Kia ora nettier,

 

First of all congratulations on making the SSCP exam. Well done!

 

choosing between CSSLP or CISSP really depends on your occupation and which of both fits best in your career path. Both are really excellent certifications, but are different.

 

CISSP is more general, but overall goes deeply detailed into almost all aspects if information security. You will learn about risk management, security architecture, encryption, network security, secure software development, identity access management and much more!

 

CSSLP is much more focussed at secure software development and the entire software lifecycle. You will learn about requirements, secure design and architecture, software testing, deployment and operations and of course secure software concepts.

 

If you have the possibility for longer term planning of your security career, I would advise to start studying for the CISSP, get that certification and then follow that with CSSLP to focus your career further into the secure software development..

 

Good luck with choosing!

 

Kind regards,

Ger van Hees, CISSP

 

I have both, and I prefer the CSSLP. However, it depends on what you are doing it. I got my CISSP while doing an operational cyber role, but that was a detour on my career that I didn’t enjoy doing. I’ve worked at two network security appliance vendors, two independent test labs (a CC/FIPS lab and a security efficacy test lab (not pentesting)).

My current job title is “software engineer iv,” where i am a test and automation engineer for the networking bits of a supercomputer platform.

I enjoy software security and see it in context as a subset of system/software quality.

If you want to be in product development or test, CSSLP concepts will help you out a lot. There aren’t many CSSLPs in the world (1292 in the US, vs 79617 CISSPs), so it is a differentiator. If the numbers reflect attitudes in industry, one might see that as a lack of focus on building secure software, which leads to the abundance of jobs and products to slap bandaids on to a bad situation.

If your interests and career runs through IT, cyber operations, and on into management then CISSP probably makes more sense. In terms of raw risk managment and security concepts (CIA triad and all that), there is a lot of overlaps. The practical nuts and bolts of integrating security into SDLC in the CSSLP is, to me, more relvant and engaging than business continuity plans though. Just sayin’

I would say the more basic question is whether you have already fulfilled or are close to fulfilling the work requirement for each of the certifications: minimum of 4 years of paid full-time employment in at least one of the 8 domains for the CSSLP; minimum of 5 years of cumulative employment in at least two of the 8 domains of the CISSP. Each has a distinct focus intended for entirely different audiences.