Did you know?

rob1234

That ISC2 do not recommend someone holds both the SSCP and CISSP?


" Please note that we don’t normally suggest that someone has both the SSCP and CISSP certifications, as they are related to quite different career paths."

emerald_octane

lol oops.

I thought the SSCP curricula was just a subset of the CISSP though? Admittedly I havn't looked at it.

I guess they want to really separate the certs in terms of managerial and practice.

TeKniques

Unfortunately, the job market doesn't think so. I see more and more technical security jobs asking for CISSP and not SSCP.

dbrink

Interesting, I thought the SSCP was a stepping stone towards a CISSP. I have about 12 years of systems administration experience and looking to move towards IT security so I was planning on a Security+ -> SSCP -> CISSP path over the next year or so. Might have to re-evaluate that.

Paperlantern

dbrink wrote: »

Interesting, I thought the SSCP was a stepping stone towards a CISSP. I have about 12 years of systems administration experience and looking to move towards IT security so I was planning on a Security+ -> SSCP -> CISSP path over the next year or so. Might have to re-evaluate that.

You could Sec+ -> CASP -> CISSP maybe.

I've considered CASP as well since it is a little more technical than CISSP (or so I've heard), thus having both could demonstrate that you are a competent manager with a technical pool of expertise. I've also swayed back and froth between CASP and just forgoing CASP and going for a CISSP Concentration.

JDMurray

Can you supply a link to that? I would need to see it in context to make a proper comment.

rob1234

JDMurray wrote: »

Can you supply a link to that? I would need to see it in context to make a proper comment.

There is no link I spoke directly to ISC2, as I have the CISSP and was asking talking to them about the SSCP and they said the above.

cyberguypr

Well, I see where they are coming from. Why would you take SSCP if you have a CISSP?

dbrink

So is SSCP supposed to be more technical than the CISSP? I really have no desire to go into management.....

rob1234

cyberguypr wrote: »

Well, I see where they are coming from. Why would you take SSCP if you have a CISSP?

I don't think you do see where they are coming from. Why would having the CISSP mean you would not want to take the SSCP?

cyberguypr

Why would you? SSCP is CISSP's younger sibling and doesn't bring much to the table after CISSP. What ROI are you going to get out of that? I just don't see the point.

rob1234

cyberguypr wrote: »

Why would you? SSCP is CISSP's younger sibling and doesn't bring much to the table after CISSP. What ROI are you going to get out of that? I just don't see the point.

I was expecting you to say that it is a common misconception that I'm afraid people on this forum make worse for newcomers SSCP is not CISSP's younger brother or sister they are not related as closely as people think just because SSCP knocks a year off the experience for the CISSP.

The ROI you would get all depends on what area of security you are working in or looking to work in hence why ISC2 do not recommend a user getting both not because CISSP is a better more advanced exam but because they are aimed at achieving different things.

If you wanted to be a CTO/CIO with a good technical security knowledge then SSCP and CISSP could go well but by the time you are at the C level you will not be getting your hands dirty with things like that.

JDMurray

Look at who these two certifications are marketed to. The CISSP is for Information Security professionals with 5+ years working in a wide variety of InfoSec fields, including those related to business and management. The SSCP is targeted to people fresh out of college who only have a year of InfoSec work experience, which is usually only on the technical side. Having the SSCP be mostly for technical topics and the CISSP include business/management domains therefore follows this trend.

I have recommended many times here on TE that:

1. If you qualify now for full CISSP certification then you should go directly for it.
2. If you already have the CISSP there is no need to go for the SSCP.

lifecomm

TeKniques wrote: »

Unfortunately, the job market doesn't think so. I see more and more technical security jobs asking for CISSP and not SSCP.

This is correct, IMHO. A cert has value when required (like with DoD 8570 positions) or when desired by an employer. Cert perception is everything when it comes to an employer's desire. CISSP or SSCP can be impressive, if your resume backs it up. By themselves? Maybe, maybe not.

lifecomm

JDMurray wrote: »

1. If you qualify now for full CISSP certification then you should go directly for it.
2. If you already have the CISSP there is no need to go for the SSCP.

Excellent advice.

