Career-wise, OSCP or CEH?

Comments

  • Hornswoggler Member Posts: 63
    kurzon wrote: »
    This is exactly what I'm talking about. CISSP is clearly a managerial certification, which is for people who aim at managerial positions. If you consider the fact that a certification program should add something to your experience, what is the purpose of having CISSP for someone who has red team type experience?

    Allow me a moment to call BS right there.

    Look, studying for the CISSP and taking the exam is boring. It's dry, there is no hands-on, most of it is reading and memorization. It does not go very deep, the exam is expensive, and the renewal fees are a crock. I get it. The CISSP is NOT FUN.

    With that said, unless you find the delusional dream job of being the lone nerd in the basement, you WILL interact and communicate with IT security managers. You will work with these "CISSP" level managers to understand your assignments, to help them understand the technical aspects, the requirements, the output, the remediation, and whatever consulting you need to provide for your engagements. The CISSP gives the holders a common language to use, be it describing threat actors, attack surface, separation of duties, risk, quantitative vs qualitative analysis, and a general understanding of all things security. It's good to understand and be able to hold a consistent conversation on all things security. If the management audience is talking the CISSP language, so should you. Put your reports/docs/presentations/emails in the terms and format they understand. It gets everybody on the same page and shows that you have a well-rounded foundational understanding of IT security. It should be a requirement (or comparable cert) for getting into the field.

    Also picture the ideal job. Will somebody hire you to just be a "hacker", where you rely on leet skillz to impress your boss, or will you first and foremost be a security professional who helps the business make smart decisions as they weigh the pros and cons of a risk?
    2018: Linux+, eWPT/GWAPT
  • Raisin Member Posts: 136
    You know, I hated studying for the CISSP, but now that it's over I'm glad I did it. Yes, there's a heavy level of content directed towards management, but this is important for regular employees to understand too. It's easy for people to roll their eyes at a security policy if they have no idea about the reasoning behind it.

    Also for a pen tester I'd make it a requirement to have a CISSP. It would be a complete waste of time and money to find vulnerabilities if the person preparing a report can't convey them in terms that management can comprehend, or even worse offend someone high up by misunderstanding their role in the organization.
  • kurzon Member Posts: 20
    Guys, I completely understand how you justify the CISSP, but isn't that what the SSCP is for?

    Quote directly from ISC2 SSCP brochure (http://www.usf.edu/continuing-education/documents/sscp-brochure.pdf):
    "From graduation to retirement, (ISC)2’s got your back. If you are an SSCP looking to advance your career beyond the technical aspects of information security and into a managerial position, then the CISSP should be your next career goal. CISSPs are key decision makers who develop policies, standards, procedures and manage the overall implementation of them across the enterprise."

    ISC2 must promote SSCP better to the industry. Learning about corporate security practices; understanding policies, procedures, regulations, etc.; being able to talk the same language with upper management: all of these are provided by SSCP.

    I am not a lone nerd in a basement "unfortunately" :) , I have been working in the largest IT and telecommunications companies in my country for more than 10 years, and doing network and security tasks every day including preparing procedures and presenting them to the upper management.

    Believe me, no manager is actually looking for a CISSP level technical employee. They just "think" that they need it, only because of the popularity of the CISSP name and also because they do not have any idea about SSCP.

    I insist, CISSP is (should be?) a waste of time and effort for a technical level employee.
  • asurania Member Posts: 145
    At the end of the day... you need the CISSP. I do agree SSCP is what is needed for the technical team, but everyone is looking for the CISSP, due to branding. The recruiters and HR department screen for CISSP, not SSCP.

    The recruiters and HR department are the ones who get the resume into the hiring manager's hands (who might not care if you have the CISSP, the SSCP or neither), but the recruiters and HR department do.

    So you can try to fight and justify why NOT to do the CISSP, but if you want the best chance to get the better or higher paying position... just get the CISSP done.
  • kurzon Member Posts: 20
    @asurania, that is true. And as I stated above, I will get the CISSP; it is my goal for next year.

    In the meantime, I will be fighting for the SSCP in every interview. :)

    I believe this topic is not about my certification choices anymore. I will try to have OSCP this year, and CISSP during the first quarter of 2018. I just keep writing to discuss the value of the CISSP over SSCP.
  • Hornswoggler Member Posts: 63
    SSCP doesn't have the recognition. Maybe it's the better fit but I don't think you can turn around the industry hiring practices overnight.
    2018: Linux+, eWPT/GWAPT
  • p@r0tuXus Member Posts: 532
    Hornswoggler wrote: »
    SSCP doesn't have the recognition. Maybe it's the better fit but I don't think you can turn around the industry hiring practices overnight.

