SANS Certs ROI?

Rumblr33 Member Posts: 99
I want to get started on a Graduate Certification in Ethical Hacking and Penetration testing from SANS, but given the price tag of the certificate and courses, I want to make absolutely sure this is going to be worth the money investment. For the people here that have a few GIAC certs or completed their grad cert at SANS, was it worth the investment and did they increase your salary as you would have expected? Thank you for your feedback, this will most likely help me determine a plan of action.

Comments

  • BlackBeret Member Posts: 683
    I'm challenging the GPEN in two weeks and paying for it out of pocket. I'm positioned to get a job that would double my current salary and after talking to the hiring manager he stated that it's a job requirement. Whoever wrote their ad left it out. Honestly it's a good enough ROI for me that if I don't pass the test in time for this round of hiring I'll go take the course and pay for it out of pocket without thinking about it.

    When it comes to ROI on certifications I look at what I need for the job I want. I don't collect certifications and hope that some company will hire based on my certs. I sell myself on my knowledge and skills, and if a job I want has a certification requirement for a position I'll go take the test so some third party can somehow validate my knowledge.

    Every certification test I have taken has given me value because I don't take things I don't need or actively use. People that collect them based on potential financial value don't usually do themselves any favors. Study for the certifications based on the educational value, use them for something you want to do or to move up, and then the ROI is inherent even if you can't immediately quantify it. You can't really measure the ROI on knowledge and the SANS materials are great for learning.
  • docrice Member Posts: 1,706
    For some employers who have requirements for certain certifications, they can provide enough ROI in at least maybe giving you an HR checkbox-pass in order to be potentially filtered onto a short(er) list for the interview plate. Sometimes you get lucky with the hiring manager directly screening for candidates and not HR.

    In practical terms, however, the certifications are not what's important - it's the training and application of that knowledge gained which really set candidates apart. At the end of the day when I'm interviewing potential hires, I don't really care what someone's alphabet soup looks like. I care about competency, mental tenacity, personal dedication to the craft, sense of professional ethics, and other tangibles which show the value that the individual could bring to the bottom line. Having more certifications does not guarantee a better salary. As an infosec professional, I'm more skeptical if someone's flashing too many letters without a realistic degree of relevant experience demonstrating that they understand how the field works.

    I know it sounds like I'm ragging on certs. In some ways I am, but I'm also someone who has quite a few of them and I'll flat out say that by themselves, they don't say much about my abilities (other than I somehow managed to pass multiple-choice exams). I've interviewed enough people to start distinguishing early in the interview process whether someone chased papers or invested beyond that. Unfortunately, there are plenty who pass the exams but still lack the grasp on underlying fundamentals where they can gauge a complex system and meaningfully connect the dots in real-world environments.

    I'm also one of those guys who has invested heavily in SANS training and GIAC exams. I currently have nine active GIAC certs, and while that may sound impressive and they certainly helped me "see" the bigger picture as well as start realizing the moving parts in order to make better decisions, I'll be the first to tell you that a ninja I'm certainly not. Did the training and certs help my career? Absolutely ... but only because I have some years working the non-security grind before I took SANS training. One typically builds up to an infosec career, not starts in it.

    It seems pentesting is one of those paths that everyone wants to get into. Based on conversations I've had with other infosec professionals over the years, certs can be generally meaningless unless you understand the business environments, variety of daily challenges operations teams deal with, office politics, the profit-motive, communication requirements, and all the underlying technical bits. There seems to be a growing number of assessors who can run scans and maybe break-in successfully, but don't have the fundamental knowledge on how these systems work in order to explain to clients the what, why, and how to remediate. After you provide a report, it's not uncommon for a client to challenge a finding and/or a severity grade. You have to defend your findings to the letter or else risk your credibility. Training courses by themselves aren't going to prepare you for these sorts of complex intersections.

    While I personally highly endorse SANS and GIAC for their program, I'm also a bit hesitant to say that having a SANS degree will provide a lot of leverage in the employment search. The whole "cyber" hiring initiative is making it into the consciousness of business leaders, but it's still chaotic and GIAC isn't as recognized as much by traditional shops compared to typical vendor certifications, unfortunately (although DoD and similar organizations recognize some GIAC badges). The infosec hiring paradigm is evolving, but it's not so cut-and-dry.

    Long rant on my part. It's my way of saying, "It depends."
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Rumblr33 Member Posts: 99
    Thank you for your input. I am definitely doing this to expand my knowledge in the security realm and how this affects the business. As far as HR goes, I am confident I can sell myself on the skills and knowledge I currently possess, if I were to apply for a job requiring certain certifications. I am not interested in becoming a cert "monger", as stated before they mean nothing if the knowledge learned cannot be applied.
  • LionelTeo Member Posts: 526
    docrice hit everything in the nail for higher level (technical/management) jobs, where experience, skill set and applicability favors over xxx certification. For lower/entry level jobs, things are slightly different here. It can be really difficult for a company to hire a good infosec professional for lower level jobs within their budget means. To be honest, everyone is lacking a big portion of skill set, and it is not possible for anyone at this level to work on a difficult incident/pentesting project. But companies still do offer this position for various reasons. That is where certification comes in, allowing a hiring manager to evaluate a potential candidate.

    The bottom line of a key point of a candidate in entry level positions, I would say it's interest. It doesn't matter if he doesn't know that big portion of knowledge, everyone at that level is simply not good enough. But that particular candidate that shows interest is different, that goes to show his willingness to learn and to constantly find new ideas to improve himself and even the environment. If the budget allows, and the company seeks to offer such a position, then the hiring manager would definitely keep such a candidate, eventually that candidate will pick up that required skillset and begin contributing.

    As to gauge what I mean as "simply not good enough or missing a big portion of knowledge"; a really good infosec professional must be able to handle the toughest situation ever, throw him an incident/difficult pen testing project and have him figure it out alone, would you think that most infosec professionals are able to do that? Of course there is a team, but even so, a malware analyst is capable of working on investigating network and host forensics, the same goes for an intrusion analyst good in pcap analysis, who must have some capabilities to work and get some good findings from a host infected with malware; because it is not possible to have a full team at all times, therefore while a really good infosec professional has his specialty, he must be able to handle almost everything within an incident by himself when a situation requires; the same goes for pentesting.

    And don't be surprised that even for a really good infosec professional in management area, he would also know a great deal in these areas even though he probably has not been hands on with it for years. Should it be required even though it is unlikely, he can work out a great deal of details from any incident close to any other professional. Although his role is likely to ensure everything is not missed, on both a management and technical view, and it goes to show the necessary skill in order for such a professional to reach this level.

    In short, a really good infosec can handle any cyber security related situation to the best of his ability no matter how tough it is, whether he is skilled in that domain or not. Would getting any GIAC certification enable you to become such a person? Certainly not, but it does show your interest in Cyber Security better than other candidates for the manager to pick you up. Keep your interest and eventually you would be that infosec professional with such capabilities in the future.

    In terms of putting a price tag judgement on GPEN or other GIAC related certification. With the exception of niche certifications like GCIA-G, GREM and GXPN, I would recommend the self study route for better ROI. As for courses, it probably gets you in the industry you would like to be in, but you would likely have to work 2 years to earn back the initial amount you pay for the course. As your work experience accumulates and if you are really good, the salary raise would be an incremental curve.