
CISSP vs GCIH

sabresbc Member Posts: 5
I do not have any certifications, and am looking to start the year off right and get some certifications under my belt.

I have looked at both CISSP and GCIH, CISSP seems like a standard certification for the InfoSec industry and GCIH appears very interesting to me, so I have narrowed it down to these two. Does anyone have a recommendation on which one to start with?

Also, if I pursue GCIH, how well do the SANS courses prep you for the test? Especially in comparison to the OnDemand training?

Thanks for the insight.

Greg

Comments

  • dbrink Member Posts: 180
    What kind of Info Sec experience do you have? What is your motivation for getting the certifications?
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • sabresbc Member Posts: 5
    I am a System and Security Admin, and I have an Advanced Certificate (graduate level coursework) in Info Assurance. I am looking to potentially break deeper into the info sec world, possibly consulting, or doing info sec in a large organization. Certifications are obviously needed when looking for a new job. I have an MBA, but definitely like being down in the dirt, so to speak.
    Greg
  • ChooseLife Member Posts: 941
    Of the two, CISSP is going to have a much higher ROI for you.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • docrice Member Posts: 1,706
    Depending on where you're at in an infosec career, certifications may or may not really help. If you're more on the senior (technical) end, I think it becomes less relevant. The CISSP is the most widely-recognized information security certification, but in many cases it's because that's what HR departments know about. There seem to be a lot of CISSPs who look down on the certification (and ISC2) as of late. I don't hold the cert myself, and I think the quality of candidates who hold it varies greatly in caliber.

    SANS training via OnDemand is good enough to learn the material to attain the GIAC GCIH cert. I did it myself. In my opinion, GIAC exams are written too closely against the course materials. They used to have exam questions which were nothing more than "find the answer in the book using phrases that precisely match the text." They've started moving away from that so it's more realistic and cognitively challenging, but still I think if you take the SANS class, you're more or less assured that you can pass the (open-book, open-notes) exam provided you grasp the material fundamentally well.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • CISPhD Member Posts: 114
    I think what @dbrink was getting at was "Do you have the required experience to become a fully certified CISSP?" That is to say, do you have the required 4 to 5 years experience and associated educational degree? As far as comparing these two certs together, you're comparing apples and oranges. :) The CISSP is an overall security cert designed to provide a very strong foundation or intermediate understanding in a wide array of fields. The GCIH is designed to provide an in depth understanding of incident management (IM). IM is something the CISSP touches on in several domains, but it doesn't get as deep as the GCIH.

    That being said, the CISSP offers many merits the GCIH does not. The GCIH makes you very good in one area of information technology (IM isn't just about IS, is it? :D). However, the CISSP helps to ensure you're fair to good in many areas. @docrice hit on a point that is keen to emphasize insofar as the skill sets held by assorted CISSPs do vary greatly, but it seems HR departments haven't caught on to this yet... I do, however, disagree with the comment on security certs becoming less relevant as you climb the food chain. This may be true in areas such as network administration or service desk, but with regards to IS specifically, I believe, even up to the CISO level, that a manager/executive needs to be on the absolute edge of security field developments in areas such as vulnerabilities, defense technologies, and best practices. One of (among others) the best ways to stay current, and demonstrate it on your resume, is through certs such as the CISSP, GIAC suite, or ISACA suite.

    A final note here on which you should go for: IMO, the CISSP is your best bet. It's more well known. As @docrice noted, it's better known by HR departments, and is likely to provide your best ROI if you're shooting for a new role. Furthermore, the GIAC's target audience is businesses, not the individual cert seeker. As such, their prices reflect this audience. I am taking my CISSP exam on March 30th, and I've spent about 3K on my entire package. That includes the exam fee, a week long boot camp, four or five books, several testing software packages, and a few video training series. With the GIAC certs, 3K will barely cover the cost of their training courses. So unless you have organizational financial backing, I'd further suggest the CISSP.

    TL;DR: CISSP is better known, and more affordable, than the GIAC. IMHO, I'd head there.
  • sabresbc Member Posts: 5
    docrice and ChooseLife,

    Thanks for the responses. The CISSP seems incredibly tough; as someone who holds the cert told me, it is 10 domains wide, and you don't have to go that deep for some of the exam questions, however they don't tell you how deep you need to go, so you end up having to do a deep dive in all 10 domains, which is daunting.

    Part of me wants to find a "quick" cert to kind of get under my belt to get used to the certification process, as I have none. I am somewhat leaning towards the GCIH, as although I am sure it isn't easy to get, it seems like it might be somewhat easier, or quicker to get (that and it interests me).

