CISSP-ISSAP or GSEC

Cyberscum Member Posts: 795
Looking for pros and cons of each. They seem to be very close in comparison with the ISSAP possibly being less known than the GSEC.

Any advice or suggestions would help.

Looking at eventual employment in the security architecture realm.

Thanks in advance!

Comments

  • renacido Member Posts: 387
    I've not taken either, but based on what I know of each, they seem quite different from each other.

    GSEC is a generalist security admin/analyst cert that is a prerequisite for the more specialized sec analyst certs in the GIAC roadmap (GSEC-->GCIH-->GCIA-->GSE). In terms of difficulty and content it seems like an alternative to Sec+ with maybe a more pragmatic approach (GSEC is open-book but asks harder, scenario-based questions whereas Sec+ is closed-book knowledge exam).

    CISSP-ISSAP is about designing and implementing secure architecture that meets business requirements. Seems like you need in-depth understanding and ability to apply TOGAF along with ISO/COBIT/NIST best practices, know architecture models & views (AV's, SV's, TV's, OV's, etc) and how they are used to plan strategic tech investment that manages risk while meeting needs of the business units. You probably get into a good bit more of BC/DR planning as well along with portfolio management and ITIL Service Strategy and Service Design.

    ISSAP PROs: Good cert for system architects, CISOs (along with ISSMP), security engineers (along with ISSEP). You have the prerequisite (CISSP) already.
    ISSAP CONs: Boring exam content for those not at all interested in how IT supports business or for guys who are purely technical and could care less about the "big picture".

    GSEC PROs: Great for net defenders, security analysts, SOC/security managers, general security practitioners of all feathers really. It's got the SANS reputation for quality and is the first cert to get if you want the real mack-daddy infosec cert (GSE).
    GSEC CONs: GIAC makes it damned expensive to challenge the exam without the SANS training, and many folks don't have the logistical or financial means to attend the SANS course for GSEC, which to me is more valuable than the certification.

    My two pesos.
  • beads Senior Member Member Posts: 1,511
    GSEC is actually recognized as a certification, the ISSAP is not. Though worthy of its designation there are still only 1001 people who have managed to pass that exam in the past 15 years. Sounds cool, right? No one actually cares because there is no demand for it. I think I have seen one posting asking but not requiring the ISSAP. Even then they had no idea it was a very obscure certification to obtain. The hiring manager just thought it must be "better" than the CISSP.

    If you have your CISSP there would be little to no sense taking GSEC as this is a lower level exam than the CISSP. If so, concentrate on Defense in Depth or Incident Handling. Both far more practical in nature unless of course you plan to complete the GSE then it would be necessary.

    They are really apples and oranges. Both fruits but very different at the same time.

    - b/eads
  • nelson8403 Member Posts: 220
    I agree with beads, unless you're planning on getting the GSE which requires the GSEC (it's their expert level cert) I don't think the GSEC is worth it. CISSP is generally held in a higher regard and shows up on job boards more often than GSEC alone.

    I'm trying for my CISSP-ISSMP shortly to try and help move myself into management, however I haven't seen that cert or the ISSAP increase in demand, however ISC2 seems to be pushing for that so it may change in the future.
    Bachelor of Science, IT Security
    Master of Science, Information Security and Assurance

    CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
  • renacido Member Posts: 387
    While I don't disagree with b/eads on the obscurity of the ISSAP, the GIAC certs aren't exactly household names either as far as that goes. If you went to a university where the SANS courses were offered or if you fall under DoD 8570 you are aware of them, otherwise you might have never heard of them until you began lurking on sites like this one. SANS has a high reputation but the exams are very expensive, and to most hiring managers if you tell them you are a GSE they might say, "hmmm...ok. Are you planning on getting your CISSP?" The only certs that are well known outside of infosec are CISSP and to a lesser extent CEH (probably only because it "sounds cool").

    Being that you want to work in security architecture and already have CISSP, I'd lean heavily toward ISSAP or better yet become an expert on the platforms you're interested in "architecting" secure solutions for (datacenter, cloud, server/network infrastructure, etc).
  • Cyberscum Member Posts: 795
    Thx for all of the replies.

