I’m frequently asked, “What is the best security certification path for someone pursuing an IT job in security?” It’s not an easy question to answer because there are many variables, but let me give it a try.
The Certified Information Systems Security Professional (CISSP) certification is considered by many to be a premier security certification. If you have the CISSP, it will open the door to many opportunities related to IT security. With this in mind, I’m focusing this post on the CISSP as the ultimate goal.
I don’t mean to imply that the CISSP is the only premier security certification. Any individual employer might value another security certification more. However, the CISSP is widely recognized and understood.
Security Certification Path for those Working in IT
If you’re working in an IT job, you have some experience. You understand many of the basics related to computers. One popular path to the CISSP is:
- CompTIA Network+
- CompTIA Security+
- (ISC)2 SSCP
- (ISC)2 CISSP
Network+ – Security Certification Path
The Network+ certification ensures you don’t have any holes in your networking knowledge. These knowledge holes can impede your progress because the remaining certifications assume you understand these topics.
With the right study materials, most people can pass the Network+ certification within 30 to 60 days after they start.
Security+ – Security Certification Path
After passing the Network+ certification, the Security+ certification builds on that knowledge with a focus on security principles. If you pursue it right after the Network+, you can probably pass it within 30 days. The How To Pass A Certification post outlines steps you can take to pass this and other exams. Additionally, this page includes links to many posts and other resources to help you pass.
In addition to helping you lay a solid foundation of security topics, the Security+ certification is a required cert for U.S. Department of Defense (DoD) IT jobs.
The CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide is a popular study guide and has helped many people pass this certification the first time they took it.
SSCP – Security Certification Path
The (ISC)2 Systems Security Certified Practitioner (SSCP) certification is a good stepping stone to the CISSP. You’ll find that there is a lot of overlap between the Security+ exam and the SSCP, so pursuing it after the Security+ certification reduces your study time. Many people take about 60 days to prepare for this exam after the Security+ certification.
One of the challenges with the SSCP compared to the Security+ exam is that the content is broad and not clearly defined. CompTIA takes the time to identify many of the specific objectives of what you’re expected to know. However, the SSCP paints these objectives in much more generic domains. The SSCP Systems Security Certified Practitioner All-in-One Exam Guide is a study guide for the SSCP.
This page talks about the objectives and some of the requirements. One requirement is that you need one year of experience to become an SSCP. You can still take and pass the exam without the experience. Instead of a full SSCP, you’ll be an SSCP associate until you build up the required experience.
You can skip the SSCP and go right to the CISSP. Many people do. However, studying for the CISSP takes quite a long time, and due to the difficulty, many people drop it the first time they take it. It can be quite discouraging, stopping people in their tracks. However, when people do the SSCP first, they build up knowledge that applies directly to both the SSCP and CISSP. Also, they understand the (ISC)2 exam process, which eliminates some of the unknowns.
CISSP – Security Certification Path
The CISSP certification is much more difficult than the other certifications. However, the tradeoff is that it is well respected. If you earn it, most people understand that you’ve put a lot of time and effort into it, and that you have a wide breadth of security-related knowledge.
Just as the SSCP uses generic domains to identify what you need to know, the CISSP exam also uses domains. The SSCP includes seven domains and the CISSP includes ten domains. Much of the content from the SSCP overlaps with the CISSP, but in general, the SSCP is more technical while the CISSP includes more administrative topics.
If you’re planning to take the CISSP exam, make sure you check out the details on the (ISC)2 site. Many people take as long as six months to prepare for this exam. However, if you take it after the SSCP, you can usually shorten this to 90 days.
Security Certification Path for those Without Experience
If you don’t have any work experience in an IT job, I suggest you add in the CompTIA A+ certification. This will give you a solid understanding of the basics related to computers. It isn’t needed by most people working in an IT job, but is valuable for people trying to get into IT. The modified path is:
- CompTIA A+
- CompTIA Network+
- CompTIA Security+
- (ISC)2 SSCP
- (ISC)2 CISSP
What About CASP?
The CompTIA Advanced Security Practitioner (CASP) certification is a newer CompTIA certification. People are beginning to understand it a little better and it has been getting more respect. As an example, the U.S. Department of Defense (DoD) listed it as an approved certification on the same level as the CISSP certification. However, many security professionals question whether it is truly on the same level as the CISSP.
