WHICH CERTIFICATION ROADMAP OR PATH SHOULD I USE?
About this episode
In this episode of Your Cyber Path, Kip and Jason discuss the world of cybersecurity certifications and how you can determine the proper path for you to follow. We bust the myth that the Security Certification Roadmap by Paul Jerimy is a roadmap you should follow from left to right: it isn’t!
A certification roadmap or pathway should be something that allows you to outline the skills and certifications you will need in your career for the next few years. A roadmap gives you a plan to follow and allows you to not try and “collect them all” when it comes to certifications. After all, certifications are expensive, and you don’t need to collect them like Pokémon cards.
Jason personally prefers the CompTIA Certs Roadmap, which presents the roadmap based on 5 different jobs within cybersecurity. This will allow you to pick a position, such as cybersecurity analyst, and then it will outline which certifications you should take. Note, this isn’t just CompTIA certifications, but they also include competitor certifications that are applicable to the career and positions you are working towards. Remember, when it comes to certifications, you don’t need 20 or 30 of them to be competitive, but instead you need 3-5 key certifications based on the job role you are trying to fulfill in the marketplace. For example, if you want to be a cybersecurity analyst, you should only have a handful of certifications, such as CompTIA Network+ or CCNA, CompTIA Security+, CompTIA Cybersecurity Analyst+, and ITIL 4 Foundation. With these 4-5 certifications, you would be well qualified to join a Security Operations Center as a cybersecurity analyst. By having these certifications under your belt, you will have a better chance of getting through the HR job filtering process, landing an interview, and then impressing the hiring manager with your knowledge and skills. In addition to all of that, you will be much better prepared to do value added work in a large SOC on day 1, too, because you have the foundational knowledge needed to succeed!
What you’ll learn
- How to determine which certifications you should earn
- How to create a roadmap for your future career
- Where to find data on which certifications employers are asking for
- How to use certification roadmaps
Relevant websites for this episode
- CompTIA IT Certification Roadmap
- Paul Jerimy’s Security Certification Progression Chart
Other Relevant Episodes
Hi, welcome to Your Cyber Path. I’m Kip Boyle and I’m here with Jason Dion. Hey, Jason.
Hey, Kip. Nice to see you again. How have things been going for you? I know you’ve been busy recently.
It’s going really well. Thanks a lot. I want to tell a quick story about something really cool that happened. This is a business-oriented story, but I own my own business just like you do, and so I can’t help it when my business does something really cool, I’m a proud dad because I spend so much time nurturing my business. Anyway, you and I did the Implementing the NIST Cybersecurity Framework, which is available on Udemy, and I think that course launched late February, didn’t it? I think.
Right. And so we are recording this in mid-June. Well, one of our learners from a big tech company reached out to me and said, “Hey, we’re going to implement a cyber resilience program, and I just watched your course with Jason and we need your help because we don’t know really what we’re doing. And so how could you help us?”
Anyway, so we started having a really productive conversation. Actually, we’re still talking and kind of outlining and forming up what it would look like for cyber risk opportunities to help this tech company become more cyber resilient. And I’m just tickled because it’s nice to get a new customer. It’s good to close business. I’m all about that. I think it’s cool. Really though, what’s tickling me is when we built our course, we’ve tried to make it very practical, right?
We wanted like people to really come away from that experience saying, “Wow, this is how you use it.” And with all these examples and everything. Now I’m looking forward to an opportunity to take all of that and actually apply it in a situation and actually move the needle for a customer. To me, that is just so fun. That is just so fun. I want to thank you, Jason, for collaborating with me to make that course, because I don’t know that I would’ve been able to do it on my own. So, thank you.
Yeah. I mean, I was happy to do that course. It’s one that I’ve been wanting to do for a long time, the NIST Cybersecurity Framework, and we’ve spent an entire episode on that in this show. It’s just something that’s so important for us as cybersecurity professionals. And when we built that course, I love the way that we outlined it and we built the course so that it was extremely practical.
People that have taken a lot of my courses know that I’m very much focused on certifications in general. And so that’s what we’re going to be talking today about is certification. So, it’s really up my area, but in this case we did a course that was not tied to a certification, but we wanted to make sure that it was extremely hands-on and practical. Whereas a lot of times when you’re doing a certification course, it’s a lot of theory. It’s a lot of, “Oh, in a perfect environment, it may be this way.”
