Navigating cybersecurity certifications can be daunting, especially with the many options available. Paul Jerimy's Cybersecurity Certification Roadmap offers a comprehensive guide, but it can also be overwhelming for those just starting out.
Note: It's been 1.5 years since Paul Jerimy's Cybersecurity Certification Roadmap was updated. New certifications have been released during this time, and some existing ones have undergone significant changes. Jerimy's roadmap is still useful, but it loses relevance as the field evolves.
This article ranks the top four certifications that beginners should consider pursuing first. These certifications are not meant to be collected like trophies; they are designed to provide foundational knowledge and skills. It's crucial to understand that you don't need all of these certifications. Instead, consider it a "choose your own adventure" approach: picking certification A might mean you can skip certification B.
Aim for no more than two or three certifications from this list to maximize your learning and career prospects. Some of these certifications cover similar areas, and redundancy won't necessarily make you more attractive to employers.
I'll outline a suggested certification roadmap at the end of this article. Remember that while certifications are important, they are just one part of what you need to land a job in cybersecurity. Practical experience, continuous learning, and other qualifications are equally vital.
Summary
4. ISC2 Certified in Cybersecurity (CC):
Pros: Easy entry, almost free, ISC2 membership, explore cybersecurity.
Cons: Not widely respected, easiest on the list.
Recommended for: Unsure about cybersecurity, non-cybersecurity professionals, need ISC2 membership.
Not recommended for: Confident in cybersecurity path, have ISC2 endorsements.
3. CompTIA A+:
Pros: IT fundamentals, stepping stone to other certifications, widely recognized.
Cons: Diminished value, not impressive to employers.
Recommended for: Lack basic IT skills, want to start with CompTIA.
Not recommended for: Have IT experience or training.
2. CompTIA Network+:
Pros: Essential for networking knowledge, crucial for cybersecurity.
Cons: Redundant if already knowledgeable in networking.
Recommended for: Lack of networking skills.
Not recommended for: Already understand networking.
1. CompTIA Security+:
Pros: Most in-demand starter certification, IAT Level II DoD designation, foundational cybersecurity knowledge.
Cons: Challenging as a first certification, won't land a job alone.
Recommended for: Serious about a full-time cybersecurity career.
Not recommended for: Not fully committed to cybersecurity.
Kyser's Cybersecurity Roadmap:
Steps: Skip/obtain A+, earn Network+, earn Security+, specialize (PenTest+ or CySA+), choose your own adventure.
Note: CC not included in the roadmap for long-term cybersecurity commitment.
Reality Check:
Completing the roadmap alone won't secure a job.
For Penetration Testers: TryHackMe, PJPT, OSCP, Hack The Box.
For Blue Teamers: TryHackMe, OSDA or HTB CDSA, HTB Sherlocks.
Additional Skills: Learn Linux and Python.
4. ISC2 Certified in Cybersecurity (CC)
Full disclosure: I don't hold the ISC2 Certified in Cybersecurity (CC) myself. However, I've spoken with several professionals who do, and I hold another ISC2 certification (CISSP), giving me insight into its value and impact on your career.
The CC is relatively new, so it isn't commonly listed in job postings yet, and many seasoned professionals don't regard it highly. Frankly, I share that sentiment to some extent. The CC is arguably the easiest and least comprehensive certification on this list.
So why include the CC on this list?
Here are the reasons:
Low Barrier to Entry: The CC is accessible and can quickly make you more knowledgeable in cybersecurity than the average person.
(Almost) Free: You can get the necessary training and exam voucher for free (as of this writing). The only cost is the $50 annual maintenance fee, payable only after you pass the exam.
ISC2 Membership: Achieving the CC grants you an ISC2 membership, which is a significant perk. Normally, membership requires endorsement by another member or a rigorous approval process. With the CC, you bypass this, which is beneficial if you plan to pursue more advanced ISC2 certifications like the CISSP.
Test the Waters: The CC allows you to explore the field of cybersecurity with minimal investment of time and resources, helping you decide if this is the right career path for you.
Consider the CC if:
You're unsure if a cybersecurity career is right for you.
Your primary career isn't in cybersecurity, but you want to gain basic knowledge and certification quickly and affordably.
You plan to stay in cybersecurity long-term and foresee challenges in finding an ISC2 endorsement for future certifications.
You prefer to take incremental steps toward more advanced certifications.
Skip the CC if:
You're confident in your cybersecurity career path and can tackle the more challenging certifications on this list.
You have access to someone who can endorse you for ISC2 membership, or you're comfortable undergoing the ISC2 approval process for future certifications.
3. CompTIA A+
Full disclosure: I don't hold the CompTIA A+ myself. However, I've spoken with several professionals who do, and I hold six other CompTIA certifications, which gives me insight into its value and impact on your career.
The A+ certification has been the go-to starter certification for IT professionals for decades. While cybersecurity and IT aren't the same, cybersecurity is a subset of IT. Understanding how technology works and interconnects is crucial before you can effectively secure it. Therefore, learning IT fundamentals early in your cybersecurity career is essential if you don't already work in IT. The A+ certification is an excellent way to acquire these fundamentals.
However, the value of the A+ has significantly diminished in recent years. Its widespread popularity means that employers no longer hold it in high regard. The certification has become somewhat inflated, so don't expect it to impress employers much.
So why include the A+ on this list?
Here are the reasons:
Great Starter Certification: The A+ is a solid way to learn and prove your understanding of IT fundamentals.
Stepping Stone to Better Certifications: It serves as an introduction to CompTIA certifications, making your journey to more advanced certifications smoother since you'll have a strong foundation.
