progress and get their Certified Ethical Hacker certification so they can learn the way threat actors think.”

The top three certifications that Michael Angelo, chief security architect – CRISC, CISSP, Micro Focus likes to see in candidates are:

  • Certified in Risk and Information Systems Controls (CRISC):  demonstrates that the recipient knows how to analyze risks in infrastructure. More times than not, people will make decisions, without understanding the issue or risk they will incur.
  • Certified Ethical hacker (CEH)While it focuses on already existing tools, it demonstrates that the recipient understands the current state of hacker tools that can be used to analyze an environment for potential security vulnerabilities. It demonstrates a person knows how to develop code securely and can adhere to the requirements of Secure Development Life Cycle (SDLC). 
  • Certified Secure Software Lifecycle Professional (CSSLP):  Given that all computer systems contain software, and that the cause of most successful attacks on systems is via the software, this certification is a must have. 

Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author