SSCP - Lack of love

wayne_wonder

As the title suggests in the UK at least can't vouch for America but there seems to be a lack of people taking this cert over way the security + why is that? Is it a case of its big brother casting a pretty large shadow over it?

I mean even the CEH gets more hits on job sites like indeed in the UK I was all set to take it even though I have about 2/3 years knowledge of 3/4 domains when it comes to the Cissp but don't fancy spending £200. When I might as well go the whole hog to get the Cissp.

Tongy

The honest answer is that SSCP occupies something of a certification no mans land. 125 questions (half CISSP) 3 hours (half CISSP) but requires only 1 of Infosec experience? Seems like a lot of hoops to jump through for something that is pretty difficult to attain, costs less and is less recognised than Sec+

That said, I see value in both, but am prouder of the SSCP designation than Sec+ - and saw it as a stepping stone certification to CISSP (eventually).

I see value in it and if/when I hire people, will see having it as a good thing for the candidate.

wayne_wonder

Tongy wrote: »

The honest answer is that SSCP occupies something of a certification no mans land. 125 questions (half CISSP) 3 hours (half CISSP) but requires only 1 of Infosec experience? Seems like a lot of hoops to jump through for something that is pretty difficult to attain, costs less and is less recognised than Sec+

That said, I see value in both, but am prouder of the SSCP designation than Sec+ - and saw it as a stepping stone certification to CISSP (eventually).

I see value in it and if/when I hire people, will see having it as a good thing for the candidate.

I'd definitely put it above the sec+ I think they need to really push it like the sec+ and ceh etc! I'm taking it in about 3/4 weeks it will definitely compliment my current skill set plus Certs then from there take the cissp or cism maybe

matai

I got it last year a couple weeks after the Security+.

My thought was that since my employer was paying for it, why not?

danny069

As said in wrestling, "The man (or woman) makes the title, the title does not make the man (or woman)", so if you see value in it, then there is value in it, no matter the opinion of others. So I will say, "The man (or woman) makes the cert, the cert does not make the man (or woman)" Which in a nutshell all means, if YOU believe, I believe.

Remedymp

The problem isn't the certification per se, it's the organization. ISC is almost a non-existent organization outside of the CISSP. It's just not relevant in comparison to San's and GIAC certs or ISACA and CISA/CRISC. The latter two are constantly evolving and widely available per region as they have regional chapters. ISC just does not have that presence.

So, therefore, they lose any relevance and the non-cissp cert won't mean much.

Security+ has relevance because Comptia is on the front line working with companies to constantly evolve it. This is how the CASP certification came to be.

OctalDump

Remedymp wrote: »

The problem isn't the certification per se, it's the organization. ISC is almost a non-existent organization outside of the CISSP. It's just not relevant in comparison to San's and GIAC certs or ISACA and CISA/CRISC. The latter two are constantly evolving and widely available per region as they have regional chapters. ISC just does not have that presence.

So, therefore, they lose any relevance and the non-cissp cert won't mean much.

Security+ has relevance because Comptia is on the front line working with companies to constantly evolve it. This is how the CASP certification came to be.

I'm inclined to broadly agree. Info Sec certifications are a mess compared to vendor certifications. That's sought of expected, since a vendor has nice well defined limits on the certification.

If you look at the top Info Sec certs, they are from different certifying bodies -
Security+ - Comptia
CISSP - (ISC)²
OSCP - Offensive Security
GSEC - GIAC
CISM - ISACA
CEH - EC-Council

Three of those are generalist certs, two are pen testing. CISM seems to have a generalist core with a management/governance/audit bent.

GIAC and EC-Council try to cover everything, although GIAC does a better job. CompTIA have entry level and 'advanced' general Info Sec certifications. (ISC)² offers a range. Offensive Security and ISACA seem to be better at specialisation, which makes the most sense in terms of brand eg I am looking for someone to manage IT Sec governance and compliance, I'll look for ISACA certs.

If you take something like CASP, it's pretty similar to GSEC or SSCP in its aims. Do we need three flavours of the same thing? If you look at some of the more obscure offerings, ECES or ENSA or CSSLP or GCED, you'll rarely see them asked for, putting the burden of educating on the applicant/employee ("I have this certification which means I know this and can do that. The certifying body also do the x certificate.").

If you look at penetration testing, the industry specialists don't seem to see much value in any of the certs, with maybe the Offensive Security offerings best regarded, along with something like GXPN.

Maybe part of the problem is that Info Sec is still maturing into clearly defined specialisations, and management is still figuring out what skills they need in particular roles and what certifications are meaningful. CEH is an excellent example of the disconnect. It would make more sense if each of the certifying bodies specialised in a particular area, and delivered quality in that area.

Maybe in a few years, when Info Sec is more mature and management "get it", we'll see some rationalisation.

gncsmith

matai wrote: »

I got it last year a couple weeks after the Security+.

My thought was that since my employer was paying for it, why not?

What were your study materials?