In junior year - will Associate of ISC2 help?

Hi,

I am an aspiring Information Security engineer currently enrolled in a BS in Information Technology in India. I would be applying for an MS in CS with a concentration in Information Security in November.

My questions are:

1. For a person with absolutely no experience except undergrad coursework, which is the correct exam to go for? SSCP or CISSP? From what I can see CISSP has around 60,000 certified professionals while there are only around 600 for the SSCP.

2. Closely related to the above - is there any difference in value of the exams for a complete fresher? I know the CISSP has 3 more modules to study.

3. Would passing either of these exams bolster my application for my Master's? This is particularly crucial because my coursework and possibly the CISSP/SSCP is going to be my only relevant experience on my resume. We just don't have intern jobs in India for aspiring InfoSec engineers.

Finally, as I have no experience, my certification will be awarded as an Associate of ISC2 (right?). In that case, how do I go about showing which one of the exams I passed on my resume?

Thanks

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Bl8ckr0uter

lm10 wrote: »

Hi,

I am an aspiring Information Security engineer currently enrolled in a BS in Information Technology in India. I would be applying for an MS in CS with a concentration in Information Security in November.

Welcome.

Right off the back I would like clarification. What does an information security engineer mean to you? It is better to answer with job responsibilities rather than titles since titles are not standardized across the board.

lm10 wrote: »

My questions are:

1. For a person with absolutely no experience except undergrad coursework, which is the correct exam to go for? SSCP or CISSP? From what I can see CISSP has around 60,000 certified professionals while there are only around 600 for the SSCP.

*I do not have the CISSP but I plan to sit the SSCP in July*

I think any cert isn't going to hold as much water as it could with out experience that relates to the cert to back it up. I would also say the same applies for any certified person. Think about that....
CISSP vs SSCP? It depends on how you want to look at it. The CISSP is popular and honestly has more "pull" than SSCP. Part (most) of the is isc2 fault. CISSP is seen by a lot of hiring folks as thee standard of ALL information security certification. So yea people want it. I have dealt with several CISSPs who were straight up quacks and knew less about infosec then me (with my grand total of 1 year in infosec

).
Most people will say out of the two, start with SSCP (realistically there are other certs that you should consider, like the Security+ but I digress). I will say that if you are looking for resume impact, go for the CISSP. Just keep in mind that you really won't be able to back it up and you have the potential to get yourself into some trouble if asked to (back it up). Realistically, experience wise, SSCP is going to be more doable. I currently have plans to take the SSCP and I know that it won't have as much impact as the CISSP, I don't want to be "paper certified". I think you should think your choice over carefully. But what I can say is that I have experience to back it up as I have worked in almost every domain of the SSCP in some capacity.

lm10 wrote: »

2. Closely related to the above - is there any difference in value of the exams for a complete fresher? I know the CISSP has 3 more modules to study.

See above about the career impact. For kicks do a job search for CISSP and SSCP in your area. In my neck of the woods, it is a 10 to 1 ratio and I think that is going to be true almost anywhere you look. (You even posted about the stats yourself).

lm10 wrote: »

3. Would passing either of these exams bolster my application for my Master's? This is particularly crucial because my coursework and possibly the CISSP/SSCP is going to be my only relevant experience on my resume. We just don't have intern jobs in India for aspiring InfoSec engineers.

I don't know about this one. I mean I am not sure how many MSCS programs care about CISSP or not. There are a few here but you may want to talk to your school about it.

lm10 wrote: »

Finally, as I have no experience, my certification will be awarded as an Associate of ISC2 (right?). In that case, how do I go about showing which one of the exams I passed on my resume?

I have seen a few people put CISSP Associate or Associate of CISSP or CISSP pending application process quite a few times. I am not sure about how isc2 wants you do to it. Your best bet would be to check with them.

lm10

Thanks for the reply

Bl8ckr0uter wrote: »

Welcome.

Right off the back I would like clarification. What does an information security engineer mean to you? It is better to answer with job responsibilities rather than titles since titles are not standardized across the board.

