Terrible video. Security+ is a lower-level, basics-of-security cert. The CISSP would be compared to the CASP, if anything. Makes 0 sense to compare it to Security+.
@@germ4613 I get asked to compare the two certifications frequently enough that it made sense to make a video to address it, not because I'm unaware of the audience that each is targeted towards. Thank you for watching!
@@JonGoodCyber I also think it's weird that people keep comparing Network+ to CCNA, because Network+ is an entry cert. They should be comparing Network+ to a Cisco entry cert. CCNA is an intermediate cert. No one ever calls that out, because that one is like, duh, CCNA is harder.
I'm 80% done studying for the Sec+, and then I just learned about the CISSP and its placement in the hierarchy and considered stopping the Sec+ and pursuing the CISSP. But thanks to this vid for reminding me to just stay focused and knock out the Sec+. Especially when I have zero experience and I've already skipped the A+ and Network+. The CISSP will come when it comes.
I think you hit the correct point towards the end that you should get Security+ first on your way to get CISSP. I think the real question some people have is if you should start with Security+ or SSCP. Or if you already have Security+ should you try for the SSCP or CySA+ next? Especially if you want to be an analyst, not necessarily a security manager.
Honestly I would probably recommend the CySA+ over the SSCP. The SSCP is very similar to the Security+, where the CySA+ will give you more of that analyst knowledge that is helpful in a Security Operations Center (SOC).
@@krisg900 for what kind of job? If we are still talking about the same path, (Security Analyst) the Pentest+ isn't even really in the conversation. Honestly even for Penetration Testing jobs, the value of the Pentest+ is very minimal. At the level of experience this question is related to (early to mid level security analyst), you should be much more focused on building your analysis skills and how to leverage blue team tools.
@@JonGoodCyber I was thinking about getting Pentest+. I have Security+ and am about to take CySA+. I was thinking about Pentest+ because I like pentesting and offensive, but idk. I also am looking at the AZ-500. I like offense but I also like defense. What do you think? I don't want to spend forever getting certs. Should I get CySA+ and AZ-500 and stop?
Definitely go grab a copy of my eBook ( jongood.com/getstarted/ ) to see the skills and certifications that I recommend. As far as your situation, it isn't clear if you're working in the industry or your level of experience but cloud is one of the hottest areas in Cyber Security right now, and honestly in all of technology careers. With that being said, cloud is also its own area so if that is of interest to you, I wouldn't try to dip my toes in a bunch of areas and instead dive all the way in.
Hello! Thanks for taking the time to teach this. I am studying the material of both, and also for (ISC)2, and I am getting a sense of which one I feel more comfortable doing first. I am doing courses online, self-education and tutorials. I will probably end up doing Sec+ first. Thank you for all the good stuff you post.
There is certainly an overlap in the material for both certifications but it's generally not a good idea to study multiple certifications at once. It's much better to make a decision and put your full effort into a single certification. Thank you for watching and I'm glad that the content is helpful!
I’m studying for security+ as a stepping stone to get into security space with a goal to finally do CISSP or CISA or CRISC later. Been in IT for 20+ years.
Awesome stuff...when you get to that later point if you are going to do all three, I would recommend the following order: CISSP, then CISA, then CRISC. They might not all make sense based on how things evolve but they all have great information and that order is highest demand to lowest.
The CISSP and CISM do have some overlap but I would consider the CISSP more valuable. For that particular lineup, I would say CISSP, CISA, CISM, CRISC...possibly even CRISC then CISM just because ideally you want to get different skillsets and then the CISM is just icing on the cake.
I would clarify that the CISA is not as much about the technical side of security and focuses heavily on identifying risk in areas like processes. Risk and risk management are major subjects in security but they aren't usually part of an analyst or engineer's role.
Currently an undergraduate student in information technology/cyber security. Looking for a certification now to further my career. I'm brand new to the space. Thanks for your updates. It helps me stay focused.
Awesome and I'm glad you enjoyed the video! Make sure to grab a free copy of my eBook ( www.jongood.com/newsletter/ ) that has a certification roadmap for you.
