GCIA or GCIH

I am currently working in my first IT job, as an Intrusion Analyst. My company is great, and have been willing to take a risk and train me on the job as I learn a new skill. They also offer certification reimbursement, about enough to cover 1 SANS course per year.

I am considering taking the GCIA or GCIH, but I'm not sure which one would be better. From what I can see GCIA is directly applicable to my current role, but my boss also has no respect for it. He says he interviewed a bunch of GCIA's for my current position, and that they could not answer basic questions about security in the interview process. It also seems that the GCIA will be less useful for me as I try to advance my career. I'm not looking to move on any time soon, but for a 6 grand course, I feel like there should be good ROI down the line. GCIH seems like it is still related to what I do now, but also largely covers procedures for incident response in addition to the technical security aspect. It seems like it is more well known and respected as well.

What would you folks recommend?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

chanakyajupudi

I think the GCIH is a good cert to have if you have intentions of moving or growing to a more IR type role. GCIA is a good cert to have too. I have done the GCIH but have also done 503 course but not the exam. They both have their own merits. Its upto you what you want to take away from either of the course. Having said that. If its growth you are looking for. One boss's opinion should effect your thinking.

NovaHax

I've done both, and in my opinion, GCIA was a lot more challenging than GCIH. Your boss sounds like an idiot...no offense. Fairly ignorant to pass judgement on a certification or training program based on a limited number of interviews, rather than actually assessing the content of the course and/or exam.

docrice

The GCIA and SANS 503 is considered one of the cornerstones in the SANS/GIAC line-up. No certification can really prove that an interview candidate is capable when it comes to on-the-job performance, but it's interesting that your boss felt that they didn't understand basic security. Either the candidates' knowledge was much too narrowly-focused or perhaps the line of questions weren't very well thought-out.

I felt that the GCIA is certainly more difficult of an exam than the GCIH, but it's also much more focused on a finite set of skills as opposed to GCIH which emphasizes a broader range of knowledge but doesn't expect a lot of depth in all of them.

Both of these exams seem to be fairly well-known for those who are familiar with GIAC. The GCIA is network-focused whereas the GCIH covers both systems, networks, general tactics, and processes. They're quite complementary. Note that the GCIH is about incident handling, not necessarily incident response.

ramrunner800

Thanks for the opinions and information guys, I really appreciate them. I hear you on the subject of my boss's opinions about the training, though I have to say that it seems like many in security aren't big on formal training/certifications. I definitely feel like I need some.

Docrice, I'm new at this, what differentiates incident handling and incident response?

JDMurray

ramrunner800 wrote: »

He says he interviewed a bunch of GCIA's for my current position, and that they could not answer basic questions about security in the interview process.

This sounds like classic anecdote of the hiring manager complaining that all the MCSE's he has interviewed don't know anything about repairing servers. He's looking for the wrong thing in that big pile of resumes.

SephStorm

I'm torn on this. While I hear what everyone is saying, in general, I expect a GCIA to be a person who can be an intrusion analyst. On the other hand, that doesn't mean necessarily they know security, like someone says, the IA is very specialized, which isn't identified in the name. But I can understand the hiring manager expecting them to.

docrice

ramrunner800 wrote: »

I'm new at this, what differentiates incident handling and incident response?

Incident handling refers to the encompassing process from the pre-incident phase (prepping your resources to be able to identify and react to events of interest) to the post-mortem where the incident as a whole is reviewed, recommendations for improvements are made, etc.. Incident response is far more into the scoping, forensics, data-analysis, and finding the needle in the haystack.

504 covers incident handling by examining the general phases involved in incidents, how attacks happen, and how to contain, eradicate, and recover form them. It's a relatively-introductory balanced view of both offense and defense. 508 is a deep-dive into looking at indicators, determining the scope of damage, correlating artifacts, tracing the steps of the intrusion, and finding the smoking gun. These two courses are complementary but also quite different. I found 508 to be quite a bit more challenging.

seltaeb

Gsec --> gcih --> gcia

docrice

I took a slightly different approach in regards to SANS training and the corresponding GIAC certifications:

GSEC -> GCFW (now GPPA) -> GCIA -> GCIH (and onward).

timrvt

gsec>gcih>gisp>gced this year its between gcia gcfa..wanted to do gcnfa but its not offered the date/place I could do

rep21

I'll be doing the gcih in a couple of weeks at Monterey, CA. Any tips or advice for this course? Does it require any *nix skills?

docrice

SANS SEC504 requires some basic Linux skills. I believe they dedicate an hour or two at the end of the first day to cover what you need.