Security+: More Advanced Certifications

December 20, 2017 by Claudio Dodt


So, a few months ago you decided it was time to advance in your information security career and chose to undertake the Security+ exam. The feeling of earning your very first certification is not quite like any other: after days (more likely weeks or months) of focus and dedication, of using most of your free time for studying and going over mock exams, you finally did it, and you are now certified. Of course, congratulations are in order, but almost immediately after the pressure of your study routine dissipates, it is more than likely that you are already thinking to yourself: what is the next step?

You see, for most people the very first certification, even if it is an entry-level one, is the most difficult. Once you discover how to create a study schedule that suits your needs, where to find online resources, and the benefits of investing in official courses and training material, it is quite easy to realize that any certification, even the most challenging, can be accomplished; it is just a matter of how committed you really are.

The Security+ certification is often referred to as the first stepping stone for professionals who want to advance in their security careers. That is true enough! So, now that you are already standing on firm ground, let’s discuss some great options for using advanced certifications to become a specialized professional.

CompTIA Certification Hierarchy

Since you already started with the Security+, let’s assume you are familiar with how well regarded CompTIA certifications are. CompTIA is a vendor-neutral institution, respected and accepted worldwide, so choosing to follow the Security+ -> CSA+ -> CASP path is not a bad idea.

CompTIA Cybersecurity Analyst (CSA+)

This cybersecurity certification focuses on applying behavioral analytics to improve the overall state of IT security. The CSA+ validates the critical knowledge and skills required to prevent, detect and combat cybersecurity threats.

Any security specialist knows that technology plays a major role when it comes to data protection. But as attackers grow into professionals themselves, evasion of traditional signature-based solutions has become quite common. An analytics-based approach that is able to detect and understand advanced threats is therefore much in demand these days.

CSA+ professionals undergo training for configuring and using threat detection tools, executing data analysis and, most importantly, interpreting the results to identify vulnerabilities, threats and risks to an organization.

Why this should be your next step: This time the answer is quite simple. Since the CSA+ is the next step in CompTIA’s certification hierarchy, your previous study efforts will already serve as a useful basis for the new exam. This is a great opportunity to leave the foundation level and start building more advanced skills, while earning a globally recognized mid-level/intermediate certification.

CompTIA Advanced Security Practitioner (CASP)

The top level of CompTIA’s security certification path, the CASP is ideal for experienced professionals (5 years of experience is recommended), and is a viable (and less expensive) alternative to other great certifications such as the CISM and CISSP.

The CASP certification focuses on developing critical thinking and judgment across a broad spectrum of security disciplines such as enterprise security, risk management, incident response, research and analysis, integration of computing, communications and business disciplines, as well as technical integration of enterprise components. It also requires candidates to implement clear solutions in complex environments. With the current market demand for cybersecurity experts, validating this skillset is a sound way of proving you are ready for an advanced position.

Why this should be your next step: With the current demand for experts in the cybersecurity field, having any top-tier certification will put you ahead of the competition for job opportunities. This alone should be reason enough, but from a more practical point of view, the effort required for the CASP certification will help you develop critical thinking and sound judgment across several interconnected security disciplines. This is an exceptional trait for professionals who are required to implement effective solutions in complex environments.

ISACA Advanced certifications

ISACA is a vendor-neutral, international professional association focused on IT governance, risk management, auditing and information security. It is well known for major publications such as COBIT, Risk IT and Val IT, but also for top certifications such as CISA, CISM and CRISC.

Certified Information Systems Auditor (CISA)

ISACA’s CISA is a certification dedicated to validating knowledge of auditing, controlling, monitoring and assessing information technology and business systems.

One important note for professionals who may not want to deviate from an information security focus: as the CISA is primarily a certification for IS (Information Systems) auditors, information security is but one of the five job practice areas covered by the examination:

  • Domain 1 — The Process of Auditing Information Systems (21%)
  • Domain 2 — Governance and Management of IT (16%)
  • Domain 3 — Information Systems Acquisition, Development and Implementation (18%)
  • Domain 4 — Information Systems Operations, Maintenance and Service Management (20%)
  • Domain 5 — Protection of Information Assets (25%)

Granted, information security represents only 25% of the CISA examination, but you should also consider that it is one of the most sought-after international certifications and may also be a chance to expand your personal skills into other important areas.

Why this should be your next step: For starters, all of ISACA’s top-level certifications are very well received in the current market. Since the CISA certification does not focus solely on information security, it is an excellent opportunity for professionals who want to become auditors. On the other hand, if performing audits is not something you would like to do, or if you do not wish to stray from a cybersecurity-only certification path, then even though the CISA is a great certification, the CISM may be a better next step.

Certified Information Security Manager (CISM)

The CISM is not an overly technical certification; it focuses on the management aspects of information security. So, if you like the idea of calling the shots instead of working at the operational level, this certification might be just what you are looking for.