Sec+ vs CISSP, which is better? That is a no-brainer on which one holds more weight. The problem is employers will see the CISSP cert and, once hired, will expect you to know your stuff. Plus, just to take the test you need at least 5 years of experience in the industry to even apply. So depending on the level of knowledge/experience of the person is which cert to go for. Starting out: Sec+. In the IT security field for a few years: CISSP.
I am new to security. Got CCNP R&S, MCSE Cloud Platform and Infrastructure, and a lot of tool-related certs (Splunk, PRTG, CyberArk, ...). Going to try CISSP.
Why not both? I know cost will be a factor but Sec+ will help gain the fundamentals down before taking the CISSP. Also in Europe the CISSP will open more doors than Sec+ would do.
There is absolutely nothing wrong with getting both certifications. Depending on the factors I lay out in the video though, one might make more sense than the other right now.
Certifications hold more or less value depending on what sector you’re in. There will never be a general answer to this. I can 1000% guarantee you that the Security+ in the government sector will be by far the more valuable cert. It’s literally a government DoD requirement listed. Even if you have CISSP, they won’t even hire you without Security+. If they do hire you without Security+, they won’t keep you long if you don’t get it fast. I had my CISSP going into a government role and it got me hired but I had an 8 week grace period to pass and obtain Security+ or I would have been shown the door. They literally told me that. I know in the private sector though, security+ is regarded as an entry level certification but still valuable depending on what you’re doing.
If you can pass the CISSP but cannot pass the Security+ then something is wrong. The government/defense sector definitely has some unique aspects regarding certifications and what's required based on overall responsibility. I find it interesting if you were actually told that the CISSP would not satisfy the Security+ requirement. Whoever was interpreting the requirements didn't do a very good job because the CISSP is an IAT Level III and IAM Level III certification, which actually means that it satisfies all lower levels within those categories. Some IAM level certifications wouldn't satisfy an IAT level requirement but the specific situation that you mentioned is a very common comparison. Also, the CISSP is actually the most valuable certification that you can have in that industry for high level positions.
This is sort of like asking if the A+ or a Microsoft Expert Cert is better for your career. Odd comparison choice as one is entry level and one is close to being intermediate-senior level.
It may seem like an odd comparison but I promise you that I get the question enough to where I needed to make the video. Interestingly enough, the question doesn't always come from people who are brand new to the career field.
That sucks, if I learned CISSP I will have to wait to be even considered an associate. But better than nothing I guess. Not sure if this is to curb the influx of personnel applying or it's genuinely about gaining the experience.
The target audience of the CISSP is managers or people making management level decisions with a security program, which is quite a different role than a normal staff member. The CISSP should certainly be on your roadmap but it doesn't do anything for you until you have the required experience under your belt. There's plenty of other options out there that are a better fit for somebody trying to gain experience but doesn't meet the requirement yet.
This feels like apples and oranges. Both are security certs but on opposite ends of the cert spectrum. Sec+ is entry level and CISSP is mid-to-late level. For 99% of people CISSP won’t be your first cert. Anyone asking this should shoot for Sec+
You would be surprised how often I get asked the question and many times it is because somebody is not aware how each certification fits into a career.
I am a Windows systems admin. I have to get my Security+ in order to get a job on the Air Force base. Now with that, should I look at the CISSP later if I am not going to be in cyber security?
In that environment, I would highly encourage you to pursue the CISSP at some point. You'll find that as you get more experience, even the senior level staff in IT are going to frequently have a CISSP so you want to stay competitive if nothing else.
Has there been an update with the CISSP? I was just on their website and I'm sure I signed up for their free self-paced training material. Also it says it's entry level and it doesn't require 4-5 years of experience.
You probably signed up for their entry level certification that they just released recently. The experience requirement for the CISSP has not changed ( www.isc2.org/Certifications/CISSP/experience-requirements ).