    The CISSP exam costs are easily more than twice the SSCP. So the fact that more hiring managers will want the CISSP holders than SSCP, only makes ISC2 more money. I wouldn't hold your breath on the organization sounding the horn for SSCP with those kinds of profits at stake.
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • 518 Member Posts: 165
    kurzon wrote: »
    @jelevated, CISSP is not the direction I want to take. I have zero interest in managerial positions.

    Here are two example ads that I might be interested in.

    https://ca.indeed.com/viewjob?jk=281e1e6467be002a

    Cyber Security Analyst

    Would you look at that, both jobs have the "CISSP" acronym on them.

    I don't understand how CISSP is perceived as a "managerial" position. Most technical cybersecurity jobs I see ask for CISSP. Bombardier works with US defense companies; expect them to prefer "CISSP."

    If my job didn't ask for CISSP, I would have taken OSCP instead... I still plan to.
  • ITSpectre Member Posts: 1,040
    Honestly.....

    I would get both, the OSCP and the CISSP. That way you have all bases covered. You have the tech knowledge with the OSCP... and the manager knowledge to talk about company risk assessments, and thinking like a manager. You don't have to be a manager or want to be one to have the CISSP. I used to work with a NOC that had his CISSP.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • beads Member Posts: 1,531
    We lost the SSCP vs CISSP (plus concentrations) battle years ago. Today it's just an HR filter, more concerned with the number of certified people than anything else.

    The old adage still rings true: The CISSP is worth more to those without than to those with the certification.

    - b/eads
  • ITSpectre Member Posts: 1,040
    beads wrote: »
    We lost the SSCP vs CISSP (plus concentrations) battle years ago. Today it's just an HR filter, more concerned with the number of certified people than anything else.

    The old adage still rings true: The CISSP is worth more to those without than to those with the certification.

    - b/eads

    Plus they give anyone a CISSP!!!
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • mbarrett Member Posts: 397
    518 wrote: »
    I don't understand how CISSP is perceived as a "managerial" position. Most technical cybersecurity jobs I see ask for CISSP. Bombardier works with US defense companies; expect them to prefer "CISSP."
    Government jobs look to CISSP because it's on the list of certs in compliance with the government requirements for IT jobs, such as DoD Instruction 8570.1m. This is a hard & fast requirement.
    Commercial companies might be listing that in their non-Infosec job ads, but I think it might be more of a nice-to-have thing, I don't believe it holds as much weight - especially with the hiring managers & technical people.
  • TLeTourneau Member Posts: 616
    kurzon wrote: »
    Guys, I completely understand how you justify the CISSP, but isn't that what the SSCP is for?

    Quote directly from ISC2 SSCP brochure (http://www.usf.edu/continuing-education/documents/sscp-brochure.pdf):
    "From graduation to retirement, (ISC)2’s got your back. If you are an SSCP looking to advance your career beyond the technical aspects of information security and into a managerial position, then the CISSP should be your next career goal. CISSPs are key decision makers who develop policies, standards, procedures and manage the overall implementation of them across the enterprise."

    ISC2 must promote SSCP better to the industry. Learning about corporate security practices; understanding policies, procedures, regulations, etc.; being able to talk the same language with upper management: all of these are provided by SSCP.

    I am not a lone nerd in a basement "unfortunately" :) , I have been working in the largest IT and telecommunications companies in my country for more than 10 years, and doing network and security tasks every day including preparing procedures and presenting them to the upper management.

    Believe me, no manager is actually looking for a CISSP level technical employee. They just "think" that they need it, only because of the popularity of the CISSP name and also because they do not have any idea about SSCP.

    I insist, CISSP is (should be?) a waste of time and effort for a technical level employee.

    Ok, I'll have to let our IS managers know that they are not looking for their technical staff to have a CISSP - they will be amazed to find that out.
    Thanks, Tom

    M.S. - Cybersecurity and Information Assurance
    B.S: IT - Network Design & Management
  • 518 Member Posts: 165
    mbarrett wrote: »
    Government jobs look to CISSP because it's on the list of certs in compliance with the government requirements for IT jobs, such as DoD Instruction 8570.1m. This is a hard & fast requirement.
    Commercial companies might be listing that in their non-Infosec job ads, but I think it might be more of a nice-to-have thing, I don't believe it holds as much weight - especially with the hiring managers & technical people.