The exam’s objective is to test your knowledge in four functional areas of information security:

  • Domain 1 — Information Security Governance (24%)
  • Domain 2 — Information Risk Management and Compliance (33%)
  • Domain 3 — Information Security Program Development and Management (25%)
  • Domain 4 — Information Security Incident Management (18%)

Similarly to other ISACA exams, the CISM uses two basic kinds of questions: fact-based questions, with no direct relation to a specific technology (e.g. SAP, Oracle, SQL), and analysis-based questions (context- and decision-oriented). Most questions require you to understand a specific scenario and formulate your judgment based on what an information security manager should do to ensure the protection of a major business environment.

Why this should be your next step: The CISM is ISACA’s answer to the global demand for information security managers. This certification focuses much more on handling security from a strategic/tactical point of view than on operational aspects. It is quite common to see this certification coupled with the (ISC)² CISSP as a requirement for high-level security positions.

Certified in Risk and Information Systems Control (CRISC)

Risk management is one area that most companies should be paying more attention to. Being able to understand what the actual threats are (both from within the organization and from outsiders), exposure levels and risk appetites, and using this information to prioritize controls that will effectively protect the business, is a skillset that is in very high demand these days. The focus of the CRISC certification is exactly that: building a greater understanding of the impact of IT risk and how it relates to your organization.

Again, information security may not be central to the CRISC, but it stands out as the one certification that prepares IT professionals for the unique challenges of IT and enterprise risk management, and positions them to become strategic partners to the enterprise. It covers 4 basic domains:

  • Domain 1 — IT Risk Identification (27%)
  • Domain 2 — IT Risk Assessment (28%)
  • Domain 3 — Risk Response and Mitigation (23%)
  • Domain 4 — Risk and Control Monitoring and Reporting (22%)

Most CRISC professionals will be working with top management, entrusted with protecting the business by ensuring that no major risk goes unmanaged. With the ever-evolving threat landscape, this sort of position will never, ever have a dull day at work.

Why this should be your next step: Managing IT risk is a great challenge for every company, so being prepared (and certified) to do so should place you ahead of the competition for several job openings. Similar to the CISA, this certification does not focus solely on information security aspects, so while it is a great credential, you should consider whether specializing in risk management is the right choice for you.

(ISC)² certifications

The International Information System Security Certification Consortium, or (ISC)², is a non-profit, vendor-neutral organization that specializes in information security education and certifications. (ISC)² is mostly recognized for its top certification: the Certified Information Systems Security Professional (CISSP).

Certified Information Systems Security Professional (CISSP)

Make no mistake: there are quite a few reasons the CISSP has maintained its reputation as one of the most challenging and desired information security certifications.

With 250 questions drawn from the 8 domains of its Common Body of Knowledge, and a time limit of 6 hours, the CISSP examination requires an advanced level of knowledge of practically every information security related subject:

  • Asset Security
  • Communications and Network Security
  • Identity and Access Management
  • Security and Risk Management
  • Security Assessment and Testing
  • Security Engineering
  • Security Operations
  • Software Development Security

Yes, taking (and passing) the exam is not an easy task, and you should also take into account other requirements, such as having a minimum of five years of direct, full-time security work experience in two or more of the CISSP CBK domains (one year may be waived, provided you have either a four-year college degree, a master’s degree in Information Security, or one of a number of other certifications, including the Security+, CISA and CISM).

So, why should you take the CISSP? It is quite simple: aside from being one of the most respected titles a security expert can achieve, for several years the CISSP has remained at the top of job board requirements for top positions. With this one there is no going wrong: once you feel up to the challenge, taking the CISSP should be a top priority for any security expert.

Why this should be your next step: There is no doubt about it: for many years (ISC)²’s CISSP has remained the most in-demand security certification, and a simple query of online job boards should provide ample evidence that most high-level security positions will either require or directly mention the CISSP as a desired credential.

EC-Council certifications

The International Council of E-Commerce Consultants (EC-Council) is an organization that certifies individuals in various e-business and information security skills. Some of the most recognizable certifications include Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA).

Certified Ethical Hacker (CEH)

The CEH aims to establish and govern minimum standards for credentialing professional information security specialists in ethical hacking measures, and to reinforce the fact that ethical hacking is a unique and self-regulating profession.

With the exponential growth of cybercrime, from both insider and external threats, having a skilled, ethical professional on your team can be of immense importance to many organizations. Such a professional understands how to look for weaknesses and vulnerabilities in target systems, using the same knowledge and tools as a cybercriminal, but in a lawful and legitimate manner to assess security.

The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. It is far more technically oriented than most of the certifications discussed in this article, requiring familiarity with techniques such as Footprinting and Reconnaissance, Scanning Networks, Host Enumeration, System Hacking, Malware Threats, Evading IDS, Firewalls and Honeypots, using Sniffers, Social Engineering, Denial of Service attacks, Session Hijacking, Hacking Webservers, Hacking Web Applications, SQL Injection, Hacking Wireless Networks, Hacking Mobile Platforms, Cloud Computing and Cryptography.

Why this should be your next step: Working as an Ethical Hacker is one of the most in-demand technical jobs, so if you are not looking for a managerial role at this moment, this may be a very rewarding career path that, with the current rise of security threats, only tends to increase in demand.

