CASP vs. CISSP: The Real Fight Is For Candidates' Attention

Should you choose CASP or CISSP when seeking expert-level security certification?

Thanks to an interesting blurb in this week's Certification Watch (Vol 21, No. 42) I learned about an interesting IT Career News blog piece from CompTIA. You'll find it under the headline "CASP vs. CISSP: 4 Advantages of CompTIA's Advanced Cybersecurity Certification."


In this piece, the author, Patrick Lane, attempts to make a case for picking the CASP over the CISSP. FYI, Lane is the CompTIA Director of Products, who oversees related CompTIA security certs CySA+, PenTest+, and — you guessed it — CASP. So clearly, Lane has some skin in the game. So do I, however, so it's time for me to make some disclosures, too.


Ed Adds Some Additional Transparency


I'm actually positioned in this particular face-off with a foot on each side of the contest. Let me explain. First, I designed and worked on the first five editions of the Sybex CISSP Study Guide. It's now out in a sixth edition, in which I am no longer personally involved. But I've been following this cert in great detail, with rapt attention since the late 1990s.


On the other side of this face-off, I've been writing blog posts and the occasional longer pieces for CompTIA for the past three years or so. Last week, in fact, I just submitted four posts to them in the general areas of cloud computing and career development. Hopefully, you'll buy my assertion that I am not biased toward one cert or the other here, though I do have reason to think of both of them positively and their sponsors likewise.


Lane's 4 Arguments to Choose CASP, Summarized and Abridged


If you want the full details of his arguments, read his post. Here's the Reader's Digest condensed version, in bullet points:


The CASP exam is performance-based and CISSP is not. Lane correctly observes this means that the CASP exam can test for hands-on skills and operational knowledge, while the CISSP exam can (and does) not.


CASP endows cybersecurity managers with technical mastery, says Lane, and explains it applies to "a specific government standard" and "rolling out complex cybersecurity technologies and infrastructure requirements." He goes on to say that CASP holders "understand the standard and how to comply with it. They also have the advanced skills needed to lead, design, and implement the technical solution." By implication (though not by assertion) CISSP does not.


CASP fills a need for professionals with vetted, advanced, hands-on cybersecurity skills, especially for those who "want to remain at the keyboard and work directly with cybersecurity technologies and tools." The assertion is that CASP fits this bill, the implication that CISSP aims more at security management types (a true characterization, IMO).


CASP costs less to achieve than CISSP: $439 for the CASP vs. $699 for the CISSP.


The Texas Truth-o-Meter Strikes Again!


Where I live, our local NPR affiliate (KUT Austin) brings on political commentator Ben Philpott and his colleagues regularly to assess the veracity of politicians' claims and assertions. Ratings vary from "Pants on Fire" (obvious, blatant lie) to "Completely True" (no falsehoods here). On that scale, Mr. Lane's piece hits the high end of the spectrum, with a rating of "Completely True" for everything it says.


One may sin by omission, however, as well as sinning by commission, as any good person knows. Part of what Lane leaves out of the article is addressed in the table of numbers below. I'll get to some others after I present that next.


Comparing CISSP and CASP by job board results.


The table holds a snapshot from four job posting sites — SimplyHired, Indeed, LinkedIn and LinkUp — taken Thursday morning (Oct. 18). I don't insist on perfect accuracy for these numbers, but I will point out that the ratio of mentions between CISSP and CASP in today's job postings is roughly 9:1 (actual value: 9.03).


That simple comparison tells me that CISSP is a great deal better-known and more popular with employers than is CASP, at this point in time.


Other Quibbles and Nibbles



Then there's the matter of salary associated with each credential. Those same job boards cited in the table tell an interesting story there, too. The CISSP salary range runs from $72,000 to a high of $188,000, with an average of $111,000 and a median of $91,000.


The CASP range also starts at $72,000, but hits a high of $158,000, with an average of $91,000 and a median of $88,000. I actually think this lends credence to Lane's assertion that it's a good credential for people who want to stay technical and hands-on.


Why do I say this? Because, with rare exceptions for extremely talented, high-level consultants and technical fellows, the hands-on guys usually make less than the guys who manage them.


I also take minor issue with Lane's assertion that CASP holders are better equipped to deal with compliance with applicable rules and regulations, and better able to lead, design and implement technical solutions. The CISSP exam is heavy on theory, but it pays close attention to matters of law, regulations, compliance and accountability.


It also emphasizes processes and procedures which, if followed closely, should help CISSP pros do every bit as well in such situations as their CASP-certified counterparts.


As for performance-based testing versus multiple-choice questions, there's no denying that the first is a better indicator of hands-on skills and operational knowledge. But CISSP's requirement for 3-to-5 years of documented on-the-job security experience, as well as a testimonial from a current CISSP holder, helps to address some of those same concerns, in my opinion.


Which is Best for You: CASP or CISSP?


Good question! I think Lane is correct to assert that for those who want to stay on in an active day-to-day role as a security professional who does security stuff, the CASP is a good choice. In the long term, however, I think it may make even better sense to combine the two.


Even the most dedicated in-the-trenches security guys may sooner or later aspire to more responsibility and a broader purview of the role that security (and policy) play in an organization. At that point, CISSP certification really makes a lot of sense, and provides career-boosting potential that, as indicated by the table above, the CASP simply doesn't match at present.


Not to mention the improved salary possibilities of CISSP certification. It's a good topic to chew on, however, and both credentials are worthy of time spent duking things out. I think they're both winners, but for different reasons. I hope you agree, and have found this discussion informative and worthwhile.


About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website at, where he also blogs daily on Windows 10 and 11 topics.