SSCP and CISSP are both (ISC)² certifications. I get a lot of questions about the two of them, especially about SSCP, as CISSP overshadows it. So let’s look at SSCP vs CISSP.
CISSP definitely pays better, but that’s not to say SSCP doesn’t have merit.
DoD 8570 requirement
SSCP doesn’t exactly compete directly with Security+, but when it comes to the government and its DoD 8570 requirement, the two are equivalent. At the pay grades where the DoD accepts Security+, it usually also accepts SSCP. The problem is that Security+ is the one with the name recognition, so even though DISA may say SSCP is OK, your COTR or team lead may not know that and may make you go get Security+ anyway.
If you don’t work in government contracting, don’t worry about DoD 8570. If you’re interested in getting into government contracting, having CISSP helps a lot more than SSCP. Since contracting requires a security clearance, if you don’t have one already, nobody wants to pay to investigate you unless there’s a really good reason. Having CISSP counts as a really good reason. SSCP, not so much. If a government agency or contractor needs someone with an SSCP or equivalent, they can find someone. It’s not hard for them to poach someone who already has the clearance from somewhere. And if they can’t find anyone, they’re pretty adept at getting people to pass Security+. As far as the government is concerned, SSCP vs CISSP isn’t even a fair comparison.
SSCP vs CISSP: Pay grade
CISSP is the more advanced certification of the two. It’s impolite to discuss salary but that’s almost necessary to set expectations, so I’ll talk salary anyway. When I went from being a highly paid Security+ to an entry-level CISSP, my salary went up about 15 percent. Your mileage will vary based on experience. A CISSP with just enough experience to meet the prerequisites can expect to make about what a Security+ with 15-20 years of experience makes. Exact pay figures will depend on your job market and the cost of living in your area. A CISSP living in the Washington DC area makes more than one living in the heartland because the cost of living is so much lower in the heartland.
The pay difference between SSCP and CISSP will be similar. If you don’t have any security certifications, go get something at the SSCP level first. It will make it much easier to get CISSP that way. Going straight for CISSP is a more difficult road, and I would argue, an unreasonably difficult one.
When I got CISSP, it was because I’d been promoted into a job that required it. I had six months to pass CISSP or lose the job. Essentially I bet my career on my ability to pass CISSP. No pressure. If I had it to do over again, I would have gotten Security+ first, because of name recognition. Then I would get SSCP, to get practice with the way (ISC)² asks questions. Then I would have gotten CISSP.
SSCP vs CISSP: Opportunities for promotion
I didn’t do it that way because I wasn’t looking outside my own organizational structure. I was blocked at the time, so I didn’t see the point of getting CISSP. What I didn’t consider was that having CISSP unblocks you. If your present employer doesn’t find an opportunity to advance you, someone else will. Having CISSP on your Linkedin profile makes you attract recruiters like a magnet. Have you ever gotten tired of recruiters looking at your Linkedin profile? If you don’t have CISSP, you probably think that’s a silly question. Why wouldn’t you want people to be interested in you? When I ask another CISSP that question, they always chuckle because we’ve all had times where we took a new job, have been in the job three months, and random recruiters contact us asking if we’re looking. Why would we be looking three months into a new job?
But that’s a two-edged sword. We’ve all been in situations where we took a job, then the hiring manager moved on, and the replacement manager was hard to work for. Every manager prefers having people they found and chose working for them. That happened more to me before I got CISSP than it did after. And when it did happen to me as a CISSP, I had options.
I’m not saying don’t get SSCP. I’m saying don’t stop there.
Testing: The (ISC)² difference
Although the SSCP doesn’t get much love, I like that it’s administered by (ISC)². If your goal is to eventually get the CISSP, why not take the entry-level test from the same certifying body? CompTIA intends for Security+ to prepare you for the CISSP someday, but I don’t think CompTIA does a good job of preparing you for the way (ISC)² asks questions. Both of them mess with your mind, but CompTIA messes with your mind with poor grammar and spelling. (ISC)² much more closely simulates how people will actually try to slip things past you in the real world.
You see poor grammar and spelling in the real world too, but CompTIA doesn’t do a very good job of simulating that. In the real world, when a coworker consistently destroys the language that way, they don’t last very long. It’s unprofessional. Dodging your question, or burying an uncomfortable answer within other irrelevant information is much more common. To me, being able to catch that kind of deception is a more useful skill than being able to decode crimes against the English language.
A year or so ago, when a client of mine was studying for CISSP, I told him to expect that the test is going to try to simulate the most difficult day of his career, where people are peppering him with emergencies, he has eight hours to finish 20 hours’ worth of work, and some people are being downright deceptive in the information they’re providing. After he passed the test, he said that was a very fair description of what taking the test felt like.
SSCP vs CISSP: The tests themselves
So, what’s the difference between the tests themselves? The SSCP is half as long as the CISSP, 125 questions versus 250 questions. SSCP also covers 70% of the material CISSP does. Most of the management and paper-pushing elements of CISSP are absent from SSCP. SSCP is hands-on and technical. Some CISSPs are hands-on and technical, but admittedly, some of us are paper pushers. It depends on what we specialize in. CISSP tries to make sure we can be either.
As for the questions themselves, SSCP will be more straightforward than CISSP. Here’s a study question from my old study material that’s fair game for both tests:
At what temperature does damage start occurring to magnetic media?
You’ll get a lot more questions like that on SSCP than on CISSP. I only recall a small number of questions that straightforward on my CISSP exam.
Some more common CISSP example questions
A moderately easy CISSP question is more likely to ask if it’s permissible to store magnetic tapes in a storage unit without air conditioning and why or why not.
A more difficult question would present a scenario, something like this: You’ve just accepted a consulting gig with a small company. As part of the disaster recovery plan, the company has its senior system administrator, who’s been with the company three years, take the company’s backup tapes home every night. He stores them in a storage shed in his back yard, which is secured with a combination lock purchased at a discount store. What problems should you have with this plan?
The correct answer would cite the likelihood of the tapes degrading, the lack of adequate physical security and close geographical proximity to the workplace. An Incorrect answer would zero in on the system administrator’s seniority or tenure as problems. Another incorrect answer would suggest approving the plan because the system administrator is well qualified to restore backups. A third incorrect answer might zero in specifically on the lock
In a hard question, they’d bury the plan to store tapes in a storage unit in a page or two of text, and other than that and one other detail, it might actually be an OK plan. In order to pick the right answer, you’ll need to know that tapes start degrading at about 100 degrees, and probably two or three other random things.
When it comes to SSCP vs CISSP, that’s likely to be the biggest difference you’ll notice. An SSCP question may very well ask one or two things. Most CISSP questions are really asking you several things.