Computer Hacking Forensics Investigator (CHFI)

Even with the very best security controls, cybercriminals often find ways to circumvent protections, causing significant damage to operations, finance and even company reputation.

This is yet another quite technically centered certification that is rather attractive to law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of their network infrastructure. It covers topics such as Computer Forensics Investigation Process, Searching and Seizing of Computers, Digital Evidence, First Responder Procedures, Computer Forensics Lab, Data Acquisition and Duplication, Steganography and Image File Forensics, Log Capturing and Event Correlation, Network Forensics, Investigating Logs and Investigating Network Traffic, Investigating Wireless and Web Attacks, Tracking Emails and Investigating Email Crimes, Mobile Forensics, Creating Investigative Reports and Becoming an Expert Witness.

Why this should be your next step: If you ever watched CSI Cyber, had a blast with the frankly obvious “poetic liberties” and technical incoherencies, but thought it would be really nice to work tracking down cybercriminals, the CHFI may prepare you for just that.

This certification is designed for information security professionals with an emphasis on forensic investigation, meaning the people who will investigate a successful attack after it took place in order to understand what really happened, how it came to be, how much damage it really caused, what can be done to prevent it from happening again and, if necessary, to ensure that there is enough evidence for taking legal action.

EC-Council Certified Security Analyst (ECSA)

As with most EC-Council certification programs, the ECSA focuses on the technical aspects of penetration testing. It provides real-world, hands-on penetration testing, covering the testing of modern infrastructures, operating systems and application environments, while requiring candidates to know how to document and write a penetration testing report.

The ECSA includes topics such as TCP/IP Packet Analysis, Advanced Sniffing Techniques, Vulnerability Analysis, Advanced Wireless Testing, Designing a DMZ, Log Analysis, Advanced Exploits and Tools, Penetration Testing Methodologies, Customers and Legal Agreements, Rules of Engagement, Penetration Testing Planning and Scheduling, Pre-Penetration Testing Checklist, Information Gathering, Penetration Testing (Internal/External) for Routers, Switches, Firewalls, IDS and Wireless Networks, Data Leakage Penetration Testing, Penetration Testing Deliverables, Conclusion, Report and Documentation Writing, Report Analysis, Post Testing Actions, Ethics of a Licensed Penetration Tester, and Standards and Compliance.

Why this should be your next step: While the CEH focuses on the usage of tools and techniques, the ECSA takes a step further by elevating simple tool usage into actual full exploitation. It requires not only good technical skills, but also an analytical approach to handling the collected information and creating meaningful reports.

As a professional, proving that you can do much more than merely use tools is a sound way of demonstrating not only technical competence, but a real understanding of how security works within most systems. That level of proficiency is in high demand for higher-level positions.

Licensed Penetration Tester (Master)

The LPT is the capstone of EC-Council’s entire information security track. Going well beyond a simple consolidation of the knowledge required for the CEH / ECSA, it is the ultimate test of your practical skills as a penetration tester.

To earn this certification, candidates are required to conduct a full black-box penetration test of a network provided by EC-Council. This means following the entire process (reconnaissance, scanning, enumeration, gaining access, maintaining access) and then actually exploiting vulnerabilities.

Sounds like a tough challenge? It does not stop there! You still have to fully document your actions in a complete, professional penetration test report. Your report will then be graded by other penetration testing professionals who already hold EC-Council’s LPT (Master) credential.

Why this should be your next step: This exam is a serious challenge, and should only be undertaken once you have advanced practical expertise in both the technical and reporting skills required of a top-level penetration tester.

If you have just earned your Security+, this certification is possibly a little too much at the moment, but understanding what is required is the best way to prepare yourself for the challenges down the road.


What is YOUR next step?

If you have just completed your Security+, learning about the challenges of advanced and specialized certifications can be slightly daunting. The required level of commitment and knowledge (both practical and theoretical) may sound unreasonable, but that is actually the idea.

There is no point in creating a top-level certification if anyone can earn it without much effort. This is true for all renowned certification institutes and respected certifications such as the ones we discussed. Come to think of it, it all makes sense: how would you be able to stand out as a professional without proving you can endure the most demanding challenges?

Again, since you already earned the Security+, rest assured that it is not just the first step, but also the most difficult step, one that quite a few professionals never dare to take. From now on, it is just a question of deciding what career path best suits your needs and planning ahead. Thinking strategically is never a simple task, and there is no need to rush to the mountaintop, so if you still need some time to expand your basic information security knowledge/experience, taking the CSA+ or SSCP may be the best option. But if you already feel confident, do not shy away from going straight to the top!

Either way, it is important to know you do not have to face this journey alone! You can always count on official training as a secure method for filling the gaps in your knowledge and benefiting from a much smoother ride from junior to expert. The Infosec Institute is here to help you with several career-changing options, including our CISSP Boot Camp, Ethical Hacking Boot Camp, and several other choices that are sure to meet your needs.


Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.
