General Certifications
General certifications are certifications that can be applied to any kind of cybersecurity job, and are most often used by people landing their first cybersecurity role. They cover the basic concepts expected of any cybersecurity professional. There are certifications like CompTIA Security+ for beginning professionals, or the ISC2 CISSP for mid-career professionals. Someone interested in a security career but not sure what that really means can look at these general certifications to get a sense of which domains the cybersecurity profession includes.
Specialty Certifications
Once someone gets a general certification, they can use specialty certifications to get a specific role in cybersecurity.
For example, someone wanting to be an ethical hacker may look to the Offensive Security Certified Professional (OSCP) certification. This certification focuses specifically on Kali Linux tooling, so someone pursuing it would be learning that tool stack as well as demonstrating a willingness to continue with professional learning. Alternatively, the EC-Council Certified Ethical Hacker (CEH) covers similar professional domains but is tool-vendor neutral.
Cybersecurity professionals will typically get at least one specialty certification in their career, as they decide where to focus and hone their expertise.
Keeping Up
Cybersecurity professionals know that technologies keep changing, and the tactics, techniques and procedures (TTPs) we use must change too. Keeping up with these changes can be exhausting, and it’s often unclear what you must learn to stay in touch with these changes.
This is where certifications can come in. Certifying organizations conduct research to understand what professional domains need to be included in a certification, which tools are useful, and what techniques professionals must learn in order to be proficient. A security professional can leverage this research to create their own learning syllabus, even if they don’t ultimately take an exam or obtain a certification.
For example, you may want to learn more about privacy, but don’t work in a privacy role, and are not sure where to begin. A review of the IAPP Certified Information Privacy Professional United States (CIPP/US) certification shows that these professional domains are included:
- Introduction to the U.S. Privacy Environment
- Limits on Private-sector Collection and Use of Data
- Government and Court Access to Private-sector Information
- Workplace Privacy
- State Privacy Laws
Maybe you are already familiar with some of this, or perhaps it’s completely new. Maybe when you read these topic areas you realize you want to pursue a full certification; or maybe the subject does not interest you at all. If you want to learn more, you can now attend classes, read a book, or attend conferences covering these topics to bring yourself up to speed as quickly as you want. If the topics interest you enough to pursue a privacy role, you can also reach out to privacy professionals for mentoring and networking. You may choose to sit an exam and obtain an official certification, but for the purposes of continuing your professional education this is optional.
Use certifications to land your first cybersecurity job and to enhance your current role. Then, as you work to stay on top of industry changes where you need to learn concepts but not necessarily apply them in your day-to-day job, use certifications to understand the subject domain and to choose what and how you need to learn. This can help you efficiently keep up with all the changes inherent in this industry.