    ...So I have actually asked around the office today about either cert. There were only three people in the entire building (IT concentrations) that had any idea what either were. Almost everyone recognized the CISSP, but ISSAP and GSEC were not. Not that it matters much but it was just a small scope experiment I did. While I really love the structured approach of learning in attempt to get a certification I will have to agree with renacido; at this point it might be better to find what exactly I would like to be securing.

    I have done a lot of work in Amazon AWS and I feel that cloud security is where I would eventually like to be. Being that I like the cert structured approach of learning...

    ...Any ideas on a decent cloud cert to get started?

    -Certified Cloud Technology Professional
    -ISC2 CCSP
    -VM certs
    -Actual AWS certs
  • nelson8403 Member Posts: 220
    Cisco Cloud :D they are just releasing their CCNA Cloud here shortly.
    Bachelor of Science, IT Security
    Master of Science, Information Security and Assurance

    CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
  • Cyberscum Member Posts: 795
    nelson8403 wrote: »
    Cisco Cloud :D they are just releasing their CCNA Cloud here shortly.
    Holy crap, first I heard of that
  • NetworkNewb Member Posts: 3,298
    when did they release that?? First I've heard of this too... CCNA Cloud - IT Certifications and Career Paths - Cisco Systems
  • Cyberscum Member Posts: 795
    when did they release that?? First I've heard of this too... CCNA Cloud - IT Certifications and Career Paths - Cisco Systems

    I am seriously considering this
  • renacido Member Posts: 387
    Microsoft has cloud certs as well, pair MCSE:Private Cloud and/or MCSD: Azure Solutions Architect with CCNA Cloud and throw in a CCTP/CCSP and you're king of the cloud.
  • beads Senior Member Member Posts: 1,511
    renacido wrote: »
    While I don't disagree with b/eads on the obscurity of the ISSAP, the GIAC certs aren't exactly household names either as far as that goes. If you went to a university where the SANS courses were offered or if you fall under DoD 8570 you are aware of them, otherwise you might have never heard of them until you began lurking on sites like this one. SANS has a high reputation but the exams are very expensive, and to most hiring managers if you tell them you are a GSE they might say, "hmmm...ok. Are you planning on getting your CISSP?" The only certs that are well known outside of infosec are CISSP and to a lesser extent CEH (probably only because it "sounds cool").

    Being that you want to work in security architecture and already have CISSP, I'd lean heavily toward ISSAP or better yet become an expert on the platforms you're interested in "architecting" secure solutions for (datacenter, cloud, server/network infrastructure, etc).

    I can show you many posted job descriptions directly or indirectly (as in GIAC) asking for GSEC but only one for ISSAP. Perhaps it's your market? Michigan is notoriously behind the times from what I have seen through, say January of this year. After that I stopped accepting interviews in that state.

    - b/eads
  • renacido Member Posts: 387
    beads wrote: »
    I can show you many posted job descriptions directly or indirectly (as in GIAC) asking for GSEC but only one for ISSAP. Perhaps it's your market? Michigan is notoriously behind the times from what I have seen through, say January of this year. After that I stopped accepting interviews in that state.

    - b/eads

    That could be. GIAC is better-known in the Defense sector than in the private sector for sure. Most of the GIAC certified guys I know are DC beltway bandits who work for DoD or DoD-contractors and they enjoy seemingly bottomless training budgets, especially since DoD 8570 came into effect and it's required by regulation to have the minimum certs to have a job. DoD 8570 certs are all vendor-neutral, so in DC for example nearly every network is a Cisco+Microsoft joint, yet all the techs will have CompTIA, ISACA, GIAC and ISC2 certs out the wazoo while the senior sys ads and network engineers may or may not have any MS or Cisco certs (or way outdated ones from pre-8570).
  • beads Senior Member Member Posts: 1,511
    Live in Chicago now for the past 20 years after leaving Michigan. I see GSEC come up often enough usually as an example of acceptable certs to include GSEC, GSNA, etc. SANS has an annual training event here in Chicago so I would say the brand recognition here is well established. What would be more ironic is that I can tell you I saw many more SANS plaques at the U of M in Ann Arbor (year contract) than I do at my present employer back in Chicago where such 'I love me' walls are seriously frowned upon.

    Go figure.

    -b/eads