wmheid
Newcomer II

CCSP and Security+

I am just curious, has anyone pursued both CCSP and Security+?  If so, your thoughts on the pros and cons please.  Is there any benefit in getting both?

12 Replies
emb021
Advocate I

That's an interesting combo.

The Sec+ is an entry-level cert, loosely equivalent to the CC.

The CCSP requires the same level of experience that the CISSP does, so I would expect that if you're going for the CCSP you have the CISSP already or could get it, as you have the same amount of experience.

And if you have that level of experience, just get the CISSP and don't bother with the Sec+.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
riffjim4069
Newcomer III

I have both CCSP and Security+, but my path may be very different than yours.  I've been a CISSP-ISSEP type for going on 20 years and, although I was hands-on building, deploying, and managing SOCs for years, my backside mainly sits behind a desk where I'm not allowed to touch-things/break-things for the past decade.  I mostly deal with building security programs, security control and architecture frameworks, formulating cybersecurity strategy and IT risk posture, and deal with all the business process owners and people factors - and anything else (dirty jobs) that comes along. LOL!
 
I studied for the CCSP back in 2016 (purchased the book), but just finally got around to taking/passing the exam back in February.  I'm very familiar with Azure, and to a lesser extent AWS, but I mainly define security standards and work to ensure cloud services are properly configured and hardened - so I mostly just snoop 'n poop or shoulder surf.  Although I wasn't planning on it, I also took the Cloud+ (Beta) exam within a couple days - so I studied for both.  The reason I took the Cloud+ was because it was only $50 and I already had the Study Guide...so what the heck.  There was about 50%-60% overlap in KSA, but the CCSP is focused more on solving cloud security business problems from Cloud Security Architect/Practitioner perspective...whereas the Cloud+ is more from the perspective of the security admins spinning-up and configuring cloud services.
 
Back to Security+...I took Security+, CySA+, Pentest+, and CASP+ because of some downtime due to Covid plandemic, along with the fact an employer had money to pay the bill - so what the heck.  Security+ is a very nice certification for anyone waiting on their 5-years of experience to earn the CISSP.  While not the CISSP (Gold Standard IMO) it's highly sought after by HR Tech Recruiters and I recommend it.  Does a CISSP, or even a CISM need it?  No!  But it goes very well paired with the CCSP IMO.

As far as the CCSP goes...I recommend all Security types/CISSPs/Security+ also round-out their portfolio by earning the CCSP or CCSK (CCSP IMO)--platform agnostic--and at least one or two certifications be it Azure, AWS or Google Cloud.  Why?  There's just too many hybrid environments requiring security folks know both infrastructure AND cloud. 
 
When I joined my organization two years ago, employees ran the network/infrastructure and contractors (@ $350 per hour) ran their Azure/M365 and very small AWS environment...poorly and insecurely I might add.  We eventually got rid of our contracted support, and not all of our employees were eager to learn cloud engineering and admin skills...sadly, they were the ones let go when downsized last Fall/Winter.  The reality was many of our legacy systems were being reengineered in the Azure cloud, and they didn't use their training funds, learn new skills, and certify within a year so just didn't need them.  Here's what I recommend (to all my staff) to remain highly, and quickly, employable:  (Street Cred)

1. Security+/CISSP - don't need both...but most cybersecurity doors won't open without one
2. CCSP/CCSK - don't need both, but I strongly advise if you're dealing with cloud issues...which is like everyone
3. Azure/AWS - I don't care if it's fundamentals...recommend at least one in Azure and one in AWS.

I hope this answers your question(s).  Again, you don't need Security+ and CISSP (or CASP+ for that matter) but you should have one in conjunction with the CCSP/CCSK.  Not written in stone, just my two cents and I've done a lot of hiring over the years.
 
Also, CompTIA is getting ready to roll-out Xpert Series certifications (e.g., Security+ (Professional)-->which leads to CASP+ being rebranded as SecurityX (Expert), Network+ and Cloud+ (Professional)-->which leads to CloudNetX (Professional)).

emb021
Advocate I

Good comment!

Would add to this.