I'm not even understanding how people are making this comparison. Those two certifications come into play at very different stages in your career, one is entry level and the other requires real-life experience to even be allowed to sit for the exam. By the time you go for the CISSP you probably had the Security+ for years, or maybe even stopped renewing it by then. These two certs are worlds apart, and it's not about which one is better, you'll probably get both at different points in your life. If you're contemplating on taking the Sec+ exam, then you're not ready for the CISSP and more than likely don't meet the requirements to take it. If you're at the point where you're ready for the CISSP, then you're way beyond the Sec+.
It's important to understand that I get questions from people of all experience levels, and my ultimate goal is to help people in their journey regardless of experience level. Although this might not be a question you have, which is completely fine, that doesn't mean other people don't need an answer to it, and we certainly aren't going to (and shouldn't) hate on them for asking. Also, for the correctness of your comment, the CISSP has an experience requirement to get certified, but you do not technically need any "real-life" experience to sit for the exam.
@@JonGoodCyber I didn't realize this video is 4 years old, it just popped up in my suggestions. I completely understand what you're saying, and I respect that you're trying to help and answer people's questions. I just feel it was addressed in an odd way. The whole "Which one is better?" and "So which one should you go for?" questions seem out of place, because they're not comparable at all. It's not like anyone is going to come to the point where they have to decide which one to take between the two. It's as if you're pitting them against each other, or like we're being forced to choose one over the other, when in reality most people will benefit from acquiring both, just at very different points in their career. To me, it's almost like asking the question, "Should I apply for a SOC Analyst position, or should I apply for CISO?" Well, what's your skill level and experience? Anyway, I'm not trying to invalidate anything you're saying, I just found it a bit strange to approach this the way you did. Thank you for the content!
The requirement is for cyber security experience, not a particular title. I would take a look at the requirements and domains ( www.isc2.org/Certifications/CISSP/experience-requirements ) to make sure that your experience aligns, but I can't imagine somebody working in a SOC doesn't have the appropriate experience.
So my goal is CISSP, but I don't have the cyber experience to take the exam. I work in project management (PMP certified) so should I go for security+ or SSCP?
I typically recommend the Security+ over the SSCP unless there is a very specific reason. The Security+ is more widely known and my students usually have an easier time passing.
If you're trying to find jobs that match what you have exactly, you're not using the right strategy. Find jobs that match your level of paid experience, and see how well your knowledge/skills align. Most likely you'll be in the ballpark for the job requirements of an entry level or junior level type job but you should be seeking to be the most competitive candidate that you can be.
@@JonGoodCyber Thanks for the reply Jon, I lack experience mostly, but it is very difficult to get experience with nobody hiring 0-2 years in my area. Even entry level positions on indeed have 4+ years of experience required.
@@SheepdogTTV I recommend using the filters provided by the job boards because jobs frequently ask for 3 years or less of experience. Also, don't just look for remote jobs, as that will limit your chances. In general, Cybersecurity is not considered an entry-level career path, so you should be applying to any help desk, IT or cyber security job that matches your experience. As you gain experience, start developing a strategy for the next steps to reach your goal job. I highly recommend checking out the Career Services offered by Cyber Training Pro to help you in your journey ( www.cybertrainingpro.com/ ).
I have 3-4 years experience in sys admin roles with Windows. I have good general knowledge but in terms of networking my skill level is around CCNA at best. My question is do CISSP roles require you to have intimate technological knowledge? Or more just a high-level understanding of how everything works?
It will really depend on the role because even though the CISSP is primarily meant for management level staff, there are a variety of positions including senior level technical roles that desire people to have a CISSP. The short answer though is that you don't have to apply to technical roles if you would rather be non-technical as there are plenty of roles that exist.