    Believe me, I said that same thing to myself: I don't need a CISSP to use security-related COTS tools. But time and time again, those hospitals, banks, and utility companies want CISSP-certified security analysts. What do you think I did to get a call for a sec analyst job?

    And let's not get started with 8570; we could have a thread dedicated just to 8570. Those so-called IAs who only do C&A/A&A didn't need CISSP; a CAP would do, and it was launched the same year DoD released 8570. Not to mention, my CIV/GS counterparts only possess Security+.

    It doesn't matter what a "candidate" thinks. The hiring manager wants a CISSP; they are getting a CISSP. We can justify the CISSP all we want (I think this has been beaten to death), but at the end of the day, if you are not the hiring manager, stop justifying that you don't need the CISSP when applying for the job. You don't like what the job ad says? Move on and apply to a different company.

    Wait, I thought this thread was about OSCP vs CEH? :D

    I think someone has already mentioned this, and I agree:
    - CEH to satisfy job ad/requirement
    - OSCP to do well on your job
  • hoccniki Member Posts: 5
    I think it depends on what role you would like to go for. If you need really hands-on skills in pentesting, you should go for OSCP. However, in my case, I am on the IT audit side; I need the knowledge to audit the cybersecurity process, but not to actually be the one doing it, so CEH is enough for me. I'm still waiting for the funding from my boss to take the exam - a way to please your boss. But knowledge-wise, I don't see CEH benefiting me the most.
    Advanced degree attained: MA Management, MA Anthropology
    Working on: Certified Internal Auditor (CIA) - part 3, Fellow, Life Management Institute (FLMI)
    2018 target: CEH
  • misterbaanu Registered Users Posts: 1
    Well said. One word: gun shot.
    jelevated wrote: »
    CISSP for the name, OSCP for the brain.
  • ITSpectre Member Posts: 1,040
    CEH - get this only if you have to get it to be in compliance with your job, boss, etc....
    OSCP - Get this if you want good hands on with pentesting.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • m4v3r1ck Member Posts: 29
    I have the CEH and it was a waste of money in terms of knowledge. You get to play with a ton of toys, but it's an easy multiple choice test and I found the EC Council instructor to be boring. However, it does check the 8570 box if you need it and gets you past HR. It would be worth it just for those two things.

    The OSCP will teach you a ton about pen testing and will impress a hiring manager. I work at a major company that pays our pentesters 6-figures and some of those guys struggled through the OSCP. It's not an easy certification, but it's very rewarding when you are done.

    The most important thing you can do for your career is network. Get out and meet people in the field you want to be in. You never know when they may think of you for a job opening.
  • ITSpectre Member Posts: 1,040
    m4v3r1ck wrote: »
    I have the CEH and it was a waste of money in terms of knowledge. You get to play with a ton of toys, but it's an easy multiple choice test and I found the EC Council instructor to be boring. However, it does check the 8570 box if you need it and gets you past HR. It would be worth it just for those two things.

    The OSCP will teach you a ton about pen testing and will impress a hiring manager. I work at a major company that pays our pentesters 6-figures and some of those guys struggled through the OSCP. It's not an easy certification, but it's very rewarding when you are done.

    The most important thing you can do for your career is network. Get out and meet people in the field you want to be in. You never know when they may think of you for a job opening.

    Yup, you are right. Also network and make associations at work. You never know when your co-worker may help you get a job one day.
    In the darkest hour, there is always a way out - Eve ME3 :cool:
    “The measure of an individual can be difficult to discern by actions alone.” – Thane Krios
  • Raisin Member Posts: 136
    I think another argument is that the people currently sitting in most security jobs hold a CISSP. For me it was a challenge but not the hardest thing I've ever done. Despite all its flaws, the test material did open my mind up to the business aspect of security, which is often overlooked when people just focus on the technical side of things. When I see people complain and argue why they don't need a CISSP, it mostly just makes me roll my eyes; my thinking is that I did it when I didn't want to, so why should this other guy get to skip this step in his security career? I suspect many hiring managers are going to be thinking that too. Odds are, if you walk into an interview and tell the CISSPs sitting across from you that their cert is worthless and you don't need it... don't be surprised if you get passed over for that position.
  • mikey88 Member Posts: 495
    Hey @Databasehead, great research and chart. I am wondering if you also researched any other security certs from GIAC, EC-Council and Cisco?
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux