Does SSCP have value?

I have just finished my MCSE upgrade and am looking my next certification target.

Now, I do not believe in getting a certification in something which I am not qualified to hold. My feeling is that the cert is there to "certify" you are proficient in or have an expert level knowledge of the subject matter depending on which cert.

I have 5.5 years experience split between my current systems admin and a network/security/systems consultant position I held with a smaller company 3 years ago. I implemented firewalls and IPSec VPNs from scratch using Linux and open-source software so I have a pretty good technical understanding of technical aspects of security from my previous experience. Other than a side gig supporing a couple of small companies who have firewalls and a VPN, I'm not really working in that realm anymore, but I would like to certify that I am knowledgeable in this area.

I have shyed away from comptia certs as they seem to be regarded as basic, basic entry level certifications, so no Sec+ for me. I am not interested in infosec management (CISSP) at this time, just a technical cert. Is the SSCP fairly well regarded as an indicator of one's security technical knowledge? Is it sort of unknown and/or growing? Or is it worthless? I did a monster search and only found one job posting in NC that even mentioned SSCP as a desired/required/good to have credential.

I guess if I want in the future to work toward CISSP, then SSCP would best prepare me for that, but what if I just want to certify understanding/competence in info security?

Thanks

b

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

keatron

Well honestly while I'm not exactly a huge SANS proponent, they probably offer the most flexibility and can give you the closest match to what you're looking for. But do be advised they are extremely costly. You do have some other hands on cert options as well. CEH, CHFI, the Checkpoint stuff to name a few. But you can also look into CWSP as it is a nice break from what it sounds like you've been doing. Though you're strictly looking to validate your current skill set, CWSP could secondarily do that for you. You will basically be saying, "I have security skills, and now I know how to apply it to wireless as well" Good luck and let us know what you decide.

garv221

blargoe wrote:

I have just finished my MCSE upgrade and am looking my next certification target. Now, I do not believe in getting a certification in something which I am not qualified to hold.

I agree with your comment if your skills and experience are at entry level. However, I know your far beyond that! It doesn't really make sense to obtain a cert that will secure a position you can already get? I believe once IT employees get to a certain level of expeience, the doors wide open in what they want to certify in. You have MCSE, you know your CCNA and you have experience. If your thinking about SSCP, do CISSP. I wouldn't waste the time getting the little brother.

JDMurray

garv221 wrote:

If your thinking about SSCP, do CISSP. I wouldn't waste the time getting the little brother.

I am currently studying for the SSCP because, 1) I am technical and not managerial, 2) I do not meet the professional requirements for the CISSP, but I do for the SSCP, 3) the SSCP is recognized by all professional organizations that also recognize the CISSP, and 4) there are plenty of security-oriented job posting on the major job boards which mention the SSCP. Unlike SCNP and TICSA, the SSCP seems to have plenty of weight--although I will concede that the (few) number of people that have obtained the SSCP as compared to the CISSP do not seem to bear this assertion out.

blargoe

I was wondering if there was anyone else here thinking about SSCP. My line of thinking on this is pretty much the same as jdmurray. Though someday in the not to distant future, I believe will meet the technical requirements for CISSP.

However this has taken a seat on the back burner since I have taken a new position recently that is much more demanding and my training is set in stone for the next little while. I'm hitting Exchange very hard, being flown off to classes, and will do MCSE+Messaging, then training for EMC SAN, then SQL 2005, then renew CCNA. It's like a boot camp, but they're paying me instead of me paying them

I feel pretty sure I'll get the approval to pursue a security cert like SSCP next year.

garv221

jdmurray wrote:

garv221 wrote:

If your thinking about SSCP, do CISSP. I wouldn't waste the time getting the little brother.

I am currently studying for the SSCP because, 1) I am technical and not managerial, 2) I do not meet the professional requirements for the CISSP, but I do for the SSCP, 3) the SSCP is recognized by all professional organizations that also recognize the CISSP, and 4) there are plenty of security-oriented job posting on the major job boards which mention the SSCP. Unlike SCNP and TICSA, the SSCP seems to have plenty of weight--although I will concede that the (few) number of people that have obtained the SSCP as compared to the CISSP do not seem to bear this assertion out.

