The CIA Triad: The Three Principles Behind Every Security Decision
Confidentiality, Integrity, Availability — understand these three things and you understand the foundation every security control is built on.
"I spent two years helping others get into cybersecurity before I stopped and asked myself — why haven't I placed myself? That question changed everything."
— Wayne M. Shelton Sr., CISM, CGRC, CySA+, CTT+
After leaving the military, I spent two years working in workforce development — helping people find their way into the cybersecurity field. I sat across from candidates every day, reviewed their backgrounds, and helped them position themselves for roles they didn't know they were already qualified for.
At some point I had a simple conversation with myself: I have the technical background. I need to place myself. That shift in thinking changed everything.
Not long after, I received a call from the owner of the training school I had been working with. He offered me an opportunity — my first real foothold in the cybersecurity field. I took it. Everything I have built since then traces back to that phone call and to the person who made it. I owe who I am in this field to him for believing in me first.
I hold a CTT+ — a certification for technical instructors — because I believe how you explain something matters as much as what you know. That is what this page is built on. The roadmap I wish I'd had, explained the way I wish someone had explained it to me.
And if you are a veteran: there is a section below specifically for you. Your service gave you more of a foundation than you probably realize — and there are education benefits that exist precisely to move you into this field.
"I have the technical background. I need to place myself." That one thought started everything.
The shift that changed Wayne's career trajectory
"I owe who I am in this field to the person who gave me my first opportunity. This page is my way of paying that forward."
The "why" behind this resource
"Study every domain. Build the homelab. Do the work. The cert matters because of what you learned preparing for it."
Honest advice — from someone who walked the path
If you have tried to get into cybersecurity, you have probably hit a wall of acronyms, conflicting roadmaps, and content written for people who already know the field. That is discouraging — and it is unnecessary.
The two things that actually move people forward are simple: understand the foundational concepts, then pick a certification path and move through it. Everything else is noise.
That is what this page gives you.
"I don't know where to start. Every blog sends me somewhere different and I end up more confused than when I began."
"I understand the concept but the explanation assumes I already know things I don't. It feels like everyone is speaking a different language."
"I spent years working in classified environments, running IT systems, and thinking about threats — but nobody tells me how that translates."
Start with the concepts. Choose one cert path. Move through it systematically. Your background — military or civilian — is an asset, not a barrier.
These are not separate audiences. Most people are both — curious about the field and open to the possibility that a career in it is reachable.
You want to understand cybersecurity — not necessarily work in it. These are the concepts behind every news story, every breach, and every security conversation you will ever be in.
You are considering cybersecurity as a career and want a clear, honest answer on where to start. The roadmap below is what I would hand someone starting from zero — veteran or civilian.
I have held every CompTIA cert on this list. This is what I would hand someone starting from zero, aligned with CompTIA's official 2026 career roadmap.
New in 2026's official roadmap. Tech+ is designed for people with zero technical background — it covers basic computing concepts, software, security fundamentals, and infrastructure basics. If you have never worked in IT or a related field, this is a low-pressure on-ramp. If you have any IT exposure at all, skip it and go straight to A+.
Hardware, software, operating systems, and troubleshooting. This is the industry-recognized starting point for IT careers. If you have no IT background, start here. If you spent time in a military IT role or have worked hands-on in tech, you may be able to skip it — but know this material cold regardless.
Security runs on networks. You cannot protect what you do not understand. Network+ builds the networking foundation that every security concept assumes you already have. Most people who struggle in cybersecurity skipped this step. Don't be that person.
The baseline. DoD 8570/8140 approved, widely recognized, and required for most entry-level security roles — especially in defense and government contracting. Covers threats, vulnerabilities, identity and access management, cryptography, risk management, and incident response. Study it seriously; don't treat it like a checkbox.
After Security+ the path branches. All three are legitimate; pick one and go deep. Collecting credentials across lanes without depth is a common mistake.
ⓘ CySA+ V4 (CS0-004) releases June 2026 — if you are actively studying CySA+, confirm which exam version is current before you register.
Renamed from CASP+ in 2024 — same exam content, same DoD recognition, different name. SecurityX is the expert-level CompTIA credential for senior practitioners responsible for enterprise security architecture, advanced threat management, cloud and hybrid security strategy, and risk governance. This is where you go when you are running the program, not just working inside it.
This tier is where cybersecurity professionals move from doing the work to leading it — managing programs, auditing systems, governing risk, and owning enterprise security strategy. These are not entry-level credentials. Each one requires experience, and each one means something specific to employers.
