2005 -- updated 2007
Security: CISSP Certification, GSEC Certification, and more
UPDATED version here =>
CISSP versus SANS GSEC Certification
to S e c u r IT y,
our free E-newsletter on Information
Technology, Security, and their intersection with Business.
Security: CISSP Certification, GSEC Certification, and more
most important security certifications are
(Certified Information System Security Professional)
(Global Information Assurance Certification Security Essentials
Certification). The rest aren't significant in comparison, although I’ll
briefly comment on a couple others.
With certifications, there are
two things to consider: the value of the certification, and the value of the
knowledge. Presumably you need to learn or at least review something to pass
the certification test/requirements. That’s certainly true for CISSP and
GSEC. Security is a broad enough area that almost no one can just waltz in
and pass the tests for either of these.
CISSP is THE best known
security certification. SANS GSEC is second, although rapidly increasing in
prominence. CISSP has been around roughly twice as long GSEC, which accounts
for at least some of its preeminence. They are both excellent programs with
significant overlap as well as some significant differences.
SANS GSEC material is more
practically oriented than CISSP. Many people comment that CISSP is more
managerially or theoretically oriented than GSEC. Although most people agree
that CISSP has some obscure and bizarre stuff in it (“Orange Book” material,
Bell-Lapadula, etc.), most of the material in both programs is very useful.
SANS GSEC training has 10 hours of hands-on training
whereas most CISSP programs have none. There is more emphasis on learning
"how to do things as compared to knowing things” in SANS GSEC. CISSP
requires four years of experience in security whereas SANS GSEC has no such
requirement. SANS GSEC certification consists of online exams plus a
“practical component” (note: SANS has changed requirements recently and
includes a ‘test only’ certification option as well - see
http://www.giac.org/info/16536 for full details). The GSEC exam is
“real world” in that it’s open book and open Internet (it's no longer open
Internet). CISSP certification
requires you to report to an authorized test site for a rigorous, and many
people say scary, examination. No books, notes, or Internet access allowed!
It is similar to a college entrance exam in many ways.
SANS GSEC training is developed and run by
The SANS Institute
who are essentially the GSEC people. I don’t know of any other sources of
GSEC training. CISSP training is available from many sources including
The International Information Systems Security
Certification Consortium, better known as
(ISC)2, the CISSP people. This is confusing because the (ISC)2 certification
entity is a nonprofit, whereas the (ISC)2 training entity is a different and
for profit company.
CISSP and SANS GSEC training is
intrusive! For example the SANS GSEC “Boot Camp” (as it’s often called) is
six days long including most evenings. It runs over the weekend but I've
never heard anyone complain. CISSP programs tend to be 5+days long as well.
Depending on your level of experience, additional study may well be required
before taking the certifying exams. It is very possible to get certified
without taking the associated training.
I can't tell anyone how
valuable being CISSP or SANS GSEC certified will be to them. I’ve been
consulting on Information Security for well over a decade, and none of my
clients have ever asked or cared! Others have told me that it’s been
invaluable to them. My informal research shows that these certifications are
slightly more useful on the East and West Coast of the USA than in the
center. In Asia-Pacific, CISSP is by far better known and respected, at
That said, the knowledge
learned while getting certified is valuable itself. Security is a broad
enough field that certainly no one knows everything. Having a certification
can't hurt, and sometimes it can help a lot, especially if you are just
developing your expertise and experience.
What about other security certifications?
TruSecure has a
aimed at “IT Practitioners.” I was certified as a TICSA Subject Matter
Expert at one point, or so TruSecure told me, but apparently they lost my
paperwork! It is a good program, which may still exist, even though
TruSecure doesn’t exist anymore (they are now part of CyberTrust).
I’ve also heard good things about the CompTIA
but have no experience with it. It is more of an entry level certification
than CISSP and GSEC.
SANS and (ISC)2 have a number of additional certifications as well.
There are actually a lot of Certifications out there, but in security, CISSP
and SANS GSEC are the biggest by far. I haven't even touched on vendor
specific certifications and there seem to be hundreds of those in the
Note to those hiring: there are
a lot of certified bozos out there. Certification by itself means nothing.
You hire people, not certifications!
Disclaimer: I’ve been
involved in security and security training for a long time. I occasionally
teach security classes for SANS including
CISSP Training. I’m SANS GSEC and CISSP certified. TruSecure was a client of mine
while they existed.
Postscript: I just
renewed my SANS GSEC certification which required taking an online test.
Yes, even instructors for SANS must be recertified! The test seems to have
changed somewhat and I quite honestly didn’t remember it that well.
It impressed me! It’s very real
world: open book, Google allowed, etc. Many of the questions did NOT seem to
have answers that came directly from the SANS GSEC training material, but if
you knew the material you could figure out the answer. If you didn’t have
the appropriate background, any reference material wouldn’t have been of
Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
This newsletter is Copyright © 2005, 2006 by Demopoulos Associates, Durham,
New Hampshire, USA. All rights are reserved, except that it may be
freely redistributed if unmodified.
Sharing securITy is encouraged if the copyright and
attribution are included.
The free newsletter of Demopoulos Associates,
Subscribe to the securITy newsletter
We NEVER rent, sell, or share email addresses.