* CCSP/CCSK.  The CCSK is a certificate (not a certification, yes there is a difference!) from the Cloud Security Alliance (CSA).  They worked with ISC2 to create the CCSP.  Most people say the CCSP is basically the CCSK + CISSP.  So if you have the CCSP, don't bother with the CCSK.  And if you have the experience, I would say get the CCSP over the CCSK.  I do like that the CSA worked with ISACA to create the CCAK certificate, which is cloud auditing.

I agree on getting AWS/Azure specific certs along with the CCSP.  When I was a consultant and looking at getting the CCSP, as I had clients who worked with one or the other, I also planned on doing.  Until I got a new job.  Weirdly, it was at a company that used BOTH AWS and Azure, so I did plan on getting both.  But now I'm at a company that doesn't use the cloud (nor plan to).  CCSP is still on my radar, but not as high up on my list.  Don't overlook the GCP as well.

Interesting update on what CompTIA is doing.  Was aware of their newish "stackable" certs.  Guess I'll have to update again my presentation on certifications...

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
riffjim4069
Newcomer III

Michael, 

I was vaguely aware of the CompTIA stackable certs, but really didn't care about them nor know anyone writing requisitions for them from a hiring manager perspective.  Oddly, when I picked-up the Security+, CySA+, Pentest+ and CASP+ certifications, I was awarded five (yes, 5), stackable certifications.  Who knew!  Honestly, I don't know if they're of any use, or if anyone really cares, but I can honestly say I'm a "Secure Infrastructure Expert" without sounding like I'm boasting.  LOL!  

* CompTIA: CompTIA Secure Infrastructure Expert (CSIE)
  (Security+ / CySA+ / PenTest+ / CASP+)
* CompTIA: CompTIA Security Analytics Professional (CSAP)
  (Security+ / CySA+)
* CompTIA: CompTIA Network Vulnerability Assessment Professional (CNVP)
  (Security+ / PenTest+)
* CompTIA: CompTIA Network Security Professional (CNSP)
  (Security+ / CySA+ / PenTest+)
* CompTIA: CompTIA Security Analytics Expert (CSAE)
  (Security+ / CySA+ / CASP+)

wmheid
Newcomer II

Thank you for the thoughts and response, it gave me a lot to think about over the past week.  I definitely have the work experience for the CISSP requirements and have been studying it as I review for my upcoming CCSP exam.  

 

Last weekend, I took some time with LinkedIn and searched for jobs that list specific certifications.  Between your response, input from family, input from a few others, and the LinkedIn results, my goals for the next several months in order are:  CCSP, Security+, CISM and then CISSP.

 

We use CrowdStrike and it has some certifications as well, so I may sprinkle in one or two of those certs as well.

emb021
Advocate I

@wmheid I would question why are you getting Sec+ when you seem to be shortly getting CISSP.  Seems a waste of time and money to get Sec+ unless you can't get the CISSP right now and need it for a job.  Because once you have the CISSP, IMO the Sec+ is unnecessary.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
wmheid
Newcomer II

@emb021, I agree with what you are saying.

 

When I searched open jobs in my area on LinkedIn this past weekend, there were 2,100 openings that had CISSP as a requirement and 3,498 for Security+.  With the amount of overlap in the two certs, it shouldn't take too much effort for Security+ and since I have been in I.T. for a long while, the combination may open doors that otherwise might not be open.

emb021
Advocate I

@wmheid 
You do understand that Sec+ is an entry-level cert and would only be listed on entry-level positions?  CISSP is a senior cert and would be on mid-level and higher roles.  Same for the CCSP & CISM.

If you are at the level of experience to obtain certs like the CCSP, CISSP, and/or CISM, you should NOT be going after entry-level roles that expect only a Sec+.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Early_Adopter
Community Champion

I mean ultimately it’s your money that you are spending, so if you want to do Security+ before CISSP up to you, I wouldn’t say it’s worthless but most ISC2 certifications validate experience, along with domain knowledge and a decent amount of reading comprehension so you get a bit more use there.

There’s nothing wrong with Security+, and it’s clearly better suited than the CC is right now due to market acceptance, skills based testing however you wouldn’t really put it up against CISSP (CASP+ fills that area for CompTIA).

It’s always going to be a YMMV, but to Michael’s point if you can prove your entry level/hands on skills the Security+ might give you less ROI over the alternatives.