The Path for Your Security Career
Warren Peterson

 

One question I seem to get quite often is, “How do I get started in security?” This is almost always followed up by, “Then what is the best path for a security career?”

In this article, I’ll walk you through the process from getting started through defining career goals. By the end, you should have a solid grasp of how to plan, and follow, your path through the world of security certifications.

First, and perhaps most important, you need to understand that in this discussion, I’ll be doing something that you might find odd. I will be recommending certifications other than just SCP certifications. At SCP, we fully recognize that there are plenty of great certifications available, and if you want a comprehensive and well-rounded security career, one certification provider will not fulfill your needs.

There will be points during your career, when you will make decisions about which path you need to follow, and at those points you will choose the security certification that best fits your goals and needs.
 
 
Let’s get started.

We have collaborated on a career and business development tool called the IT Security Skills and Certification Map. Below you will find the Map embedded in this article.

You can click on the image to open a new window with a high-resolution PDF version of the map. You are welcome to print out the high-res PDF for your own use, or to discuss with friends and colleagues.

Required Skills and Certifications

This map is broken down into two core areas, the Required Skills and Certifications main section, and the recommended/required breakdown graphs below. Before getting into your unique security path for your career, some time will be required to discuss the map.

(If you are in a hurry, and just want to be see what certs you need in which order, go ahead and jump down in this article to the Security Paths heading.)

At the “starting” level would be all information workers, meaning anyone who uses a computer that is connected to a network (including the Internet). For all practical purposes, this course is designed for everyone. There is no certification; this is a single course, called the Security Awareness Program. It covers the true basics, how to create a strong password, secure techniques for the use of email and web browsing, and so on. The Security Awareness Program course is designed to be delivered online, requiring no time away to attend an in-person training program.

Once you move beyond the general information worker, then you start to move into the actual certifications that affect your career path. The starting point, and the recommended pre-requisite to move into the SCP certifications, is CompTIA’s Security+. This program provides the basic security concepts that you will need to build your security career upon.


Moving upwards from CompTIA’s Security+ you will find two of the SCP certifications, the Security Certified Network Specialist (SCNS) and the Security Certified Network Professional (SCNP). These two intense hands-on certifications provide the critical network security skills that need to be added to all computer and network administrators. These skills include the design and implementation of firewalls, IDS, wireless security, cryptography, Linux security, Windows security, and much more. All administrators will need these skill sets to remain competitive and valuable to their employers.

After you have received your SCNP certification, then the options begin to get wider as you move into the specialized security skills section. You have the choice of which types of specialties to pursue. The certifications at this level have been broadly split into the two main categories of vendor-neutral and vendor-specific.

The common vendor-specific security certifications here are from Cisco, Microsoft, Novell, and the security vendors like Checkpoint and RSA. On the vendor-neutral side, you have the certifications like EC-Council’s CEH, Planet3 Wireless’ CWSP, and SCP’s SCNA. We’ll go into this section in more detail in a moment.

Continuing on upwards, you land at the security certifications that are more related to security design and compliance. In this area you will find the certifications such as ISC(2)’s CISSP and SSCP, and ISACA’s CISM. Just as with the previous specialized security skills section, we will revisit this set of certifications in a moment.

You will notice that on the left side of the IT Security Skills and Certification Map we have a vertical ascension of career levels. These give you a general sense of the ascension from one stage of your career to the next. Every organization has its own unique positioning, so this is a general overview. As we discuss the bar graph at the bottom of the map, you will see how the career levels reference to the required skills and certifications.

Career Levels and Blending Certifications Together

OK, so far so good! Now let’s move into how all these skills and certifications blend into the four general IT Career Levels, as they are defined. This section explains how to use the bar graphs on the bottom of the map. From here on out, you will start to see how to mix and match all these certifications for your own unique security career path. As soon as we have gone through the four career levels, we will talk about specific certifications in specific orders. Or, you can jump right to “The Security Paths” section now.

Let’s start with the IT Worker, which is where the majority of people new to the security field will begin. At this level, you need to have very solid foundational security knowledge, such as that which is provided in the SCP Security Awareness Program. You will need a good understanding of basic security concepts, such as those delivered in the CompTIA Security+ certification. Lastly, you may need some network security skills, such as the SCP SCNS, and less of the specialized security skills (the specific certification would be based on your employer or goals).

