Security Certification Paths

Simply put, corporations exist for the sole purpose of making money.  The employees are there to serve that goal. Beyond screening employees for needed skills, degrees and certifications do little, if anything.  This is why we often find people working in fields that they have obtained proficiency in, but lack a matching degree.

With this in mind, IT security certifications show potential employers, or customers, that you are qualified to perform the functions of a security professional.  There are dozens of IT certifications, so which ones are best?

Everyone has different answers.  But, many organizations consider the Certified Information Systems Security Professional (CISSP) certification to be an excellent indication that an individual has the knowledge to perform effectively in an IT security role.  

Since the CISSP credential requires five years of cumulative paid work experience in at least two of the domains of the CISSP Common Body of Knowledge (CISSP CBK), a common career progression involves getting other certifications first:

  • CompTIA Network+
  • CompTIA Security+
  • (ISC)² SSCP
  • … and then the (ISC)² CISSP

Here is an overview of each of these certifications:


The Network+ certification indicates that you do not have any gaps in your knowledge of system administration.  It is designed to test the ability of a network technician to configure and support TCP/IP clients. It covers network design, cabling, hardware setup, configuration, installation, support, and troubleshooting.

The Network+ exam can be taken by anyone.  However, it is aimed at people who have a year or two of on-the-job experience and A+ certification – or equivalent knowledge.  So, if starting from scratch, the A+ certification might be a better starting place.

With the correct examination materials, many people can pass the Network+ confirmation with one or two months of study.


Security+ expands on the knowledge required for Network+ certification.  As the name implies, it concentrates on security aspects of information systems.  The time required to prepare for it is generally about half of the time required to prepare for Network+.

The Security+ certification is required for many (or maybe most) IT positions with the US Depart of Defense (DoD) or military contractors.  So, this certification is critical for those who touch IT in the defense industry. My favorite book for Security+ is Mike Meyers’ CompTIA Security+ Certification Guide.

A good companion to Mike’s book is his video series on Udemy.  

Be sure to look for the Udemy sales, which happen on a regular basis.  If you pay more than $10 or $15 for a course on Udemy, you are paying too much.  Just be patient and wait for a sale.


The (ISC)² Systems Security Certified Practitioner (SSCP) certification can be thought of as a final stepping stone toward a CISSP.  The SSCP has a lot in common with the Security+. So, it is the next logical step after obtaining a Security+. Obtaining the SSCP may take a bit more time than Security+. But, it should be easily achievable within a couple of months.  

Unlike Security+, the SSCP requires one year of experience in at least one of the following domains:

  • Access Controls
  • Security Operations and Administration
  • Risk identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Network and Communications Security
  • Systems and Application Security

The one year experience requirement can be waived if you have a degree in a cybersecurity related field.  The following degree titles are approved by (ISC)²:

  • Computer Science
  • Computer Engineering
  • Computer Systems Engineering
  • Management Information Systems (MIS)
  • Information Technology [IT]

In line with the work experience requirement, the SSCP exam itself focuses more on knowledge application and critical thinking, while the Security+ exam focuses on less ambiguous scenarios.

I like to think of the SSCP as personal validation that your knowledge base is progressing toward what is needed for the CISSP.  But, you can avoid the SSCP and go straight for the CISSP certification. Perhaps a compromise between these two extremes is to go through a SSCP study guide, but skip the exam.


The CISSP exam is considerably more difficult than basic and intermediate certifications described above.  But, by passing it, you demonstrate the breadth of your IT security knowledge.

The CISSP encompasses eight domains of knowledge:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The CISSP exam is more general than the SSCP and requires more critical thinking skills that are acquired primarily by experience.  Speaking of experience, CISSP requires 5 years of paid work experience.

The amount of time required to prepare for the CISSP exam is significantly more than the time required to prepare for the other exams.  Many people take between 6 months and a year to prepare. However, the time spent is worthwhile because CISSP certification opens up many career possibilities.  I am most familiar with US DoD requirements and CISSP is certainly a certification to shoot for if you are an IT professional in the defense industry. Here is a link to DoD approved certifications for various types of positions: