Industry Experts Blog

One Audience. One Topic. Multiple Experts.

CCSK vs CCSP – What certification is best for you? (Pt. 2)

by Graham Thompson | February 10, 2017 | Training & Certifications

Introduction: CCSK vs CCSP (Pt. 2)


*NOTE: This “CCSK vs CCSP” entry has been updated to reflect the latest versions (CCSK v4.0 and CCSP 2017)*


Welcome to part 2 of Intrinsec’s CCSK vs CCSP series! In the first entry, CCSK vs CCSP (Pt. 1), we focused on the Certificate of Cloud Security Knowledge (CCSK) offered by Cloud Security Alliance (CSA). More specifically, we reviewed various details surrounding the instructor-led courses and exam, essentially providing you – the reader – with relevant information in hopes of helping you gain a better understanding of what the CCSK has to offer.

For those of you who missed this article and want to give it a quick glance, feel free to click this link. Go ahead, we’ll wait.

Alternatively, for the “TL;DR” folks, here’s a quick recap:

–   I have been teaching CCSK and CCSP classes for a while; I have no personal bias in this comparison
–   CCSK is held in the highest regard as far as cloud security certifications go
–   There are two different types of instructor-led courses; CCSK Foundation and CCSK Plus
–   The CCSK exam is challenging – it tests your knowledge on both technical and strategic domains
–   Exam: 60 multiple choice questions, 90 minutes, 80% score required for passing grade
–   No CPE credit requirements. CCSK is CPE eligible; 14-21 CPEs can be earned through the courses
–   CCSK is a great choice for those interested in the tactical/strategic pros and cons of cloud

All caught up? Perfect! Now that everyone is on the same page, let’s take a closer look at the CCSP and see how it compares to the CCSK.

CCSP: Certified Cloud Security Professional

As far as the cloud security space is concerned, the Certified Cloud Security Professional (CCSP) credential is the new kid on the block – at least when compared to the CCSK. CCSP came onto the scene in 2015 when it was released by none other than (ISC)², an international, non-profit membership association known for providing standardization and certification in the cybersecurity industry.

For those of you who don’t know, (ISC)² and Cloud Security Alliance (the organization that founded CCSK) actually worked together to create the CCSP course and certification exam. A bit off topic, but highly relevant all the same, is that (ISC)² is the same organization that developed the popular Certified Information Systems Security Professional (CISSP) designation. I say this because the CCSP looks and feels like a cloud version of the CISSP.

The CCSP is, in my humble opinion, more suited for CISSP holders. CISSP holders will be very familiar with the domain structure, and the material is more along the lines of a holistic understanding of all components, not just cloud-specific information. The CCSP will go into many subjects that are assumed knowledge in the CCSK. For example, the OSI reference model is covered in the CCSP, whereas the CCSK assumes you have this knowledge already when talking about encapsulation of packets in an SDN network.

CCSP COURSE DETAILS

For the question of “CCSK vs CCSP”, the main differences between the two programs can be found in three areas: expanded governance discussion, datacenter security and privacy. A CISSP is expected to understand a wide range of security domains, and (ISC)² wants to ensure that CCSP-certified professionals are fully aware of the governance and security issues that come along with cloud, the datacenter and the privacy of consumers using cloud services. So really, when the dust settles, the following formula pretty much sums up the new CCSP:

CCSP = CCSK + Expanded Governance Items + Traditional Security + Privacy

The CCSP course is typically delivered over a 5-day period. I wouldn’t consider the CCSP to be a “fire-hose” type of course, at least not when it’s compared to the 1-day CCSK Foundation. There’s some repetition in the material and you can finish it in the allotted 5 days. I wouldn’t say it can be done in 4 days either.

What about the structure of the course? Well, the CCSP course is pretty much 100% lecture-based. There are no labs at all. Zero. None. Zilch. Nada. Instead, you have a series of Q&A and work-group type of scenarios that are peppered throughout the course. By default, this makes the CCSP a course that could be considered more strategic in nature. All this to say, I would give the CCSP a 70% strategic, 30% tactical approach. In other words, almost the inverse of the CCSK.

