- This post is about ISC2 (International Information System Security Certification Consortium) CISSP (Certified Information Systems Security Professional vs. CCSP (Certified Cloud Security Professional) Certification
- Comments and opinions expressed below are my own solely.
- This post has been written w/o consulting ChatGPT.
- The information presented here is as of March 2023 (the latest). The basic statistics:
|Member Counts March 2023||159,679||14,707|
|Increase since July 2022||3,635||2,427|
So, CISSP or CCSP?
Since 2022, on average, I have conducted one CISSP or CCSP class per month, roughly half of each. (many more prior to that – I have lost count) If I look back the past 3-5 years, it appears that CISSP is steadily progressing – no signs of any slow down, and CCSP is increasingly picking up momentum.
‘Should I take both?’ ‘Which one do I take first?’ ‘I am already a CISSP. Do I need CCSP? (vice versa)’ ‘If I can only take one, which one do I go for?’ – often I get asked. Here is to shed some light on these questions.
When I come across participants who take up both certifications (regardless which one first), I say to them ‘Congratulations, you’d kill 2 birds with 1.5 stones.’ Simply, looking at the syllabus, the overlapping topics account roughly ⅓. For example, Cryptography and Quantum Computing – which I ‘claim’ as my passionate topics, are shunned by many. If one has endured them once (for the first certificate), the 2nd time would be with ease and breeze.
Of course, the overlapped topics are general and generic in CISSP context. Often, in CCSP, one needs to contextualise these topics in the cloud environment. For example, physical data center security, for CISSP, is all aspects of building, selecting, operating and managing a data centre; for CCSP, Cloud Service Providers address physical data center security operationally and Cloud Service Customers seek assurance and proof of compliance from the providers.
Both are vendor neutral; no questions are solution dependent. You are not expected to possess hands-on technical skills. Most questions can and should be looked at from a managerial perspective.
CISSP is a CAT (Computerized Adaptive Testing) exam; CCSP has exactly 150 multiple-choice questions. Neither exam type allows for candidates to skip a question and return to it later.
Solid foundation vs Dynamic trend
CISSP participants often could not appreciate too much of those text-book only topics, e.g. security models (Biba, Bell-LaPadula, etc.) and Open System Interconnection (OSI) model. How relevant are they to the practical scenarios?! My light-hearted response – those are for sure correct and involve no changes since 1994; any topics too technical or practical would be out-of-date by the time they are included. Therefore, CISSP ensures security practitioners build up solid security concepts and are able to apply them in all domains regardless of the implementation approaches – which could be solution and vendor dependent.
Many CCSP topics are constantly evolving, contributed by open communities and backed by heavyweight hyperscale cloud service providers; emerging innovation pops up here and there. (First AWS public service was launched in 2006). For example, AI and blockchain topics. My light-hearted course preparation approach – glancing through cloud technology headlines before I begin everyday to avoid talking about yesterday’s news. Again, CCSP exam questions are vendor-neutral. However, It is imperative that participants open and embrace the dynamic nature of cloud computing to further advance their domain knowledge.
Comprehensive breadth vs Sharp focus
CISSP exam outline includes 8 domains, sounds straightforward. When one delves into each domain, it is like opening a Matryoshka doll (Russian doll). For example, Domain 3 Security Architecture and Engineering covers from the low-level system memory protection to the tangible data centre fire prevention. Extracting one of the CISSP candidate requirements – having work experience minimally in two domains (just two!), we know the certification does not expect one to have in-depth knowledge everywhere.
Therefore, the breadth or coverage of the exam outline is indeed broad. Anything is relevant to information security; you can find it. That means – everything.
In an organizational context, I often remind the participants, this topic, for example security governance, ‘you please picture you are the CISO (Chief Information Security Officer)’; another topic, for example, API security, you wear the product owner’s hat. That illustrates how diversified CISSP topics are.
CCSP covers 6 domains and every topic is around the cloud – obviously. This nature converges the relevancy of all topics. For example, Domain 4 Cloud Application Security focuses on web applications, API security, software supplier chain issues and so on. The common thread is around the use of cloud platforms.
Due to the ‘Shared Responsibility Model’ or ‘Shared Fate’ talk in the cloud environment, in terms of the organizational context, CCSP emphasizes the collaboration relationships required between provider and customer. This has become the focus of the organizational issues.
US-centric vs Global
From ISC2, ‘We have a long history of partnering with the U.S. government. All of our certifications meet the requirements of the U.S. Department of Defense (DoD) Directive 8570.1.’ Participants often find regulatory and compliance topics are very US-centric. CISSP is more evident due to its historical background. For example, many contexts simply refer to ‘federal’ requirements without explicitly indicating the state / nation. NIST (National Institute of Standards and Technology) practices are widely adopted. (Note, over the years, I think this has been toned down gradually.)
Cloud itself is global by nature; despite many providers being US-based, the business must be global to prosper. Furthermore, Europe has been pioneering various regulatory legislation in privacy, sustainability, and sovereignty areas. The latest CCSP outline makes an effort to equally mention ISO and NIST as well as highlights jurisdictional differences and country-specific legislation.
The following info provides a glimpse of the general impression. CISSP participants are often stepping up (or intend to) in terms of security responsibilities. (i.e. vertically) CCSP participants are broadening their scope of knowledge. (i.e. horizontally)
| Job Titles:|| Job Titles:|
|Focus : Management||Focus : Cloud Security technicality. (Cloud platforms and Cloud Security) Note: lack of “Chief”, “Director” or “Manager”|
Definitely, go for both, if you can. Start with which one? Let the logistics decide, i.e. your availability, course schedule and so on. I’d highly recommend – scheduling the two consecutively, i.e. no break or very short gap between the two – how you can take advantage of the 1.5 stones.
If you must choose one over the other, start with your current environment or anticipated future. That is, if your organization is considered as ‘typical’ (primarily on-prem for now, the cloud adoption is upcoming and gradual), go for CISSP; if the environment is cloud heavy or leaning towards cloud soon, go for CCSP. When you have a chance later, it is always worthwhile to get the other certification. Both are well-reputed in the cybersecurity industry.
Learn more about the two leading certifications with these available courses today!