Passed SANS GIAC GSTRT - mini review
This is the training that I did:
and I passed the exam yesterday.
It's different from the other SANS training that I did (GCFA/GPEN), as this was not a technical training; the focus is on leadership/strategic management theory, policy development, coaching, and security program management.
The class size was small so we did the practicals together with the instructor (G. Mark).
My honest thoughts:
I personally enjoyed it, and the case study style was not new to me as this is how business schools teach (MBA). I was also familiar with some of the material (SWOT analysis, strategy, etc.) from business school, and I also had a good grasp on the frameworks they focused on (CMMI, NIST, CIS).
My classmates, however, didn't seem to have enjoyed the course and got most of the questions/practicals wrong during the training. I have an opinion on why that was the case... it's my personal opinion though. They were all either "IT manager" or "infosec manager". The IT folks simply didn't have an understanding of InfoSec and were out of their depth when it came to management training. They knew IT from a technical perspective, but that's about it (you could really see that from their analysis of the case studies; they hadn't really come across similar scenarios in real life).
The InfoSec folks also didn't seem to have enough breadth; one had only worked in one organisation for 10 years.
Another security person works in "government" and evidently had no experience with either IT or InfoSec and got 100% of the questions wrong (he was way off...).
You could easily tell who thinks like a "business leader" and who thinks like a "technical lead/engineer"; this course is there to teach you the language and give you tools to be a better "business leader".
I think having a consulting background and some business school training will give you more appreciation of the material.
Now, the exam itself: it was honestly easy if you make a good index. It's easier to pass.
Would I recommend this course? Yes, if your organisation is paying for it AND you are a senior manager/CISO or aspire to be one (in the near future).
If you don't have any training in management (CISSP/CISM don't count)/leadership/security program development/policy writing, you can definitely do and pass this course with ease, but you may not enjoy it or you may not find it useful at all. I recommend that you do this instead, as it'll be more applicable to what you do and you will learn more from it:
What's next for me?
Absolutely nothing. I do not want to do any more exams or certs or any study. I'm done... really done.
I will be making a YouTube video about it if you want to hear me blabbing.
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE
Check out my YouTube Channel!