Why are SANS certifications so undervalued?
I have my GSEC and I am getting my GCIH soon and my CISM soon. For some reason the CISSP, which I don’t think is that impressive, is way more valuable than the SANS stuff. Also my CRISC is too, and the CISM will be. The crazy thing is I feel like the SANS stuff made me a better security analyst. The other certs did not. Something needs to be done to change the industry so that companies understand the CISSP is not as valuable as the GSEC, for example. Hands-on and practical vs high-level question and answers seems like a no-brainer to me. Feel free to agree or disagree.
Comments
ISACA = Executives/Management
SANS = Security Engineers, Hackers, Analysts, Executives/Management, etc.
ISC2 and ISACA have the edge when it comes to Executives and Management. Sans has the edge for technical hands on techniques, but does cater to executives and management as well.
Ask yourself who gets paid more in any job industry? Executives or engineers (I should have said "staff/employees")?
2023 Cert Goals: SC-100, eCPTX
GIAC certs do have a somewhat poor ROI unless you're going for the challenge or your company is paying for it. That does not mean the ROI is bad. It's the ROI for the information security field in general that starts out generally low, but it's going to offer really high exponential growth as you get better and gain more experience.
I was interested at one point myself in the SANS management curriculum, but that soon went due to cost and the fact that nobody asks for it, though you can argue you pick up invaluable knowledge nevertheless.
2) Was marketed heavier
3) Doesn't have a "dilution" problem (majority of recruiters don't know what means what in GIAC world -- it's just too many)
4) Actually a rather good "umbrella" cert that covers pretty much everything security
Now, what choices do I have as a player in the field?
1) Swim against the flow and waste time proving to each and every recruiter/employer I meet on my way that GIAC is better than (=boil the ocean).
2) Swim with the flow and just get yet another cert.
There's only one choice here that would be wise.
E.g. CEH - Certified Ethical Hacker. To your Mum or Dad that sounds really impressive. You're certified and trained to hack. Amazing.
CISSP: Certified Information Systems Security Professional .... brilliant. They are a security professional and certified too.
Just fancy words. The same as someone being "executive" or "senior engineer". Often it's just word play.
I'm deep into my CISSP studies. I'm learning tons but believe the majority isn't that helpful.
2017: OSCP - COMPLETED
2018: CISSP - COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting - COMPLETED
GIAC GREM - Reverse Engineering of Malware - COMPLETED
2021: CCSP
2022: OSWE (hopefully)
Impressive set of certifications and qualifications you've got there.
Out of interest, which would you say was:
1) hardest
2) most worthwhile
3) least worthwhile
That said, I loved the course and would love to do more courses if my employer would ever pay for them. CISSP is insanely broad. While SANS courses are good for specific areas where you need that knowledge for your current job. Much more real world things you might be working on and be able to put to use right away.
They serve their own and different purposes imo.
Many thanks for the compliment
1. Hardest was SANS GSNA - you really need to know your technical auditing stuff - something not taught by CISA (more process/methodology focused; however, CISA is much more relevant for auditing in enterprises today because that is how it's done). Also AWS CSA - you really need to understand the environment.
2. Most Worthwhile - From a Resume perspective AWS, CISSP, CISA, CISM, TOGAF - All have helped with obtaining roles.
3. Least Worthwhile - CHFI, CCISO, CEH
Lots of companies don't necessarily need (or maybe more accurately want) a highly technical person. Just someone who knows enough to give the correct guidance to technical people who do the work. This is often a CISSP-type level. Just like pulling in a consultant or getting an IT health check/audit from a third party.
There's lots of things to do with security in business that have very little hands-on technical work, like advice, design. Security can almost be like a partially technical therapist (the psychological or physical kind).
/devil
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
2. No kidding? SANS certifications are meant for analysts...the CISSP is meant for management...so I would say you basically answered your own complaint.
3. Nothing needs to be done except you shouldn't compare requirements for a management level job to that of an analyst. The CISSP does have value at the management level where a broad understanding is required...technical certifications have value at the analyst level...not all roles are created equal for what they need.
@Techguru80
Couple of very valid points. Depends what side of the fence you are on and what you want to get out of the courses.
CISSP sadly is not going to go away. I get the disdain for it in the community (especially Infosec), but it is probably one of the most worthwhile certs to get if you're already in study mode. Just get it over with.
In short, while GIAC certifications are better in my opinion, the much higher cost to obtain one will continue to limit the number of professionals that have one, which in turn makes it a less well-known certification.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
But if you can't beat them, join them. Just get a CISSP. Do what @gespenstern suggested.
Because GCIH is actually easy and entry-level-ish. SANS 600+ courses or GCFA will really challenge you. People fail GCFA with an open book.
I don't think SANS certs are necessarily undervalued; I just think most hiring managers put CISSP, CISM and others over SANS because more people have them.
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
For GCFA there are just too many Windows artefacts (file names, locations, directories, registry, etc.); there is no point memorising them, so the open book is handy.
One can argue that no multiple choice exam truly tests your mastery of the subject.