SSCP or CISSP: Which is Better?
Cybersecurity is IT Job No. 1 for most organizations — and the demand for qualified security professionals has never been higher. There are several bodies offering security certifications, and the International Information System Security Certification Consortium, or ISC2, is one of the best known.
Their marquee security certification is the Certified Information Systems Security Professional (CISSP), arguably one of the most difficult and valuable security certifications.
Early-career security professionals may find the CISSP daunting and may look to the ISC2 Systems Security Certified Practitioner (SSCP) or another accreditation as their on-ramp to certification.
Let's explore these two ISC2 certifications in more detail. We'll examine the requirements for earning them, their career value, and their pros and cons.
Certified Information Systems Security Professional (CISSP)
This certification is for experienced cybersecurity professionals — technicians, managers, and executives. In order to earn CISSP certification, candidates must pass a three-hour, 100-to-150-question computer adaptive testing exam. In addition, they must provide verifiable proof of five years of full-time employment — or work experience — in two or more of the following eight CISSP security domains defined by ISC2:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communications and Network Security
Identity and Access Management
Security Assessment and Testing
Security Operations
Software Development Security
And that's not all. Once the candidate has passed the CISSP exam, they must be endorsed by an active ISC2 credential holder before they are awarded their CISSP cert.
Note that if you pass the CISSP exam but do not have the required years of experience, ISC2 will recognize you as a CISSP Associate while you acquire the necessary domain experience.
Given all this effort, it's reassuring that in their current Guide to the CISSP, ISC2 claims that salaries for CISSP-certified professionals average over $130,000. Also, as of September 2019, CISSP was the most in-demand security certification according to the CyberSeek interactive cybersecurity supply/demand map of job postings.
Systems Security Certified Practitioner (SSCP)
Whereas CISSP is for experienced professionals, the SSCP is an early-career certification from ISC2, which requires only a single year of relevant cybersecurity experience. SSCP differs in that its focus is on practical, technical aspects of security, while the CISSP emphasizes process.
ISC2 says that SSCP is for people in engineering and admin roles, whereas CISSP is for senior IT leaders — architects, auditors, and consultants, as well as IT managers and executives. The SSCP is equivalent to, but not as well-known as, CompTIA's Security+ certification.
SSCP candidates must pass a three-hour, 125-question exam that assesses their mastery of the following security domains:
Access Controls
Security Operations and Administration
Risk Identification, Monitoring and Analysis
Incident Response and Recovery
Cryptography
Network and Communications Security
Systems and Application Security
SSCP candidates must have at least one year of verifiable work experience in one or more of the SSCP security domains. If you have a cybersecurity program degree, you may be granted a waiver for the year of experience.
As with the CISSP cert, SSCP candidates must be endorsed by an active ISC2 credential-holder before they are awarded their cert.
CISSP vs. SSCP
Frankly, it is not a question of one certification versus the other. They represent different areas of cybersecurity expertise and experience.
If you're in an early career security position and are looking for a way to establish credibility, then SSCP is a good starting point.
Do you already know that you want to pursue an IT leadership position? If that's the case, then the CISSP should be your long-term goal! You could earn the SSCP first and later go for the CISSP as you acquire the security work experience.
But hold on, if the CISSP is your target, then you could go for the CISSP exam and become a CISSP Associate. While it's not the same as a full-fledged CISSP, the associate-level badge is recognized in the U.S. government sector and may also be accepted by some companies.
Note that all ISC2 certifications are valid for three years and must be renewed through required ongoing continuing professional education. Certificate holders must also be current with their ISC2 annual membership fees.
Government Sector Opportunities
Both SSCP and CISSP are recognized as U.S. Department of Defense (DOD) baseline certifications, which identify specific certs for various levels of IT technician, manager, and architect/engineer jobs in the Federal Government.
SSCP is approved for Levels I and II Information Assurance Technician (IAT) jobs. CISSP (or CISSP Associate) is a baseline cert for Level III IAT jobs, as well as for jobs at Level II or III Information Assurance Manager (IAM) and Level I and II IA System Architects and Engineers (IASAE).
Level III architect/engineer jobs require the next level CISSP architecture or engineering concentrations.
Salary Expectations
As you might expect, you'll command a bigger salary if you're CISSP-certified. ISC2 claims an average CISSP salary of $131,030 compared to $93,240 for an SSCP.
A search of the Indeed.com job site provides some support for those numbers. A search for full-time jobs requiring CISSP certification returned an average salary of $94,000 but showed nearly one-half of offerings from $100,000 to $125,000.
A search for SSCP jobs returned an average salary of nearly $82,000, with just under half offering $90,000 or more. The ISC2 brand must add value because jobs for the equivalent CompTIA Security+ certification showed an average salary of only $72,395.
Wrapping Up
So, what's the bottom line? Both CISSP and SSCP are valuable, well-paying cybersecurity credentials. Demand for CISSP, in particular, is reportedly higher than the number of professionals certified.
CBT Nuggets provides online training for both certification paths. If CISSP is your target, we can help with our ISC2 CISSP training.
Check out our ISC2 CISSP 2018 playlist. Our recent blog post shows how you can create your own CISSP study plan to help you learn the CISSP material and prepare for the exam. By the way, you'll also be able to take advantage of the CISSP 2018 practice exams.