CISSP vs. CASP vs. CEH

Last Updated on November 24, 2018 by Dave Farquhar

One of my coworkers invited me to watch a webinar with him today that promised to compare CompTIA’s new high-end certification with the CISSP.

I was skeptical at first, especially when I heard it was an 80-question, 150-minute test. But by the end, I mostly liked what I heard.

The most important thing they said is that the CASP doesn’t compete directly with the CISSP. The industry really doesn’t need a CISSP re-hash, given that there are so many certifications out there that cover much of the same ground. The CISSP, CompTIA emphasized, is mostly about policy. That’s a fair assessment. It’s mostly about what you do and why. That was an adjustment for me, because up until 2009 I was strictly a hands-on guy. I’ve been a policy guy for right around 3 years, and I’m not altogether comfortable being just a policy guy.

Let’s go back to 2009 for a minute. I was working in a shop with a DBA, a couple of network administrators, and several systems administrators. We all had Security+, including the team lead. CISSP wouldn’t have done all that much for that team lead, because having it says nothing about his day-to-day abilities. It just proves that he knows that it’s a good idea to have an IDS, that he has to do backups, he has to have a certain amount of redundancy in his network, and that he absolutely must have a firewall and antivirus software. The thing is, all of that is dictated to him anyway.

The only reason for him to get CISSP would have been to get a promotion, and he knew it. He also knew he was likely to get promoted at some point with or without it, which happened about a year later.

About the only other option for him would have been CEH (Certified Ethical Hacker), but the focus of CEH is more toward incident handling and penetration testing, rather than day-to-day operations.

With CASP, now there’s a certification for someone like him, or someone who aspires to be him. It’s a high-end certification for operations people, who may not know or care what kind of fire extinguisher needs to be in the datacenter, or how tall the fence around the complex needs to be.

“Someone who had CISSP, CEH, and CASP would be dangerous,” my coworker observed at the end.

As one who was mentored by someone who definitely could pass all three, I agree.

I’m not far enough removed from taking CISSP to be extremely interested in getting another certification, but CASP doesn’t look like a bad choice when I’m ready. Although CISSP is mostly about policy, some shops want CISSPs who can still administer something for them.
