SSCP, worth getting?

dannycracko

Hi Guys,

I have been in IT security field for the past two years. Currently i have CEH and other vendor specific certs. I would like to know whether SSCP should be my next step as I don't meet the requirement for CISSP.

Sheiko37

I think the SSCP is worth it if you don't have the experience or personal confidence for the CISSP.

dannycracko

Thanks for the reply Sheiko37.

Is this true SSCP is more technical than CISSP? as per my understanding, SSCP (technical) and CISSP(Management).

beads

@dannycracko;

Absolutely worth it. Given the number of resumes I have recently reviewed and dismissed with CISSP on them and only the slightest of IT experience included the exam has lost much of its former credibility with me. I have seen current helpdesk employees with a full CISSP. Junior Administrators and router jocks not withstanding. These folks should have done the SSCP first and build some credibility into there resumes from a career perspective. Too many are simply nonsense to even bother reading. The next large block are the "studying for the CISSP" resumes currently covering a vast number of vocations from administrative assistants to mid level IT people of varying shades.

Here's where I get jumped on this board. I haven't hired a CISSP in sometime. Rather I will build them from near scratch.

I'd rather hire a security person who has had a career in IT first: Infrastructure, Development or DBA for years. Have some capable BA skills to apply to the situation. THEN, go into security/audit. Otherwise I have to simply start you in the lower levels of audit and train you from there. I have the fourth of five starting 1Jun15 - all freshers with little to no real security experience. Has some advantages.

Webster's Dictionary defines 'Management' as:

: the act or skill of controlling and making decisions about a business, department, sports team, etc.

: the people who make decisions about a business, department, sports team, etc.
: the act or process of deciding how to use something

Not seeing the connection to the exam and running a department, business, team or organization. I remember thinking a great deal about TTP (Tools, Techniques and Practices) though. The last definition is close but not doing it for me. So the SSCP tends to be a bit more in the trenches where the CISSP tends to be a bit less specific, lacking detail. Concentrations tend to be very technical, almost insanely difficult with concrete answers. Hour glassed shaped in focus, I suppose.

Build your skills the right way and you'll stand out in the right way. Lots of cheaters and frauds out there and there is a difference.

- b/eads
Board appoint CISSP jerk

Sheiko37

dannycracko wrote: »

Is this true SSCP is more technical than CISSP? as per my understanding, SSCP (technical) and CISSP(Management).

I read this a lot but it's not my experience. The study content is 90% the same between both, and the SSCP exam questions were no more or less technical than any CISSP questions you see on a practice site.

I haven't taken the CISSP exam yet though, maybe the questions are very high level, conceptual and specifically managerial, so by comparison the SSCP is 'technical'.

dannycracko

I have made my mind to enroll for SSCP. I believe the exam blueprint has been changed. The official study material still dates back to 2010. Should i wait till they update to new study material ? Any suggestions on this?

Tongy

Good on you. I'm still mulling it over myself.

leugenel

How many years of experience you think is OK for someone to have CISSP?

Tongy

The official line is 5 - https://en.m.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional#Requirements .

It can be shortened to 4 if you have relevant further education or certifications listed here: https://www.isc2.org/credential_waiver/default.aspx

I hope that that this helps!

kalkan999

Actually, I 90% agree with you on this post, B/eads. I look at a CISSP with suspicion ONLY when his/her CV does not match up. I dont waste my time humbling and humiliating people with the CISSP cert who don't warrant the title, mostly because I know that there are a lot of people like you who will. I simply look over the Resume' handed to me by random HR person and move along.

SSCP, to me, tells me that the person taking it sees that he/she is lacking in experience AND seems to know better than to spend $70K on a Ahemm...BACHELORS Degree program from ITT or Devry, where the credits don't transfer to other, more legitimate universities. SSCP should be taught at vocational schools, and vocational schools should make a comeback against For-profit universities. SSCP tells me a lot about a person, and a lot of it is positive.

My advice to anyone listening and wanting to venture into the Information Security world. Listen to B/eads, but look past his cynicism an derision. He and I, and others like us who are senior peeps, are stuck in a historical loop. Stuck in Active Directory enterprises, stuck in obsolete 'Defense-in-Depth' enterprise networks, and interviewing security people without the skills, or worse, with the skills, but without the knowledge or desire to bring about a paradigm shift in security.

These three things are going to be most prevalent in the next 5-10 years regarding security: Mobile Device Management, Cloud Security, and upgrading SOC's to support both. DLP, Content filtering, Next Gen Firewalls, all will be operated virtually, manned operations will migrate to SOCs, data centers, and Mobile Device support centers. New Data Governance models will rise from the ashes of the daily data breaches that are turning existing 'secure' networks into charred out tinder boxes.

-Kalkan999

Sheiko37

I really cannot understand why beads and kalkan999 would prefer the SSCP over CISSP on someone's resume. I notice you both don't have the certification so maybe you're misguided on the content?

