Ted Demopoulos
Ted lives in Durham, New Hampshire, USA, with his wife Margaret, children Jamie, Amelia, Anastasia, and dog Tyler. He consults and gives keynotes on Technology, Security, and Business. He loves flyfishing, ham radio, and great food and wine.
CISSP and SANS GSEC - Comparing Security Certifications

The two most important security certifications are CISSP and SANS GSEC. The rest aren't significant in comparison, although I’ll later comment on a couple others briefly.

With certifications, there are two things to consider: the value of the certification, and the value of the knowledge. Presumably you need to learn or at least review something to pass the certification test/requirements. That’s certainly true for CISSP and GSEC. Security is a broad enough area that almost no one can just waltz in and pass the tests for either of these.

CISSP is THE best-known security certification. SANS GSEC is second, although it is rapidly increasing in prominence. CISSP has been around roughly twice as long as GSEC, which accounts for at least some of its preeminence.

They are both excellent programs with significant overlap as well as some significant differences.

SANS GSEC material is more practically oriented than CISSP. Some comment that CISSP is more managerially or theoretically oriented than GSEC. I’ll comment that CISSP has some bizarre stuff in it! For example, no one cares whether something is "Bell-LaPadula" or not – not in industry, at least. Bell what??? “Bela Lugosi??” – wasn’t he the original movie “Dracula” or "Batman?" (GSEC also mentions Bell-LaPadula, although very briefly.) Most of the material in both programs is very useful.

SANS GSEC training has 10 hours of hands-on training, whereas most CISSP programs do not. There is more emphasis on learning "how to do things" as compared to "knowing things" in SANS GSEC. CISSP requires four years of experience in security, whereas SANS GSEC has no such requirement. SANS GSEC certification consists of online exams plus a “practical component.” CISSP certification requires you to report to an authorized test site for a rigorous, and many people say scary, examination.

SANS GSEC training is developed and run by The SANS Institute, who are essentially the GSEC people. I don’t know of any other sources of GSEC training. CISSP training is available from many sources including The International Information Systems Security Certification Consortium, better known as (ISC)2, the CISSP people.

CISSP and SANS GSEC training is intensive! For example, the SANS GSEC “Boot Camp” (as it’s often called) is six days long, including most evenings. It runs over the weekend, and I've never heard anyone complain. CISSP programs tend to be 5+ days long as well. Depending on your level of experience, additional study may well be required before taking the certifying exams. It is very possible to get certified without taking training.

I can't tell anyone how valuable being CISSP or SANS GSEC certified will be to them. I’ve been consulting on Information Security for well over a decade, and none of my clients have ever asked or cared! Others have told me that it’s been invaluable to them. My informal research shows that these certifications are slightly more useful on the East and West Coasts of the USA than in the center. In Asia-Pacific, CISSP seems to rule.

That said, the knowledge learned while getting certified is valuable itself. Security is a broad enough field that certainly no one knows everything. Having a certification can't hurt, and sometimes it can help a lot, especially if you are just developing your expertise and experience.

What about other security certifications? TruSecure has a TICSA certification aimed at “IT Practitioners.” I was certified as a TICSA Subject Matter Expert at one point, or so TruSecure told me, but apparently they lost my paperwork! A good program, which appears to still exist, even though TruSecure doesn’t exist anymore.

I’ve also heard good things about the CompTIA Security+ certification, but have no experience with it. It seems to be more of an entry level certification than CISSP and GSEC.

SANS and (ISC)2 actually have a number of additional certifications as well.

There are actually a lot of Certifications out there, but in security, CISSP and SANS GSEC are the biggest by far. I haven't even touched on vendor specific certifications, and there seem to be hundreds of those in the security space.

Disclaimer: I’ve been involved in security and security training for a long time. I occasionally teach security classes for SANS. I’m SANS GSEC certified and may eventually get around to taking the CISSP exam as well. TruSecure was a client of mine while they existed.

Updated - click for new copy here.

Comments on "CISSP and SANS GSEC - Comparing Security Certifications"


Anonymous Batman Fan said ... (Saturday, April 02, 2005 7:31:00 PM) : 

Bela Lugosi is the original Dracula.
Adam West is the original and only Batman!!!!!
CISSP the original, but GSEC is greatly improved.


Anonymous Bobby C said ... (Friday, April 08, 2005 1:03:00 PM) : 

I've got both certs.
I use what I learned in GSEC regularly. Much of what I learned for CISSP is worthless - Orange Book nonsense, academic theory, how high fences need to be to keep guard dogs in etc.

Renewing CISSP is trivial. Renewing GSEC takes some work.

CISSP currently has more "sex appeal," but I still think people that append CISSP to their names are bozos. Stick it on your biz card if you want, and stop there. It's not like you earned a PhD, after all. More likely you crammed and passed an exam.


Anonymous Greg Miller said ... (Friday, April 08, 2005 1:33:00 PM) : 

They are both good programs. For someone established in the industry, I'd suggest GSEC to fill the holes in their knowledge.

For someone starting out, CISSP is much better known.


Anonymous Anonymous said ... (Friday, April 08, 2005 6:35:00 PM) : 

Certification alone means nothing! Plenty of certified know-nothings around - I once hired one.


Anonymous Jerome said ... (Saturday, April 09, 2005 8:41:00 PM) : 

I took a CISSP Bootcamp - the emphasis was on passing the test, not learning. Still, it wasn't bad.