On my website I have my Security+ course, which is great for beginners to Cyber Security. www.jongood.com/product/comptia-security-sy0-501/ My website requires a membership but then you can access all of my courses including the ones I am working on creating right now. www.jongood.com/product/membership-subscription/ If you prefer just an individual course instead of access to all of my courses then I would check out the single course on Security+: www.jongood.com/udemy/securityplus
I was thinking of taking this route to be honest: Security+ > CEH > CISA > CCISO > CISM > CISSP (but with CISSP you mention that you need to write ISC2? before or after CISSP). But I see you mention to start with the biggest and hardest one first, CISSP, then do the CISA. Is the concept you are trying to tell here equivalent to doing the CCIE first, then CCNA? What's your take? I got to where I am through sheer experience, but now qualifications are becoming a thing that I need to do to progress further. I'm currently an Information Security Specialist, for 4 years now. But before that I've been involved in the security space for 6 years, with 2 years being a security engineer. Always had a study disability even through school, so had to have someone (scribe) read the papers for me for my brain to take in, with a psychologist that had to approve this with proper evaluations. (Just making a point that I wasn't just being lazy and truly have an issue.)
I would highly recommend grabbing a free copy of my eBook ( www.jongood.com/getting-started/ ) where I give a skills and certifications roadmap. Although you list some well known certifications, there is more strategy to getting the most return on your investment than simply gathering a bunch of certifications. For the CISSP and CISM, I have a comparison video ( ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-WbtpVWEm2QU.html ) that I would highly consider watching for the differences. Also, for all of ISC2 and ISACA certifications, you must submit an application and be approved based on the requirements.
Interestingly I made a video on the Associate of ISC(2)...aka the CISSP prior to having the experience. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-GNVBcGziS9I.html
Mark Zuckerberg dropped out of college and created Facebook and is now rich...does that mean that everybody should drop out of school and they will form the next Facebook? There's always going to be examples where people just happened to be in the right place at the right time or have the right network that opens a door into a good position...but you're asking for a lot of disappointment by completely ignoring certifications and ASSUMING that interviewers are going to put in the extra effort that you're describing. Certifications are a much bigger discussion but that oversimplification is a recipe for disaster.
The CISSP is definitely not inexpensive and ideally you can work for an employer that will pay for it. With that being said, would you pay $700 if it resulted in $10,000 more pay? By passing the CISSP you might not directly get that kind of increase but over the long term it really is that obvious that you should get the CISSP.
Hello Jon looking for advice on my job search. Currently a Spanish teacher but looking to leave b/c of the low pay. In the last 5 months I obtained (Google Data Analytics Cert, Google Project Management Cert, Comptia Security + Cert). I have a limited budget to pay for more certs/training. My 2 questions are: 1. What type of jobs/pay would you say I am qualified for now? 2. How can I buff my resume even further but inexpensively? Thanks in advance.
For Cyber Security, the only certification that would help directly is the Security+ and I would apply to anything that says 2 years or less experience in both IT and Cyber Security. Unfortunately, just because you obtained the Security+ doesn't necessarily mean you have the required knowledge in areas like networking, operating systems, etc. to be "qualified" for a job, especially in cyber security. Look at my free eBook ( www.jongood.com/getstarted/ ) where I provide a roadmap of what you should be learning and the certifications to pursue. For training, you'll want to check out my resources page ( www.jongood.com/resources/training/ ) where I provide several options that are either free or low cost.
Hello Jon, I have no job experience in IT but I have done bachelor in IT engineering and currently I am doing master of cyber security. Am I eligible for CISSP? And is it necessary?
I would review the CISSP requirements below so that you are aware, but no, you wouldn't meet the 5 years of paid work experience required. The CISSP should be the goal of anybody in Cyber Security. I would recommend checking out my Getting Started page for useful resources, including a career roadmap ( www.jongood.com/getting-started/ ). CISSP Requirements: www.isc2.org/Certifications/CISSP/experience-requirements
If you have 10 years of experience then you aren't really the target audience for CompTIA certifications because they typically work best for 0-3 years of experience. I disagree with saying that CompTIA certifications are worthless for a lot of reasons including but not limited to required prep time, learning concepts early in your career, and helping employers differentiate candidates. I could say the same thing for a CCNA being worthless if you have 20 years of networking experience because it would make a lot more sense to aim straight for a CCIE.
