March 19, 2007
Does Certification Really Matter — GSEC v. CISSP
The Department of Defense selected a number of information security certifications as required and listed them in a document titled 8570.1. This immediately changed the information security world. There has been a lot of discussion saying that certifications are not really that important. Now, at least in DoD, the sense is that to keep your job you have to pass the test. Several years ago a hotly debated topic was "should I take the CISSP OR the GSEC"; today, there are a number of discussions on mailing lists asking "should I take the CISSP AND the GSEC". I think the first place we saw this discussion was on the CISSP COI. Dr. Eric Cole states, "Security certifications have emerged to help employers make that determination. The two most popular and trusted network and information security certifications today are the CISSP (Certified Information System Security Professional) from ISC2 and the GSEC (GIAC Security Essentials Certification) from the SANS Institute.
While some people view these as competing certifications, they are actually very complementary. CISSP tests very broad knowledge of security theory but does not go very deeply into current technology, skills or methods. GSEC is more focused on what security professionals actually have to do, and goes deeper into technical concepts. CISSP provides foundational information, theory and concepts across a wide range of areas. GSEC takes core areas and covers more technical information. For example, CISSP covers security program management and development methodologies with no coverage of specific operating systems. GSEC has nearly one third of its focus on testing skills that people need to secure the most common and most important operating systems, so it tests knowledge the professional can put to work immediately in their jobs.
During the past five years, people who knew network and information security theory and could write about security were in great demand. Today, many of the people hired originally to write reports are being asked to take more of a hands-on role in actually securing the systems and networks. In this more demanding environment, security professionals who have earned both CISSP and GSEC report that they are both more marketable in today's more demanding hiring environment, and more effective in their jobs."
A lot of the discussions focus on either the similarities of the two certifications or the differences. Some of the writers have both: "I have both the GSEC and CISSP. In many ways, when I studied for the CISSP exam I repeated many of the same topics I studied for the GSEC certification. However, as many have said, the CISSP is more of a high-level overview and the GSEC is more technical." And also, "I believe that both these certifications have their own purpose and importance. And, just because some individuals start a discussion and give precedence to any certification, it does not necessarily undermine the importance of either CISSP or GSEC."
One of the most fascinating things is the way the CISSP is perceived. Most people recognize the GIAC series for what it is: technical, skill-based. If you want to do intrusion detection/protection, you would know to take the intrusion detection course and the GCIA certification; if you were doing firewalls, you would take the firewalls course and the GCFW certification; and if you wanted to understand hacker techniques, pen testing and the incident handling associated with that, you would take the GCIH, and so forth. The point is that you expect a GCIH to be a capable incident handler. In the case of the CISSP the expectation ranges widely; some people feel it denotes a security expert, as you can see in the discussion below:
Last year I chose to get my CISSP for one reason: the prestige and recognition that the CISSP carries in the security and hiring communities. At some point in my life, I may need or want to make a change in my employment status, and I see my CISSP as the certification that will get me in the door when that time comes. As has been discussed before, the CISSP has a larger presence in the hiring community, though I do see the GIAC certs making headway in that area, so by having the CISSP, I am fairly confident that my resume will be acknowledged when applying for a job. I have also done some teaching for SANS with the GSEC course and, while I am confident in my skill set and my ability to teach the course, having my CISSP definitely lends some credibility to my being up there in front of students, since it is a certification that is recognized as an expert-level cert.
On the other hand, I take the SANS classes and obtain my GIAC certs because I know those are the certifications that will help me do my job on a daily basis. When I needed to enhance my incident handling skills, I obtained the GCIH. When I needed to enhance my forensic skills, I took the GCFA. In the next couple of years, my company is focusing on formally adopting the ISO 17799 standard, so I will be taking the 17799 course in San Diego and obtaining the G17799 cert. While I agree that we should not demean someone for a certification they have chosen to pursue, we do still need to make sure that we have a clear picture of the value of the certification, because in reality there are some certifications that, for whatever reason, are not as highly regarded as others.
However, the majority of people perceive the CISSP as fairly high level and something on the management side, and some are derogatory, saying it is just a test; but on most mailing lists, statements like that get challenged:
That a person could read the CISSP for Dummies book and then write and pass the exam a few days later is not, in my opinion, possible. Either the person already knew much more about the 10 domains covered in the exam or there were some other factors which affected the outcome. Perhaps work experience, perhaps a very clever person, perhaps very adept at understanding and interpreting exam questions, or some other factors at play. That book simply does not contain the necessary information for passing that exam. In respect of certifications being used in a misguided way, I must agree. But this also happens with degreed people. The one I like here is a person who is a Doctor and is promoted as a guru in the financial and investing world.
However, he is a veterinarian, not a Doctor of economics or finance or similar. But this is a minor matter that is never brought up when promoting his financial foresight :) In terms of CISSP and GSEC - it's all been said before. CISSP is high level, for management-level people who need a broad, big-picture understanding. GSEC, and many of the other GIAC certifications, are more technically oriented. I think people need to decide what they want to achieve first, then choose the certification path which helps to achieve that goal.
We could go on and on, but the point is, the tide is clearly turning and more people are starting to realize that certification really does matter as we see in this parting thought:
As with many of the other respondents, I have both certs. I did the CISSP first, then the GSEC. I wish I had done it in reverse order. The first four days of the GSEC cover the same 10 domains as the CISSP, but not in as much depth. However, the GSEC adds the Windows and Linux Security modules and an entire cookbook full of practical exercises with many of the most essential security tools. Both certs have great value. With the CISSP, I've found that I learned the vocabulary and methods to do everything from basic auditing of software to developing enhanced building security. With the GSEC you get specific hands-on experience that prepares you for other more technical certs, such as the incident handling class. I believe the knowledge from one complements the other. In terms of value to industry, both carry weight for employment with the DoD. So as others have pointed out, participating in a flame war to decide which is best is as fruitless as the endless battle between the proponents of Linux and Windows. They both have specific value in the computing world. BTW: I'm currently working on the CISM to round out the three security management certs.
NOTE: all emails are dated either March 15 or 16, 2007
- email: Aiken to GIAC-Alumni list
- email: Bedi to GIAC-Alumni list
- email: Murray to GIAC-Alumni list
- email: Pols to GIAC-Alumni list
- email: Cantrell to GIAC-Alumni list