SSCP, worth getting?
dannycracko
Registered Users Posts: 4 ■□□□□□□□□□
in SSCP
Hi Guys,
I have been in IT security field for the past two years. Currently i have CEH and other vendor specific certs. I would like to know whether SSCP should be my next step as I don't meet the requirement for CISSP.
I have been in IT security field for the past two years. Currently i have CEH and other vendor specific certs. I would like to know whether SSCP should be my next step as I don't meet the requirement for CISSP.
Comments
Is this true SSCP is more technical than CISSP? as per my understanding, SSCP (technical) and CISSP(Management).
Absolutely worth it. Given the number of resumes I have recently reviewed and dismissed with CISSP on them and only the slightest of IT experience included the exam has lost much of its former credibility with me. I have seen current helpdesk employees with a full CISSP. Junior Administrators and router jocks not withstanding. These folks should have done the SSCP first and build some credibility into there resumes from a career perspective. Too many are simply nonsense to even bother reading. The next large block are the "studying for the CISSP" resumes currently covering a vast number of vocations from administrative assistants to mid level IT people of varying shades.
Here's where I get jumped on this board. I haven't hired a CISSP in sometime. Rather I will build them from near scratch.
I'd rather hire a security person who has had a career in IT first: Infrastructure, Development or DBA for years. Have some capable BA skills to apply to the situation. THEN, go into security/audit. Otherwise I have to simply start you in the lower levels of audit and train you from there. I have the fourth of five starting 1Jun15 - all freshers with little to no real security experience. Has some advantages.
Webster's Dictionary defines 'Management' as:
: the act or skill of controlling and making decisions about a business, department, sports team, etc.
: the people who make decisions about a business, department, sports team, etc.
: the act or process of deciding how to use something
Not seeing the connection to the exam and running a department, business, team or organization. I remember thinking a great deal about TTP (Tools, Techniques and Practices) though. The last definition is close but not doing it for me. So the SSCP tends to be a bit more in the trenches where the CISSP tends to be a bit less specific, lacking detail. Concentrations tend to be very technical, almost insanely difficult with concrete answers. Hour glassed shaped in focus, I suppose.
Build your skills the right way and you'll stand out in the right way. Lots of cheaters and frauds out there and there is a difference.
- b/eads
Board appoint CISSP jerk
I read this a lot but it's not my experience. The study content is 90% the same between both, and the SSCP exam questions were no more or less technical than any CISSP questions you see on a practice site.
I haven't taken the CISSP exam yet though, maybe the questions are very high level, conceptual and specifically managerial, so by comparison the SSCP is 'technical'.
It can be shortened to 4 if you have relevant further education or certifications listed here: https://www.isc2.org/credential_waiver/default.aspx
I hope that that this helps!
SSCP, to me, tells me that the person taking it sees that he/she is lacking in experience AND seems to know better than to spend $70K on a Ahemm...BACHELORS Degree program from ITT or Devry, where the credits don't transfer to other, more legitimate universities. SSCP should be taught at vocational schools, and vocational schools should make a comeback against For-profit universities. SSCP tells me a lot about a person, and a lot of it is positive.
My advice to anyone listening and wanting to venture into the Information Security world. Listen to B/eads, but look past his cynicism an derision. He and I, and others like us who are senior peeps, are stuck in a historical loop. Stuck in Active Directory enterprises, stuck in obsolete 'Defense-in-Depth' enterprise networks, and interviewing security people without the skills, or worse, with the skills, but without the knowledge or desire to bring about a paradigm shift in security.
These three things are going to be most prevalent in the next 5-10 years regarding security: Mobile Device Management, Cloud Security, and upgrading SOC's to support both. DLP, Content filtering, Next Gen Firewalls, all will be operated virtually, manned operations will migrate to SOCs, data centers, and Mobile Device support centers. New Data Governance models will rise from the ashes of the daily data breaches that are turning existing 'secure' networks into charred out tinder boxes.
-Kalkan999
The SSCP really is CISSP-lite. If you prefer a SSCP because of the statement it makes about the candidate that the CISSP doesn't make, then you effectively say exam content is not relevant. You could then replace certifications, resumes, and interviews with just a psychometric test.
The company I currently work for really doesn't foster education, I'm left with no option except self study.
Your being a bit unfair here and doing so by your own admission: "I 90% agree with you on this post, B/eads." I don't bother interviewing people whose resume's simply do not match the experience level to back it up. That is being derisive, cruel, mean or even cynical. Its pointing out the truth of the matter - its an unqualified candidate and I have every right if not duty as a member in good standing to enforce the community rules. My personal rules are a bit harsher, that much is true. I set a higher bar than the organizing body.
The future is in big data sets.
Your list of technologies above feels about as up to date as last weeks tuna sandwich I found in the back of the refrigerator. I'd certainly add going well beyond AD or other LDAP based technologies. They won't go away anytime soon but add Network Based Anomaly Detection (NBADs) working in a form of unholy trio of prevention, detection and remediation. Currently they all seem to do one well and one other 'meh' at best the third not at all. Resulting in the use of three systems, whether appliance or agent/less based running at the same time. Now, if your thinking hard enough about all these alerts all day and trying to figure out how to correlate this new information into decision-able action - don't worry - you can't. At least not in the present form, its too much much for the human mind to assemble. Exactly where we are today. Information parsed once through these alert filters just means we have better data not information. We need to build custom tools to digest this second pass data into human readable, decisive information. I suggest 'R' as the likely starting point before feeding into prezi or other malleable present
software.
Security generating these huge data sets as it were (check your SIEM logs for proof) have already outmoded the human ability to keep up, let alone process this data. Data becomes information and information becomes intelligence becomes an action or control. We are only beginning to scratch the surface of what is possible but the road is path more with discrete mathematics than the old gumshoe methodologies of just a couple of short years ago. Leave the calculus to the physics majors, lol. For security its all discrete and applied differential equations from here on out.
Hardly one to wait for someone else to invent something, I've been hard at work changing the field as I go. Its been quite the insightful journey.
Let's security like its still 1999 shall we?
-b/eads
I only have 2 years experience and looking to get into a full fledged sec analyst roll, even some type of physical security roll with access controls would be cool...