Numerous surveys have shown that Cloud Security is THE biggest concern for Cloud adoption. The Cloud Security Alliance led by Jim Reavis has been at the forefront of raising awareness of Cloud Security. The main activities of CSA have been around Cloud Security research and education.
As part of its focus on creating Cloud Security professionals, CSA launched the Certificate of Cloud Security Knowledge (CCSK) in 2010. CCSK is currently the most important certification in Cloud Security.
On April 24, 2015, CSA and ISC2 jointly launched the Certified Cloud Security Professional (CCSP) credential. CSA, the pioneer in Cloud Security, partnered with ISC2, the leader in Information Security certification, bringing the best of both worlds to address a pressing concern of the Cloud industry.
However, the launch of CCSP has raised several questions in the mind of Cloud Security professionals:
- Aren’t CCSK and CCSP competing certifications?
- What are the key differences between CCSK and CCSP?
- Which certification should I go for? Which one will be more valuable as a professional?
Before I get to addressing these concerns, let me tell you why I am qualified to provide answers to these questions.
I was part of the development of both these security certifications:
- CCSK: As part of the CSA Global Certification Board, I was part of the team that worked on various aspects of the certification.
- CCSP: Thanks to CSA, I was part of the joint CSA and ISC2 team that developed the CCSP certification.
So here goes!
Aren’t CCSK and CCSP competing certifications?
Short answer…not really!
Both certifications have been developed with different objectives. CCSK is a certification that really tests the “knowledge” aspect of Cloud Security. As the certification title so clearly mentions, it is a certificate of cloud security KNOWLEDGE. It tests the knowledge of three key documents viz. the CSA Guidance, the CSA Cloud Control Matrix and the ENISA report.
On the other hand, CCSP tests not just the knowledge but also the practical experience of the professional. It does not restrict itself to these two documents but goes into other traditional areas of information security that are relevant to Cloud Security. It also imposes stringent experience requirements of 5 years for those who would like to obtain the certification. The word PROFESSIONAL in the certification title suggests that this is a much more in-depth and experience-driven credential.
As Jim Reavis correctly pointed out, CCSK and CCSP really complement each other. In my opinion, attaining the CCSK credential prepares one for the more stringent CCSP certification.
What are the key differences between CCSK and CCSP?
The key differences between the two certifications are listed below:
1. Body of Knowledge
CCSK: The body of knowledge required to obtain CCSK certification is largely limited to three documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document. Check out the CCSK preparation guide for more information.
CCSP: The body of knowledge required to obtain CCSP is vast and in addition to the above two documents covers numerous knowledge sources. Further, it also has an “applied knowledge” angle to the examination that tests the professional’s practical application of the knowledge she possesses.
2. Experience requirements
CCSK: CCSK has no experience requirements. Any individual who would like to obtain CCSK can do so after studying the two key documents and then passing the objective type exam.
CCSP: CCSP has stringent experience requirements that make it clear that this certification is for experienced professionals with hands-on experience in cloud AND traditional information security. The experience level required for CCSP is “minimum of 5 years of full-time, paid, cumulative information technology, including at least 3 years of information security and 1 year of cloud computing”. The CCSP certification also recognizes the value of CCSK and has a provision that CCSK can be substituted for one year of experience in one of the six domains of the CCSP CBK.
3. Examination items
CCSK: Due to its focus on testing knowledge, CCSK is more of an objective-type exam with multiple choices. Most exam items are based on information in the 3 documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document.
CCSP: Due to its focus on testing both book and experiential knowledge, expect the exam items to be both objective and problem-solving questions with scenarios. Those who have achieved CISSP certification would be able to relate to this type of testing.
4. Exam delivery
CCSK: CCSK can be attempted through a browser from anywhere after obtaining an exam token from CSA. In fact, CSA generously offers two attempts at the exam when you register.
CCSP: CCSP is offered through PearsonVUE testing centers worldwide at http://www.pearsonvue.com/isc2/.
5. Cost of exam
CCSK: The CCSK examination costs US$345.00. This entitles you to attempt the test up to two times. If necessary, additional test attempts can be purchased for US$345.00 each.
CCSP: The exam costs US$549 per attempt.
6. Certification Maintenance
CCSK: CCSK does not have any requirements to maintain the certification as of now. There is no provision for paying Annual Maintenance Fees or submitting CPEs.
CCSP: As with all ISC2 certifications, CCSP requires paying Annual Maintenance Fees of US$100 per year and earning 90 CPEs, with a minimum of 30 each year.
Which certification should I go for? Which one will be more valuable as a professional?
It really depends on the circumstances of each individual.
If you are new to Cloud Security, it would be preferable to go in for CCSK first and then attempt CCSP after gaining requisite knowledge. CCSP also provides a pathway for those with less experience to attempt the CCSP exam and then obtain the certification after necessary experience requirements are met. This is similar to the mechanism that is in place for CISSP.
On the other hand, if you are an experienced IT security professional with enough exposure to Cloud Security, you could directly go for CCSP. A person with CCSP certification is not just knowledgeable about Cloud Security but has practical experience in the subject. However, if you are not very sure of your knowledge of Cloud Security, it would be best to first attempt CCSK before taking CCSP.
CCSK and CCSP complement each other and provide professionals a way to demonstrate their competency level in Cloud Security. When deciding which certification to go for, it is important to first evaluate your current competency and experience level. As mentioned earlier, with its focus on testing knowledge based on select documents, the open book approach to the exam and its objective type multiple choice question format, CCSK would be a great way to start the certification journey in Cloud Security.
However, if you are the hardened IT security professional with loads of knowledge and experience, with full knowledge of security aspects as they now relate to the Cloud, CCSP would be the way to go.
(Keith Prabhu, Executive Director, Confidis, has over 18 years of experience in the IT domain. He holds various security credentials viz. CISA, CISSP, MBCI and CCSK. He is also the Chairman of Cloud Security Alliance, India RCB. He has been actively involved in creating Cloud Security certifications like CCSK and CCSP. He works at the intersection of business and technology and has provided several organizations with security advice that focuses on meeting business objectives.)