    I definitely want the CISSP at some point, but not sure if that is a good "starter" cert. Maybe I am overthinking this and should just go with the CISSP...

    CISPhD - thanks for the reply. Those are good thoughts I will take into consideration. Luckily I can get my current employer to pay for training; although it's more expensive, they may actually be more apt to pay for the GCIH than the CISSP, as the GCIH is more directly related to what I currently do, whereas the CISSP is more broad (might be slightly harder to make a case for the training for the CISSP).
  • CISPhD Member Posts: 114
    It may not be as hard as you think to make the case for the CISSP if you want to head that way. They do have several of the domains that deal with incident response, and they get the added bonus of all the other stuff you pick up as well. Easy enough pitch that I can help you formulate further if needed. Just PM me.

    Regarding cert difficulty, the CISSP is not for the faint of heart. Then again, neither are some of the GIAC certs. If you're looking for starter certs, I'd suggest a selection of CompTIA certs. You can probably skip the A+ as it doesn't carry much weight, but the Security+ and Network+ are fairly recognizable, and will also help you be better prepared for the CISSP later on down the road. The Sec+ will also help reduce the required years of IT experience to get the CISSP, CISM, CISA, and others. It's also good if you ever need to do any federal work... So all-in-all, a good "starter" cert that's cheap to study for/take, and can usually be done in about two months if you're a structured person when it comes to studying (which you HAVE to be for the CISSP).

    Hope this helps.
  • wes allen Member Posts: 540
    I did Sec+ as a warmup for CISSP and think it works well in the role, so if you want something easy to start with, that might be worth looking into.

    CISSP is tough, no doubt, but it isn't as bad as some people make it out to be, esp. if you have a solid IT background already. I kinda think of it as entry level infosec cert - it really helps provide a framework for putting things into a security context. For me at least, it was very helpful in that way - tied together what I already knew, filled in some blanks, and makes it easier to learn new stuff in a security context.
  • sabresbc Member Posts: 5
    Any recommendations on Sec+ materials to help pass the exam? I am about 75-100 pages into the new CISSP All-In-One by Shon Harris. Is there a different book that will target Sec+ more or any other materials people might suggest?
  • CISPhD Member Posts: 114
  • wes allen Member Posts: 540
    Darril's Sec+ is great, highly recommended.

    There are several threads on books for CISSP, but I really thought Eric Conrad's was pretty good, and not nearly as dry as the AIO.
  • spiderjericho Registered Users, Member Posts: 890
    Man, there is some CISSP Koolaid being passed around. I think it has a great ROI compared to a lot of certs. But as for the level of technical knowledge in the areas of security, telecommunication, cryptography, physical security, access control, etc.: when I took a 2-week course with a bunch of folks who had small IT backgrounds but decent to great managerial backgrounds, they all passed the exam. So although I think the test taking experience is grueling, the exam is not equivalent to the difficulty of RHCE, CCIE, OSCP, some of the SANS, JNCIE, etc., nor will it make you someone who'll be able to thwart script kiddies, network attacks from the Chinese Cyber Cell or be able to deploy an array of firewalls, IPS, ACLs and UTMs.
  • emerald_octane Member Posts: 613
    CISSP is easy...
    ...if you enjoy pain, and like to study for 5 hours a day for 3-4 months.

    That's what I did lol. Then again I'm not the sharpest tool in the shed.
  • Iristheangel Mod Posts: 4,133
    One of the biggest misconceptions about the CISSP is that it's an advanced security or technical exam. In reality, it's a security certification from a management level. There are 10 domains but they aren't supposed to drill down or be extremely technical because it's geared towards management or CSOs who are required to have foundational security knowledge but not be in the technical trenches. I think the CISSP exam is the hardest for technical people because it's a lot of "best practices" and "models" that may not translate into the real world. In my experience, people with more years of technical experience had a harder go at the exam than the people with more management or policy-shaping experience.

    I'll be honest. I hadn't even heard of the GCIH before this thread so I quickly jumped over to the GIAC page to check out the objectives. I think it comes down to one question: What's the end game in your career? The CISSP material covers a LOT more and it has name recognition that can help you in your career if you're looking to move into a managerial position. The GCIH seems more geared specifically to incident handling and it appears to be a little more technical and niche. If you're looking to be more on the front lines of security or on an incident team, then the GCIH is for you. Either way, good luck!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com