Ted Demopoulos    Demopoulos Associates
keynote speeches
Security, IT, Business Consulting
securITy newsletter

Ted Demopoulos’ securITy

Updated October 2015

Security: CISSP Certification, GSEC Certification, and more

Infosec Career Success!
Click to Download Infosec Rock Star: Geek will only get you so far


Security: CISSP Certification, GSEC Certification, and more

The two most important security certifications are The CISSP (Certified Information System Security Professional) and The SANS GSEC (Global Information Assurance Certification Security Essentials Certification). The rest aren't as significant in comparison, although I’ll briefly comment on a couple others.

With certifications, there are two things to consider: the value of the certification, and the value of the knowledge. Presumably you need to learn or at least review something to pass the certification test/requirements. That’s certainly true for CISSP and GSEC. Security is a broad enough area that almost no one can just waltz in and pass the tests for either of these.

CISSP is THE best known security certification. SANS GSEC is second, although rapidly increasing in prominence. CISSP has been around roughly twice as long GSEC, which accounts for at least some of its preeminence. They are both excellent programs with significant overlap as well as some significant differences.

SANS GSEC material is more practically oriented than CISSP. Many people comment that CISSP is more managerially or theoretically oriented than GSEC. Although most people agree that CISSP has some obscure and bizarre stuff in it (“Orange Book” material, Bell-Lapadula, etc.), most of the material in both programs is very useful.

SANS GSEC training has 10 hours of hands-on training whereas most CISSP programs have none. There is more emphasis on learning "how to do things as compared to knowing things” in SANS GSEC. CISSP requires four years of experience in security whereas SANS GSEC has no such requirement. The GSEC exam is “real world” in that it’s open book but not open Internet.

SANS GSEC training is developed and run by The SANS Institute who are essentially the GSEC people. I don’t know of any other sources of GSEC training. CISSP training is available from many sources including The International Information Systems Security Certification Consortium, better known as (ISC)2, the CISSP people. This is confusing because the (ISC)2 certification entity is a nonprofit, whereas the (ISC)2 training entity is a different and for profit company.

CISSP and SANS GSEC training is intrusive! For example the SANS GSEC “Boot Camp” (as it’s often called) is six days long including most evenings. It runs over the weekend but I've never heard anyone complain. CISSP programs tend to be 5+days long as well. Depending on your level of experience, additional study may well be required before taking the certifying exams. It is very possible to get certified without taking the associated training.

I can't tell anyone how valuable being CISSP or SANS GSEC certified will be to them. I’ve been consulting on Information Security for well over a decade, and none of my clients have ever asked or cared! Others have told me that it’s been invaluable to them. My informal research shows that these certifications are slightly more useful on the East and West Coast of the USA than in the center. In Asia-Pacific, CISSP is by far better known and respected, at least currently.

That said, the knowledge learned while getting certified is valuable itself. Security is a broad enough field that certainly no one knows everything. Having a certification can't hurt, and sometimes it can help a lot, especially if you are just developing your expertise and experience.

SANS and (ISC)2 have a number of additional certifications as well.

There are actually a lot of certifications out there, but in security, CISSP and SANS GSEC are the biggest by far. The CISA and CISM are also quite well known and well regarded for example. I haven't even touched on vendor specific certifications and there seem to be hundreds of those in the security space.

Note to those hiring: there are a lot of certified bozos out there. Certification by itself means nothing. You hire people, not certifications!

Disclaimer: I’ve been involved in security and security training for a long time. I occasionally teach security classes for SANS including CISSP Training.

Postscript: I just renewed my SANS GSEC certification. Yes, even instructors for SANS must be recertified! The test seems to have changed somewhat and I quite honestly didn’t remember it that well.

It impressed me! It’s very real world: open book, etc. Many of the questions did NOT seem to have answers that came directly from the SANS GSEC training material, but if you knew the material you could figure out the answer. If you didn’t have the appropriate background, any reference material wouldn’t have been of much use!

Ted Demopoulos, Consultant and Speaker

Infosec Career Success!
Click to Download Infosec Rock Star: Geek will only get you so far

This newsletter is Copyright © 2005-2015 by Demopoulos Associates, Durham, New Hampshire, USA.  All rights are reserved, except that it may be freely redistributed if unmodified.

Sharing securITy is encouraged if the copyright and attribution are included.

The free newsletter of Demopoulos Associates, www.demop.com

Subscribe to the securITy newsletter


We NEVER rent, sell, or share email addresses.


© Copyright 2002-2015, Demopoulos Associates