The SSCP really is CISSP-lite. If you prefer a SSCP because of the statement it makes about the candidate that the CISSP doesn't make, then you effectively say exam content is not relevant. You could then replace certifications, resumes, and interviews with just a psychometric test.

kalkan999

Not what I said, Sheiko37. I am saying that If I see someone with a CISSP on their resume' but their experience does not match up with the job they are applying for, 'often a senior position', then I get a bit suspicious. I am saying that if I see someone with an SSCP with similar experience as a CISSP with little experience, then I tend to look at the SSCP holder more positively. SSCP's don't apply for Senior positions, usually. Entry level or mid-grade is what they usually apply for AND often get. It's just aggravating when someone with a CISSP cert comes in, looking for a senior position, but isn't qualified for it. Being in security at this point and time means we are TERRIBLY busy, and we need the help. But we can't take too much of our time away from our busy schedules to interview people with the CISSP and think they instantly deserve to make over $100K and be instant security gods above all others. Go get your CISSP. I am all for it! BUT...be ready to take on some serious questions during interviews if I take the time to interview you.

Sheiko37

I hear you. If I complete my CISSP as scheduled in the next few months then I might be one of those people you describe whose resume doesn't 'match up', though I will not be applying for any senior level positions.

The company I currently work for really doesn't foster education, I'm left with no option except self study.

beads

kalkan999 wrote: »

Actually, I 90% agree with you on this post, B/eads. I look at a CISSP with suspicion ONLY when his/her CV does not match up. I dont waste my time humbling and humiliating people with the CISSP cert who don't warrant the title, mostly because I know that there are a lot of people like you who will. I simply look over the Resume' handed to me by random HR person and move along.

SSCP, to me, tells me that the person taking it sees that he/she is lacking in experience AND seems to know better than to spend $70K on a Ahemm...BACHELORS Degree program from ITT or Devry, where the credits don't transfer to other, more legitimate universities. SSCP should be taught at vocational schools, and vocational schools should make a comeback against For-profit universities. SSCP tells me a lot about a person, and a lot of it is positive.

My advice to anyone listening and wanting to venture into the Information Security world. Listen to B/eads, but look past his cynicism an derision. He and I, and others like us who are senior peeps, are stuck in a historical loop. Stuck in Active Directory enterprises, stuck in obsolete 'Defense-in-Depth' enterprise networks, and interviewing security people without the skills, or worse, with the skills, but without the knowledge or desire to bring about a paradigm shift in security.

These three things are going to be most prevalent in the next 5-10 years regarding security: Mobile Device Management, Cloud Security, and upgrading SOC's to support both. DLP, Content filtering, Next Gen Firewalls, all will be operated virtually, manned operations will migrate to SOCs, data centers, and Mobile Device support centers. New Data Governance models will rise from the ashes of the daily data breaches that are turning existing 'secure' networks into charred out tinder boxes.

-Kalkan999

Your being a bit unfair here and doing so by your own admission: "I 90% agree with you on this post, B/eads." I don't bother interviewing people whose resume's simply do not match the experience level to back it up. That is being derisive, cruel, mean or even cynical. Its pointing out the truth of the matter - its an unqualified candidate and I have every right if not duty as a member in good standing to enforce the community rules. My personal rules are a bit harsher, that much is true. I set a higher bar than the organizing body.

The future is in big data sets.

Your list of technologies above feels about as up to date as last weeks tuna sandwich I found in the back of the refrigerator. I'd certainly add going well beyond AD or other LDAP based technologies. They won't go away anytime soon but add Network Based Anomaly Detection (NBADs) working in a form of unholy trio of prevention, detection and remediation. Currently they all seem to do one well and one other 'meh' at best the third not at all. Resulting in the use of three systems, whether appliance or agent/less based running at the same time. Now, if your thinking hard enough about all these alerts all day and trying to figure out how to correlate this new information into decision-able action - don't worry - you can't. At least not in the present form, its too much much for the human mind to assemble. Exactly where we are today. Information parsed once through these alert filters just means we have better data not information. We need to build custom tools to digest this second pass data into human readable, decisive information. I suggest 'R' as the likely starting point before feeding into prezi or other malleable present
software.

Security generating these huge data sets as it were (check your SIEM logs for proof) have already outmoded the human ability to keep up, let alone process this data. Data becomes information and information becomes intelligence becomes an action or control. We are only beginning to scratch the surface of what is possible but the road is path more with discrete mathematics than the old gumshoe methodologies of just a couple of short years ago. Leave the calculus to the physics majors, lol. For security its all discrete and applied differential equations from here on out.

Hardly one to wait for someone else to invent something, I've been hard at work changing the field as I go. Its been quite the insightful journey.

Let's security like its still 1999 shall we?

-b/eads

newjack

I passed my SSCP about a month ago and am waiting on endorsment. I have been kind of fishing out there for jobs to see what I will be called on. I have had a bunch of recruiters call me and about 2 job interviews. I think it has worked pretty well. Wonder if it will change anything once I am fully endorsed.

I only have 2 years experience and looking to get into a full fledged sec analyst roll, even some type of physical security roll with access controls would be cool...