But this course that we did, we did it to be, you could hit the ground running. And in fact, at the end of the course, we have a bonus lesson that comes with your particular guide, that’s this big Google spreadsheet essentially, that-
It automates everything.
[inaudible] in your organization and build out your NIST cybersecurity roadmap of what you’re going to do. So, I love that course. I think it’s awesome. And if you are listening to this podcast and haven’t taken it yet, you totally should. You can find that over… just go to DionTraining.com/Udemy, and you’ll see it listed on our Udemy page with our discount code already embedded. So, when you click on that link, it goes through and you get the lowest price on the course instead of paying whatever the full retail is. I totally recommend it, and we’d love to have you in the course. Anyway, that’s my pitch for the NIST Cybersecurity Framework course. I know that’s totally not why you brought it up, Kip, but I’m going to take the opportunity.
Yeah, no. Mostly I just want to say I think that you and I, we love to bring what works to our students. And so I’m going to be able to take what I learned from this new opportunity, if we’re successful in negotiating it. And maybe when we refresh that course, I’ll be able to put that information in an anonymized way, but be able to put that in there. That’s one of the things I really enjoy about teaching is to be able to help people really solve problems.
But back to what you said a moment ago, Jason, that you do a lot of certification training. So, I actually thought this would be a great opportunity for us to pick up a topic that I’ve noticed recently, and I think there’s a little myth busting that we need to do. This is episode 76 and it’s, “Which certification roadmap or path should I use?” And the reason why this is coming up, and I know I’ve told Jason this in our show prep, but I’m going to just quickly give a thumbnail sketch.
There is a certification so-called Roadmap out there right now floating around on the internet. I’ve seen it on Reddit. I’ve seen it all over the place. And the current version it’s… on the upper left hand corner it says, “Security certification progression chart, 7.0.” And it’s made and published by a really smart guy named Paul Jerimy. And he’s got 356 certifications in this very beautifully laid out, very colorful chart.
And I have heard people look at this and start to plan their future certifications based on the way that this chart is laid out, which I think is a terrible idea because you would never say to yourself, “Well, I think I’m going to read up a little bit on technology so that I’ll be better on the job. I know, I’ll go get Wikipedia and I’ll pull up the first page of Wikipedia and I’ll start reading, and then I’ll click up the next page in Wikipedia on technology and I’ll read that.”
And it’s kind of the same thing here, because I don’t think Paul Jerimy intended for this to really be a guide for you to plan your career in terms of which certifications you should get. I know it kind of looks like that, but I think it would be a mistake if somebody used it for that. There’s so many better examples. There’s so many more useful roadmaps out there that you really should be looking at. Anyway, having said that, Jason, have you heard anybody sort of mistake Paul Jerimy’s diagram for career advice?
Yeah. For those listening, if you go to YourCyberPath.com/76, which is the number of this episode, you’ll be able to pull up this security certification progress chart. And as Kip said, the latest version on the PNG or image file is 7.0, which came out in October of 2020. There’s actually a more recent version on Paul’s website, on PaulJerimy.com, that is from April of ’22, and there’s over 430 or 440 certifications on his chart. If you look at this, what he’s done is he’s basically broken things down into different categories that align to the (ISC)2 CBK for the security domains.
Now, what does that mean? That’s a whole lot of letters I just threw out there. Well, (ISC)2 is the people who run the CISSP or Certified Information System Security Practitioner certification, which everybody knows is kind of the granddaddy of certifications when it comes to it cybersecurity. They also have a couple of other ones, but really that’s the one they’re known for.
And so what he’s done is he’s gone in there and he said, “Okay, here are the different domains that we cover inside of CISSP. We cover communication and network security. We cover IAM or Identity and Access Management, excuse me. We have security architecture and engineering. We have asset security, we have security and risk management. We have assessment and testing. We have software development and security, and then we have security operations.” So, these are the different categories that the CISSP exam tests people on.
And so what he did was he made a column for each of these, and then he started putting all the different certs and where they belong in each of these categories. As Kip said, this isn’t a progression in your career, but really it’s what fits into each of these areas based on what CISSP is looking at.
For example, if I wanted to look at something like Security+, which everyone should get as a baseline in cyber security, that only covers a couple of these domains, namely it touches asset security, security and risk management, assessment and testing, software development and security, and a little bit of security operations, but it doesn’t talk at all about security architecture and engineering, IAM, or communications and network security, according to Paul’s chart.