If you want to substitute the CASP for the CISSP, you can pursue it after the SSCP, or skip the SSCP and pursue it after the Security+. These posts cover the CASP in more detail:
Summary – Security Certification Path
What is the best security certification path? I suggest Network+, Security+, SSCP, and CISSP. If you study for these certifications and learn the material, you will find that you are well prepared to land an IT security job. No promises, of course. You still need to submit resumes to get interviews and demonstrate your knowledge in the interviews.
55 thoughts on “What is the Best Security Certification Path”
Hi Darril ,
I am a fresh graduate who has 1 year of experience in a security environment project. The company I’m working for right now asked me to take a certificate regarding a security platform. I need advice and recommendations from you about which cert I should take first for a beginner or entry level; I’m interested in CEH and CNDA. What do you think about these certs? Or are there other certs that you can recommend to me?
Check out this post: “Recommended Certification Path“
I have 10 years of experience in the network and security field and am Jnice-Sec certified. I am planning to take the CISSP; I need your suggestion on this.
The CISSP is a well-respected security certification.
We get a lot of favorable feedback on this book: CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide.
Thanks for your reply. Is it the right decision to go for the CISSP certificate given my experience? I was handling security firewalls in my environment, so is it OK to take the CISSP certificate and change my track?
I need your suggestion on this.
Thanks and regards,
Check out this blog post:
Recommended Certification Path
Darril, CompTIA just released a new cert called CSA+ that is supposed to be a stepping stone from Security+ to CASP. I assume it may be comparable to SSCP? They will release the new book April 24th, which I just pre-ordered at a discount on Amazon.
However, you may be able to get a preview copy of it to evaluate. I’m leaning towards the SSCP since it’s the industry standard, but am curious about CSA+.
I wrote a little about the CSA+ beta exam here.
People sometimes ask me if I’m doing a book on CSA+ and I answer it in the FAQ here.
Do you have a book on CSA+?
At the moment, the SSCP is more widely recognized and accepted.
Hope all is well. What is your opinion on the following order? I am intending to take the CASP after the SSCP and then the CISSP.
After reading your post on the CFR exam, I am somewhat interested in that as well. Please share your insight on the order below and whether CFR could be handy after the SSCP or before it. It’s not set in stone, so I am open to your suggestion.
Thank you for writing an excellent book on SEC+.
Network+ –> done long ago
Security+ –> done last year
SSCP –> in a month
CASP –> After SSCP
CEH –> early next year.
CISSP –> early next year
That path works.
I encourage you to check out this post.
Thanks for your link. The reason I brought this up was due to my existing work experience as a vulnerability assessment guy at my current job. I am just not quite sure if the CyberSec First Responder would make sense to add to my list of skill sets or whether GIAC Certified Incident Handler would be a better choice.
With about 12+ years of IT work experience, including 6+ years of work experience related to intermediate-level IT security, I was wondering if adding CEH and CFR would make sense, or any other skill sets.
Thank you, Fahim
> Network+ –> done long ago
> Security+ –> done last year
> SSCP –> in a month
> CASP –> After SSCP
> CEH –> early next year.
> CISSP –> early next year
You’re working on the SSCP now and plan to take the CASP next, considering that you took the Network+ long ago and the Security+ last year.
And, you’re asking about what you should take after these next two certs.
I recommend you focus on the certification you are currently working on.
While studying the current certification, you are likely to learn more about what you enjoy and create some clear goals about what you want to do.
Congratulations Kate. You’re absolutely correct. Pass CASP and it renews A+, Net+, and Sec+. It’s an easy way to renew them all.
Thanks for the kind words. A CASP book may be in my future, but not soon. I have written some practice test questions for it.
Good luck with the CISSP. Not sure if you’ve picked up a book yet, but we’re getting a lot of favorable comments about the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide.
Just sat and passed CASP on July 22nd. I needed CASP or CISSP for a DoD contractor job. Went with CASP because it’s a shorter test. I hold the Sec+, CEH, and CASP certs. Difficulty-wise, CEH is Sec++ and CASP is Sec+++.
If you pass CASP and hold A+, Sec+, and (I think) Net+, CompTIA will renew the other certs automatically (no continuing ed fees required). That’s a nice little perk for CASP that people may not consider.
I loved your Sec+ book for SY0-301 and I recommend your Sec+ book to everyone I know. Please get cracking on writing a CASP book. Neither one of the two leading CASP-02 books is that great. I also wish you would write a CHFI book because I’ll have to sit that exam for a WGU class.
Rather than lose my certification momentum, I’m sitting CISSP in October. I wrote this comment to plead for a high quality, readable CASP prep book and to add some recent CASP insight.