When your career has moved beyond that of a general IT Worker, and you have moved into IT Administration, then your skill set needs to advance as well. At this level, your need of the foundational security knowledge, and basic security concepts will move towards the back (though not forgotten!), as you move into more advanced subjects. Here you will need the maximum amount of network security skills, and will need your SCNS and SCNP. You will also likely need some specialized security skills, as per your employment situation or your career goals. It is possible that you will require a small level of design and compliance skill.

As your career progresses to the IT Manager level, now your needs for network security skills will slide back down a bit (again, hopefully not forgotten!), and you will need more specialized security skills and more security design and compliance skills. The specific certifications will be based on your current job role and requirements.

The last level of the four positions is that of the IT Executive. At this level, you will need strong design and compliance skills, and will likely need (or be required to hold) the CISSP, SSCP, or CISM certification. You will be required to keep your network and specialized security skills up to date, but it will be less for your own implementation and more for your understanding during your design and compliance role.

Whew, that was a lot! Let’s keep going. I trust that all of the above was helpful in identifying how the various certifications fit together. Now, let’s take a look at some very specific security paths that you might choose. You will choose the path based on either what your current employer is requiring, or based on where you wish to take your security career. Let’s get to the paths!

The Security Paths

If your goal is to become a security professional, with well-rounded, hands-on, network security skills, then you will follow the Path to Security Professional:
Security+ → SCNS → SCNP

If your goal is to become a senior-level security administrator, focusing on the hands-on and implementation skills at a higher level, then you will follow the Path to Senior Security Administrator:
Security+ → SCNS → SCNP → SCNA

If your goal is to become involved in management, design, and policy issues surrounding security, then you will follow the Path to IT Security Management:
Security+ → SCNS → SCNP → CISSP (or)
Security+ → SCNS → SCNP → CISM

If your goal is to become a wireless security specialist, then you will follow the Path to Wireless Security Specialist:
Security+ → SCNS → SCNP → CWSP

If your goal is to become an ethical hacking specialist, then you will follow the Path to Ethical Hacking Specialist:
Security+ → SCNS → SCNP → CEH

If your goal is to become a Cisco security specialist, then you will follow the Path to Cisco Security Specialist:
The Path to Cisco Security Specialist:
Security+ → SCNS → SCNP → CCSP (Cisco certification)

As you can see, the starting point for all these careers is essentially the same. You start with solid basic security concepts of Security+, followed by adding the hands-on skills of the SCNS and the SCNP, and then you start to “split” based on your career goals.

If your goal is to become an ethical hacker, for example, you would follow-up your SCNP with the CEH certification. In the Specialized Security Skills you will find the broadest divergence of the security paths. This is the area where you break away into your unique field of specialty or career requirement. If you have decided that you want to specialize in the hot field of wireless security, for example, once you finish the SCNP, then your logical next step would be towards the CWSP certification.

If your goals are to move to security management and other more senior levels, then you follow your skill set to the SSCP, CISSP, or the CISM. Some people go directly from the SCNP to the CISSP, so if that is the path you wish, forge ahead!

To read the full objectives covered in the SCNS certification, click here.
To read the full objectives covered in the SCNP certification, click here.
To read the full objectives covered in the SCNA certification, click here.

To prepare for the SCNS certification, we recommend the Tactical Perimeter Defense (TPD) course. TPD course information can be found here. To prepare for the SCNP certification, we recommend the Strategic Infrastructure Security (SIS) course. SIS course information can be found here.

I hope this has given you a solid grasp of how to use our IT Security Skills and Certification Map, and how to plan the path for your security career.

 

Have a great day! Warren Peterson

About the Author: Warren Peterson is the President, and co-founder of the Security Certified Program (SCP). In addition to his role as President, Warren also functions as the lead author for instructional content, and has written nine leading IT security books, including all current SCP courses.

In 1999, it was Warren’s vision to create a program that addressed IT security, and the SCP was born. Warren has overseen the company’s growth from delivering security programs in one Chicago classroom to SCP courses delivered on a global scale. Warren can be reached at: Warren@SecurityCertified.Net.