Now, I will tell you, I don’t think that’s right, because there is IAM covered in Security+, there is network security covered in Security+, and things like that. Again, you can’t take this with… You got to take it with a grain of salt. You can’t say this is the gospel truth because it’s not. And when you see that block for Security+, you see it stretches across four of those domains, but not all seven.
If you look at CISSP, it crosses all seven. If you look at some other certs like, I don’t know, let’s pick one off of here- [inaudible].
CASP+, that’s another good one. So, CASP+ covers pretty much everything that CISSP does. So, it covers all seven, right? But if you go and look at something like ITIL Foundation, that’s really focused on IT operations. And so they put that under asset security because of configuration management and security and risk management. And they covered those two areas.
I don’t think that’s necessarily where it belongs either, but that’s why we brought up this security certification progress chart, because a lot of people are seeing it and going, “I need to go collect all the dots on this map.” And you don’t, that is not the purpose of this map. He’s just [inaudible].
We’re not throwing Jerimy under the bus either. We’re not saying that he made this deliberately trying to fool anybody. He didn’t. If you go read his website, he never tells you that you should use this for planning your career, right, Jason?
Right, but that’s what people are using it for. And that’s the problem, right?
If you go to his website, all of these in the website version are clickable. And so if I go down and say, “Oh, I’m interested in Security+. Let me learn more about that.” And I click on it. It takes you over to CompTIA.org to their Security+ page. If I click on ITIL Foundation, it takes you to EXIN’s website, which does ITIL Foundation. And so that’s what his purpose was. It was basically, “Here is a list of every certification I can find that relates to the seven or eight domains that CISSP has.” I say seven or eight, because depending on the version, there was anywhere between six and eight domains because they keep adding and subtracting some. I think as of this version, there was seven. And he put those little blocks on there so you could click on them and it would take you there and you could learn more about it.
Now, if you’re going to pick a certification roadmap or a pathway, I personally much prefer the CompTIA one. I think they do a really, really good job here of trying to show you how things line up for particular job functions. And so if you want to check this out, it’s also in our show notes at YourCyberPath.com/76, or you can go to CompTIA directly. And on their website, they have it at CompTIA.org… I just had this up and now I am talking and not… Okay. There we go. CompTIA.org/certroadmap. Yeah, CompTIA.org/certroadmap. And this is an interactive one.
And when you get there, they’re going to bring up five typical positions that people are interested in. This includes IT support specialists, IT networking specialists, cybersecurity specialists, software and web developers, or data specialists. And when you click on one of those, for instance cybersecurity specialists, it will tell you some information about that such as the median salary, the number of jobs available, the expected job growth. And if you click on learn more, it will actually bring up a path of what is beginner, intermediate, and advanced and what you should be looking at, at each level. Similar to some of the things we’ve talked about previously when we talked about Cyberseek.org, because CompTIA is a lead partner in Cyberseek.org.
What I really like about this is when you go down to the bottom, they simplify this big, crazy chart into a single line and says, “Here are the certifications we recommend you get based on this position.” And so for instance, if you look at the big CompTIA roadmap chart that I have in our show notes for you, you will see there’s probably about 100 certifications on here. They include CompTIA certifications, which are in bold or red because obviously they’re promoting their own stuff. But in addition to that, they have the equivalent certifications from other providers, too.
For example, if I’m looking at the information security path, and I look at something like CASP+, which is under the expert level, when you’re at the expert level, you can see that also is the same equivalent as CISSP or OSCE or other certifications like that. And so this is how they break it up, where they break it into columns of beginner or novice, where you start out, intermediate, advanced, and then expert. And as you progress from left to right, going across this career path, you’re going to pick different certifications in those areas that are going to align to your goal or that job that you’re working towards.
And so, for instance, if you are somebody who’s going to be working in information security, you should start out with kind of the trifecta, which we tell you guys all the time, right? A+, Network+, Security+. And that takes you through beginner and into intermediate. Then as you start moving from intermediate into advanced, you go into CySA+, which is cyber security analyst or PenTest+. And then when you go to expert, you become CASP+ or CISSP.
And there’s other ones you could choose from as well. But that’s kind of the big generics as you go through this. And based on each of those five different roles that you may come across, there’s different levels as you’re going across this roadmap. And so that’s why I really like the CompTIA one better, because it really does break it down into: you start out with zero years of experience, and what are you going to do for the next five to 10 years as you move from beginner to intermediate, advanced and into expert?