First, I would like to echo another poster and say that I used your Security+ guide to pass my Security+ certification; it was a great help! I enjoyed the style and presentation of the layout and found it to be enjoyable to study.
Second, as this thread was started quite a while ago, I wanted to ask if you still thought that the path you laid out was still the best path to the CISSP? Also, is your book for the SSCP that you have linked still current with the exam? Can it be studied as the sole source for the exam like your Security+ guide was for that exam? If not, what other study materials would you recommend?
Thank you for your help!
Congratulations on the pass.
> I wanted to ask if you still thought that the path you laid out was
> still the best path to the CISSP?
Yes. Many people are still using this path (Sec+, SSCP, CISSP) successfully. I also hear from people that jump straight to the CISSP, but with mixed results.
I’m hesitant to recommend any single book as a single source for an (ISC)2 exam. I’d recommend you use Google for anything that isn’t clear.
Hey, can I pursue the CISSP without any job experience?
Pursue it, yes. Get it, no. Check out this URL.
I am an active duty service member (army). I have been in the army for over two years and my work has consisted of managing Cisco and Brocade Routers and switches (which has security involved all over it). By the time I leave the military, I will have 5+ years of experience in this field. I already have SEC+ and I am planning on taking Net+ soon.
I want to get an IT Security/Network Administrator job when I get out. Taking into consideration that I have free access to any IT related certification (including CISSP) and its respective training, which certifications do you recommend me to get in order to be above the rest when I get out onto the job marketplace.
> I already have SEC+ and I am planning on taking Net+ soon.
Congrats on the Security+. While taking the Network+ might appear to be going backwards, you will gain valuable knowledge in the process.
> I want to get an IT Security/Network Administrator job when I get out.
> …which certifications do you recommend me to get in order to be above the rest when I get out onto the job marketplace.
If you want to stand out, build a solid foundation of certifications in topics that interest you. Many people wait until they have six months until they’ll get out and try to rush to get certs. If you get just one new cert every 6 months or even once a year, you’ll be ahead of them.
These blog posts might help.
Recommended Certification Path
IT Certification Path for Network Administrators
Just Lean Into It
Also, with your experience, you might like to consider the CCNA or CCNP.
I’ve been in the IT field for a few years now (about 13) and I’m planning on taking CASP. I’ve been told that I can get additional certifications simply by passing this exam. Is this true? If it is, what are the steps I need to take?
I’ve passed SEC+ many times over and now I’m looking to expand my knowledge vice just taking the SEC+ exam over and over again.
> I’ve been told that I can get additional certifications simply by passing this exam. Is this true?
No. Passing the CASP does not give you additional certifications.
However, passing the CASP does automatically renew lower level certifications (such as Security+) without the need to do the CEUs.
I was told it can give you Linux+ and others but only if you submit for them. They aren’t automatically given to you. I’ll keep looking online because I know I saw it as well, with a full explanation how to get them. I was hoping you would know. I’ll be sure to post it if I find it again.
Thank you for taking the time to write this and answer so many people individually. I have one question for you: Considering that I don’t possess IT security knowledge, but have worked as both a software developer and BI developer for over 12 years, how long will it take an average person such as myself to pass the CISSP without the above listed certs? I plan to set aside about 4-5 months of full-time study for it; do you think that should suffice?
> I plan to set about 4-5 months of full time study to it, do you think it should suffice?
Yes. People with less experience than you have gotten the CISSP within 4-5 months. Your software and database experience are sure to help you.
Recently, one person told me that he did the Security+ first (completing it within 30 days) and then moved onto the CISSP and finished it after another 70 days. He stressed that the Security+ knowledge built a solid foundation for him. He said that it was relatively easy for him to grasp the Security+ concepts, and then add a little when he moved into the CISSP. He also mentioned that the “win” after getting the Security+ gave him some positive feedback before he took on the CISSP exam.
In contrast, I have heard from people that have gone to the CISSP only, but failed it the first time they took it. Afterwards, it took them a long time to “get back on the horse” and try it again.
Good luck whatever path you take though. It is definitely achievable within 4-5 months of full time study.
What do you consider full time study? I have always been dreadful when it comes to time management but I am sure if I approach it like I did in school along with asking my wife to get on my case about it if she sees me slacking that I can knock these out.
The better question is what do you consider full time study?
Words have power. With that in mind, you might like to change the words you’re using. Otherwise, you might find them constantly echoing in your self-talk.
Instead of “I have always been dreadful when it comes to time management”
“Up until now, I haven’t been the best with time management.”
