A side-by-side review of CySA+, SSCP, CASP+, and CISSP
by David Evenden
Over the past few years I have attacked a new Cyber Security Certification each year. I have taken many tests over my career, and I have to admit right out of the gate that I'm not the best test taker. However, after a while I finally figured out how to tackle cyber security certifications.
I started by taking about 6 or 7 SANS courses: GCIH, GWAPT, GPEN, GXPEN. During that time I also took SANS courses that at the time didn't have certifications: Intense Hands-On Pen Testing Skill Development, Metasploit Kung Fu, and so on. Then I moved on to the OSCP.
To be honest the OSCP was a challenge for me. I struggled and struggled, but throughout the training and the test I learned so much about the process, goals, and most importantly my weaknesses.
Now that I've moved into a non-offensive security shop, I have started researching new certifications. Even though my full-time job does not require pentesting, I took the Pentest+ just to see how it felt. It felt good, and I was one of the first 400 people to receive the certification (via the BETA test).
I then moved on to the CySA+, and found that test to cover material I was dealing with on a daily basis. I also received that cert via the BETA test and was one of the first 400 to obtain it. I currently work as a threat intelligence analyst and as a vulnerability exploitation analyst.
At the end of last year I set my target on the CASP via CompTIA. I started looking for a study book for the -003 version of the exam, but can't get a hard copy until February. So I have been using the CISSP study guide to fill in my gaps.
I started to realize the overlap was astonishing. I couldn't figure out why there is so much information covered in the CASP if the CISSP is a more prestigious test. I decided to take a step back and find out what other tests are out there. The following is a review of my findings comparing and contrasting the CySA+, SSCP, CASP+, and CISSP.
First we'll do a quick review of each test. The tests are ordered based on their level, which is based on the results of my analysis. This of course is based on my opinion, my research, and the data obtained from the various testing authorities. The order in which these tests should be considered is as follows:
CySA+ (Cyber Security Analyst +)
CySA+ is the only intermediate high-stakes cybersecurity analyst certification with performance-based questions covering security analytics, intrusion detection and response. High-stakes exams are proctored at a Pearson VUE testing center in a highly secure environment. CySA+ is the most up-to-date security analyst certification that covers advanced persistent threats in a post-2014 cybersecurity environment.
SSCP (Systems Security Certified Practitioner)
SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures established by the cybersecurity experts at (ISC)².
CASP+ (CompTIA Advanced Security Practitioner +)
CASP+ is the only hands-on, performance-based certification for practitioners - not managers - at the advanced skill level of cybersecurity. While cybersecurity managers help identify what cybersecurity policies and frameworks could be implemented, CASP-certified professionals figure out how to implement solutions within those policies and frameworks. The CASP+ certification validates advanced-level competency in risk management; enterprise security operations and architecture; research and collaboration; and integration of enterprise security.
CISSP (Certified Information Systems Security Professional)
Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. With a CISSP, you validate your expertise and become an (ISC)² member, unlocking a broad array of exclusive resources, educational tools, and peer-to-peer networking opportunities.
The first thing that jumped out at me was the various levels of risk. This is not based on the risk an employee takes throughout the course of accomplishing their job, but rather the level of risk the employee is responsible for. This is where the first division takes place in the certifications' jurisdiction. The CySA+ is the only certification that does imply risk accountability to the test taker. However, the SSCP implies so little risk that it fails to meet my personal requirements for risk accountability. That means that while the certified employee takes risk, they are not ultimately responsible for that risk. It can be assumed here that the highest level of risk taken by an employee will be taken by employees targeted for the CISSP certification.
Practitioner vs Management Positions
The next item that creates a clear separator is capability, or hands-on-keyboard roles. It is important to note that not all high-level positions are incapable of configuring, programming, or engineering security solutions themselves, but rather it is not part of their day-to-day job. While the CASP+ meets all the requirements of a high-level position, CompTIA makes it a point that this certification is not for managers.
CASP+ is the only hands-on, performance-based certification for practitioners - not managers - at the advanced skill level of cybersecurity.
I think CompTIA is taking too wide a swing at defining this as not-for-managers, especially since they currently offer zero cyber security related certifications at the manager level. However, the CASP+ certification is technically not for high-level managers. Therefore, the dividing line here is role and position. The below graph represents the various functions and capabilities practitioners should be able to perform based on passing the tests. The numbers are based on the percentage of each test that is focused on each subject.
It is important to note that the above numbers are gathered from throughout the learning objectives, and not simply the titles of the sections like the other data is taken from.
I've gathered the data from each authority showing the corresponding job for each certification.
In conclusion, the outlined certifications are designed to show capability, knowledge, and risk aptitude for various roles throughout the cyber security community. Each test is designed for a specific role. Experience will lead to the ability to pass the tests. Anyone can study and pass a test; however, not being able to perform the job functions covered by the test degrades the test taker's reputation and the reputation of the test. If you're considering taking the CISSP to prove you know everything there is to know about cyber security, please reconsider. Being a good test taker does not make one a good practitioner. There is a talent gap in our industry right now, and the community needs competent practitioners; what we don't need is more incompetent good test takers.
About the author
David Evenden is an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East.
While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and commercial entities, his passion is educating network administrators and security engineers on best practices for securing their networks.
David currently holds Pentest+ and CySA+ certifications.
The article was originally published at the author's LinkedIn profile: https://www.linkedin.com/pulse/analysts-review-top-cyber-certs-david-evenden/