Yeah. I agree. I like the CompTIA roadmap as well. You know what, I really also want to do an explicit shout out that it isn’t just their certifications on this page. Because honestly, when you said, “Hey, Kip, I’m going to send this over and I want you to take a look at it.” I kind of did an eye roll because I was like, “Oh man, all I’m going to see is the CompTIA stuff. That’s no fun.” But no, they actually have all kinds. They’ve got the GIAC, they’ve got OSCE, OSCP. They’ve got a lot of stuff. Good on them for doing that. Because I think that makes this genuinely helpful.
Now, the one thing they don’t have on here though is… Well, let’s look at that expert quadrant. They’ve got their CASP+, and then they’ve got a bunch of other ones, but I think that it’s a little… It could be a little confusing for people if they think, “Well, CASP+ is really just hot plug, swappable with CISSP or CCIE.” And it’s like, “No, not exactly.” I mean, those are experts in the respective sub-disciplines inside of information security.
CISSP, I would see it as more as a governance risk and compliance area. CCIE would be more about hardcore network security. OSCE, red teaming, that sort of thing. Do unpack this a little bit more so that you understand how these things actually differentiate. But anyway, I’m not trying to nitpick, I just want to make sure people understand. If you’ve never seen this before, I just don’t want you to be confused on that particular point, but it’s really good and I’m glad you mentioned Cyberseek.org, which we’re going to put that in the show notes too, because this chart is helpful because it kind of gives you that beginner, intermediate, advanced, expert layout. But because it doesn’t tie the job title, I want you to go over to Cyberseek.org. I want you to find the title for the job you want, and I want you to use the reference material in there to really narrow down on exactly which certifications employers are requesting.
Because that’s one of the things that I love about Cyberseek is they’re actually going out, they’re actually dumping all the job postings, and that’s where they’re really getting their data from. And you know what, if there is a Bible, if there are gospels, as far as what certifications you should get, it’s job postings more than anything else. More than when your buddy says, “Well, don’t get that cert. That’s too trashy. Get this other one, because it’s much better.” Okay, so I don’t go get certified ethical hacker, instead I go off and I get-
PenTest+ or OSCP. Yep.
Sure, right. Now, I’m kind of all set up as far as my buddy is concerned, right? Now he thinks I’m cool because I got the right cert, but what if that was the total wrong cert to get a job? That’s not good. I mean, okay, it’s nice that your buddy loves you, but he’s probably not going to cut you a paycheck every two weeks. Keep this in mind.
The other thing I would say is, as you’re looking at, “Which cert do I get?” And we did talk about this back in episode 55, “Which certification should I get?” If you haven’t listened to that, I definitely recommend going back to YourCyberPath.com/55, and we’ll link to that in the show notes as well.
But when you’re looking at this and somebody says, “Hey, are you going to get XYZ certification?” Well, maybe. Let’s see if it comes up on one of these lists. For instance, I’ll give you an example. There’s a certification called the Digital Forensic Examiner, DFE, and I have this certification and I will tell you that 99% of the people out there probably don’t even know what a DFE is, right? It is a very specialized, niche certification that you had to have if you were a DOD contractor or DOD employee working in forensics, doing a certain level job.
And so I got it because of that, but if I had to pay a lot of money to go get that out of pocket, because somebody said, “Hey, I think DFE is cool. You should go get it.” If I go look at that, I’m going to find out that it doesn’t show up on this chart. I’m looking at the CompTIA one and I don’t see it there. I’m looking at the other one that you had brought over from Paul Jerimy, and I don’t think I see DFE there either, on their 400 something different certifications that they’ve listed here.
Yeah. I’m not seeing it there. So, instead I might want to go get something like FTK certified or one of the others. Some of the benefits of using these type of charts is that you could see what are other organizations saying is important. And as you pointed out, when we talked about the CompTIA chart, the CompTIA roadmap doesn’t specify only CompTIA’s stuff. It has other stuff there as well, even though they have things that compete with them. For instance, CompTIA has Linux+, and I will tell you, I know a lot about Linux+ because I’m currently filming my Linux+ course that’s-
Oh, that would be why.
[inaudible] in July. Yeah. I like Linux+. That said, I’m also an authorized platinum partner with LPI, which is Linux Professional Institute, and they teach Linux Essentials. And if you look here on the chart under networking cloud, Linux Essentials shows up under beginning and novice. Intermediate has LPIC1, which is Linux Professional Institute Certification One, and there’s level two and level three as you go to advanced and expert. And CompTIA put all of those in there, even though they also have Linux+, which competes with LPIC1 and Linux Essentials, because it’s a replacement for those two.
