The Systems Security Certified Practitioner (SSCP) certification is the lesser-known cousin of the more famous Certified Information Systems Security Practitioner (CISSP) credential. Both programs are sponsored by cybersecurity professional association (ISC)², but they target security professionals at different stages in their careers.
While the CISSP is designed for well-rounded security professionals with broad experience, the SSCP offers more of an entry-level opportunity for technologists who are newer to the profession. You might be surprised to learn that the SSCP credential has a history almost as long as the CISSP program.
(ISC)² launched the CISSP as the first comprehensive cybersecurity credential in 1994, long before many organizations were even thinking about security. The SSCP followed in 2001 as the organization’s second credential, even before they started branching out into CISSP concentrations and other certification programs.
Despite this long history, however, the SSCP credential didn’t gain traction for quite some time. Today there are over 82,000 individuals holding CISSP certifications in the United States, while only around 2,600 Americans hold the SSCP certification.
This year, (ISC)² is launching a significant update of the SSCP certification, seeking to reposition it as a credential for those actively engaged in security operations and a good starting point for those who may wish to eventually pursue CISSP certification.
Who Should Consider SSCP?
The SSCP certification targets individuals who have at least one year of work experience in cybersecurity. Unlike the stricter requirements of the CISSP program, the SSCP does not require that the work experience a candidate submit be full-time or paid.
Candidates who have part-time experience in the field simply need to demonstrate that they have sufficient hours of work experience accumulated that are equivalent to a year of full-time work. Also, while the CISSP exam has a very broad and high-level focus, the SSCP drills down deeper and targets those with hands-on technical skills.
One important note: Both the SSCP and CISSP programs grant a one-year experience waiver to individuals who hold an academic degree in cybersecurity. For the SSCP program, this waiver covers the entire experience requirement, making the certification a great choice for recent graduates who are preparing to tackle their first cybersecurity job.
What’s Changing on the 2018 SSCP Exam?
(ISC)² certification programs typically follow a three-year refresh cycle and the SSCP credential is following this process. On Nov. 1 — later this week — (ISC)² will release a new version of the exam that updates material from the April 2015 revision.
The basic structure of the exam remains unchanged. Candidates will face 125 multiple choice questions during the three-hour exam and must achieve a score of at least 700 points on a 1000-point scale in order to pass. The exam will continue to use a computer-based testing format made available through Pearson VUE testing centers.
One other important thing that isn’t changing is that the SSCP exam will continue to use a traditional, linear exam format. Candidates will be able to move freely back-and-forth between questions on the exam and may revisit their answers as many times as they would like.
In January 2018, the (ISC)² flagship CISSP exam moved to an adaptive testing format that changes the difficulty of future questions based upon a candidate’s exam performance. This format requires that candidates answer a question once and does not allow them to return and change their answers later.
The SSCP exam is not moving to this adaptive format, at least for now.
The seven domains on the 2015 SSCP exam also remain the same, although the weights of those domains are being adjusted on the 2018 exam. Here’s a summary of the domain weights on both the 2015 and 2018 exam versions:
The bottom line? You’ll see a few less questions on security operations and application security that will be replaced by a few questions on risk management and cryptography, but the weights stay pretty much the same.
The biggest changes on the 2018 exam come in the form of new content in each of the domains. The subject matter experts assisting (ISC)² with the SSCP exam review added quite a bit of new material to the new exam that brings it up to date with the current state of cybersecurity and also aligns it with the new emphasis on hands-on knowledge.
Here are a few examples of the new material covered by the exam:
- Designing and maintaining Identity and Access Management (IAM) systems
- Badging employees and visitors for physical security
- Considering legal and regulatory concerns for monitoring systems
- Managing the incident response lifecycle
- Understanding details of cryptographic algorithms and key lengths
- Load balancing network traffic
- Implementing the shared responsibility model for cloud computing security
As you prepare for the exam, you should review the full 2018 Exam Content Outline from (ISC)² and make sure that you’re using exam preparation materials that are updated for the 2018 test.
Career Paths for SSCP Holders
The SSCP is an entry-level certification, so candidates earning the credential should expect to move into an entry-level cybersecurity position. It’s common for SSCP holder to accept positions in security operations centers (SOCs), operating firewalls, intrusion prevention systems, and other cybersecurity technologies; or conducting cybersecurity awareness training.
As SSCP holders advance in their careers, they should also consider earning more advanced certifications commensurate with their new roles. This may include pursuing the CISSP certification as well as moving down a more technical track by pursuing technically deep cybersecurity certifications, such as CompTIA’s Cybersecurity Analyst+ (CySA+) or Penetration Tester+ (PenTest+) credentials.
The SSCP offers cybersecurity professionals a stepping stone in their career. Positioned similarly to CompTIA’s Security+ certification, it is an excellent choice for anyone who is just beginning to establish themselves in the cybersecurity career field.