“I’m sure that if I give this some effort, I can figure out the best way to manage my time.”
“I was great with time management in school and I can be just as good or better while pursuing this certification.”
I am taking the CISA exam this December and planning on studying for the CISSP soon after. Will it be necessary for me to write Security+? I’ve already attained the CCNA Security and ITIL certifications.
> Will it be necessary for me to write Security+?
Other than experience requirements, there aren’t any prerequisites for the CISSP exam.
I’m not close to the CISA cert so can’t speak to it. Similarly, I’m not close to the CCNA Security cert but do think it would help you with the networking part of the CISSP.
I do know that many people that attempt the CISSP exam without an adequate foundation of knowledge end up with an opportunity to take the exam more than once. Successfully passing the Security+ exam does help build a good foundation.
Hope this helps.
Thank you. I have 3 years of experience in IT security and one as an IT auditor. So from your own point of view, do you think Security+ will be necessary, or can I just get into the CISSP?
Security+ is not “necessary.” Having the Security+ knowledge is recommended.
Based on your level of uncertainty, I’d say get it. You’ll create a solid foundation of overall security and you’ll also have an intermediate victory.
In contrast, some people pursue the CISSP first and fail it due to the overwhelming amount of material it covers. They then get discouraged and never pursue it again.
Earlier this year, my company notified me they were closing the office, leaving me back in the job market.
I got my Network+, Security+, VMware DCV, ITIL Foundations, and CISSP all in a 5 month period.
The CISSP was what got me my current job as system administrator with the US Navy in the Seattle/Tacoma area.
Even with over 15 years of experience as a sys admin and all the certs, most of my resumes were ignored. It’s a very different game here than it was 15 years ago when I was hired as a sys admin with Expedia. Also, at the age of 59, most people I work with are younger. My advice: before you study for a cert, go to Indeed.com, careerbuilder.com, monster.com. See what certs they are looking for. I didn’t see anyone here looking for SSCP or CASP.
Government jobs really like certs. They are paying for my MCSE now and after that certs with Nessus vulnerability scanner.
And forget what the articles say about how much pay you will get. It’s not going to be that much, but take the job and start getting experience, and don’t stop taking that next cert exam.
Congrats on landing the system administrator job with the Navy.
Everyone isn’t able to get the five certs you achieved in five months.
That said, the SSCP is often a good stepping stone to the CISSP exam.
Also, while the CASP has been a slow starter, it is being recognized by many hiring managers as an alternative to the CISSP. This includes many DoD jobs.
Of course the easiest course of action is to just get the cert that your next employer wants. Unfortunately, you rarely know what that cert is until after you get the job.
Good advice on checking the job boards and continuing to pursue the next cert. As long as you’re working for someone else, there simply aren’t any guarantees about tomorrow.
No question here; rather a thank you. I used your book to self-study for Sec+ and passed. I learned a ton, and I like the way you set up the materials in the book. I’ve got your SSCP book now and need to stop procrastinating and get going on it, but just wanted to say thanks again as I attribute a large portion of my passing to your excellent study material.
Keep up the good work.
Thanks Brad. Congratulations on the pass – it’s not an easy test to pass, but I’m very happy to hear you say that the book helped you.
Good luck with your next adventure.
After getting my Security+ certification (with the help of your material), I plan on studying for the SSCP certification or the Certified Authorization Professional (CAP) certification. What is your opinion of the CAP and how does it compare to the SSCP? Thank you for your advice!
Congrats on the Security+ pass. Sorry, but I don’t have much knowledge about the CAP so can’t give you any advice there. Good luck whichever path you take.
> is if I have work experience in IT support and want to change to security is that possible?
> Don’t I need experience in addition to certs?
That is best, but everyone starts somewhere.
> In the country I am living it’s hard to get a job in an area I don’t have experience in.
It can be the same in any country. I recommend you look for reasons why you can succeed rather than reasons why you can’t. Set a goal and pursue it. Good luck.
I am planning to go through the recommended path, but my question is, if I have work experience in IT support and want to change to security, is that possible? Don’t I need experience in addition to certs? In the country I am living it’s hard to get a job in an area I don’t have experience in. Please advise.
I am looking at changing career paths to IT Security and I wanted to ask you a few questions
1) What is the IT Security job market like? Is it a good idea to get into the IT Security industry? I ask because I am looking for a career path that will provide me a 6 figure plus salary.
2) What are the salary ranges in 2015? And are 6 figure salaries common for security experts who are certified? I ask this because when I was a Network Specialist in 2001, making $70,000 a year was common; now the market is saturated.