Example: Here’s a case in point regarding the difference between the two. As I mentioned, there is quite a bit of reference to AWS by way of reference in the CCSK course. I did a search of the latest CCSP courseware and “AWS” comes up a total of 4 times. “Laws” comes up over 120 times in the latest update.

(ISC)² updated the CCSP Common Book of Knowledge (CBK) and the course in 2017. The CBK itself is about 150 pages bigger than its predecessor (735 vs 584). This update expands on concepts and introduces new subjects (such as economics of cloud, business requirements, etc.) and new technologies (e.g. DevOps, Containers, etc.), albeit to a lesser technical degree than the CCSK.

CCSP EXAM BREAKDOWN

As far as the exam itself goes, I’m under an NDA, so unfortunately I can’t share specific details on the types of questions they present. I think it would be fair to emphasize again how the CCSP is more suited for CISSP holders. In other words, it’s expected you understand how the cloud may (or may not) change security programs compared to the traditional IT security covered by the CISSP, and you would be tested on both cloud and traditional data center security concepts.

Here is some information I can share: a passing grade for the CCSP exam is 70% (700 out of 1000 points) or higher, you have 4 hours to answer 125 questions, all of which are multiple choice, and the exam can only be taken onsite at an approved Pearson VUE Testing Center – meaning it’s a proctored exam. For those of you interested in learning more, both (ISC)² and Pearson VUE have a ton of information for you to review.

CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS

When it comes to training, CPEs are naturally a given here as the CCSP is listed as a 40-hour course, meaning you should be taking home roughly 35 CPEs when everything is said and done. Of note for current CISSPs is that future CPEs earned apply to both the CISSP and CCSP designations.

You should also know, if you don’t already, that with the CCSP certification you need to earn 90 CPEs every 3 years if you are interested in maintaining (or regaining) your CCSP certification. This differs from the CCSK, which does not require any CPEs to maintain the certification.

CONCLUDING THOUGHTS: CCSP

The latest version of the CCSP expands discussion on strategic issues and addresses some of the latest technology in cloud. It doesn’t get into the same depth of tactical discussion that is found in the CCSK.

As I mentioned earlier, the CCSP course and exam are written along the same lines as the CISSP; coverage includes everything that an Information Security professional should know to secure an environment, ranging from the physical design of a datacenter up to cloud application security.

If you’re interested in learning more about the training we provide for the CCSP certification, feel free to check out our CCSP course page which has helpful stuff like a brochure, a list of the resources provided to students, prerequisites and more. Alternatively, if you’re interested in learning more about our partner (ISC)² and their CCSP certification, we encourage you to visit the (ISC)² website.

CCSK vs CCSP: FINAL THOUGHTS

As I said earlier, I don’t have a bias here. I’ve laid out what I consider to be the strengths of both offerings and I think you have enough information to form your own educated decision regarding which course is right for you. This table basically recaps some highlights:

| CCSK | CCSP |
| --- | --- |
| 100% focused on cloud security | Covers both traditional information security and cloud security |
| 60% tactical; 40% strategic | 30% tactical; 70% strategic |
| Quicker delivery and more comprehensive review of cloud-specific technologies (e.g. SDN, DevOps, Serverless) | More comprehensive review of IT security principles along the lines of the CISSP CBK |
| Less expensive course and exam | More expensive course and exam |
| Open book exam online (exam included with training cost) | Closed book proctored exam at testing center (exam additional charge) |

My personal opinion? I appreciate the coverage of the CCSP, but if I had to do only one, I would do the CCSK because it is 100% focused on cloud security, and architectural patterns as well as cloud-specific technologies are covered in greater depth (even more so after the v4 update). I also prefer how it’s consumed in a shorter timeframe (due to aforementioned cloud focus). Doing both is not a bad idea either if you have the time and resources. In that case, I would do the CCSK first, then the CCSP (and the CCSK counts as 1 year of experience towards the CCSP requirements as well). Either way though, the only way you can go wrong is by not doing either one.


Graham Thompson

Cloud Security Trainer and Architect

Graham’s the cloud security SME and principal trainer for Intrinsec. He’s logged over 20 years of IT experience assessing, recommending, designing and implementing secure system and network solutions for Fortune 500 companies and Government agencies. Since 2010, Graham’s been a leader in delivering cloud training and performing cloud security solutions across North America.
 

 
