CISSP-ISSAP or GSEC
Looking for pros and cons of each. They seem to be very close in comparison with the ISSAP possibly being less known than the GSEC.
Any advice or suggestions would help.
Looking at eventual employment in the security architecture realm.
Thanks in advance!
Comments
GSEC is a generalist security admin/analyst cert that is a prerequisite for the more specialized sec analyst certs in the GIAC roadmap (GSEC-->GCIH-->GCIA-->GSE). In terms of difficulty and content it seems like an alternative to Sec+ with maybe a more pragmatic approach (GSEC is open-book but asks harder, scenario-based questions whereas Sec+ is a closed-book knowledge exam).
CISSP-ISSAP is about designing and implementing secure architecture that meets business requirements. Seems like you need in-depth understanding and ability to apply TOGAF along with ISO/COBIT/NIST best practices, know architecture models & views (AV's, SV's, TV's, OV's, etc) and how they are used to plan strategic tech investment that manages risk while meeting needs of the business units. You probably get into a good bit more of BC/DR planning as well along with portfolio management and ITIL Service Strategy and Service Design.
ISSAP PROs: Good cert for system architects, CISOs (along with ISSMP), security engineers (along with ISSEP). You have the prerequisite (CISSP) already.
ISSAP CONs: Boring exam content for those not at all interested in how IT supports business or for guys who are purely technical and could care less about the "big picture".
GSEC PROs: Great for net defenders, security analysts, SOC/security managers, general security practitioners of all feathers really. It's got the SANS reputation for quality and is the first cert to get if you want the real mack-daddy infosec cert (GSE).
GSEC CONs: GIAC makes it damned expensive to challenge the exam without the SANS training, and many folks don't have the logistical or financial means to attend the SANS course for GSEC, which to me is more valuable than the certification.
My two pesos.
If you have your CISSP there would be little to no sense taking GSEC as this is a lower level exam than the CISSP. If so, concentrate on Defense in Depth or Incident Handling. Both far more practical in nature unless of course you plan to complete the GSE then it would be necessary.
They are really apples and oranges. Both fruits but very different at the same time.
- b/eads
I'm trying for my CISSP-ISSMP shortly to try and help move myself into management, however I haven't seen that cert or the ISSAP increase in demand, however ISC2 seems to be pushing for that so it may change in the future.
Master of Science, Information Security and Assurance
CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
Being that you want to work in security architecture and already have CISSP, I'd lean heavily toward ISSAP or better yet become an expert on the platforms you're interested in "architecting" secure solutions for (datacenter, cloud, server/network infrastructure, etc).
...So I have actually asked around the office today about either cert. There were only three people in the entire building (IT concentrations) that had any idea what either were. Almost everyone recognized the CISSP, but ISSAP and GSEC were not. Not that it matters much but it was just a small scope experiment I did. While I really love the structured approach of learning in attempt to get a certification I will have to agree with renacido; at this point it might be better to find what exactly I would like to be securing.
I have done a lot of work in Amazon AWS and I feel that cloud security is where I would eventually like to be. Being that I like the cert structured approach of learning...
...Any ideas on a decent cloud cert to get started?
-Certified Cloud Technology Professional
-ISC2 CCSP
-VM certs
-Actual AWS certs
I am seriously considering this
I can show you many posted job descriptions directly or indirectly (as in GIAC) asking for GSEC but only one for ISSAP. Perhaps it's your market? Michigan is notoriously behind the times from what I have seen through, say January of this year. After that I stopped accepting interviews in that state.
- b/eads
That could be. GIAC is better-known in the Defense sector than in the private sector for sure. Most of the GIAC certified guys I know are DC beltway bandits who work for DoD or DoD-contractors and they enjoy seemingly bottomless training budgets, especially since DoD 8570 came into effect and it's required by regulation to have the minimum certs to have a job. DoD 8570 certs are all vendor-neutral, so in DC for example nearly every network is a Cisco+Microsoft joint, yet all the techs will have CompTIA, ISACA, GIAC and ISC2 certs out the wazoo while the senior sys ads and network engineers may or may not have any MS or Cisco certs (or way outdated ones from pre-8570).
Go figure.
-b/eads