Widely Recognized: Although it might not impress employers, the A+ is widely known. It demonstrates that you have a grasp of basic IT fundamentals.
Consider the A+ if:
You lack basic IT skills and knowledge.
You want to take gradual steps toward CompTIA certifications.
Skip the A+ if:
You already know how to build a computer and have taken a formal IT fundamentals course.
You are currently working in IT.
2. CompTIA Network+
As mentioned earlier, understanding how technology works and interconnects is essential before you can effectively secure it. Computer networking is the foundation of how computers communicate. It involves understanding how data is transmitted from point A to point B to point C. A strong background in networking is invaluable in a cybersecurity career. Many cybersecurity professionals overlook networking fundamentals, so a solid grasp of these concepts can set you apart.
Consider Network+ if:
You Lack Networking Skills: If you don't understand concepts like routing and switching, ARP, subnetting, TCP/IP, the OSI Model, frames, packets, and data encapsulation, then pursuing the Network+ is a wise choice.
Skip Network+ if:
You Have a Strong Understanding of Networking: If you already have a solid grasp of networking fundamentals, you might want to focus on more advanced certifications. Note: Just because you hold a "higher level" CompTIA certification doesn't mean you understand how networks work. The Network+ is unique among CompTIA certifications. Even though it's lower on the certification pyramid, skipping it could leave you without essential networking knowledge. I highly recommend that you have a solid understanding of networking fundamentals before moving on to more advanced topics.
Figure 1: CompTIA Certification Pyramid (Source: CompTIA)
1. CompTIA Security+
The CompTIA Security+ is currently the most in-demand "starter" certification in the cybersecurity market. It's widely recognized and holds the IAT Level II designation in the Department of Defense (DoD) 8570 directive, making it mandatory for many federal IT and cybersecurity jobs.
CompTIA recommends obtaining the CompTIA Network+ and having two years of experience in a security or systems administrator role before pursuing Security+. However, in my experience, Security+ can be your first certification. It was my first certification and the first for many of my cyber defense operations peers in the U.S. Air Force.
That said, Security+ as a first certification is challenging. With discipline and focus, anyone can achieve it without prior experience. I've seen many people succeed, but I've also seen just as many struggle and fail. For this reason, I recommend getting Network+ before Security+. However, pursuing Security+ first and Network+ second is also a viable option.
Consider the Security+ if:
You're Serious About Cybersecurity: If you're committed to a full-time career in cybersecurity, Security+ is an essential certification.
Skip Security+ if:
You're Not Fully Committed: If you're not serious about a full-time cybersecurity career, starting with a less demanding certification might be best. The fundamentals learned in Security+ are crucial and will be valuable throughout your career.
Note: While Security+ is the best starter certification available, it won't land you a job on its own, despite past perceptions. It used to be a door opener in cybersecurity, but that's no longer the case.
Kyser's Cybersecurity Roadmap
Let's assume you are my mentee, seeking my genuine advice on breaking into cybersecurity. Here’s the roadmap I would recommend:
1. IT Fundamentals:
Skip A+ if you already possess IT fundamental skills.
Obtain A+ if you lack IT fundamental skills.
2. Earn Network+: This certification will build your networking knowledge, a crucial foundation for any cybersecurity career.
3. Earn Security+: This widely recognized certification covers essential cybersecurity concepts and will significantly bolster your resume.
4. Specialize:
Earn CompTIA PenTest+ if you're interested in offensive security (ethical hacking or red teaming).
Earn CompTIA Cybersecurity Analyst (CySA+) if you're drawn to defensive security (blue teaming).
5. Choose Your Own Adventure: By this stage, you'll have a clearer understanding of your career goals and can decide your next steps based on your interests and aspirations.
Figure 2: Kyser Clark's Starter Certification Roadmap 2024
Notice: I didn’t include the ISC2 Certified in Cybersecurity (CC) on my roadmap. While I believe it’s a certification that can be skipped if you're committed to a long-term cybersecurity career, it made my list in this article for the reasons mentioned earlier.
Furthermore, I don't recommend PenTest+ or CySA+ as a first certification, which is why they didn't make my list of top 4 beginner cybersecurity certifications. You should only seek PenTest+ or CySA+ after you obtain Security+.
Reality Check
Completing my roadmap alone is unlikely to land you a job in cybersecurity. Step 5 of my roadmap encompasses multiple steps depending on your chosen path.
For Aspiring Penetration Testers:
TryHackMe: Sign up and complete all the offensive security learning paths.
Certifications:
Obtain the TCM Security Practical Junior Penetration Tester (PJPT).
Pursue the OffSec Certified Professional (OSCP).
Practical Experience: Become an active participant on Hack The Box.
For Aspiring Blue Teamers:
TryHackMe: Complete all the defensive security learning paths.
Certifications: Pursue the OffSec Defense Analyst (OSDA) or the Hack The Box Certified Defensive Security Analyst (CDSA).
Practical Experience: Become an active participant in HTB Sherlocks.
Job Applications: These steps will make you a strong candidate for defensive security positions.
Additional Skills:
Linux: Develop a strong understanding of Linux.
Programming: Learn Python as your first programming language.
Breaking into this field requires a broad set of skills and knowledge. Be prepared for the long haul of late-night studying and continuous learning.
Recommended Reading:
For more on becoming a penetration tester, read my article: From SysAdmin to Penetration Tester: My Path to SkillBridge Internship.
For insights on becoming a cybersecurity engineer, check out: How to become a cybersecurity engineer: ultimate career guide.
For job searching advice applicable to all cybersecurity roles, read: How To Break Into Cybersecurity in 2024.
For beginner-friendly resources, see: How to Get Into Cybersecurity (and Other IT Fields) With No Experience.