Trying to understand the skill gap between Sec+ and CISSP

I've passed net+, and (shortly) sec+. (I also have passed CISA which is more in line with my job experience - so I'm strong in the control / risk management / process area but I've learned lots of new info prepping for net+/sec+) I'd be very thankful for any guidance on what my next step should be.

I gather from other posts that SSCP is pretty much comparable to sec+, so I'm ruling that out as the next step (please tell me if you think I'm wrong)

I could continue with the CompTIA certs, CSA+, CASP and try to build up to CISSP that way. I like that there are lots of good study materials and the CompTIA certs are set up so that when you complete one, you are pretty much at the right level to start on the next one. To the degree that any overlap exists between CASP and CISSP - no harm done - I'm enjoying working on these and learning but I don't want to prolong the process unnecessarily.

I could try to jump from sec+ directly to CISSP. My concern is if sec+ is a good indication of where my technical skill level is, am I too far away to make the leap, or far enough that it will make the process miserable?

If you have alternative suggestions I'd also be thankful for those.

Thanks for any feedback you can offer.

Find more posts tagged with

Comments

SteveLavoie

If you are a CISA, you are nearer to CISSP than someone with only a Network+, Sec+. CISSP is not that technical, answer must be from a manager perspective and not from a tech one. If I dont make an error, CISA also got a 5 years exp requirement, as CISSP.

I have prepared to do the Sec+ for a few month, but decided to wrote the SSCP test instead, on my way to CISSP.

If I was you, I would study for CISSP directly.

Swimfan2516

What is your experience level? I think that will determine your own gap and whether you're ready or not to take a test that is primarily from a managers perspective. But studying on your own and assessing your own knowledge in the different domains on the CISSP will help you answer your question. Then you'll be able to work on your weak areas and take the test when you're ready... Good luck!

dhay13

I went straight from Sec+ (March 2016) to CISSP (Nov. 2016) and passed both the first time. I had already had quite a bit of security experience but just had not attempted any certs. I guess it depends on your experience.

acw

Thanks for the info guys. I may be closer than thought. I'll evaluate that and see if I should take a shot at it! Thanks again!

OctalDump

What I'd add to this is that Sec+, SSCP, CSA+, CASP, CISSP are aimed at different things. You could roughly rank them in order of difficulty or years of experience required, but I don't think that's the most useful way to categorise them. It's more useful, I think, to look at the roles they are aimed at.

Sec+ and CISSP are similar in that they both attempt to cover the breadth of info sec. However, Sec+ is more a baseline of info sec knowledge for anyone in IT, and CISSP is more directly aimed at an experienced Info Sec professional who likely has responsibilities at the engineer/design/architect end. The CISSP might not have the specific technical skills to implement all of their infosec program, but should have sufficient skills/knowledge to specify infosec requirements across the breadth of IT.

That sort of gap between hands on and design leaves an interesting space for the CISSP. It is possible to be a CISSP without specific, practical, info sec knowledge. You might understand what Kerberos is, and how it works, and why it is good in particular roles and not so good in others, but that doesn't mean you know how to repair a Berkeley database sitting under an OpenLDAP system, or how to configure NTP across multiple kinds of devices. Or understand the value of TLS, but never have configured TLS setting in Apache, or purchased a certificate online.

You might come to that role through management, perhaps from a more Business Analyst focus, or from an audit role. Or you might take a more 'traditional' approach and come up through IT, and hold Security Analyst roles then Security Operations roles then Engineering roles or other senior roles. If you do take that approach, then it's more likely that you will take things like CSA+, SSCP, CASP, CCNA Cyber Ops, MCSE, RHCE etc since those will be appropriate for the roles you have and are seeking to have.

From what you describe, it might actually be an easier transition for you if you skipped CSA+/CASP/SSCP since those all have a definite practical component, whereas CISSP seems more inline with your strengths.

acw

OctalDump wrote: »

What I'd add to this is that Sec+, SSCP, CSA+, CASP, CISSP are aimed at different things. You could roughly rank them in order of difficulty or years of experience required, but I don't think that's the most useful way to categorise them. It's more useful, I think, to look at the roles they are aimed at.

Sec+ and CISSP are similar in that they both attempt to cover the breadth of info sec. However, Sec+ is more a baseline of info sec knowledge for anyone in IT, and CISSP is more directly aimed at an experienced Info Sec professional who likely has responsibilities at the engineer/design/architect end. The CISSP might not have the specific technical skills to implement all of their infosec program, but should have sufficient skills/knowledge to specify infosec requirements across the breadth of IT.

That sort of gap between hands on and design leaves an interesting space for the CISSP. It is possible to be a CISSP without specific, practical, info sec knowledge. You might understand what Kerberos is, and how it works, and why it is good in particular roles and not so good in others, but that doesn't mean you know how to repair a Berkeley database sitting under an OpenLDAP system, or how to configure NTP across multiple kinds of devices. Or understand the value of TLS, but never have configured TLS setting in Apache, or purchased a certificate online.

You might come to that role through management, perhaps from a more Business Analyst focus, or from an audit role. Or you might take a more 'traditional' approach and come up through IT, and hold Security Analyst roles then Security Operations roles then Engineering roles or other senior roles. If you do take that approach, then it's more likely that you will take things like CSA+, SSCP, CASP, CCNA Cyber Ops, MCSE, RHCE etc since those will be appropriate for the roles you have and are seeking to have.

From what you describe, it might actually be an easier transition for you if you skipped CSA+/CASP/SSCP since those all have a definite practical component, whereas CISSP seems more inline with your strengths.

Thanks - this is extremely helpful! I'm pretty far along in my non-technical career and that places some limits on ways that I can reasonably get those technical skills, but CISSP seems perfectly aligned with what I am trying to accomplish. After CISSP I can continue to learn the technical skills, its unlikely that I could approach the level of someone with years of hands on experience, but this time next year I'll know more than I do today...and thats better than spending the year treading water.

Thanks everyone - I understand better now and I've refined my goal. I'm going for CISSP immediately after sec+ and after that I'll try gradually building the technical skill base.