Hi All!
I maintain a learning path for my cyber engineers and I've always started it with the CompTIA Security+ exam, as I've always believed it to be a great foundation exam.
I'm now wondering where ISC2's CC qualification fits in, wondered if anyone has any real world experience of it yet?
Is it - as I suspect - designed as a direct competitor to Sec+? Which one do you prefer if you have experience of both?
@Rossva wrote:
I'm now wondering where ISC2's CC qualification fits in, wondered if anyone has any real world experience of it yet?
I haven't seen the CC in the wild yet. Security+ plenty. I think what we have seen over the years is a lowering of the threshold to get into info security. Overall, that is good, but the challenge remains qualifying people. As we are inundated with daily, we have a shortage (and a growing one) of "security professionals." However, I think we are missing the problem. Really, what we have is a shortage of professionals who think securely.
For every person I've seen hired with some sort of security sense, I've seen probably 100 hired who lack security awareness. By the time young people are hitting the workforce today, often they've already had a good dozen years or more of bad habits that need to be addressed. While older employees are prone to develop the same bad habits, experience means something. Those who have been burned tend to be more circumspect. As much as I like to see Sec+ or something like the SSCP on a resume (and will now look for the CC), the question I always ask is "tell me about when you were hacked." The people who have some security scar tissue tend to have the motivation and sense to do well in this industry.
Going to agree with JoePete here. A culture of thorough review must include people who intrinsically bake security into their daily activities. Neither Sec+ nor CC will deliver what must be cultivated by the department.
Still, if either is used as a person's first insight into cybersecurity, they're both useful.
Oh in total agreement. As I said, these people already work at my place and I just want to put together a certification path for them - I'm asking which certs should someone have before you take them on.
@Rossva wrote:
Oh in total agreement. As I said, these people already work at my place and I just want to put together a certification path for them - I'm asking which certs should someone have before you take them on.
At the entry level, I like Security+. I think CompTIA does a good job with exam development. Where I think (ISC)2 has had a good niche is the transition toward management, strategy, or consulting. I haven't seen enough of the CC yet. I'll also say that something like Network+ catches my eye. People who understand networking, I think, have a really good foundation for security compared to, say, software development or system administration, but that might just be my experience.