How to Navigate Security Cleared Cyber Security Certifications

Posted by Kathleen Smith

EC-Council’s Kevin King discusses everything you want to know about certifications, from preparing for and maintaining certifications, to sharing which are most valued by defense contractors.

The 8570 certification matrix below is divided into three separate areas that describe the type of job that you’re going to be applying for. The one on the very top is IAT, Information Assurance Technical. The next level is IAM, which is Information Assurance Management.

Let’s say that you’re in an IAT Level II job and there’s an internal post for a management job at your company. I experienced this when working on a lower-level job. A management post came up and I applied for it internally. If you’re planning on either hitting that management track or the next one down, you want to make sure you have your certification ready to go.

If you apply for the job and you get it, you might be in limbo. There is only a certain amount of time that you have to make sure you have the certification, so it’s very important to make sure you plan ahead.


The third tier on the matrix is IA SAE, Information Assurance System Architects and Engineers. These are people who are going to be designing systems. And then there’s the CSSP, Cyber Security Service Providers, who are at the core of multiple infrastructures. They’re providing support for those infrastructures including analyst level support, infrastructure support, incident responder, auditor and manager.

Within each of these levels, there are various certifications that are useful. One of the things to keep in mind with this chart is that you have a choice at each level to get several certifications. Which certification you go after will depend on where you are going.

Where do you start?

Ask yourself the question, “Who do I want to be?”

Let’s say you want to be a Director of IT and you decide to start with the A+. A+ in my opinion is probably the first step for the person who has no experience. And then from there you map your way towards what you’re aiming at, in terms of your security and certification goals.

If you can get a class with a live instructor, do it. You can ask live questions that may be very difficult for you, but very obvious to the instructor. If you can’t get a class with a live instructor then you’re going to be going through books.

You need two things. Number one is a series of practice tests. You need to be scoring in the 90s before you go take the real test. And number two, you’re going to need some type of hands-on lab.

How much time is this going to take?

Anything that is worth it requires an investment in you and your time. I always recommend that people section out a part of their life for this to happen. For example, on Monday, Wednesday and Friday, from six to nine o’clock, I will work on my certification.

I would allocate at least six months for an exam depending on the difficulty and how much time you have. I’ve worked with people who had a lot of time because they were in between jobs. They worked on it all day, every day and they were able to compress that down to a month of intense study. For the busy professional, you’re probably going to look at a six-month journey for each of these exams in my opinion.

It’s also going to be dependent on your level of experience. I’ve had both students and colleagues who are non-technical move into technical, and that’s a bigger leap than the people who are currently technical.

Let’s take two examples. We have Fred who gets a government job in a mail room. If he decides he wants to move into IT, he’s going to have a lot of work to do. Now let’s take Sally. She doesn’t have any certifications, but she’s taught herself a little bit of Linux and Python, and she understands what Active Directory is. Sally has some technical background, maybe even an associate’s degree in a technical field. She is very likely to get through those entry level certifications a lot faster than Fred.

But once Fred and Sally have both completed that entry level certification, they will both be able to advance almost at the same level. It just takes a longer time to get from zero to hero than it does to get from one certification to the next. So that first certification will be longer if you don’t have experience – shorter if you do have experience.

Which certifications are the hardest to prepare for?

There are two that I would say are the hardest to prepare for. Number one is your first exam. When I went to take my first exam, I failed it. I had created packs of note cards but I had never seen an exam before. I failed it by a few points. Later, I went back and passed it, but that first one is the big one.

Then there are the ones that are just hard to pass in general, like the Certified Ethical Hacker. The CEH has a knowledge component and a practical component. If you pass both of those, you become a CEH Master. If you only pass the knowledge component, you become a CEH. They are constantly taking the new technologies, so they’re asking you about Docker and Kubernetes, and IoT and OT because they update or upgrade it. So that’s probably one of the hardest ones to get.

Some of the SAEs are difficult to get too. If you look at the management level, the CISSP is traditionally a difficult one to get, but it’s only knowledge-based. The upper-level Cisco certifications are also very difficult. I remember taking a CCNP Cisco certification, where they had me configure the router for DSL.

And for the CEH Practical certification you get questions like, “there’s a computer on the network running a Linux operating system that has an exposed area, find the computer and then hack the FTP server.” So those are things where we have to do configuration and those tend to be the most difficult to study for, but they have the best return.

Which certifications are valued by defense contractors?

One of the things to keep in mind is that these days we have quite a lot of security breaches going on. When I look at defense contractors, a lot of them are looking for security certifications that require a certain level of hacking knowledge.

I would look for a certification that shows you know how to hack. There’s a lot we need to defend. Whether you’re going for CEH or CSA, or the GIAC or the GCFA, find out if that certification teaches you to hack. Read about the certification and find out what they teach you in terms of how the enemy is coming at you and how you defend that attack. That’s something that everybody is looking for right now.

We can also look at two other paths. For one, as a security cleared professional, you may simply be required to have the certification at the level you’re currently working. Some jobs don’t actually care whether it’s A+, CEH, GCIH or whatever. They just want to make sure you have it and it’s checking a box so that you can qualify for your job. In that case you can try to find the easiest one.

But the path that I recommend is having a target for where you want to be. There are several major vendors that are represented in the 8570 chart. We see the ISC2, which is going to be your SSCP and other certifications. We see EC-Council with your CEH and others. And then for your GIAC, you have global information security assurance. They have a huge number of certifications there.

Each of these has its own paths, its own methodologies, and they’re all very good in their own right. For instance, if you go with EC-Council that’s going to be your penetration testing, hacking, or your application testing and so on. If you go with CompTIA or GIAC certifications, they have a wide variety of certifications. So go to each vendor, discuss their paths, and don’t be afraid to call their salespeople. Call the vendors and ask questions.

How often should you acquire and renew certifications?

You want to keep up your certification cadence. It might be once every six months or up to once a year depending on if you’re going to boot camps or studying on your own, both of which are valuable.

Some certifications just require renewal, meaning they just require you to go get another certification. Other certifications require continuing education (CE) credits to keep the certification. And if you don’t have the CE credits, you have to go take another exam.

Each vendor has different policies, but usually it’s about three years. So, if I have a Cisco certification that I got three years ago, I need to go get another Cisco certification this year in order to renew my existing certification. If I pass another test, my first certification and whatever new test I took are now all still current.

The biggest issue with getting certifications is that you need both the knowledge of the topics in the certification and the skills that the knowledge provides. In many cleared jobs, before you get the job, they’re going to make you take their own exam to show that you know the technology. So, on your certification journey, it’s important to not only acquire the knowledge, but also acquire the skills.

The IT community, and specifically the security community, needs you. We don’t have enough of these jobs filled, so go out there and get it done—get that certification.

Watch our webinar to hear more about certifications from Kevin King


This entry was posted on Monday, October 25, 2021 12:42 pm