Personally I would like to be a sort of go-to guy for organizations to have their security assessed and analyzed. A sort of security analyst if you like.

Bl8ckr0uter wrote: »

*I do not have the CISSP but I plan to sit the SSCP in July*

I think any cert isn't going to hold as much water as it could with out experience that relates to the cert to back it up. I would also say the same applies for any certified person. Think about that....

Point duly noted. The thing is, I am in India. My undergraduate institution basically is a bunch of ghouls asking us to learn by rote during final exam time and spit it out.

I am in a scenario where getting real world experience is basically impossible for me. What I think is - can giving the SSCP/CISSP display the correct aptitude and attitude for Information Security?

Bl8ckr0uter wrote: »

CISSP vs SSCP? It depends on how you want to look at it. The CISSP is popular and honestly has more "pull" than SSCP. Part (most) of the is isc2 fault. CISSP is seen by a lot of hiring folks as thee standard of ALL information security certification. So yea people want it. I have dealt with several CISSPs who were straight up quacks and knew less about infosec then me (with my grand total of 1 year in infosec ).
Most people will say out of the two, start with SSCP (realistically there are other certs that you should consider, like the Security+ but I digress). I will say that if you are looking for resume impact, go for the CISSP. Just keep in mind that you really won't be able to back it up and you have the potential to get yourself into some trouble if asked to (back it up).

I'd like to know what "backing up" would mean in this context, as I didn't really understand it. From the discussions on this forum, CISSP seems a more managerial degree. In that case I would probably go for SSCP.

Bl8ckr0uter wrote: »

See above about the career impact. For kicks do a job search for CISSP and SSCP in your area. In my neck of the woods, it is a 10 to 1 ratio and I think that is going to be true almost anywhere you look. (You even posted about the stats yourself).

Actually there are no jobs for these sorts of qualifications where I am based. Security isn't much of a deal here.

Bl8ckr0uter wrote: »

I don't know about this one. I mean I am not sure how many MSCS programs care about CISSP or not. There are a few here but you may want to talk to your school about it.

Again - poor information base here means that nobody knows squat about anything. Here an undergrad education means a moderately paying IT job and an MBA a few years later. I'm being a little cynical, but that is how it is.

If you were to take a guess, would you say that an application for an MS CS with an InfoSec specialization would be bolstered by these certifications?

Bl8ckr0uter wrote: »

I have seen a few people put CISSP Associate or Associate of CISSP or CISSP pending application process quite a few times. I am not sure about how isc2 wants you do to it. Your best bet would be to check with them.

Thanks again

Bl8ckr0uter

lm10 wrote: »

Thanks for the reply

Personally I would like to be a sort of go-to guy for organizations to have their security assessed and analyzed. A sort of security analyst if you like.

Vulnerability assessments or penetration test or risk assessments? Are you trying to do Ca and A work or technical work (or both)? You really need to be specific. Like for me I know I want to manage IDS/IPS, Firewalls, Routers, Switches, WAPs and concenrtators. Linux servers and (sigh) Windows servers are also apart of my goal. Application Security is pretty much a dream of mine as well but I am really going to have to bust my butt to learn development so I won't be a script/tools kiddie. I also want to do pentesting AND vulnerability assessments but C and A work looks like hell for me. As does risk assessments and the like.

lm10 wrote: »

I am in a scenario where getting real world experience is basically impossible for me. What I think is - can giving the SSCP/CISSP display the correct aptitude and attitude for Information Security?

I'd like to know what "backing up" would mean in this context, as I didn't really understand it. From the discussions on this forum, CISSP seems a more managerial degree. In that case I would probably go for SSCP.