3) I understand the training path of
Any recommendations how to properly prepare to pass these certifications?
Thank you Darril
Check out this 2015 IT Salary Survey, which shows some good trends.
Here’s a cut and paste from part of it:
I hear from people almost daily that have passed the Security+ exam using the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide to self-study and pass the Security+ certification, typically within a month. Many people supplement their studies with online materials here.
Additionally, I often hear from people that pass the SSCP exam quickly afterward using the SSCP Systems Security Certified Practitioner Exam Guide: All-In-One as a self-study source. The objectives have changed but I’m finding that they aren’t significantly different.
CISSP is more complex and covers a wide range of topics. People typically use multiple books to study. Here’s one: CISSP: Certified Information Systems Security Professional Study Guide
Hope this helps.
I have 8 years of enterprise application development and maintenance experience and I wish to turn my IT career towards security, as it provides unique job opportunities and better salary, and I don’t have previous experience in IT security. When I was looking for security certifications I found the CSSLP, which is oriented toward secure programming, for which I have past experience. My question is, is it the correct path to follow from app development to the security domain through the CSSLP? Is it worth taking the CSSLP certification? What will be my next path after getting the CSSLP to progress in IT security?
Hi Raj. Sorry, but I don’t have any experience with the CSSLP so I don’t have any advice. I do know that Security+ provides a solid foundation for all of the security certifications. Good luck no matter what path you take.
If you have no experience can you still work your way up to CISSP? I’m just a bit confused as to the requirements, I saw on one website that you need 5+ years experience in two of ten fields to acquire CISSP.
Also, what can you tell me of CEH? I’ve heard that is good as well. If I went with CEH, where along the path should I take it? Or is it something that I need not take? There are so many certificates that I am lost on what exact path I should take.
> Also what can you tell me of CEH?
I’m not close to that cert and have not seen it as a highly valuable cert. I’m not saying it isn’t valuable. Instead, I haven’t seen it highly valued by others.
> If you have no experience can you still work your way up to CISSP?
Absolutely. Everyone starts without any experience but work their way up to where they are now.
> I saw on one website that you need 5+ years experience in two of ten fields to acquire CISSP.
Yes. If you don’t have the experience though, you can still take and pass the CISSP exam and earn an Associate of CISSP certification. Check out this page: https://www.isc2.org/how-to-become-an-associate.aspx
I’m a senior J2EE web engineer, looking forward to making a turn in my career path toward information security. The question is: is it necessary in my case to pass Network+ prior to Security+?
On the other hand, as the SSCP has a lot of overlap with Security+, shouldn’t one consider other options?
> is it necessary in my case to pass Network+ prior to Security+?
No. However, having the Network+ knowledge will help you pass the Security+.
> On the other hand, as the SSCP has a lot of overlap with Security+, shouldn’t one consider other options?
While the Security+ and SSCP overlap, the SSCP builds on the Security knowledge so it is a logical path. Similarly, the SSCP and CISSP overlap, but the SSCP gives you a solid foundation and the CISSP builds on that knowledge.
That said, you could take a completely different path of CCNA, CCNP, and CCIE Security.
However, many people don’t know what they enjoy or what they ultimately want to end up with. A path of Network+, Security+, SSCP, and CISSP helps them learn the basics and build on it to get some advanced security knowledge, get some certs that will make them more marketable, and in the process, learn what they enjoy. They can consider an alternate path later, but the knowledge they gain in the process will help them in the long run.
I’m reading the Alchemist this week and love this line: “And, when you want something, all the universe conspires in helping you achieve it.”
That said, if you want to turn your career towards information security, focus on what you can learn to take in that path. Your path to get there might be different than a path someone else might take, but that’s OK. It’s your path.
Is this post still relevant for 2014… I’m looking to follow the recommendations you have posted.
Yes Patrick. This is still a good path.
Quick question: if I go for the SSCP immediately after taking my Security+, do they still need me to have a year of experience before I can become an SSCP, or can I use my Sec+ as 1 year of experience?
The CIB says, “A candidate is required to have a minimum of one year of cumulative work experience in one or more of the seven domains of the (ISC)2 SSCP CBK®.”
You can get the CIB here: https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Exam_Outlines/SSCP-CIB.pdf
You can still take and pass the SSCP exam while you’re building experience. You’ll be an associate until you gain the experience.
I did CASP as the predecessor to CISSP and found that to be a great stepping stone. Great test. It was refreshing to not see all multiple choice questions.