How many paragliding instructors do we have out there? Okay, not a lot. But what if you were one looking to make a career change into cybersecurity?
Take it from this former paragliding instructor, here’s the way to glide into a new cybersecurity career.
Before I found out about the SSCP certification, the landscape of the cybersecurity industry looked a little chaotic.
I knew I wanted to get into the security field – I knew that cybersecurity pros continue to be in high demand. What I found was that pursuing some common-sense certifications is a great way to springboard this kind of career.
In researching job postings, I noticed a common theme under the requirements: many of the ads listed “Security+,” and a good number of them required or strongly desired “CISSP” certification.
Looking into the requirements, I found that Security+ was an entry-level certification, involving passing the CompTIA Security+ test. I discovered that CISSP was quite the opposite. The requirements for this higher-level cert were much more involved. To be certified, a candidate has to:
- pass the ISC2 CISSP test
- have a minimum of 5 years’ experience in two or more different areas of the cybersecurity field, or
- have an IT/Computer Science/Cybersecurity-related degree and a minimum of 4 years’ experience in two or more different cybersecurity areas
These requirements were a bit daunting, and would obviously take some time to achieve, but I decided this was something I should pursue, since most employers wanted it.
So I started with the Security+ certification. Having no college degree and no previous IT background, I wanted to bulk up my cred, and I enrolled in a university that offers a Cybersecurity and Information Assurance bachelor’s degree program. I also figured this would knock off a year of the work experience requirement for the CISSP.
I was also fortunate enough to land an internship with a tech company’s digital forensics and investigations department, so I could start gaining cybersecurity work experience. As much as I enjoyed and appreciated this role, internships are not exactly the highest paying jobs, and the company policy was strict on a 4-year degree requirement for full-time employment in any cybersecurity-related position. I knew I would have to look elsewhere for another cybersecurity job. But what could I do to make myself stand out without a CISSP?
I found the next best thing – SSCP.
What is SSCP?
The Systems Security Certified Practitioner certification is offered by ISC2, the same organization that offers the CISSP certification. Here’s how ISC2 describes it:
“SSCP certification demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures established by the cybersecurity experts at (ISC)².” https://www.isc2.org/Certifications/SSCP
SSCP involves a series of requirements:
- Passing the test
- A minimum of one year work experience in one or more of the seven SSCP CBK domains
- Candidates who have a bachelor’s or master’s degree in a cybersecurity program, or in computer science, computer engineering, computer systems engineering, management information systems (MIS) or information technology (IT) will be granted a waiver of the one-year work experience requirement.
- Endorsement by a CISSP holder or by ISC2
- Compliance with the ISC2 Code of Ethics
- Paying an annual membership fee
As for exam format, the test is 3 hours long, with 125 multiple choice questions, 25 of which are not scored.
The SSCP exam tests information security knowledge through 7 CBK (Common Body of Knowledge) Domains. As of November 1, 2018 the domains and their weights for the exam are:
- Access Controls 16%
- Security Operations and Administration 15%
- Risk Identification, Monitoring, and Analysis 15%
- Incident Response and Recovery 13%
- Cryptography 10%
- Network and Communications Security 16%
- Systems and Application Security 15%
My Test Preparation:
The SSCP is a proctored test that has to be taken at a certified testing center. The ISC2 organization is fairly strict on the controls for their testing centers, so there are not many locations, and testing time slots tend to fill up fast. So the first thing I did was schedule the exam. I was able to get a time slot about a month later. This also gave me a timeline to follow that helped to keep me focused.
For a solid two weeks, I spent about four hours a day studying these materials:
- Murphy, G. (2015). SSCP (ISC)2 Systems Security Certified Practitioner Official Study Guide. Sybex.
- Gibson, D. SSCP Systems Security Certified Practitioner All-in-One Exam Guide, Third Edition.
- SSCP quizzes and flashcards found on Quizlet
I would say the biggest help with SSCP domain knowledge, though, was having already earned the Security+ certification. The Security+ exam topics were essentially the same as the SSCP’s (its test areas are: Threats, Attacks and Vulnerabilities; Technologies and Tools; Architecture and Design; Identity and Access Management; Risk Management; and Cryptography and PKI), so going through the SSCP study material felt largely like a review, more of a reinforcement with some expansion on the subject matter.
My Testing Experience:
I wouldn’t say it was an easy test by any means, partially due to the test format.
The SSCP tests your common sense and judgment just as much as it tests your computer security knowledge. The question formats were similar to the Security+ test: some questions were straightforward, but more often than not they were in the “best answer” format, where more than one answer could be technically correct but the “most” correct answer for that question or scenario is required.
ISC2 just gives a pass/fail score for results.
After passing the SSCP exam, an endorsement application must be filled out and approved before you’re granted the SSCP Certification. The application requires proof of SSCP subject-related work history, qualifying applicable education, and the endorsement information of a sponsoring CISSP member, or, alternately, a designation selecting the ISC2 to act as the endorsing sponsor.
My biggest complaint while going through the SSCP Certification process was their processing time.
After completing the application with a CISSP sponsor sign-off, it took 48 days for the application to be reviewed and processed. The email from ISC2 informing me of my official SSCP certification also informed me that it would take 8-12 weeks for my ID card and certificate to be mailed to me, and up to two weeks before I could log in and claim a digital badge (badges are represented by an image that contains verified metadata describing the certification’s qualifications and the process required to earn it). I can understand paper copies through snail mail being slow…but two full weeks for a digital link? Considering (ISC)² is the World’s Leading Cybersecurity Professional Organization, the lag time seems a bit excessive.
The bottom line is that SSCP served its purpose by formally demonstrating my cybersecurity knowledge to prospective employers.
Would I recommend it to others? Yes.
If you would like help with your cybersecurity strategy or program, give Fractional CISO a call for a complimentary consultation. We can be reached at (617) 658-3276 or by email at [email protected].
To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/