I knew you were studying SSCP & I understand why you are going for that cert, I hope I did not offend you. I noticed blargoe had CISSP on his desired list. I thought about SSCP as well, but I knew in the future I would be obtaining CISSP so it did not make much sense to get SSCP. The more I read CISSP the more I understand why you must be in a manager position to fully understand the concepts. SSCP is more technical then? Geared toward those engineers working in depth in a certain area of security?

JDMurray

garv221 wrote:

The more I read CISSP the more I understand why you must be in a manager position to fully understand the concepts. SSCP is more technical then? Geared toward those engineers working in depth in a certain area of security?

I think anyone is capable of understanding the CBK concepts without having been in security management, but you need the practical management experience to really have the best chance of passing the CISSP. I have heard that the questions on the SSCP are bent more towards the technical rather than the managerial/administrative. I'll let you know.

And for the record, I do intend on one day passing the CISSP, but I can't see that happening until I've been working in an actual information security environment for many years. Until then, the SSCP, Wireless#, and a few Microsoft .NET technology certs are more than enough of a load for me. Oh, and this Masters degree thingy, too, that I have another year remaining in accomplishing.

drakhan2002

Go with the CISSP, not the SSCP. I work in a Fortune 500 Bank. If you want to play in the "major leagues", you have to have a major league certification. I am not a manager, but I've been in the Information Security field for several years (I have over 12 years experience in IT altogether). The SSCP is good for a more entry level person...not someone who has been in IT for over 5 years. If you've been in IT that long, sit for the CISSP, you'll be glad you did.

Search Monster.com and compare the number of hits between CISSP and SSCP. It is like the difference between a CISA and CISM - if you want to be at the top of the pecking order, get the highest certification you can.

Anyone considering these lower level certifications, more power to you...just wave goodbye to those who decided take the extra time to prepare for the harder certification...as they will be the ones flying past you to the top of the industry.

garv221

drakhan2002 wrote:

Go with the CISSP, not the SSCP. I work in a Fortune 500 Bank. If you want to play in the "major leagues", you have to have a major league certification. I am not a manager, but I've been in the Information Security field for several years (I have over 12 years experience in IT altogether). The SSCP is good for a more entry level person...not someone who has been in IT for over 5 years. If you've been in IT that long, sit for the CISSP, you'll be glad you did.

Search Monster.com and compare the number of hits between CISSP and SSCP. It is like the difference between a CISA and CISM - if you want to be at the top of the pecking order, get the highest certification you can.

Anyone considering these lower level certifications, more power to you...just wave goodbye to those who decided take the extra time to prepare for the harder certification...as they will be the ones flying past you to the top of the industry.

As you can see from my previous postings I can agree with you to a certain point. However, after studying this cert I would have to say this is only for people who have a current manager style position which not only works on these domains but directly/indirectly over sees almost all of them. This is one of those certs where reading CISSP ahead of your exprience will not benifit you and for the majority I can see SSCP a smart move toward a rewarding certification path.

drakhan2002

"This is one of those certs where reading CISSP ahead of your exprience will not benifit you and for the majority I can see SSCP a smart move toward a rewarding certification path."

I partially agree with your statement. Yes, you probably cannot pass the CISSP without a few years of experience. However, the SSCP is more an entry level type of certification. Although it is an ISC2 certification, it holds the same weight as CompTIA's Security+ - it will give you a 1 year write off for the experience requirements for a CISSP.

I do not agree that a CISSP necessarily for managers - I know plenty of "technical" employees, many of whom sit down the hall from me with a CISSP. Heck the guy in the office next to mine is a CISSP and he is an Information Security Architect - he also has a CISA. I work in a world class information security department. A lot of people have the CISSP - it is not considered a "big deal." More technical folks have the CISSP than the managers. There are 80 people in my department and probably 20 of them have a CISSP. Of those probably 7 or so are managers with the CISSP. So I guess that's where my thoughts are coming from. I haven't worked any where else in a long time, so the enviroment may demand a lesser skill set than I am used to dealing with.

I think that anyone pursuing any type of certification, whether it be Security+, SSCP, CISA, CISM, or CISSP is great! We need more qualified people in information security - it seems like there are more bad guys out there every day.

