Wasted cert?

n8236

I've had my GSEC for over the course of a year and been aggressively looking for an infosec job for the past 3 months. On multiple occasions, I have been asked what the GSEC is and most of the time no one seems to recognize the cert.

Certainly, they all know what the CISSP is, but I'm not sitting for that exam for another two months. Honestly, 3/4 of the CISSP is in the GSEC and the only reason I am obtaining the CISSP is to get recognized easier. Doesn't add much to what I already know.

I'm starting to question whether having spent $6,000, a week of my own vacation to attend the bootcamp, spending countless hours studying and passing the exam was worth anything.....

docrice

Training courses and certifications provide value beyond just employment (unless that's your only real goal). GIAC certs are more recognized in government and defense industries, although they're starting to catch on in the private sector. That said, I work in the private sector and I certainly look for those on a resume. The CISSP alone means a lot less to me for technically-heavy positions.

HR departments are way behind the times when it comes to knowing which certifications reflect which type of skill sets. This is an unfortunate reality that we as professionals face in any area of technology. Your chances of success are also based on the people you know and your relationships with them, the area(s) you're searching for employment in, the industries in those areas, their growth, your willingness to potentially relocate to other areas, and so on as well as your existing background and professional experience.

I don't know what your previous experience is, but infosec jobs are not necessarily easy to come by due to the rigor and scrutiny put against candidates. The demand for qualified infosec professionals is growing though and the number of open positions seem to be expanding as well.

JDMurray

Not to sound rude, but what made you think that the GSEC was the ticket to an InfoSec job? Looking at InfoSec job listings on Dice, Monster, and LinkedIn shows the CISSP probably has the best chance of getting your foot in the door to a first interview. After you sit down in the interviewee chair, all of your certification paper falls to the floor and it's the stuff you have in your head and what comes out of your mouth that the hiring manager will evaluate. It's in the interview itself that your GSEC training will be the most valuable for getting a job.

Oh--you may be shocked to one day to personally discover that 3/4 of the CISSP is not in the GSEC. Much of what is in the GSEC is not in the CISSP either. I'm sure the marketing departments of GIAC and (ISC)2 see to that.

YFZblu

Agree with the above, from a pure marketing perspective GIAC is not a golden ticket. I just did a raw search on Dice for GSEC and it resulted in 125 job postings. Compared, CISSP resulted in 1,279. Really the only reason I keep Security+ on my resume is for its marketability - a search for Security+ on Dice results in 16,000+ job listings. Not all security jobs of course, but most of them are related.

You have to remember, the bulk of preliminary screening is done by bots searching resumes for key words and such. This graphic has made the rounds and isn't new, but it's always good to keep in mind:




Also, the topic of this thread, seemingly wasted effort, it has me thinking about the anecdote Dr. Cole gives during his GSEC bootcamps - I won't post the exact words here, but it has something to do with his son studying the wrong material for a pop quiz. The moral of the story was that his son should not consider it time wasted, and the information he studied will most certainly benefit him going forward.

SephStorm

I'd agree with above. Do you have any other security experience or credentials? because Unless you are going for a management position, GSEC/CISSP isn't showing much. Even so, I would not hire a CISSP with no experience for a security management position. I'd rather have a non IT manager move over. I guess for me its all about ability. If I'm hiring for a tech position, its about experience and/or the capacity to learn and work with a team. For an IT management position its IT experience or prior management experience with a desire to understand IT.

But back to your prediciment. If you want a security technical position spend a few years in systems or network administration, then move over, or if you want management, help desk to help desk manager, then look for an IA position.

billyc123

GSEC is like another type of entry level cert of Sec+ and/or is partial of CISSP which HR pre-requirement of a Security job. I don't think it really cost justified to spend a $1000 exam fee to get this certification unless your employer fully paid. GSEC & SANS 401 is entry level course & is the concepts to begin with in order to get more advance certificates or advanced class from SANS.

docrice

GSEC goes beyond Security+. I would not put those two on the same level at all, and I took both of those exams within weeks of each other.

YFZblu

Agreed, Security+ and GSEC should not be compared. SEC301 is probably more along the lines of Security+; I'm not sure there is a corresponding GIAC certification for SEC301 though.

JDMurray

Sez right on the SANS 301 page the companion GIAC cert is the GISF.

n8236

That's exactly the revolving door for entering infosec. For someone like me who's been in the IT over 7 years, but not doing an explicit security role, the cert should provide at least a crack to the door in landing a security job. In no way do I expect employers to embrace me with open arms with a GSEC, since it is a mid-lvl cert and have not much experience to show for. Bit of a catch-22 for infosec.

I have to respectfully disagree that the CISSP and GSEC being very different variants of one another. About 3/4 of the GSEC stuff was kinda new to me and in taking a few closely resembled CISSP exams, I did fairly well. Perhaps I knew more than I thought, who knows. In any case, the CISSP isn't something I am going for because I want a gig that's technical.

Just the fact that potential employers or job-scan-bots skipped me over due to not having a CISSP for a technical role, just pressed my buttons a bit.