ISACA's flagship management credential. Governance, risk management, incident management, and program development. This is the certification I am most proud of — it reflects how security actually functions inside organizations at a strategic level, not just the technical side.
Focused on IT risk identification, assessment, and management — not just security controls but the full risk lifecycle. Highly valued in GRC, audit, and risk management roles. If the CGRC lane is where you're headed, CRISC is the natural next step.
ISACA's gold standard for IS audit, control, and assurance. If your path leans toward auditing systems and evaluating controls rather than running them, CISA is the credential that establishes your credibility. Well recognized in both public and private sectors.
The most widely recognized advanced security credential in the field. Broad and deep — covering eight security domains from security architecture and engineering to software development security. If someone in a senior security role has one certification, there's a good chance it's this one. DoD 8570/8140 approved at the IASAE level.
AI security is a real and growing specialty. The credentials below are new — none of them have a long employer adoption track record yet — but the domain itself is not going away. If this is where you want to specialize, start paying attention now.
There are a lot of good training courses out there. This is the one I used myself and the one I handed to every student I trained. I share it for one reason: it worked.
When I was actively training students for CompTIA certifications, Professor Messer's resources were the ones we gave to every single person in the room. I listened to his videos driving to and from work. I used his study guides to prepare for exams I had already been teaching for years. I cannot recommend his resources enough.
Full course video series for CompTIA A+, Network+, and Security+ — organized by exam objective so you know exactly what you're covering. I listened to these in the car. That's how good they are.
Not too shallow, not buried in details that don't appear on the exam. His study guides hit the exact depth you need to grasp the concept and pass the test. No filler.
Performance-based questions and practice exams that mirror the real test environment. Use these after you've worked through the course — they show you what you actually know vs. what you think you know.
I served 21 years. I know what it feels like to leave the military and not know how to translate two decades of discipline, mission focus, and operational experience into a civilian career conversation.
Here is what the civilian world doesn't always say clearly: cybersecurity is one of the best fields a veteran can enter. The structure you operated in, the security clearances you may already hold, and the mission-critical thinking you developed are directly applicable.
What follows is a plain-language breakdown of every benefit and program available to help you fund and accelerate a cybersecurity career — from active duty through post-separation.
When I separated from the military I didn't have a cybersecurity background. I had IT experience from my time in service, a work ethic built over 21 years, and a decision to go after the certifications systematically.
I used Tuition Assistance while I was still on active duty. I leveraged my military IT experience to skip entry-level roles. And I went after the certs that employers in the defense sector recognized.
The path is real. The benefits are real. You just need a clear picture of what's available and in what order to use it.
Available while you're still serving. Covers up to $250 per semester credit hour and $4,500 per fiscal year for courses at approved institutions — including certification prep programs.
Each branch has a COOL program that funds certification exams for active duty service members — including CompTIA Security+, Network+, CySA+, and others on the roadmap above.
Allows transitioning service members to work with a civilian employer or training program during their last 180 days of active duty — while still receiving full military pay and benefits.
The most widely used education benefit for veterans. Covers tuition at approved institutions and can be applied to Non-College Degree (NCD) programs — including certification training programs approved by your state's VA.
Veteran Employment Through Technology Education Courses. Specifically designed for high-tech training — including cybersecurity. Pays 100% of the training cost plus a housing stipend.
CompTIA offers discounted exam vouchers for veterans through their Veterans Support Program — reducing the out-of-pocket cost of exams on the roadmap above.
If you held a Secret or Top Secret clearance during your service, that clearance has real dollar value in the civilian cybersecurity market. Many defense contractors and federal agencies require clearances for their cybersecurity roles — and cleared candidates are genuinely hard to find. Companies pay significant premiums for cleared personnel. If your clearance is active or recently separated, that is one of the strongest things on your resume. Lead with it.
Plain-language posts on the concepts and certifications that matter most for anyone starting out.
Confidentiality, Integrity, Availability — understand these three things and you understand the foundation every security control is built on.
What Security+ actually covers, how to study it effectively, and why it is still the right first security credential a decade into my career.
The skills transfer more than you think. Here is how to frame your background for civilian employers — and which roles to target first.
The certification path and career information on this page reflect CompTIA's official 2026 roadmap and publicly available DoD policy documentation — not outdated blog posts or guesswork.
ⓘ Certification names, exam numbers, and program details change. Always verify current requirements directly with CompTIA or the relevant certifying body before registering for an exam.