Ted Demopoulos    Demopoulos Associates

Ted Demopoulos’ securITy

May 2005 -- updated 2007

Security: CISSP Certification, GSEC Certification, and more


The two most important security certifications are CISSP (Certified Information System Security Professional) and SANS GSEC (Global Information Assurance Certification Security Essentials Certification). The rest aren't significant in comparison, although I’ll briefly comment on a couple of others.

With certifications, there are two things to consider: the value of the certification, and the value of the knowledge. Presumably you need to learn or at least review something to pass the certification test/requirements. That’s certainly true for CISSP and GSEC. Security is a broad enough area that almost no one can just waltz in and pass the tests for either of these.

CISSP is THE best known security certification. SANS GSEC is second, although rapidly increasing in prominence. CISSP has been around roughly twice as long as GSEC, which accounts for at least some of its preeminence. They are both excellent programs with significant overlap as well as some significant differences.

SANS GSEC material is more practically oriented than CISSP. Many people comment that CISSP is more managerially or theoretically oriented than GSEC. Although most people agree that CISSP has some obscure and bizarre stuff in it (“Orange Book” material, Bell-LaPadula, etc.), most of the material in both programs is very useful.

SANS GSEC training has 10 hours of hands-on training whereas most CISSP programs have none. There is more emphasis on learning “how to do things as compared to knowing things” in SANS GSEC. CISSP requires four years of experience in security whereas SANS GSEC has no such requirement. SANS GSEC certification consists of online exams plus a “practical component” (note: SANS has changed requirements recently and includes a ‘test only’ certification option as well; see http://www.giac.org/info/16536 for full details). The GSEC exam is “real world” in that it’s open book and open Internet (it's no longer open Internet). CISSP certification requires you to report to an authorized test site for a rigorous, and many people say scary, examination. No books, notes, or Internet access allowed! It is similar to a college entrance exam in many ways.

SANS GSEC training is developed and run by The SANS Institute, who are essentially the GSEC people. I don’t know of any other sources of GSEC training. CISSP training is available from many sources including The International Information Systems Security Certification Consortium, better known as (ISC)2, the CISSP people. This is confusing because the (ISC)2 certification entity is a nonprofit, whereas the (ISC)2 training entity is a different, for-profit company.

CISSP and SANS GSEC training is intrusive! For example, the SANS GSEC “Boot Camp” (as it’s often called) is six days long, including most evenings. It runs over the weekend, but I've never heard anyone complain. CISSP programs tend to be 5+ days long as well. Depending on your level of experience, additional study may well be required before taking the certifying exams. It is very possible to get certified without taking the associated training.

I can't tell anyone how valuable being CISSP or SANS GSEC certified will be to them. I’ve been consulting on Information Security for well over a decade, and none of my clients have ever asked or cared! Others have told me that it’s been invaluable to them. My informal research shows that these certifications are slightly more useful on the East and West Coast of the USA than in the center. In Asia-Pacific, CISSP is by far better known and respected, at least currently.

That said, the knowledge learned while getting certified is valuable itself. Security is a broad enough field that certainly no one knows everything. Having a certification can't hurt, and sometimes it can help a lot, especially if you are just developing your expertise and experience.

What about other security certifications? TruSecure has a TICSA certification aimed at “IT Practitioners.” I was certified as a TICSA Subject Matter Expert at one point, or so TruSecure told me, but apparently they lost my paperwork! It is a good program, which may still exist, even though TruSecure doesn’t exist anymore (they are now part of CyberTrust).

I’ve also heard good things about the CompTIA Security+ certification, but have no experience with it. It is more of an entry level certification than CISSP and GSEC.

SANS and (ISC)2 have a number of additional certifications as well.

There are actually a lot of certifications out there, but in security, CISSP and SANS GSEC are the biggest by far. I haven't even touched on vendor-specific certifications, and there seem to be hundreds of those in the security space.

Note to those hiring: there are a lot of certified bozos out there. Certification by itself means nothing. You hire people, not certifications!

Disclaimer: I’ve been involved in security and security training for a long time. I occasionally teach security classes for SANS including CISSP Training. I’m SANS GSEC and CISSP certified. TruSecure was a client of mine while they existed.

Postscript: I just renewed my SANS GSEC certification which required taking an online test. Yes, even instructors for SANS must be recertified! The test seems to have changed somewhat and I quite honestly didn’t remember it that well.

It impressed me! It’s very real world: open book, Google allowed, etc. Many of the questions did NOT seem to have answers that came directly from the SANS GSEC training material, but if you knew the material you could figure out the answer. If you didn’t have the appropriate background, any reference material wouldn’t have been of much use!

Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
This newsletter is Copyright © 2005, 2006 by Demopoulos Associates, Durham, New Hampshire, USA.  All rights are reserved, except that it may be freely redistributed if unmodified.

Sharing securITy is encouraged if the copyright and attribution are included.