@@JonGoodCyber I did not say worthless. I said "kinda a joke". Even when I started out in IT back in late 2010 I had the A+, Net+ and MCSA. Never once were my CompTIA certs brought up in interviews, ever. 3 bosses in and they all said "I saw your Microsoft cert". 3 years into IT I got the CCENT, then CCNA R/S, then 1 year after that the CCNP R/S followed by CCNP Sec. I have had a total of 4 bosses between 3 jobs over 10 years and every single one of them has expressed a complete lack of care or attention for CompTIA certs, even when recruiting for our help desk. I'm not saying don't get them. I am saying if I could go back, I would have spent my time elsewhere.
Everything is a building block to learning more knowledge. Of course as you get higher level certifications (like CCNA > CCNP) and depending on the actual job responsibilities then things are going to be valued differently. Additionally, different hiring managers will view things differently depending on their experience and what they personally value. Are CompTIA certifications "impressive" in the grand scheme of things? Obviously they aren't going to turn heads but they give you something tangible to exhibit that you are continually learning, which is a lot harder if you are only studying (especially as hiring managers review resumes). Something that I tell people all the time is that whenever you can show what you know through blogs, videos, etc., the better you look and it COULD take away some of the emphasis on certifications in the industry. The main problem is that of all the people that I tell that, the number that actually follow through with it is pretty small.
How much experience do you have? I would definitely check out my video on the technical path to the CISSP ( ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-wWKACDri6hM.html ). The CASP is a good progression leading up to the CISSP because it builds on the knowledge you've already acquired and adds additional knowledge. Also in the CASP, you are still going to get some of the hands-on technical learning that you aren't really going to get in the CISSP, which is more about managing from a high-level.
I have 2.5 years of help desk/SysAdmin/everything, lol. Small shop. I currently work at an IT school as an instructor mentor. 6 months there. So 3 years of experience. Getting the CySA and Sec+ gets a 1 year waiver. So I'm 1 year away with experience.
@@richarddalton4305 Do you want to be managerial or technical? Managerial go CISSP, Technical stick with CASP and maybe get CCNP-Security, CISM. Depends on what you want to do.
I typically recommend Security+ over the SSCP because it has better industry recognition and tends to be an easier exam for people. At the end of the day though, they both cover very similar information and are intended for basically the same audience.
The CCNP Security will be more difficult and more technically focused on the network side of things. That means VPNs and other networking technologies at a deep level because it's a professional level certification. The Security+ will give you a broad understanding of Cyber Security without the focus on a specific vendor. Basically, you can count on your CCNP studies requiring a lot of hands on where the Security+ will be more conceptual. When the CCNA Security was still around, it was a lot closer but even then it still heavily focused on networking for obvious reasons.
If you can pass the Security+, the CySA+ would be a little more difficult because it's the next level but you should be able to handle it. I recommend checking out the roadmap in my eBook ( www.jongood.com/getstarted/ ) for what I tell people to pursue.
Below is the link to the eligibility requirements for the CCISO from EC Council. Although the Security+ isn't a requirement for the CCISO, if you couldn't pass the exam then you definitely aren't ready. The CEH has very little relevance if any for the CCISO. ciso.eccouncil.org/cciso-certification/cciso-qualification-requirements/
@@JonGoodCyber thx, basically a zillion years experience (5 yrs per 5 domains). Is there truly a demand for cybersecurity professionals without a zillion years experience, lol?
Domains 1-4 will almost always overlap in experience. Domain 5 basically will require you to be in a lead or management role. It will probably be easier to get the experience satisfied than it seemed at first glance.
Good day, Jon! I am a bit confused about the experience requirements. I have 16+ years of experience in application architecture, design and development, none in the role of a formal cybersecurity-related job. However, owing to my passion for security, I have put in my best efforts to deliver secure applications. Can I still be CISSP certified or do I have to settle for an associate? I have started my prep, though...
You would need to look at the domains and the requirements to see if your experience matches. Typically, if you've been working in a technology job then you probably can qualify but if you want an official answer then you would need to reach out to ISC2.
Yes, you can get a one year waiver by either having a degree or one of the approved certifications. www.isc2.org/Certifications/CISSP/experience-requirements