If the SSCP is part of your certification track, good luck! It is a great stepping stone on to the CISSP. But seriously consider going on to pursue the CISSP - it is not just for managers.

goforthbmerry

I am a bit confused. I thought there was some requirements to actually sit for the exam. Don't you need to be able to show a certain number of years experience before you are allowed to sit for the exam. I thought that there were situations in which the time requirement is lessened but you still needed some. If a person does not have that many years of experience isn't worthwhile to take the SSCP if they qualify for it. It at least shows the desire and skill set it takes to eventually achieve the higher cert.

keatron

goforthbmerry wrote:

I am a bit confused. I thought there was some requirements to actually sit for the exam. Don't you need to be able to show a certain number of years experience before you are allowed to sit for the exam. I thought that there were situations in which the time requirement is lessened but you still needed some. If a person does not have that many years of experience isn't worthwhile to take the SSCP if they qualify for it. It at least shows the desire and skill set it takes to eventually achieve the higher cert.

You are correct in assuming that you need to meet some requirements to sit the exam. Here they are.

CISSP® candidates must meet the following requirements prior to taking the CISSP examination.

Subscribe to the (ISC)² Code of Ethics.
Have a minimum of four years of direct full-time security professional work experience in one or more of the ten domains of the (ISC)² CISSP® CBK® or three years of direct full-time security professional work experience in one or more of the ten domains of the CISSP® CBK® with a college degree. Additionally, a Master's Degree in Information Security from a National Center of Excellence can substitute for one year toward the four-year requirement.

Also it is a common mis-conception that all one needs to do is sit and pass the exam to become a CISSP. This is far from the truth. Passing the exam does not mean you're a CISSP. The certification process is a process within itself. A mandatory prereq. of obtaining the CISSP is passing the exam. After passing the exam you'll need to go through the endorsement process to actually get the certification.

garv221

drakhan2002 - You are right, CISSP is not just for managers. I meant a more manager type position, where someone sits in control of an environment - networks, security, people....just someone granted responsibility of being in charge of something. I currently hold a manager position & I remember thinking that some of the stuff I was reading would not have fell into place like it has without my current thought process brought on by my position. For example backups, fault recovery, fire hazards, security from all angles, 1000’s of potential vulnerabilities…Stuff when I was not a manager I was sheltered from and did not even think about because it was my boss’s responsibility. It’s a pretty cool cert and I have a lot of respect for those who have it. Good luck

fva

Hello,

I'm new to this forum and saw this topic and just wanted to add a question or two.

Background: I have worked in IT for over 10 years, 9 years in a Help Desk/Service Desk setting (for 2 different companies) before finally getting into a Security Administration job 1.5 years ago. I have several books for the Security+ exam and have been meaning to pursue that exam since I got the Sec. Admin job, but haven't gotten to the point where I felt ready to take the exam.

At my job there are 5 CISSPs in the advanced technical/management roles in Enterprise Security department. Those 5 decided that the rest of us should pursue the SSCP exam, so the Syngress and Wiley books have been ordered, training sessions organized and I think the exam date has been set for next spring. I'm eager to pursue the SSCP exam.

I can see myself pursuing the CISSP exam in 3 or 4 years time, once I have the experience level required. Would it be wise to still pursue the Security+ exam once I have finished the SSCP?

Sincerely,

Frank

sprkymrk

fva wrote:

I can see myself pursuing the CISSP exam in 3 or 4 years time, once I have the experience level required. Would it be wise to still pursue the Security+ exam once I have finished the SSCP?

Hi Frank, welcome to the forums.

I think you could go either way. You will find a couple of small differences between the SSCP and the Sec+ in their philosophy that might be confusing, but having the SSCP under your belt should make the Sec+ that much easier. I guess you would have to consider your reasons and effort-to-benefit ratio. If you plan on beefing up your resume, the Security+ is sometimes a required certification while the SSCP is not as common (even though I think it is better). If you are pretty sure you are going to stay with your current employer and pursue the CISSP then you might want to begin familiarizing yourself with that material right after your SSCP, even though you will lack the experience to become a CISSP for a couple of years.

Personally, since you will still have plenty of time before getting your CISSP, I would still go for the Security+ to stay in a "security mindset" after the SSCP. The material is good, and I can't see the investment "hurting" you in any way.