And so being able to know that, “Hey, if I get Linux+, that counts the same as these other two,” is important. Or, “Do I want these other two instead of Linux+, because that’s what employers are looking at?” And being able to check that as you’re looking at job postings is going to help tell you which one you should get. But being able to look at a chart like this and understanding… I always think if you think in five year increments, it really works well for your career. So, you should say, “Okay, in five years, I want to have X position. To get X position, I need A, B and C certifications. And so I’m going to do A this year, B next year, C in year three.” And you can plan yourself out.
Sometimes that position you want in five years is two positions away, and so you might be working the help desk today and you want to be a forensic examiner. Well, to get there, you’re probably going to have to become a system administrator first. And then from a system administrator, you can become a forensic examiner. And so you might say, “Okay, over the next five years, within two years, I need to be a system administrator. And then I need to do that job for two or three years before I can become a forensic examiner. And I need to get these certs and I need to get this degree.”
But by having that five-year plan and working towards those things and checking those things off, you’re going to very quickly go up in your career, which is going to give you higher pay, more promotions, more responsibility, all those great things that you want in a long-term career. And I’ve done this myself in my career. I’ve always looked not at the next job, but the job after that. And by always looking two jobs ahead, you always are positioning yourself for the right place. And it helps you advance so much quicker than if you wait till you get the next promotion and then figure out where you want to go from there.
It’s almost like you and I were in the military or something.
Yeah. I mean, the military is really good about having these set career paths. And in the military, because they are so stringent, if you miss doing something at a certain part of your career, it will screw you over 10 years from now and you can’t go back and fix that thing. If you forgot to do that thing as a young Lieutenant, you can only do that thing as a young Lieutenant. And so you can’t go back and fix that after.
And sometimes in the IT world or cyber security world, it’s not necessarily that stringent, because you can always go back, but do you really want to have to go back and take a pay cut or backwards step to hit that job you want? No, you want to be able to always move forward. And so by laying this stuff out, you can really plan for the best.
Right, right, right, right. Oh boy. There’s no doubt, Jason, we could continue to talk about this for a lot longer than we have already. But my sense is that maybe we’ve come to a good place to hit the pause button and maybe wrap it up. Was there anything else you wanted to say that you haven’t said yet before we wrap it?
I can talk about this stuff for hours. I am the certification guy. I’ll keep it short. But really what it comes down to is, have a plan and just realize that first chart we talked about, that Paul Jerimy put out, it’s a great chart to give you an introduction of what’s available, but there are 400 plus certifications on that chart. You’re not going to get them all.
When it comes to certifications, you really need three to five key certifications. And those key certifications are going to be based on what career path you’re going towards. And that’s why I really like the CompTIA certification chart because it helps you figure out what cert should I get at each level to hit those things? And Kip gave great advice, which is look at the job descriptions, because that will tell you which one you should get: CEH or PenTest+? Well, PenTest+ is the better certification. But if the employers are asking for CEH, you better get CEH, right? And so knowing those things is really what’s going to help get you to where you want to be.
Yeah, definitely. Thanks, Jason. Let’s see. I’m good at kicking these things off. I’m not so hot at wrapping them up. So, what do we have to say before we can say this thing’s finished and into the can?
Yeah. We gave a lot of links in today’s episode. I know most people listen to podcasts while they’re driving or either at the gym or they’re working out or doing something, so you probably didn’t write them all down, right? Things like Cyberseek.org, CompTIA.org/certroadmap, the Paul Jerimy website and things like that.
So, if you want to check out all those, you can always, for this and any other episode, go to YourCyberPath.com/ and the episode number. For this one that is 76. So, YourCyberPath.com/76. We’ve got a nice writeup on what we talked about today. A really short description to remind you, and then all the links to things we talked about in this episode, as well as other relevant episodes, such as episode 55, which is, Which Certification Should I Get? And it’s a great way for you to review what we’ve talked about today. [inaudible].
And you’re going to get a full transcript.
And a full transcript if you want that, so you could search anything we said and correct us as needed. And we’d love to hear from you guys. So, if you guys and gals out there have any comments or wanted to continue the discussion, you could always reach us on Facebook/YourCyberPath, and feel free to post a comment there and let us know what you think. And we’ll definitely bring those up on future episodes or answer you back on Facebook. With that said, thanks for joining us for another episode of Your Cyber Path. We will see you at YourCyberPath.com and see you next time.
All right, everybody. See you next time.