Certs at one point were use in the entirely opposite way that we use them today. At one point certs were used to validate preexisting experience. So if you were an Windows Admin, you got a MCSE to validate your existing experience, not to try to gain experience as a Windows Admin (I can only speak in allegory because I was not around for this time period in IT lol). So if you were already working in Infosec, you could get a CISSP to prove what you already know. That's why the 5 years experience requirement was/is so significant because it require you to have 5, documented year of infosec experience before you could even get the cert. Then something changed all of this. New IT pros found certs to be a requirement and that's when the mad dash began. Now in order to get any kind of experience (a job) you have to have a cert. So people started picking up certs to "break into the field". I won't really go into how this cheapens certification at a macro level but I will say that on a micro level this can effect you greatly. If you are a CISSP and you don't know how to harden a router, a server or a room you could be passed up for a number of positions. Or heaven help you if you get hired and the first big problem happens and you don't know anything

Yea, it WILL be a big deal. Certs backed with validated experience and people who back their certs with validated experience and skills will win 9 times out of 10 vs those who just have the certs (all other things being equal). There is just something special about being able to say, yea, I have done that vs yea I have read about that in a book. I remember the first time I check a circuit on a live, production, cisco router. It is just something different. It's really hard to explain....
Being paper certified is simply dangerous for you and your potential employer.
See but then another problem is that we are all "paper certified" until we get experience. So IMO what you have to do is get certs that you feel that, if required to, you could perform at the level of the cert. For me to get a CCIE right now would be pointless. For me to get a MCM right now would be pointless as well (and impossible since I don't meet the prereqs). For me to get a CCNP or MCITP would be doable because I know I could perform at (at least) the level of the certification. To some specifics to my situation, I don't think I could do RHCE but Linux+/LPIC-1 is doable for me. You have to be smart about which certs you chose to be "paper certified" in so you don't screw yourself over. A CCIE with no experience is going to have some trouble.
For me, the hardest exam I plan on taking this year is the GCIA. I know that it will be difficult just because of the subject matter and I don't have as much experience with IDS/IPS work as I would like but I feel like learning TCPdump and snort and hex is something I could reproduce on demand if required to. Plus I don't plan to take it until the end of the year so I have time to gain more experience and study.
As far a CISSP being managerial and SSCP being technical, while that may be true in theory, people treat the CISSP like Frank's Red Hot (they put that s#1t on everything). So I think that argument is bunk.

lm10 wrote: »

If you were to take a guess, would you say that an application for an MS CS with an InfoSec specialization would be bolstered by these certifications?

Idk. Some schools frown on certs period (because school >certs

). It depends on a school by school bases. I know of a few infosec programs that will take some classes off for certs. Then of course, there are places like WGU: WGU Online University | Online Degree Programs, Accredited Bachelor's and Master's

instant000

No kidding.

Certs went from being "proof" to being "admission tickets".

It's like:
You can't touch my Windows Server without a Windows certification
You can't touch my Juniper Router without a Juniper certification

Even with all that said:

certs with experience >>>>>> certs without experience

JDMurray

lm10 wrote: »

1. For a person with absolutely no experience except undergrad coursework, which is the correct exam to go for? SSCP or CISSP? From what I can see CISSP has around 60,000 certified professionals while there are only around 600 for the SSCP.

I would go for the Security+ first, the SSCP next, and then the CISSP after you have the degree. If you can get a simple InfoSec job (such as at a help desk) you can collect the 1-year experience required for the full SSCP certification before you graduate.

lm10 wrote: »

2. Closely related to the above - is there any difference in value of the exams for a complete fresher? I know the CISSP has 3 more modules to study.

The CISSP is very highly regarded, but only if you have the accompaying experience. The Security+ and SSCP are for people who have very little or no InfoSec experience. The CISSP and SSCP exams do have some overlap in material, but they are different exams. Remember that the point of certifications is to learn the material first and pass the exam second.

lm10 wrote: »

3. Would passing either of these exams bolster my application for my Master's? This is particularly crucial because my coursework and possibly the CISSP/SSCP is going to be my only relevant experience on my resume. We just don't have intern jobs in India for aspiring InfoSec engineers.

The depends entirely on the academic institutions you are applying to. Check with an admission councilor for each school to see if they respect having passed specific certification exams.

lm10 wrote: »

Finally, as I have no experience, my certification will be awarded as an Associate of ISC2 (right?). In that case, how do I go about showing which one of the exams I passed on my resume?

You put "Associate of (ISC)2" and the date and exam you passed the exam on your resume.