CISSP Associate or SSCP? Or both?

Hi all,
I've currently been studying for the CISSP with hopes of getting my certification. The issue is that I lack the work experience. I'm almost 2 years into the security field as a 'security administrator' but I've been working somewhat in between the high level policy level and the more technical level. Most of what I do falls in the "review" category (log review looking for discrepancies/anomalies, firewall ACL reviews, and some higher level policy review).
I'd like to grow in my understanding of both high level and technical expertise for sure. I'm greatly interested in the hands-on/technical side though, as that's my 'first nature,' but I want to be able to gain the perspective of seeing the 'big picture' of things as well.

In any case, I was wondering if it's a wise idea to continue pursuing the Associate CISSP status right now, or if I should just go for the SSCP as the first priority. This is in terms of advancing in my career along with gaining certs. As it is, I feel a bit pigeon-holed where I am now (hence a lack of hands-on as I alluded to earlier), and I also feel like a cert would help make me more marketable in general. The problem is, I don't know which one would complement my resume more. A majority of my resume includes more technical skills (Unix/Linux, Bash/Perl, Packet sniffing/vuln scanning, etc).

Any advice on a good direction to go in my case?

Thanks guys!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

JDMurray

I am currently studying for the SSCP cert exam in preparation for one day taking the CISSP exam as well. Many employers recognize the SSCP as a desirable security certification. The "Associate of the (ISC)2" designation is not an actual certification and is not accepted as such. If you want a general security cert on your resume that has more weight than the CompTIA Security+, but you don't yet meet all of the requirements for the CISSP cert, I would suggest that getting the SSCP is a very good way to go. That's what I'm doing, anyway.

jplee3

JDMurray wrote:

I am currently studying for the SSCP cert exam in preparation for one day taking the CISSP exam as well. Many employers recognize the SSCP as a desirable security certification. The "Associate of the (ISC)2" designation is not an actual certification and is not accepted as such. If you want a general security cert on your resume that has more weight than the CompTIA Security+, but you don't yet meet all of the requirements for the CISSP cert, I would suggest that getting the SSCP is a very good way to go. That's what I'm doing, anyway.

Thanks for the tip! Yea, that's what I was thinking as well - the fact that it's a solid cert that I can have in my hands might be a little more tangible for employers to grasp. So I heard that the CISSP encompasses the SSCP - is this true? I also read that the SSCP is more 'hands-on' than CISSP. Do you think I could just study for the CISSP (I'm using Shon Harris' book) and go into the SSCP with pretty good confidence in passing?

JDMurray

jplee3 wrote:

So I heard that the CISSP encompasses the SSCP - is this true? I also read that the SSCP is more 'hands-on' than CISSP.

Yes and no. There is a lot of overlap in the information in the CBK's for each exam, but the SSCP covers more technical topics, while the the CISSP tends more to the managerial/administrative side. For example, the SSCP goes into much more depth about telecommunications, networks, and malicious code than the CISSP; the CISSP covers physical security, BCP/DRP, and laws and ethics, while the SSCP really doesn't. And both certs are vendors-neutral, so there's no "hands-on" anything (like simulators) in either exam.

jplee3 wrote:

Do you think I could just study for the CISSP (I'm using Shon Harris' book) and go into the SSCP with pretty good confidence in passing?

You could, but there's no need to. The (ISC)2's Official SSCP Study Guide is the standard text. There are also a couple of SSCP study guides from Syngress and Wiley that can be bought for less than $10 each. There's also SSCP cert prep material from companies like PrepLogic. And only you can determine how confidant you are in passing any exam.

jplee3

JDMurray wrote:

jplee3 wrote:

So I heard that the CISSP encompasses the SSCP - is this true? I also read that the SSCP is more 'hands-on' than CISSP.

Yes and no. There is a lot of overlap in the information in the CBK's for each exam, but the SSCP covers more technical topics, while the the CISSP tends more to the managerial/administrative side. For example, the SSCP goes into much more depth about telecommunications, networks, and malicious code than the CISSP; the CISSP covers physical security, BCP/DRP, and laws and ethics, while the SSCP really doesn't. And both certs are vendors-neutral, so there's no "hands-on" anything (like simulators) in either exam.

jplee3 wrote:

Do you think I could just study for the CISSP (I'm using Shon Harris' book) and go into the SSCP with pretty good confidence in passing?

You could, but there's no need to. The (ISC)2's Official SSCP Study Guide is the standard text. There are also a couple of SSCP study guides from Syngress and Wiley that can be bought for less than $10 each. There's also SSCP cert prep material from companies like PrepLogic. And only you can determine how confidant you are in passing any exam.

Well, I just realized that I may actually be closer to meeting the CISSP requirements than I thought as I did do some related work at my old company for the couple years I was there. In the QA group at my old place, part of the checklist was testing encryption as well as working with file/folder ACLs/CHACLs. I used [formely] Ethereal to sniff for verifying encryption. Of course, this wasn't done every single day but on a fairly consistent basis as these items were part of checklists we went through. I'm thinking [hoping] these should qualify as experience... if so, then I'll be much closer to the 5 years I need for CISSP. At this point, I'm thinking I should just keep studying for the CISSP and just try to go for teh associates ASAP.

JDMurray

Only the (ISC)2 can determine what they will accept as valid InfoSec work experience, so you might as well go for it. The worse that can happen is you end up as an Associate of the (ISC)2 for a few years until you have acquired acceptable experience.