JDMurray

lifecomm wrote: »

A cert has value when required (like with DoD 8570 positions) or when desired by an employer.

I'd like to add that certifications also have value in: 1) Codifying a common body of knowledge and skills that are worth knowing, and 2) allowing people to demonstrate specific knowledge and skills they have acquired and achieved. In addition, one can learn quite a bit by simply studying for a certificaiton but never taking its exam(s).

rob1234

JDMurray wrote: »

I have recommended many times here on TE that:

1. If you qualify now for full CISSP certification then you should go directly for it.
2. If you already have the CISSP there is no need to go for the SSCP.

What would you recommend to someone who does not qualify for the CISSP but wants to do it in the future as that is the direction they want to go in?

N2IT

lifecomm wrote: »

This is correct, IMHO. A cert has value when required (like with DoD 8570 positions) or when desired by an employer. Cert perception is everything when it comes to an employer's desire. CISSP or SSCP can be impressive, if your resume backs it up. By themselves? Maybe, maybe not.

Best advice in this thread.

"If your resume back it up" Well said

+1 Rep

ivx502

This is correct, IMHO. A cert has value when required (like with DoD 8570 positions) or when desired by an employer. Cert perception is everything when it comes to an employer's desire. CISSP or SSCP can be impressive, if your resume backs it up. By themselves? Maybe, maybe not.

The problem with DOD 8570 is that those people who have to follow it, but have never held a certifcation in their life are automatically grandfathered and exempt. So then you have System Administrators whose skill set was last current before the start of the century. I could rant on about my personal feelings of 8570. I tend to get two reactions when people find out I hold the SSCP. The first one is a puzzled look, and the second one is so when are you going to take the CISSP. The latter tends to come from the CISSP holders. Although, I have read a few chapters out of the CISSP book I can't dedicate the time it would take to truly get the concepts down.

JDMurray

ivx502 wrote: »

The problem with DOD 8570 is that those people who have to follow it, but have never held a certifcation in their life are automatically grandfathered and exempt. So then you have System Administrators whose skill set was last current before the start of the century.

I'm not sure what this means. Someone who doesn't have the certifications required by 8570.01 will need to take the current exams to get them and abide by the continuing education policy of the cert vendors as required by ISO/IEC 17024. Someone who already has the certs will not be required to re-take the exams, but they will still need to follow the same continuing education policies.

ivx502 wrote: »

I tend to get two reactions when people find out I hold the SSCP. The first one is a puzzled look, and the second one is so when are you going to take the CISSP.

The puzzled look is because the (ISC)2 does not do a very good job (IMHO) in making hiring managers aware of the SSCP, and the CISSP is seen as the natural progression from the SSCP. Stopping at the SSCP is like stopping at a high school diploma.

lifecomm

ivx502 wrote: »

The problem with DOD 8570 is that those people who have to follow it, but have never held a certifcation in their life are automatically grandfathered and exempt.

This is not my experience. DISA is very serious about the 8570 and they control the backbone for the DoD. As a contractor, I have had to tell employees that they are barred from work until they obtain their certs.

ivx502

Mileage may vary. Without saying where I work, or who I work for I cannot give details. In three cases users were grandfathered in on administrative rights without meeting 8570-M requirements. This is going way off topic from the original discussion.

dijital1

It depends on your goals really. I wanted to learn more about the business side of security as well as obtain the certifications required by DoDD 8570 for IASAE III and CNDSP Manager.

From my personal reviewing resumes and conducting interviews, I would say that the CISSP definitely holds more value for an infosec consultant than the SSCP. You have to remember that a big part of why companies want their consultants, engineers, etc to have these certifications isn't solely based on the knowledge that you're supposed to have acquired as a part of preparing for the exam.

It's good marketing to potential clients as well. Being able to say that "we XYZ number of consultants with this certification" is good marketing. For the people that have gotten hired without a CISSP, the question often is, when are you going to get it?

Given the choice, do the CISSP. If you get the SSCP, know that eventually you're going to be asked to get the CISSP at most companies if you're going to be operating in a consultant's role. Once you have the CISSP, I would encourage you to work towards getting the specializations to help differentiate yourself as well as learn more.

Just my 10 cents.