Good luck with whatever you decide, and please keep us posted on your SSCP progress.

JDMurray

The Security+ is more recognized by other certification organizations, such as Microsoft, than the SSCP. Security-minded employers are also likely to recognize Security+ and CISSP, but overlook the SSCP. This is mainly due to how aggressively the Security+ has been marketed by CompTIA, and not an indication that it is a "better" cert than the SSCP.

I agree with sprkymrk in that getting your Security+ is a very good way to prep for the SSCP, just as getting the SSCP is a very good way to prep for the CISSP; I'm certainly going that route.

Webmaster

fva wrote:

Would it be wise to still pursue the Security+ exam once I have finished the SSCP?

jdmurray wrote:

The Security+ is more recognized by other certification organizations, such as Microsoft, than the SSCP. Security-minded employers are also likely to recognize Security+ and CISSP, but overlook the SSCP. This is mainly due to how aggressively the Security+ has been marketed by CompTIA, and not an indication that it is a "better" cert than the SSCP.

I agree, and imo the extra, recognizable, letters on a resume, and the option to use Security+ as a Microsoft elective, are also the only reasons to justify Security+ 'after' SSCP.

But apart from that, I think those 5 CISSP made a very wise decision. It doesn't look like you need those extra letters on your resume for at least some time. And after the SSCP, and after years of relevant experience, Security+ seems like a waste of time to me. I agree with Mark though, it won't hurt you either, and if you understand the SSCP topics, the Security+ exam won't be really challenging. On the other hand, knowing too much (knowing more than CompTIA, which any SSCP will) can make it a tricky exam. Just remember to go for the obvious basic answer, even if you know another answer can work just as well under certain circumstances.

Actually, much of the SSCP study material is a lot better for preparing for Security+ than most of the Security+ books. Access Control Models for example, a rather vague topic in Security+, that becomes a lot clearer after reading SSCP or even CISSP material. It just goes bit further/deeper, which is needed to get a complete picture. This goes for many other topics as well, cryptography, intrustion detection, and physical security for example.

fva

Thank you for your responses and the feedback.

The SSCP Wiley and Syngress books arrived at work today, so we have about 4 months to get ready for the exam. I believe there are 10 to 12 people in our department that will be pursuing this exam, and so far I'm the most eager person to start studying!

I'll probably still pursue the Security+ exam at some point after I earn the SSCP, mainly since I have a lot of books and materials for it. I do feel like I'm fairly secure in my current job and would have room to move up in the company down the road.

Frank

blargoe

I almost forgot about this thread...

I've been directed to spend the rest of out training dollars for the year on books and study materials for our department and I intend on picking up SSCP materials for myself. I have seen the Syngress and Wiley books mentioned, does anyone have opinions on these books or any other guides for the SSCP?

JDMurray

Both the Syngress and Wiley SSCP books can be picked up at discount Web booksellers for under $10US, so at that price they are at least worth buying to read. There's no equivalent of Shon Harris' CISSP All-in-One book for the SSCP, but the (ISC)2 will be releasing the Official (ISC)2 Guide to the SSCP CBK next year . If you can't wait for it, the new edition of the Official (ISC)2 Guide to the CISSP CBK would be a very good substitute, but does not cover all of the material on the SSCP exam.

Whether or not you can pass the SSCP after reading any or all of these books would depend upon your level of experience with the exam's domains and topics.

http://www.amazon.com/Official-ISC-Guide-SSCP-CBK/dp/0849327741/sr=1-3/qid=1166560288/ref=pd_bbs_sr_3/002-9705952-2620859

http://www.amazon.com/Official-ISC-Guide-CISSP-Press/dp/0849382319/sr=1-1/qid=1166560674/ref=sr_1_1/002-9705952-2620859

royal

I'm very interested in Security as well. As I study for my MCSE, I always look at everything in a security related fashion. My employer forced me to do my 297 exam for my MCSE, so I will have to go back and do 298, then 299 (they are forcing me to do 299 as well), and I am drawn between Security+ and ISA. Our company does lots of ISA work and I will be working with Exchange as my main area of focus for my company. After I do the MCSE: Security and Messaging, I am thinking about doing SSCP. Just like Jdmurray, I will want to do the CISSP eventually. The CISSP is years away for me, however.