Someone asked me to compare Security+ vs CISSP, particularly the difficulty. I’m glad to oblige. I have both certifications.
Let’s start by looking at a couple of hypothetical questions. Don’t expect to see either of these on the test; I’m making them up as I go. But don’t be surprised if you see something similar.
Security+ vs CISSP questions
I think the best way to assess the relative difficulty of the two tests is to look at a couple of example questions.
What is SaaS?
A. Security as a Service
B. Software and application Security
C. Software as a Service
D. Security as a Software
Of course, the answer is C. Two of the answers are nonsensical. Of the two answers that aren’t complete nonsense, it’s still pretty easy to figure out the right one.
You’ll have to know what SaaS is for CISSP too, but CISSP isn’t going to come out and ask you that. Here’s a more typical CISSP question:
Your client is thinking about signing up for a SaaS solution. The vendor states that they have redundant data centers with automatic failover in Houston, Brussels, and Tokyo. Your data will be encrypted with the RC2 cipher. What should you be most concerned about?
A. The physical security of the data centers
B. Who will have control of the encryption keys?
C. The possibility of a single incident affecting all three sites
D. The strength of the cipher
This would be a fairly easy question on a CISSP exam. In this case, all of the answers have at least some validity.
We can eliminate C most easily, since the three data centers are on different continents. But that would be a legitimate concern if your data centers were in three suburbs in the same metropolitan area.
Option A is the second one I would eliminate. It’s a concern, and we know nothing about it, but there is at least one better answer.
Option B is a very legitimate concern, and usually it’s going to be the right answer to questions like this. Ideally, you want the keys.
But in this case, option D is the best answer. RC2 encryption has been obsolete for a couple of decades. It doesn’t really matter who has the keys when any computer made in the last 20 years is fast enough to crack RC2 in less than an hour.
This question isn’t really just asking you one thing. It does kind of ask you what SaaS is, although it kind of gives it away with the other things it asks. It also tests your knowledge of disaster recovery, physical security, and encryption.
It’s also a bit ambiguous. Only one of the answers is wrong. But the right answer is which of the three correct answers is the biggest concern.
The other difference you’ll see in the questions is obscurity. Security+ might ask you a question like this:
Which of the following is not a fire suppression system?
That’s a fairly difficult Security+ question. The answer is DES, which is an encryption cipher.
If you got that question on your CISSP, it will be the easiest question on the test. CISSP is more likely to ask you why you can’t buy new Halon anymore, how Halon works, when we stopped producing it in the United States, or what protocol banned it. Anything I say in my post about Halon is fair game. And that’s the only reason I knew that stuff.
On both tests, there wil be a number of questions that aren’t graded. You can usually tell on Security+ which ones those are, because they won’t have any correct answers at all. On my test, I had a question that asked me about Linux, but all of the answers were Windows file paths, complete with backslashes.
On CISSP, I couldn’t tell. I had one question that had to do with cryptography on cell phones, and the way it was written, it wasn’t even obvious it was a cryptography question. The way it was worded made me think it might not be graded, but I don’t know.
How to prepare for each test
You can pass Security+ by memorizing a few hundred facts. If you know a few hundred things like what a buffer overflow is and the difference between a virus and a worm, you’ll pass. Difficulty-wise, I found Security+ comparable to a college level test outside my major.
For CISSP, I had a collection of about 2,500 questions that I used to study. Do a Google search and you’ll find them. Grab every collection of 1,000 questions you find, get rid of the duplicates, and you’ll have about 2,500 left. Few of them were any more difficult than the question I presented here. I tested myself on 350 of them a day, and once I was able to get 90% of them right consistently, I took the test and passed. I recommend signing up for cccure.org and taking their tests. Their questions are closer to the real thing than what you’ll find floating around on document-sharing sites.
Effects on your salary
In St. Louis, a Security+ can expect to make $60,000 a year. I had one company approach me with a $60,000-a-year job that required a CISSP, but that was a short conversation. $75,000-$80,000 is a serious starting point. A CISSP with experience will make more than that.
You don’t have to have either certification to reach those levels, but it helps. It improves your chances of getting an interview, and while most employers prefer a certification, some will require it.
Both tests require continuing education now. In my day, Security+ was a lifetime certification, but it isn’t if you take it now. I recommend the same continuing education for both. The difference is just that Security+ doesn’t require as much of it.